
[#IP-103] add yarn-lock-upgrade resource to pushnotification terraform script #38

Draft: wants to merge 2 commits into main

Conversation

fabriziopapi (Contributor)

The current devops pipelines never update the dependency versions locked in the yarn.lock file.
The PR adds to the terragrunt script for the pushnotification pipeline the yarn upgrade job configured in the yarn-lock-upgrade.yml project file (based on the template yarn-lock-upgrade/template.yaml from the azure-pipeline-templates).
With this new pipeline, the locked dependency versions will be re-generated every day.

@fabriziopapi fabriziopapi changed the title [#IP-103] (+) add yarn-lock-upgrade resource to pushnotification terraform script [#IP-103] add yarn-lock-upgrade resource to pushnotification terraform script Apr 26, 2021
balanza (Contributor) commented Apr 26, 2021

We will need to:

  1. enable io-azure-devops-github-ro service connection for this pipeline (see https://github.com/pagopa/gitops/blob/main/azure-devops/projects/io-backend-projects/io-functions-pushnotifications.tf#L63)
  2. define a time trigger in this config to override what's defined in the project's pipeline (I don't know if it's feasible by now)

pasqualedevita (Member) left a comment

@fabriziopapi thanks for your pr :)

https://github.com/pagopa/azure-pipeline-templates/blob/master/templates/yarn-lock-upgrade/template.yaml#L40

Looking here it seems that u need also a GITHUB_TOKEN but I don't remember if u have to set:

  1. io-azure-devops-github-pr's service connection, or
  2. io-azure-devops-github-pr's GITHUB_TOKEN, or
  3. nothing

I think that we have to do some tests.
@gquadrati @balanza do u remember what's the correct way?

Another change requested is to add the github pr service connection auth for this pipeline: io-functions-pushnotifications-yarn-lock-upgrade-github-pr-auth

pasqualedevita (Member)

2. define time trigger in this config to override what's defined in the project's pipeline (I don't know if it's feasible by now)

At the moment we can't define scheduled triggers with terraform. https://registry.terraform.io/providers/microsoft/azuredevops/latest/docs/resources/build_definition

We need to define the schedule block as here https://github.com/pagopa/io-functions-pushnotifications/blob/master/.devops/yarn-lock-upgrade.yml#L9

The third way is to set it manually :(

fabriziopapi (Contributor, Author)

https://github.com/pagopa/azure-pipeline-templates/blob/master/templates/yarn-lock-upgrade/template.yaml#L40

Looking here it seems that u need also a GITHUB_TOKEN but I don't remember if u have to set:

  1. io-azure-devops-github-pr's service connection, or
  2. io-azure-devops-github-pr's GITHUB_TOKEN, or
  3. nothing

I think that we have to do some tests.
@gquadrati @balanza do u remember what's the correct way?

In the template doc at https://github.com/pagopa/azure-pipeline-templates/tree/master/templates/yarn-lock-upgrade, the GITHUB_TOKEN is stated as not required.
Maybe it is falling back to some default token?

gquadrati (Contributor) commented Apr 27, 2021

In the template doc at https://github.com/pagopa/azure-pipeline-templates/tree/master/templates/yarn-lock-upgrade, the GITHUB_TOKEN is stated as not required.
Maybe it is falling back to some default token?

This is wrong, I'm sorry. We need all the three values to successfully create a PR in github.
They need to be set with the PagoPA bot ones.

balanza (Contributor) commented Apr 27, 2021

They need to be set with the PagoPA bot ones.

We need a token that can push to a branch but without being admin (to prevent malicious push to master), otherwise we would introduce a possible vulnerability.

Idk if we can set such property to a token, I'm afraid they're inherited from the user's role.

balanza (Contributor) commented Apr 27, 2021

@fabriziopapi why draft anyway? Is there a scenario in which codeowners approve the PR but you don't want it to be merged?

gquadrati (Contributor)

We need a token that can push to a branch but without being admin (to prevent malicious push to master), otherwise we would introduce a possible vulnerability.

yes, right, sorry!

@fabriziopapi fabriziopapi marked this pull request as ready for review April 27, 2021 13:42
pasqualedevita (Member) commented Apr 28, 2021

For security reasons we need to set the scheduled trigger in the azure devops configuration.
The AzureDevOps terraform provider doesn't support this feature, so:

  1. manually set scheduled timetable on azure devops
  2. implement this feature and create a PR here https://github.com/microsoft/terraform-provider-azuredevops

PS: this open issue is not related to our scope microsoft/terraform-provider-azuredevops#362

pasqualedevita (Member) commented Dec 24, 2021

We can reopen this PR :) azure devops 0.1.8 now supports scheduled triggers @fabriziopapi @balanza @gquadrati
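An added example, not code from this PR or from the pagopa repositories, of what the last comment makes possible: an azuredevops_build_definition whose schedule lives in the Azure DevOps definition (managed by Terraform) instead of the repository YAML, so a commit to the repo cannot change when the yarn-lock-upgrade job runs. The project id variable, the service endpoint resource name and the schedule time are assumptions; the repository, branch and YAML path are the ones linked in the thread.

```hcl
# Added example, not the PR's own terraform. Assumed: var.project_id holds the
# Azure DevOps project id and azuredevops_serviceendpoint_github.github_ro is
# the read-only GitHub service connection mentioned in the thread.
variable "project_id" {
  type = string
}

resource "azuredevops_build_definition" "yarn_lock_upgrade" {
  project_id = var.project_id
  name       = "io-functions-pushnotifications.yarn-lock-upgrade"
  path       = "\\io-functions-pushnotifications"

  # Steps still come from the YAML in the repo; only the *when* is owned here.
  ci_trigger {
    use_yaml = true
  }

  # Schedules defined on the definition override any `schedules:` in the YAML,
  # which is the "for security reasons" requirement raised above.
  schedules {
    branch_filter {
      include = ["master"]
    }
    days_to_build              = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
    schedule_only_with_changes = false   # regenerate yarn.lock daily even with no new commits
    start_hours                = 5       # assumed time, 05:00 UTC
    start_minutes              = 0
    time_zone                  = "(UTC) Coordinated Universal Time"
  }

  repository {
    repo_type             = "GitHub"
    repo_id               = "pagopa/io-functions-pushnotifications"
    branch_name           = "master"
    yml_path              = ".devops/yarn-lock-upgrade.yml"
    service_connection_id = azuredevops_serviceendpoint_github.github_ro.id
  }
}
```

The `schedules` block requires azuredevops provider 0.1.8 or later, as the comment above notes; with an older provider `terraform validate` rejects it.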
