mirror of
https://github.com/zama-ai/tfhe-rs.git
synced 2026-01-10 07:08:03 -05:00
3f3b4aef41
This is part of security issues remediation campaign after having analyzed workflow using zizmor cargo tool.
138 lines
5.2 KiB
YAML
138 lines
5.2 KiB
YAML
name: Close or Merge corresponding PR on the data repo
|
|
|
|
# When a PR with the data_PR tag is closed or merged, this will close the corresponding PR in the data repo.
|
|
|
|
env:
|
|
TARGET_REPO_API_URL: ${{ github.api_url }}/repos/zama-ai/tfhe-backward-compat-data
|
|
SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
|
|
SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png
|
|
SLACK_USERNAME: ${{ secrets.BOT_USERNAME }}
|
|
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
|
|
PR_BRANCH: ${{ github.head_ref || github.ref_name }}
|
|
CLOSE_TYPE: ${{ github.event.pull_request.merged && 'merge' || 'close' }}
|
|
|
|
# only trigger on pull request closed events
|
|
on:
|
|
pull_request:
|
|
types: [ closed ]
|
|
|
|
# The same pattern is used for jobs that use the github api:
|
|
# - save the result of the API call in the env var "GH_API_RES". Since the var is multiline
|
|
# we use this trick: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#example-of-a-multiline-string
|
|
# - "set +e" will make sure we reach the last "echo EOF" even in case of error
|
|
# - "set -o" pipefail makes one line piped command return the error of the first failure
|
|
# - 'RES="$?"' and 'exit $RES' are used to return the error code if a command failed. Without it, with "set +e"
|
|
# the script will always return 0 because of the "echo EOF".
|
|
|
|
|
|
|
|
permissions: {}
|
|
|
|
jobs:
|
|
auto_close_job:
|
|
if: ${{ contains(github.event.pull_request.labels.*.name, 'data_PR') }}
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Find corresponding Pull Request in the data repo
|
|
run: |
|
|
{
|
|
set +e
|
|
set -o pipefail
|
|
echo 'TARGET_REPO_PR<<EOF'
|
|
curl --fail-with-body --no-progress-meter -L -X GET \
|
|
-H "Accept: application/vnd.github+json" \
|
|
-H "X-GitHub-Api-Version: 2022-11-28" \
|
|
"${TARGET_REPO_API_URL}"/pulls\?head="${REPO_OWNER}":"${PR_BRANCH}" | jq -e '.[0]' | sed 's/null/{ "message": "corresponding PR not found" }/'
|
|
RES="$?"
|
|
echo EOF
|
|
} >> "${GITHUB_ENV}"
|
|
exit $RES
|
|
env:
|
|
REPO_OWNER: ${{ github.repository_owner }}
|
|
|
|
- name: Comment on the PR to indicate the reason of the close
|
|
run: |
|
|
BODY="'{ \"body\": \"PR ${CLOSE_TYPE}d because the corresponding PR in main repo was ${CLOSE_TYPE}d: ${REPO}#${EVENT_NUMBER}\" }'"
|
|
{
|
|
set +e
|
|
set -o pipefail
|
|
echo 'GH_API_RES<<EOF'
|
|
curl --fail-with-body --no-progress-meter -L -X POST \
|
|
-H "Accept: application/vnd.github+json" \
|
|
-H "Authorization: Bearer ${{ secrets.FHE_ACTIONS_TOKEN }}" \
|
|
-H "X-GitHub-Api-Version: 2022-11-28" \
|
|
"${COMMENTS_URL}" \
|
|
-d "${BODY}"
|
|
RES="$?"
|
|
echo EOF
|
|
} >> "${GITHUB_ENV}"
|
|
exit $RES
|
|
env:
|
|
REPO: ${{ github.repository }}
|
|
EVENT_NUMBER: ${{ github.event.number }}
|
|
COMMENTS_URL: ${{ fromJson(env.TARGET_REPO_PR).comments_url }}
|
|
|
|
- name: Merge the Pull Request in the data repo
|
|
if: ${{ github.event.pull_request.merged }}
|
|
run: |
|
|
{
|
|
set +e
|
|
set -o pipefail
|
|
echo 'GH_API_RES<<EOF'
|
|
curl --fail-with-body --no-progress-meter -L -X PUT \
|
|
-H "Accept: application/vnd.github+json" \
|
|
-H "Authorization: Bearer ${{ secrets.FHE_ACTIONS_TOKEN }}" \
|
|
-H "X-GitHub-Api-Version: 2022-11-28" \
|
|
"${TARGET_REPO_PR_URL}"/merge \
|
|
-d '{ "merge_method": "rebase" }'
|
|
RES="$?"
|
|
echo EOF
|
|
} >> "${GITHUB_ENV}"
|
|
exit $RES
|
|
env:
|
|
TARGET_REPO_PR_URL: ${{ fromJson(env.TARGET_REPO_PR).url }}
|
|
|
|
- name: Close the Pull Request in the data repo
|
|
if: ${{ !github.event.pull_request.merged }}
|
|
run: |
|
|
{
|
|
set +e
|
|
set -o pipefail
|
|
echo 'GH_API_RES<<EOF'
|
|
curl --fail-with-body --no-progress-meter -L -X PATCH \
|
|
-H "Accept: application/vnd.github+json" \
|
|
-H "Authorization: Bearer ${{ secrets.FHE_ACTIONS_TOKEN }}" \
|
|
-H "X-GitHub-Api-Version: 2022-11-28" \
|
|
"${TARGET_REPO_PR_URL}" \
|
|
-d '{ "state": "closed" }'
|
|
RES="$?"
|
|
echo EOF
|
|
} >> "${GITHUB_ENV}"
|
|
exit $RES
|
|
env:
|
|
TARGET_REPO_PR_URL: ${{ fromJson(env.TARGET_REPO_PR).url }}
|
|
|
|
- name: Delete the associated branch in the data repo
|
|
run: |
|
|
{
|
|
set +e
|
|
set -o pipefail
|
|
echo 'GH_API_RES<<EOF'
|
|
curl --fail-with-body --no-progress-meter -L -X DELETE \
|
|
-H "Accept: application/vnd.github+json" \
|
|
-H "Authorization: Bearer ${{ secrets.FHE_ACTIONS_TOKEN }}" \
|
|
-H "X-GitHub-Api-Version: 2022-11-28" \
|
|
"${TARGET_REPO_API_URL}"/git/refs/heads/"${PR_BRANCH}"
|
|
RES="$?"
|
|
echo EOF
|
|
} >> "${GITHUB_ENV}"
|
|
exit $RES
|
|
|
|
- name: Slack Notification
|
|
if: ${{ always() && job.status == 'failure' }}
|
|
continue-on-error: true
|
|
uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661
|
|
env:
|
|
SLACK_COLOR: ${{ job.status }}
|
|
SLACK_MESSAGE: "Failed to auto-${{ env.CLOSE_TYPE }} PR on data repo: ${{ fromJson(env.GH_API_RES || env.TARGET_REPO_PR).message }}"
|