vets-api/.github/workflows/check_codeowners.yml at ce956deea8cbd02bb0b67ab3d493cbdcfa29c1ea · department-of-veterans-affairs/vets-api · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
name: Check CODEOWNERS Entries

on:
  pull_request:
    branches:
      - master
    types:
      - opened
      - synchronize
      - reopened
      - edited
permissions:
  id-token: write
  contents: read

jobs:
  check-additions:
    name: Check Codeowners Additions
    runs-on: ubuntu-latest

    steps:
    - name: Checkout code
      uses: actions/checkout@v6
      with:
        fetch-depth: 2

    - name: Configure AWS Credentials
      uses: aws-actions/configure-aws-credentials@v6
      with:
        role-to-assume: ${{ vars.AWS_ASSUME_ROLE }}
        aws-region: "us-gov-west-1"

    - name: Get GitHub Bot Token
      uses: marvinpinto/action-inject-ssm-secrets@v1.2.1
      with:
        ssm_parameter: /devops/VA_VSP_BOT_GITHUB_TOKEN
        env_variable_name: VA_VSP_BOT_GITHUB_TOKEN

    - name: Check CODEOWNERS exists for new files
      id: check_codeowners
      run: |
        chmod +x .github/scripts/check_codeowners.sh
        .github/scripts/check_codeowners.sh

    - name: Respond to PR if check CODEOWNERS exists for new files fails
      if: ${{ failure() }}
      uses: actions/github-script@v8
      with:
        github-token: ${{ env.VA_VSP_BOT_GITHUB_TOKEN }}
        script: |
          const prNumber = context.payload.pull_request.number
          const offendingFile = process.env.offending_file
          const body = `Error: A file (or its parent directories) does not have a CODEOWNERS entry. Please update the .github/CODEOWNERS file and add the entry for the Offending file: ${offendingFile}`
          await github.rest.issues.createComment({
            owner: context.repo.owner,
            repo: context.repo.repo,
            issue_number: prNumber,
            body,
          })

    - name: Add Failure label
      if: ${{ failure() }}
      uses: actions/github-script@v8
      with:
        github-token: ${{ env.VA_VSP_BOT_GITHUB_TOKEN }}
        script: |
          const prNumber = context.payload.pull_request.number
          await github.rest.issues.addLabels({
            owner: context.repo.owner,
            repo: context.repo.repo,
            issue_number: prNumber,
            labels: ['codeowners-addition-failure'],
          })

    - name: Remove Failure label
      if: ${{ success() }}
      uses: actions/github-script@v8
      with:
        github-token: ${{ env.VA_VSP_BOT_GITHUB_TOKEN }}
        script: |
          const prNumber = context.payload.pull_request.number
          try {
            await github.rest.issues.removeLabel({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: prNumber,
              name: 'codeowners-addition-failure',
            })
          } catch (e) {
            if (e.status !== 404) throw e
          }

  check-deletions:
    name: Check Codeowners Deletions
    runs-on: ubuntu-latest

    steps:
    - name: Checkout code
      uses: actions/checkout@v6
      with:
        fetch-depth: 2

    - name: Configure AWS Credentials
      uses: aws-actions/configure-aws-credentials@v6
      with:
        role-to-assume: ${{ vars.AWS_ASSUME_ROLE }}
        aws-region: "us-gov-west-1"

    - name: Get GitHub Bot Token
      uses: marvinpinto/action-inject-ssm-secrets@v1.2.1
      with:
        ssm_parameter: /devops/VA_VSP_BOT_GITHUB_TOKEN
        env_variable_name: VA_VSP_BOT_GITHUB_TOKEN

    - name: Check CODEOWNERS for removal when files deleted
      id: check_deleted_files
      run: |
        chmod +x .github/scripts/check_deleted_files.sh
        .github/scripts/check_deleted_files.sh

    - name: Respond to PR if check CODEOWNERS exists for deleted files fails
      if: ${{ failure() }}
      uses: actions/github-script@v8
      with:
        github-token: ${{ env.VA_VSP_BOT_GITHUB_TOKEN }}
        script: |
          const prNumber = context.payload.pull_request.number
          const offendingFile = process.env.offending_file
          const body = `A deleted file (or one of its parent directories) still has a CODEOWNERS entry. Please update the .github/CODEOWNERS file and remove the stale entry for the offending file: ${offendingFile}`
          await github.rest.issues.createComment({
            owner: context.repo.owner,
            repo: context.repo.repo,
            issue_number: prNumber,
            body,
          })

    - name: Add Failure label
      if: ${{ failure() }}
      uses: actions/github-script@v8
      with:
        github-token: ${{ env.VA_VSP_BOT_GITHUB_TOKEN }}
        script: |
          const prNumber = context.payload.pull_request.number
          await github.rest.issues.addLabels({
            owner: context.repo.owner,
            repo: context.repo.repo,
            issue_number: prNumber,
            labels: ['codeowners-deletion-failure'],
          })

    - name: Remove Failure label
      if: ${{ success() }}
      uses: actions/github-script@v8
      with:
        github-token: ${{ env.VA_VSP_BOT_GITHUB_TOKEN }}
        script: |
          const prNumber = context.payload.pull_request.number
          try {
            await github.rest.issues.removeLabel({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: prNumber,
              name: 'codeowners-deletion-failure',
            })
          } catch (e) {
            if (e.status !== 404) throw e
          }