# Validates all PipelineRun YAML files on pull requests.
# See docs/validate-pipelineruns.md for check details and security model.
name: Validate PipelineRuns

# Triggers.
# - pull_request (not pull_request_target): by default, runs that originate
#   from a fork receive no repository secrets and a read-only job token, so
#   the secret-backed steps in this workflow only get real credentials for
#   branches pushed to this repository.
# - workflow_dispatch: manual run; `branch` is free-form text supplied by the
#   person starting the run.
on:
  pull_request:
    branches:
      - 'main'
      - 'rhoai-*'
    paths:
      - 'pipelineruns/**'
      - 'script/test_validate_pipelineruns.py'
      - 'script/conftest.py'
      - '.github/workflows/validate-pipelineruns.yml'
  workflow_dispatch:
    inputs:
      branch:
        type: string
        description: 'Release branch to validate against (e.g. rhoai-3.4). Leave empty for main.'
        required: false
        default: ''
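jobs:
  # Runs the PipelineRun validator and, on pull requests, posts or refreshes a
  # single summary comment.
  #
  # NOTE(review): no `permissions:` block is declared, so the job token gets
  # the repository/organization default scopes. Consider declaring least
  # privilege here (the comment step needs write access to PR comments) after
  # confirming what script/test_validate_pipelineruns.py does with
  # GITHUB_TOKEN.
  #
  # NOTE(review): the actions below are referenced by mutable tag. Pinning
  # each `uses:` to a full commit SHA (`owner/action@<full-commit-sha>  # vN`)
  # keeps a retagged release from running with this job's secrets.
  validate:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # Best effort: when the app secrets are unavailable this step fails,
      # continue-on-error lets the job proceed, and later steps fall back to
      # github.token.
      # NOTE(review): `owner` is set without `repositories`, which scopes the
      # token to every repository the app installation can access for that
      # owner. The token is later handed to code from the checked-out ref, so
      # narrow it if the validator does not need the wider access.
      - name: Generate GitHub App token
        id: app-token
        continue-on-error: true
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}

      - name: Install uv
        uses: astral-sh/setup-uv@v4

      # Emits `branch=<name>` only for names of the form rhoai-<major>.<minor>;
      # anything else (including main) yields an empty output.
      # Context values are passed through env instead of being expanded into
      # the script text: the dispatch input is free-form, and expression
      # expansion happens before bash parses the script, so an inline value
      # containing quotes or $(...) would be executed as shell.
      - name: Detect branch for push PipelineRun checks
        id: detect-branch
        env:
          EVENT_NAME: ${{ github.event_name }}
          DISPATCH_BRANCH: ${{ github.event.inputs.branch }}
          BASE_REF: ${{ github.base_ref }}
        run: |
          if [[ "$EVENT_NAME" == "workflow_dispatch" ]]; then
            target_branch="$DISPATCH_BRANCH"
          else
            target_branch="$BASE_REF"
          fi
          # Anchored allow-list: only this shape is ever written to the output.
          if [[ "$target_branch" =~ ^rhoai-[0-9]+\.[0-9]+$ ]]; then
            echo "branch=$target_branch" >> "$GITHUB_OUTPUT"
          else
            echo "branch=" >> "$GITHUB_OUTPUT"
          fi

      # NOTE(review): this step executes script/ from the checked-out ref with
      # the Quay credential and the GitHub token in its environment. A pull
      # request from a branch in this repository can change that script (the
      # `paths` filter even triggers on it), so treat both credentials as
      # readable by anyone with push access. pyyaml and pytest are also
      # resolved unpinned at run time and run in the same environment.
      # The inline expression on the last line of the command is kept as is:
      # its value is either empty or a name that passed the anchored regex in
      # the detect-branch step.
      - name: Validate PipelineRuns
        id: validate
        env:
          QUAY_RHOAI_READONLY_BOT_AUTH: ${{ secrets.QUAY_RHOAI_READONLY_BOT_AUTH }}
          GITHUB_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
          GITHUB_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
          GITHUB_BLOB_URL_PREFIX: ${{ github.server_url }}/${{ github.repository }}/blob/${{ github.event.pull_request.head.sha || github.sha }}
          GITHUB_COMMIT_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
        run: |
          uv run --with pyyaml --with pytest pytest script/test_validate_pipelineruns.py \
            --pipelinerun-dir pipelineruns/ \
            -v \
            --validation-comment-file validation-comment.md \
            ${{ steps.detect-branch.outputs.branch && format('--branch {0}', steps.detect-branch.outputs.branch) || '' }}

      # always(): report even when validation failed. Repository and PR number
      # reach the script through env rather than inline expansion.
      - name: Post or update PR comment
        if: always() && github.event_name == 'pull_request'
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
          REPO: ${{ github.repository }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          if [[ ! -f validation-comment.md ]]; then
            echo "No validation comment file generated, skipping."
            exit 0
          fi
          MARKER="<!-- pipelinerun-validation-comment -->"
          # Find existing comment by marker.
          # NOTE(review): the match is on body text only, so the first comment
          # from any author that contains the marker is selected. Also
          # filtering on the expected bot login would keep the result from
          # being written into a comment someone else controls.
          COMMENT_ID=$(gh api "repos/${REPO}/issues/${PR_NUMBER}/comments" \
            --paginate --jq ".[] | select(.body | contains(\"${MARKER}\")) | .id" | head -1)
          if [[ -n "$COMMENT_ID" ]]; then
            gh api "repos/${REPO}/issues/comments/${COMMENT_ID}" \
              --method PATCH \
              --field body=@validation-comment.md
          else
            gh pr comment "${PR_NUMBER}" --body-file validation-comment.md
          fi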