feat: apigw automation #236
Draft
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
…in permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
…in permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
… - applied 2nd version of flow
Comment on lines
586
to
718
| runs-on: ubuntu-latest | ||
| if: github.event.action == 'closed' && github.event.pull_request.merged == true | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| #environment: [dev, test, qa, uat, prod, vapt] | ||
| environment: [dev, qa] | ||
|
|
||
| env: | ||
| ENVIRONMENT: ${{ matrix.environment }} | ||
| PR_NUMBER: ${{ github.event.number }} | ||
|
|
||
| steps: | ||
| - name: Checkout remote repository | ||
| uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 | ||
| with: | ||
| repository: ${{ vars.INTEROP_INFRA_REPO }} | ||
| token: ${{ secrets.INTEROP_INFRA_REPO_TOKEN }} | ||
| path: interop-infra | ||
| fetch-depth: 0 | ||
|
|
||
| - name: Find and cleanup remote PR for ${{ matrix.environment }} | ||
| # search for open PRs on interop-infra | ||
| # if there are diffs on tfvars, do nothing, show them and terminate workflow | ||
| # if there are no diffs on tfvars, I can proceed with deletion of remote PR and branch | ||
| env: | ||
| INTEROP_INFRA_REPO_TOKEN: ${{ secrets.INTEROP_INFRA_REPO_TOKEN }} | ||
| MERGED_PR_NUMBER: ${{ github.event.pull_request.number }} | ||
| run: | | ||
| set -euo pipefail | ||
|
|
||
| echo "=== Looking for remote PR: ref_pr=$MERGED_PR_NUMBER + env=$ENVIRONMENT ===" | ||
|
|
||
| # Search for specific PR using ref_pr and env labels | ||
| OPEN_PRS=$(curl -sSL \ | ||
| -H "Accept: application/vnd.github+json" \ | ||
| -H "Authorization: Bearer $INTEROP_INFRA_REPO_TOKEN" \ | ||
| -H "X-GitHub-Api-Version: 2022-11-28" \ | ||
| "https://api.github.com/repos/${{ vars.INTEROP_INFRA_REPO }}/pulls?state=open&per_page=100") | ||
|
|
||
| # Search PR (apply same logic as List PRs step) | ||
| TARGET_PR_LABEL="ref_pr=$MERGED_PR_NUMBER" | ||
| TARGET_ENV_LABEL="env=$ENVIRONMENT" | ||
|
|
||
| PR_INFO=$(echo "$OPEN_PRS" | jq -r --arg target_pr_label "$TARGET_PR_LABEL" --arg target_env_label "$TARGET_ENV_LABEL" ' | ||
| .[] | | ||
| select( | ||
| (.labels | any(.name == $target_pr_label)) and | ||
| (.labels | any(.name == $target_env_label)) | ||
| ) | | ||
| "\(.number)|\(.head.ref)|\(.title)|\(.html_url)" | ||
| ') | ||
|
|
||
| # check, if I haven't found the PR, exit | ||
| if [[ -z "$PR_INFO" ]]; then | ||
| echo "No remote PR found for $ENVIRONMENT environment" | ||
| echo "This is normal if no remote PR was created for this environment" | ||
| exit 0 | ||
| fi | ||
|
|
||
| # Extract PR info | ||
| IFS='|' read -r pr_number branch_name title url <<< "$PR_INFO" | ||
|
|
||
| echo "Found remote PR for $ENVIRONMENT:" | ||
| echo " - PR #$pr_number: $title" | ||
| echo " - Branch: $branch_name" | ||
| echo " - URL: $url" | ||
|
|
||
| cd interop-infra | ||
|
|
||
| # Verify if branch exists | ||
| if ! git ls-remote --exit-code --heads origin "$branch_name" >/dev/null 2>&1; then | ||
| echo "WARNING: Branch $branch_name no longer exists, skipping" | ||
| exit 0 | ||
| fi | ||
|
|
||
| # Fetch main | ||
| git fetch origin main | ||
|
|
||
| # fetch branch and verify existence, if doesn't exist skip | ||
| git fetch origin "$branch_name:$branch_name" 2>/dev/null || { | ||
| echo "WARNING: Could not fetch branch $branch_name, skipping" | ||
| exit 0 | ||
| } | ||
|
|
||
| # Check differences for specific environment | ||
| tfvars_file="src/main/core-es1/env/${ENVIRONMENT}/terraform.tfvars" | ||
|
|
||
| if [[ ! -f "$tfvars_file" ]]; then | ||
| echo "WARNING: File $tfvars_file not found, skipping" | ||
| exit 0 | ||
| fi | ||
|
|
||
| echo "Checking differences for $tfvars_file..." | ||
|
|
||
| # Compare file on branch with the one on main | ||
| if ! git diff --quiet "origin/main:$tfvars_file" "$branch_name:$tfvars_file" 2>/dev/null; then | ||
| echo "Found differences in $tfvars_file - keeping PR open" | ||
| echo "=== Differences ===" | ||
| git diff "origin/main:$tfvars_file" "$branch_name:$tfvars_file" | ||
| exit 0 | ||
| fi | ||
|
|
||
| # CLEANUP PHASE | ||
| echo "No differences found - proceeding with cleanup" | ||
|
|
||
| # Close the PR | ||
| echo "Closing PR #$pr_number..." | ||
| close_result=$(curl -sSL \ | ||
| -X PATCH \ | ||
| -H "Accept: application/vnd.github+json" \ | ||
| -H "Authorization: Bearer $INTEROP_INFRA_REPO_TOKEN" \ | ||
| -H "X-GitHub-Api-Version: 2022-11-28" \ | ||
| "https://api.github.com/repos/${{ vars.INTEROP_INFRA_REPO }}/pulls/$pr_number" \ | ||
| -d '{"state":"closed"}') | ||
|
|
||
| close_status=$(echo "$close_result" | jq -r '.state // "error"') | ||
| if [[ "$close_status" == "closed" ]]; then | ||
| echo "Successfully closed PR #$pr_number" | ||
|
|
||
| # Delete remote branch | ||
| echo "Deleting branch $branch_name..." | ||
| if git push origin --delete "$branch_name" 2>/dev/null; then | ||
| echo "Successfully deleted branch $branch_name" | ||
| else | ||
| echo "WARNING: Failed to delete branch $branch_name" | ||
| fi | ||
| else | ||
| echo "ERROR: Failed to close PR #$pr_number: $close_result" | ||
| exit 1 | ||
| fi | ||
|
|
||
| echo "Cleanup completed for $ENVIRONMENT environment" |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 23 days ago
To resolve this issue, an explicit permissions block should be added to the cleanup job definition within .github/workflows/apigw-automation.yaml. The minimal starting point recommended by CodeQL is contents: read. However, the steps within this job manipulate pull requests (closing/deleting via gh pr close), so you should include pull-requests: write in addition to contents: read. The block should look like:
permissions:
contents: read
pull-requests: writeSpecifically, insert this block directly under runs-on: ubuntu-latest in the cleanup job. No other changes or external dependencies are required.
Suggested changeset
1
.github/workflows/apigw-automation.yaml
| @@ -578,6 +578,9 @@ | ||
| # =========================================== | ||
| cleanup: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| pull-requests: write | ||
| if: github.event.action == 'closed' && github.event.pull_request.merged == true | ||
| strategy: | ||
| fail-fast: false |
Copilot is powered by AI and may make mistakes. Always verify output.
…ed label automated - used gh cli instead of curl
Comment on lines
+71
to
+77
| - name: Checkout local repository | ||
| uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 | ||
| with: | ||
| ref: ${{ github.head_ref }} | ||
| fetch-depth: 2 | ||
|
|
||
| - name: Detect relevant changes (diff + reverts) |
Check warning
Code scanning / CodeQL
Checkout of untrusted code in trusted context Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 23 days ago
General approach:
To fix the problem, split the workflow into two separate workflows:
- The first ("Untrusted") is triggered by
pull_request, runs with restricted permissions, and checks out/runs code as required. It saves results (such as test results, lists of changed files, etc.) as artifacts. - The second ("Privileged") is triggered by
workflow_runupon successful completion of the first workflow. It does not checkout pull request code (unless absolutely necessary and then with careful verification) and instead downloads and processes the artifacts from the first workflow. All privileged actions (such as commenting with secrets, updating branches, deploying) are done here, away from direct PR code.
Detailed steps in this code:
- In
.github/workflows/apigw-automation.yaml, refactor so that:- Job 1 ("propagate") is limited to analyzing changes and producing an artifact summarizing which environments and microservices are affected.
- Remove all privileged operations (such as writing to remote branches, using repository write tokens, calling APIs with secrets) from the pull request workflow.
- Add a step to upload artifacts summarizing results.
- A new workflow (to be created separately, e.g.,
.github/workflows/apigw-automation-privileged.yaml) triggered byworkflow_runwill download the artifact, verify content, and perform privileged operations.
Required changes in this snippet:
- In
.github/workflows/apigw-automation.yaml:- Add an artifact upload step at the end of the propagate job, summarizing if changes were detected and for which environment.
- Remove or clearly isolate any steps that use repository secrets/tokens or perform writes, ensuring such steps only occur in a second workflow not shown in this snippet.
Methods/Imports/Definitions needed:
- Use
actions/upload-artifact@v3or similar for artifact creation. - Ensure subsequent privileged workflow downloads and verifies the artifact before performing privileged operations (not shown here).
Suggested changeset
1
.github/workflows/apigw-automation.yaml
| @@ -98,7 +98,16 @@ | ||
| exit 0 | ||
| fi | ||
|
|
||
| - name: Extract microservice tags | ||
| - name: Save propagate result for privileged workflow | ||
| run: | | ||
| mkdir -p propagate-artifact | ||
| echo "environment=${ENVIRONMENT}" > propagate-artifact/env.txt | ||
| echo "has_relevant_changes=$(cat $GITHUB_OUTPUT | grep has_relevant_changes | cut -d= -f2)" > propagate-artifact/changes.txt | ||
| - name: Upload propagate artifact | ||
| uses: actions/upload-artifact@v3 | ||
| with: | ||
| name: propagate-result | ||
| path: propagate-artifact/ | ||
| if: steps.detect-changes.outputs.has_relevant_changes == 'true' | ||
| id: extract-tags | ||
| run: | |
Copilot is powered by AI and may make mistakes. Always verify output.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.