fix: resolve comments

Signed-off-by: matttrach <matt.trachier@suse.com>

Author: matttrach

get-pr-comments.sh

@@ -1,8 +1,40 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
 # This gets all of the comments for a PR, helpful when writing with an agent.
 # Expects your environment to have GITHUB_TOKEN with a PAT that can access the API.
+
+if [ -z "${GITHUB_TOKEN:-}" ]; then
+  echo "Error: GITHUB_TOKEN environment variable is not set." >&2
+  exit 1
+fi
+
+if ! command -v jq >/dev/null 2>&1; then
+  echo "Error: jq is required but not installed." >&2
+  exit 1
+fi
+
 PROJECT="rancher/terraform-rancher2-aws"
-PULL_ID=$1
+PULL_ID=${1:-}
+
+if [ -z "$PULL_ID" ]; then
+  echo "Error: PR ID argument is required." >&2
+  echo "Usage: $0 <pr-id>" >&2
+  exit 1
+fi
+
+OWNER=$(echo "$PROJECT" | cut -d/ -f1)
+REPO=$(echo "$PROJECT" | cut -d/ -f2)
+
+# The GitHub REST API doesn't expose resolution status. We switch to GraphQL to filter by 'isResolved'.
+JSON_PAYLOAD=$(jq -n \
+  --arg q 'query($owner: String!, $name: String!, $pr: Int!) { repository(owner: $owner, name: $name) { pullRequest(number: $pr) { reviewThreads(first: 100) { nodes { isResolved comments(first: 50) { nodes { path line diffHunk body } } } } } } }' \
+  --arg owner "$OWNER" \
+  --arg name "$REPO" \
+  --argjson pr "${PULL_ID:-0}" \
+  '{ query: $q, variables: { owner: $owner, name: $name, pr: $pr } }')
+
 curl -s -H "Authorization: Bearer $GITHUB_TOKEN" \
-  -H "Accept: application/vnd.github+json" \
-  "https://api.github.com/repos/$PROJECT/pulls/${PULL_ID}/comments" | \
-  jq -r '.[] | "File: \(.path)\nLine: \(.line)\nDiff:\n\(.diff_hunk)\n\nComment:\n\(.body)\n\n========================================\n"'
+  -X POST -d "$JSON_PAYLOAD" \
+  "https://api.github.com/graphql" | \
+  jq -r '.data.repository.pullRequest.reviewThreads.nodes[]? | select(.isResolved == false) | .comments.nodes[]? | "File: \(.path)\nLine: \(.line)\nDiff:\n\(.diffHunk)\n\nComment:\n\(.body)\n\n========================================\n"'

main.tf

@@ -75,10 +75,6 @@ resource "terraform_data" "input_validation" {
       ))
       error_message = "The fqdn must be a fully qualified domain name"
     }
-    precondition {
-      condition     = local.fqdn == lower(local.fqdn)
-      error_message = "fqdn must be lowercase"
-    }
     precondition {
       condition = (
         local.rancher_helm_chart_values != {} &&

modules/deploy/create.sh.tpl

@@ -19,12 +19,12 @@ trap 'cleanup' INT TERM
 # Handle age decryption if needed
 SECRETS_DECRYPTED=0
 if [ -n "$AGE_KEY_PATH" ] && [ -n "$SECRETS_PATH" ] && [ -f "$AGE_KEY_PATH" ] && [ -f "$SECRETS_PATH" ]; then
-  DECRYPTED_SECRETS="/tmp/secrets.rc"
+  DECRYPTED_SECRETS=$(mktemp /tmp/secrets.XXXXXX)
   echo "Decrypting secrets with age..."
 
   age -d -i "$AGE_KEY_PATH" -o "$DECRYPTED_SECRETS" "$SECRETS_PATH"
   if [ -f "$DECRYPTED_SECRETS" ]; then
-    chmod +x "$DECRYPTED_SECRETS"
+    chmod 0600 "$DECRYPTED_SECRETS"
     # shellcheck disable=SC1090
     . "$DECRYPTED_SECRETS"
     SECRETS_DECRYPTED=1

modules/deploy/destroy.sh.tpl

@@ -17,12 +17,12 @@ trap 'cleanup' INT TERM
 # Handle age decryption if needed
 SECRETS_DECRYPTED=0
 if [ -n "$AGE_KEY_PATH" ] && [ -n "$SECRETS_PATH" ] && [ -f "$AGE_KEY_PATH" ] && [ -f "$SECRETS_PATH" ]; then
-  DECRYPTED_SECRETS="/tmp/secrets.rc"
+  DECRYPTED_SECRETS=$(mktemp /tmp/secrets.XXXXXX)
   echo "Decrypting secrets with age..."
 
   age -d -i "$AGE_KEY_PATH" -o "$DECRYPTED_SECRETS" "$SECRETS_PATH"
   if [ -f "$DECRYPTED_SECRETS" ]; then
-    chmod +x "$DECRYPTED_SECRETS"
+    chmod 0600 "$DECRYPTED_SECRETS"
     # shellcheck disable=SC1090
     . "$DECRYPTED_SECRETS"
     SECRETS_DECRYPTED=1

modules/deploy/main.tf

@@ -103,8 +103,8 @@ resource "file_local" "instantiate_tpl_snapshot" {
     file_local_snapshot.persist_tpl_file,
   ]
   for_each    = local.template_file_map
-  directory   = "${local.deploy_path}/${replace(dirname(each.key), ".", "")}"
-  name        = basename(each.value)
+  directory   = dirname("${local.deploy_path}/${each.key}")
+  name        = basename(each.key)
   permissions = data.file_local.template_files[each.key].permissions
   contents    = base64decode(file_local_snapshot.persist_tpl_file[each.key].snapshot)
 }
@@ -191,7 +191,7 @@ resource "file_local" "generate_files" {
     file_local_directory.template_dirs,
   ]
   for_each    = local.generated_files
-  directory   = "${local.deploy_path}/${replace(dirname(each.key), ".", "")}"
+  directory   = dirname("${local.deploy_path}/${each.key}")
   name        = basename(each.key)
   contents    = each.value
   permissions = "0755"

modules/deploy/variables.tf

@@ -3,6 +3,7 @@ variable "inputs" {
   description = <<-EOT
     Contents of an inputs.tfvars file to save in the deployment path.
   EOT
+  default     = ""
 }
 variable "template_files" {
   type        = map(any)
@@ -31,6 +32,7 @@ variable "data_path" {
     Should match your TF_DATA_DIR environment variable.
     This directory is used to stage all of the various files for your implementation.
   EOT
+  default     = null
 }
 variable "plugin_cache_path" {
   type        = string

test/scripts/readyNodes.sh

@@ -40,7 +40,7 @@ notReady() {
 TIMEOUT=3 # 3 minutes
 TIMEOUT_MINUTES=$((TIMEOUT * 60))
 INTERVAL=10 # 10 seconds
-MAX=$((TIMEOUT_MINUTES / INTERVAL)) # defaults to 6
+MAX=$((TIMEOUT_MINUTES / INTERVAL)) # defaults to 18
 ATTEMPTS=0
 
 while notReady; do