semgrep · yosefAlsuhaibani · Aug 16, 2024 · Aug 2, 2024 · Aug 2, 2024 · Aug 2, 2024
diff --git a/.github/workflows/autoapprove.yml b/.github/workflows/autoapprove.yml
@@ -0,0 +1,73 @@
+# This workflow auto approves the PR generated by the bump_version
+# workflow, and moves the tag that was created in the PR's branch
+# to develop.
+
+name: github-actions auto-approve
+on: pull_request_target
+
+permissions:
+  pull-requests: write
+  contents: write
+
+jobs:
+  approve-bot:
+    runs-on: ubuntu-latest
+    if: ${{ github.event.pull_request.user.login == 'semgrep-ci[bot]'}}
+    steps:
+      - name: Approve
+        run: gh pr review --approve "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Watch untill PR checks are done
+        run: gh pr checks --required --watch  "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Merge PR
+        run: gh pr merge --squash "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      # Now we switch to semgrep-ci[bot] to actually be able to
+      # move the tag we created in bump_version.yml from the
+      # release branch to develop
+
+      - id: jwt
+        env:
+          EXPIRATION: 600
+          ISSUER: ${{ secrets.SEMGREP_CI_APP_ID }}
+          PRIVATE_KEY: ${{ secrets.SEMGREP_CI_APP_KEY }}
+        name: Get JWT for semgrep-ci GitHub App
+        uses: docker://public.ecr.aws/y9k7q4m1/devops/cicd:latest
+
+      - id: token
+        name: Get token for semgrep-ci GitHub App
+        run: |
+          TOKEN="$(curl -X POST \
+          -H "Authorization: Bearer ${{ steps.jwt.outputs.jwt }}" \
+          -H "Accept: application/vnd.github.v3+json" \
+          "https://api.github.com/app/installations/${{ secrets.SEMGREP_CI_APP_INSTALLATION_ID }}/access_tokens" | \
+          jq -r .token)"
+          echo "::add-mask::$TOKEN"
+          echo "token=$TOKEN" >> $GITHUB_OUTPUT
+
+      - uses: actions/checkout@v4
+        with:
+          ref: develop
+          token: ${{ steps.token.outputs.token }}
+
+      - name: Move tag to develop branch
+        env:
+          GITHUB_TOKEN: ${{ steps.token.outputs.token }}
+        run: |
+          CURR_VERSION=$(grep -o 'version=\"[0-9.]*\"' setup.py | sed "s/version=\"\([0-9.]*\)\"/\1/")
+          # We tagged the release branch first in bump_version.yml
+          # to allow tests to pass; now moving it to develop so
+          # it can be a part of its history
+          git push --delete origin "v${CURR_VERSION}"
+          git tag "v${CURR_VERSION}" HEAD
+          git push origin tag "v${CURR_VERSION}"
diff --git a/.github/workflows/bump_version.yml b/.github/workflows/bump_version.yml
@@ -0,0 +1,86 @@
+# This workflow is called by the start release workflow to bump this
+# repo's semgrep version to the newly release version; triggered by
+# the start-release workflow.
+
+jobs:
+  bump-version:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: write
+      pull-requests: write
+      checks: write
+    env:
+      NEW_SEMGREP_VERSION: ${{ github.event.inputs.version }}
+    steps:
+      - id: jwt
+        env:
+          EXPIRATION: 600
+          ISSUER: ${{ secrets.SEMGREP_CI_APP_ID }}
+          PRIVATE_KEY: ${{ secrets.SEMGREP_CI_APP_KEY }}
+        name: Get JWT for semgrep-ci GitHub App
+        uses: docker://public.ecr.aws/y9k7q4m1/devops/cicd:latest
+
+      - id: token
+        name: Get token for semgrep-ci GitHub App
+        run: |
+          TOKEN="$(curl -X POST \
+          -H "Authorization: Bearer ${{ steps.jwt.outputs.jwt }}" \
+          -H "Accept: application/vnd.github.v3+json" \
+          "https://api.github.com/app/installations/${{ secrets.SEMGREP_CI_APP_INSTALLATION_ID }}/access_tokens" | \
+          jq -r .token)"
+          echo "::add-mask::$TOKEN"
+          echo "token=$TOKEN" >> $GITHUB_OUTPUT
+
+      - uses: actions/checkout@v4
+        with:
+          token: ${{ steps.token.outputs.token }}
+
+      - name: Bump version in this repo
+        run: scripts/bump-version.sh "${NEW_SEMGREP_VERSION}"
+
+      - name: Commit and push
+        id: commit
+        env:
+          BRANCH: "gha/bump-version-${{ github.event.inputs.version }}-${{ github.run_id }}-${{ github.run_attempt }}"
+          SUBJECT: "Bump setup to ${{ github.event.inputs.version }}"
+        run: |
+          git config user.name ${{ github.actor }}
+          git config user.email ${{ github.actor }}@users.noreply.github.com
+          git checkout -b $BRANCH
+          git commit -am "$SUBJECT"
+          git tag "v${NEW_SEMGREP_VERSION}" HEAD
+          git remote -vv
+          git push --set-upstream origin $BRANCH
+          git push origin tag "v$NEW_SEMGREP_VERSION"
+          echo "branch=$BRANCH" >> $GITHUB_OUTPUT
+          echo "subject=$SUBJECT" >> $GITHUB_OUTPUT
+
+      - name: Create PR
+        id: open-pr
+        env:
+          SOURCE: "${{ steps.commit.outputs.branch }}"
+          TARGET: "${{ github.event.repository.default_branch }}"
+          TITLE: "chore: update pre-commit to semgrep ${{ inputs.version }}"
+          GITHUB_TOKEN: ${{ steps.token.outputs.token }}
+          VERSION: "${{ inputs.version }}"
+        run: |
+          # check if the branch already has a pull request open
+          if gh pr list --head ${SOURCE} | grep -vq "no pull requests"; then
+              # pull request already open
+              echo "pull request from SOURCE ${SOURCE} to TARGET ${TARGET} is already open";
+              echo "cancelling release"
+              exit 1
+          fi
+          # open new pull request with the body of from the local template.
+          res=$(gh pr create --title "${TITLE}" --body "Bump Semgrep Version to ${VERSION}" \
+            --base "${TARGET}" --head "${SOURCE}")
+
+name: bump-version
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "Version of semgrep to use"
+        required: true
+        type: string
diff --git a/scripts/bump-version.sh b/scripts/bump-version.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+VERSION=$1
+OLD_VERSION=$(grep -o 'version=\"[0-9.]*\"' setup.py | sed "s/version=\"\([0-9.]*\)\"/\1/")
+
+# Do text substitution in setup.py & README.md
+sed "s/$OLD_VERSION/$VERSION/" setup.py > tmp
+mv tmp setup.py
+sed "s/$OLD_VERSION/$VERSION/" README.md > tmp
+mv tmp README.md
+sed "s/$OLD_VERSION/$VERSION/" .pre-commit-config.yaml > tmp
+mv tmp .pre-commit-config.yaml