semgrep · yosefAlsuhaibani · Aug 2, 2024 · Aug 2, 2024 · Aug 2, 2024 · Aug 2, 2024
diff --git a/.github/workflows/bump_version.yml b/.github/workflows/bump_version.yml
@@ -0,0 +1,130 @@
+jobs:
+  bump-version:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: write
+      pull-requests: write
+      checks: write
+    env:
+      NEW_SEMGREP_VERSION: ${{ github.event.inputs.version }}
+    steps:
+      - id: jwt
+        env:
+          EXPIRATION: 600
+          ISSUER: ${{ secrets.SEMGREP_CI_APP_ID }}
+          PRIVATE_KEY: ${{ secrets.SEMGREP_CI_APP_KEY }}
+        name: Get JWT for semgrep-ci GitHub App
+        uses: docker://public.ecr.aws/y9k7q4m1/devops/cicd:latest
+
+      - id: token
+        name: Get token for semgrep-ci GitHub App
+        run: |
+          TOKEN="$(curl -X POST \
+          -H "Authorization: Bearer ${{ steps.jwt.outputs.jwt }}" \
+          -H "Accept: application/vnd.github.v3+json" \
+          "https://api.github.com/app/installations/${{ secrets.SEMGREP_CI_APP_INSTALLATION_ID }}/access_tokens" | \
+          jq -r .token)"
+          echo "::add-mask::$TOKEN"
+          echo "token=$TOKEN" >> $GITHUB_OUTPUT
+
+      - uses: actions/checkout@v3
+        with:
+          token: ${{ steps.token.outputs.token }}
+
+      - name: Bump version in this repo
+        run: scripts/bump-version.sh "$NEW_SEMGREP_VERSION"
+
+      - name: Commit and push
+        id: commit
+        env:
+          BRANCH: "gha/bump-version-${NEW_SEMGREP_VERSION}-${{ github.run_id }}-${{ github.run_attempt }}"
+          SUBJECT: "Bump semgrep to ${NEW_SEMGREP_VERSION}"
+        run: |
+          git config user.name ${{ github.actor }}
+          git config user.email ${{ github.actor }}@users.noreply.github.com
+          git checkout -b $BRANCH
+          git add .
+          git commit -m "$SUBJECT"
+          git tag "v$NEW_SEMGREP_VERSION" HEAD
+          git push --set-upstream origin $BRANCH
+          echo "branch=$BRANCH" >> $GITHUB_OUTPUT
+          echo "subject=$SUBJECT" >> $GITHUB_OUTPUT
+
+      - name: Create PR
+        id: open-pr
+        env:
+          SOURCE: "${{ steps.commit.outputs.branch }}"
+          TARGET: "${{ github.event.repository.default_branch }}"
+          TITLE: "chore: Release Version ${{ inputs.version }}"
+          GITHUB_TOKEN: ${{ steps.token.outputs.token }}
+          VERSION: "${{ inputs.version }}"
+        run: |
+          # check if the branch already has a pull request open
+          if gh pr list --head ${SOURCE} | grep -vq "no pull requests"; then
+              # pull request already open
+              echo "pull request from SOURCE ${SOURCE} to TARGET ${TARGET} is already open";
+              echo "cancelling release"
+              exit 1
+          fi
+          # open new pull request with the body of from the local template.
+          res=$(gh pr create --title "${TITLE}" --body "Bump Semgrep Version to ${VERSION}" \
+            --base "${TARGET}" --head "${SOURCE}" --reviewer semgrep/cdx)
+
+      - name: Approve & Merge PR
+        run: |
+          gh pr review --approve ${{ steps.commit.branch }}
+          gh pr merge --auto --squash ${{ steps.commit.branch }}
+
+      - name: bump-yaml
+        run: scripts/bump-version-yaml.sh "$NEW_SEMGREP_VERSION"
+
+      - name: Commit and push
+        id: commit-yaml
+        env:
+          BRANCH: "gha/bump-version-yaml-${NEW_SEMGREP_VERSION}-${{ github.run_id }}-${{ github.run_attempt }}"
+          SUBJECT: "Bump semgrep to ${NEW_SEMGREP_VERSION}"
+        run: |
+          git config user.name ${{ github.actor }}
+          git config user.email ${{ github.actor }}@users.noreply.github.com
+          git checkout -b $BRANCH
+          git add .
+          git commit -m "$SUBJECT"
+          git push --set-upstream origin $BRANCH
+          echo "branch=$BRANCH" >> $GITHUB_OUTPUT
+          echo "subject=$SUBJECT" >> $GITHUB_OUTPUT
+
+      - name: Create PR
+        id: open-2nd-pr
+        env:
+          SOURCE: "${{ steps.commit-yaml.outputs.branch }}"
+          TARGET: "${{ github.event.repository.default_branch }}"
+          TITLE: "chore: Release Version ${{ inputs.version }}"
+          GITHUB_TOKEN: ${{ steps.token.outputs.token }}
+          VERSION: "${{ inputs.version }}"
+        run: |
+          # check if the branch already has a pull request open
+          if gh pr list --head ${SOURCE} | grep -vq "no pull requests"; then
+              # pull request already open
+              echo "pull request from SOURCE ${SOURCE} to TARGET ${TARGET} is already open";
+              echo "cancelling release"
+              exit 1
+          fi
+          # open new pull request with the body of from the local template.
+          res=$(gh pr create --title "${TITLE}" --body "Bump Semgrep Version to ${VERSION}" \
+            --base "${TARGET}" --head "${SOURCE}" --reviewer semgrep/cdx)
+
+      - name: Approve & Merge yaml PR
+        run: |
+          gh pr review --approve ${{ steps.commit-yaml.branch }}
+          gh pr merge --auto --squash ${{ steps.commit-yaml.branch }}
+
+
+name: bump-version
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "Version of semgrep to use"
+        required: true
+        type: string
diff --git a/.github/workflows/inc-version.yml b/.github/workflows/inc-version.yml
@@ -0,0 +1,23 @@
+name: inc-version
+on:
+  workflow_dispatch:
+    inputs:
+      commit-sha-to-release:
+        description: The full commit SHA in semgrep-pro that you'd like to release. It must match the output of the push-pr-binaries job after it runs successfully on the 'develop' branch. It is used to name the release candidate binaries uploaded to S3.
+        required: true
+        type: string
+      dry-run:
+        default: false
+        description: Whether a dry-run (e.g., print tags to push) should be peformed. Actually push images if false.
+        required: true
+        type: boolean
+      semgrep-version:
+        description: The version of Semgrep OSS that this Pro release is built for. This is the version that is about to be released and should be what the previous version bump step set the OSS version to in the previous step. This is only really required as a safety check, failing to get the version correct here will only cause this step to fail and should not break anything.
+        required: true
+        type: string
+jobs:
+jobs:
+  test-hooks:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
diff --git a/scripts/bump-version-yaml.sh b/scripts/bump-version-yaml.sh
@@ -0,0 +1,10 @@
+VERSION=$1
+
+sed -ie "s/\(rev\:*\) \'v[0-9.]*\'/\1 \'v$VERSION\'/" .pre-commit-config.yaml
+
+# commit & tag & push code
+git checkout -b bump-pre-commit-yaml-to-$VERSION
+git add .pre-commit-config.yaml
+git commit -m "Bump to version $VERSION"
+
+git push origin HEAD
diff --git a/scripts/bump-version.sh b/scripts/bump-version.sh
@@ -0,0 +1,6 @@
+VERSION=$1
+
+# Do text substitution in setup.py & README.md
+sed -ie "s/\(version\)=\"[0-9.]*\"\,/\1=\"$VERSION\"\,/" setup.py
+sed -ie "s/\(semgrep\)==[0-9.]*/\1==$VERSION/" setup.py
+sed -ie "s/\(rev\:*\) \'v[0-9.]*\'/\1 \'v$VERSION\'/" README.md