Trigger AWS Lambda tests on label (#2538)
Our AWS Lambda test suite currently doesn't run properly on external contributor PRs because it needs access to repo secrets, which it currently doesn't have. This PR adds a label to grant access to the secrets, which is invalidated upon any new code changes.
1 parent
c0f4a9d
commit cd3f08b
Showing
6 changed files
with
157 additions
and
1 deletion.
@@ -0,0 +1,72 @@ | ||
#!/usr/bin/env python3 | ||
import argparse | ||
import json | ||
import os | ||
from urllib.parse import quote | ||
from urllib.request import Request, urlopen | ||
|
||
LABEL = "Trigger: tests using secrets" | ||
|
||
|
||
def _has_write(repo_id: int, username: str, *, token: str) -> bool: | ||
req = Request( | ||
f"https://api.github.com/repositories/{repo_id}/collaborators/{username}/permission", | ||
headers={"Authorization": f"token {token}"}, | ||
) | ||
contents = json.load(urlopen(req, timeout=10)) | ||
|
||
return contents["permission"] in {"admin", "write"} | ||
|
||
|
||
def _remove_label(repo_id: int, pr: int, label: str, *, token: str) -> None: | ||
quoted_label = quote(label) | ||
req = Request( | ||
f"https://api.github.com/repositories/{repo_id}/issues/{pr}/labels/{quoted_label}", | ||
method="DELETE", | ||
headers={"Authorization": f"token {token}"}, | ||
) | ||
urlopen(req) | ||
|
||
|
||
def main() -> int: | ||
parser = argparse.ArgumentParser() | ||
parser.add_argument("--repo-id", type=int, required=True) | ||
parser.add_argument("--pr", type=int, required=True) | ||
parser.add_argument("--event", required=True) | ||
parser.add_argument("--username", required=True) | ||
parser.add_argument("--label-names", type=json.loads, required=True) | ||
args = parser.parse_args() | ||
|
||
token = os.environ["GITHUB_TOKEN"] | ||
|
||
write_permission = _has_write(args.repo_id, args.username, token=token) | ||
|
||
if ( | ||
not write_permission | ||
# `reopened` is included here due to close => push => reopen | ||
and args.event in {"synchronize", "reopened"} | ||
and LABEL in args.label_names | ||
): | ||
print(f"Invalidating label [{LABEL}] due to code change...") | ||
_remove_label(args.repo_id, args.pr, LABEL, token=token) | ||
args.label_names.remove(LABEL) | ||
|
||
if write_permission or LABEL in args.label_names: | ||
print("Permissions passed!") | ||
print(f"- has write permission: {write_permission}") | ||
print(f"- has [{LABEL}] label: {LABEL in args.label_names}") | ||
return 0 | ||
else: | ||
print("Permissions failed!") | ||
print(f"- has write permission: {write_permission}") | ||
print(f"- has [{LABEL}] label: {LABEL in args.label_names}") | ||
print(f"- args.label_names: {args.label_names}") | ||
print( | ||
f"Please have a collaborator add the [{LABEL}] label once they " | ||
f"have reviewed the code to trigger tests." | ||
) | ||
return 1 | ||
|
||
|
||
if __name__ == "__main__": | ||
raise SystemExit(main()) |
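Review bot: `_has_write` puts `username` into the request path unescaped, although `_remove_label` passes its label through `quote()` and the workflow template notes that the login can contain special characters (bot logins carry brackets); encode it the same way with `quote(username, safe="")`. The `urlopen(req)` in `_remove_label` has no timeout, unlike the `timeout=10` in `_has_write`, so a stalled DELETE hangs the gate instead of failing it; `urlopen(req, timeout=10)` would match. The gate in `main` also accepts the label's presence without checking who applied it, while only `admin`/`write` count as trusted for the author check, so it is worth confirming that no role below write can add labels in this repository and recording that assumption in a module docstring.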
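--- /dev/null
+++ b/scripts/split-tox-gh-actions/templates/check_permissions.jinja
@@ -0,0 +1,25 @@
+check-permissions:
+name: permissions check
+runs-on: ubuntu-20.04
+steps:
+- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+with:
+persist-credentials: false
+
+- name: permissions
+run: |
+{% raw %}
+python3 -uS .github/workflows/scripts/trigger_tests_on_label.py \
+--repo-id ${{ github.event.repository.id }} \
+--pr ${{ github.event.number }} \
+--event ${{ github.event.action }} \
+--username "$ARG_USERNAME" \
+--label-names "$ARG_LABEL_NAMES"
+{% endraw %}
+env:
+{% raw %}
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+# these can contain special characters
+ARG_USERNAME: ${{ github.event.pull_request.user.login }}
+ARG_LABEL_NAMES: ${{ toJSON(github.event.pull_request.labels.*.name) }}
+{% endraw %}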
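Review bot: The `check-permissions` job declares no `permissions:` block, so `GITHUB_TOKEN` carries whatever the workflow or repository default grants, although the script only reads a collaborator permission and deletes one label; a job-level `permissions:` limited to reading contents and editing pull-request labels would keep the token to that (exact scope names to be confirmed against the label API). The checkout step sets no `ref`, so which revision of `trigger_tests_on_label.py` runs depends on the trigger, which this template does not show; a comment such as `# runs the base-branch copy of the script; never check out the PR head in this job` would record the assumption. The jobs that depend on this gate are outside this section, but they should test the head SHA from the event payload rather than the moving branch, so a push that lands between review and run is not what receives the secrets.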