Adding audit log actions workflow (#37253)

Co-authored-by: Robert Sese <734194+rsese@users.noreply.github.com> Co-authored-by: Rachael Sewell <rachmari@github.com>
2026-01-07 09:01:31 -05:00 · 2023-08-18 10:39:55 -07:00
parent afb6ca7756
commit 8d2de79d5f
1 changed files with 114 additions and 0 deletions
--- a/.github/workflows/sync-audit-logs.yml
+++ b/.github/workflows/sync-audit-logs.yml
@@ -0,0 +1,114 @@
+name: Sync Audit Log data
+
+# **What it does**: This updates our Audit Logs schema.
+# **Why we have it**: We want our Audit Logs up to date.
+# **Who does it impact**: Docs engineering, people reading Audit Logs.
+
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+# **IMPORTANT:** Do not change the FREEZE environment variable set here!
+# This workflow runs on a recurring basis. To temporarily disable it (e.g.,
+# during a docs deployment freeze), add an Actions Secret to the repo settings
+# called `FREEZE` with a value of `true`. To re-enable Audit Logs updates, simply
+# delete that Secret from the repo settings. The environment variable here
+# will duplicate that Secret's value for later evaluation.
+env:
+  FREEZE: ${{ secrets.FREEZE }}
+
+# This allows a subsequently queued workflow run to interrupt previous runs
+concurrency:
+  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: true
+
+jobs:
+  update_audit_logs_files:
+    if: github.repository == 'github/docs-internal'
+    runs-on: ubuntu-latest
+    steps:
+      - if: ${{ env.FREEZE == 'true' }}
+        run: |
+          echo 'The repo is currently frozen! Exiting this workflow.'
+          exit 1 # prevents further steps from running
+
+      - name: Checkout
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+
+      - uses: ./.github/actions/node-npm-setup
+
+      - name: Run updater script
+        env:
+          # need to use a token from a user with access to github/audit-log-allowlists for this step
+          GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
+        run: |
+          src/audit-logs/scripts/sync.js
+
+      - name: Check if changes exist
+        id: changes-exist
+        run: |
+          # If nothing to commit, exit now. It's fine. No orphans.
+          changes=$(git diff --name-only | wc -l)
+          untracked=$(git status --untracked-files --short | wc -l)
+          if [[ $changes -eq 0 ]] && [[ $untracked -eq 0 ]]; then
+            echo "There are no changes to commit after running src/audit-logs/scripts/sync.js. Exiting..."
+            echo "CHANGES_EXIST=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          else
+            echo "CHANGES_EXIST=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Create pull request
+        if: ${{ steps.changes-exist.outputs.CHANGES_EXIST == 'true' }}
+        id: create-pull-request
+        uses: peter-evans/create-pull-request@5b4a9f6a9e2af26e5f02351490b90d01eb8ec1e5 # pin @v5.0.0
+        env:
+          # Disable pre-commit hooks; they don't play nicely here
+          HUSKY: '0'
+        with:
+          # Need to use a token with repo and workflow scopes for this step.
+          # Token should be a PAT because actions performed with GITHUB_TOKEN
+          # don't trigger other workflows and this action force pushes updates
+          # from the default branch.
+          token: ${{ secrets.DOCS_BOT_PAT_WORKFLOW }}
+          commit-message: 'Update Audit Logs data files'
+          title: Audit Logs schema update
+          body:
+            "Hello! Some Audit Logs data in github/audit-log-allowlists was updated recently. This PR
+            syncs up the Audit Logs data in this repo.\n\n
+            If CI passes, this PR will be auto-merged. :green_heart:\n\n
+            If CI does not pass or other problems arise, contact #docs-engineering on slack."
+          branch: audit-logs-schema-update
+
+      - name: Enable GitHub auto-merge
+        if: ${{ steps.create-pull-request.outputs.pull-request-number }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
+          AUTOMERGE_PR_NUMBER: ${{ steps.create-pull-request.outputs.pull-request-number }}
+        run: node .github/actions-scripts/enable-automerge.js
+
+      - if: ${{ failure() && env.FREEZE != 'true'}}
+        name: Delete remote branch (if previous steps failed)
+        uses: dawidd6/action-delete-branch@47743101a121ad657031e6704086271ca81b1911
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          branches: audit-logs-schema-update
+
+      - if: ${{ steps.create-pull-request.outputs.pull-request-number }}
+        name: Approve
+        uses: juliangruber/approve-pull-request-action@dcc4effb325c0b503408619918d56e40653dcc91
+        with:
+          github-token: ${{ secrets.DOCUBOT_REPO_PAT }}
+          number: ${{ steps.create-pull-request.outputs.pull-request-number }}
+
+      # - name: Send Slack notification if workflow fails
+      #   uses: someimportantcompany/github-actions-slack-message@1d367080235edfa53df415bd8e0bbab480f29bad
+      #   if: ${{ failure() && env.FREEZE != 'true' }}
+      #   with:
+      #     channel: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }}
+      #     bot-token: ${{ secrets.SLACK_DOCS_BOT_TOKEN }}
+      #     color: failure
+      #     text: The last sync-audit-logs run for ${{github.repository}} failed. See https://github.com/${{github.repository}}/actions/workflows/sync-audit-logs.yml