108 lines
4.1 KiB
YAML
108 lines
4.1 KiB
YAML
name: Sync Audit Log data
|
|
|
|
# **What it does**: This updates our Audit Logs schema.
|
|
# **Why we have it**: We want our Audit Logs up to date.
|
|
# **Who does it impact**: Docs engineering, people reading Audit Logs.
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
schedule:
|
|
- cron: '20 16 * * *' # Run every day at 16:20 UTC / 8:20 PST
|
|
|
|
permissions:
|
|
contents: write
|
|
pull-requests: write
|
|
|
|
# This allows a subsequently queued workflow run to interrupt previous runs
|
|
concurrency:
|
|
group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
update-audit-log-files:
|
|
if: github.repository == 'github/docs-internal'
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
|
|
|
- uses: ./.github/actions/node-npm-setup
|
|
|
|
- name: Run updater script
|
|
env:
|
|
# need to use a token from a user with access to github/audit-log-allowlists for this step
|
|
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
|
|
run: |
|
|
npm run sync-audit-log
|
|
|
|
- name: Get the audit-log-allowlists SHA being synced
|
|
id: audit-log-allowlists
|
|
run: |
|
|
COMMIT_SHA=$(cat src/audit-logs/lib/config.json | jq -r '.sha')
|
|
echo "COMMIT_SHA=$COMMIT_SHA" >> $GITHUB_OUTPUT
|
|
echo "Commit SHA from audit-log-allowlists: $COMMIT_SHA"
|
|
if [ -z $COMMIT_SHA ]; then
|
|
echo "audit-log-allowlists commit SHA is empty!"
|
|
exit 1
|
|
fi
|
|
|
|
- name: Create and merge pull request
|
|
env:
|
|
# Needed for gh
|
|
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
|
|
run: |
|
|
# If nothing to commit, exit now. It's fine. No orphans.
|
|
changes=$(git diff --name-only | wc -l)
|
|
untracked=$(git status --untracked-files --short | wc -l)
|
|
filesChanged=$(git diff --name-only)
|
|
# There will always be at least one file changed:
|
|
# src/audit-logs/lib/config.json
|
|
# If the config file is the only file changed, exit.
|
|
if [[ $changes -eq 1 ]] && [[ $untracked -eq 1 ]] && [[ $filesChanged == *lib/config.json ]]; then
|
|
echo "There are no changes to commit or untracked files. Exiting..."
|
|
exit 0
|
|
fi
|
|
|
|
git config --global user.name "docs-bot"
|
|
git config --global user.email "77750099+docs-bot@users.noreply.github.com"
|
|
|
|
branchname=audit-logs-schema-update-${{ steps.audit-log-allowlists.outputs.COMMIT_SHA }}
|
|
|
|
remotesha=$(git ls-remote --heads origin $branchname)
|
|
if [ -n "$remotesha" ]; then
|
|
# output is not empty, it means the remote branch exists
|
|
echo "Branch $branchname already exists in 'github/docs-internal'. Exiting..."
|
|
exit 0
|
|
fi
|
|
|
|
git checkout -b $branchname
|
|
git add .
|
|
git commit -m "Add updated audit log event data"
|
|
git push origin $branchname
|
|
|
|
echo "Creating pull request..."
|
|
gh pr create \
|
|
--title "Update audit log event data" \
|
|
--body '👋 humans. This PR updates the audit log event data with the latest changes. (Synced from github/audit-log-allowlists)
|
|
|
|
If CI does not pass or other problems arise, contact #docs-engineering on slack.' \
|
|
--repo github/docs-internal \
|
|
--label audit-log-pipeline \
|
|
--head=$branchname
|
|
|
|
# can't approve your own PR, approve with Actions
|
|
unset GITHUB_TOKEN
|
|
gh auth login --with-token <<< "${{ secrets.GITHUB_TOKEN }}"
|
|
gh pr review --approve
|
|
|
|
# Actions can't merge the PR so back to docs-bot to merge the PR
|
|
unset GITHUB_TOKEN
|
|
gh auth login --with-token <<< "${{ secrets.DOCS_BOT_PAT_BASE }}"
|
|
gh pr merge --auto
|
|
|
|
- uses: ./.github/actions/slack-alert
|
|
if: ${{ failure() && github.event_name != 'workflow_dispatch' }}
|
|
with:
|
|
slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }}
|
|
slack_token: ${{ secrets.SLACK_DOCS_BOT_TOKEN }}
|