From b7900673921cfdbd05660229e9da2ccadf02bdf3 Mon Sep 17 00:00:00 2001 From: Ben Jarmak Date: Thu, 3 Aug 2023 09:42:46 -0500 Subject: [PATCH 1/4] Change from App auth to an org secret --- .../project_automation_set_in_progress.yml | 16 +--------------- .../project_automation_set_in_review.yml | 14 +------------- .../project_automation_sync_pr_issues.yml | 14 +------------- 3 files changed, 3 insertions(+), 41 deletions(-) diff --git a/.github/workflows/project_automation_set_in_progress.yml b/.github/workflows/project_automation_set_in_progress.yml index d99040365d..32a3b93766 100644 --- a/.github/workflows/project_automation_set_in_progress.yml +++ b/.github/workflows/project_automation_set_in_progress.yml @@ -29,6 +29,7 @@ env: PR_NUMBER: ${{ github.event.pull_request.number }} REPO: ${{ github.event.repository.name }} PR_GLOBAL_ID: ${{ github.event.pull_request.node_id}} + GH_TOKEN: ${{ secrets.CCCL_PROJECT_AUTOMATION_TOKEN }} # The environment vars below are hard-coded from external queries to save time + complexity here # Note: PVT means Project V2, not "Private" @@ -54,21 +55,12 @@ jobs: fi fi - - name: Generate token - id: generate_token - uses: tibdex/github-app-token@v1.8.0 - with: - app_id: ${{ secrets.CCCL_AUTH_APP_ID }} - private_key: ${{ secrets.CCCL_AUTH_APP_PEM }} - - name: Wait 1 Second id: sleep run: sleep 1 - name: Get PR Project ID id: get_pr_id - env: - GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} run: | # Query up to 10 projects for the PR gh api graphql -f query=' @@ -104,8 +96,6 @@ jobs: - name: Set PR Fields id: set_pr_fields - env: - GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} run: | gh api graphql -f query=' mutation { @@ -233,8 +223,6 @@ jobs: - name: Sync Linked Issues id: sync_linked_issues - env: - GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} run: | # Find the linked issues to the PR gh api graphql -f query=' 
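Review bot: Declaring `GH_TOKEN` in the workflow-level `env:` block of project_automation_set_in_progress.yml hands the org secret to every step of every job, including ones such as `Wait 1 Second` that never call the API; the same line is added in project_automation_set_in_review.yml and project_automation_sync_pr_issues.yml. The per-step `env:` entries removed here limited the credential to the `gh api` steps, and the App token they carried was minted per run, whereas `CCCL_PROJECT_AUTOMATION_TOKEN` is presumably a longer-lived token whose type, scopes and expiry are not visible on this page. If this approach is revisited (PATCH 3/4 backs it out), keep the secret on the steps that need it, with `GH_TOKEN: ${{ secrets.CCCL_PROJECT_AUTOMATION_TOKEN }}` under each `gh api` step's own `env:`. A comment recording the token's scopes and who rotates it would also help.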
@@ -339,8 +327,6 @@ jobs: id: set_pr_draft # only run if PR is not a draft if: ${{ github.event.pull_request.draft }} == false - env: - GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} run: | # Set the PR to draft using the graphQL API gh api graphql -f query=' diff --git a/.github/workflows/project_automation_set_in_review.yml b/.github/workflows/project_automation_set_in_review.yml index 5ce02392db..a03b3fb9d1 100644 --- a/.github/workflows/project_automation_set_in_review.yml +++ b/.github/workflows/project_automation_set_in_review.yml @@ -25,6 +25,7 @@ env: ORG: ${{ github.event.repository.owner.login }} PR_NUMBER: ${{ github.event.pull_request.number }} REPO: ${{ github.event.repository.name }} + GH_TOKEN: ${{ secrets.CCCL_PROJECT_AUTOMATION_TOKEN }} # The environment vars below are hard-coded from external queries to save time + complexity here # Note: PVT means Project V2, not "Private" @@ -38,21 +39,12 @@ jobs: runs-on: ubuntu-latest steps: - - name: Generate token - id: generate_token - uses: tibdex/github-app-token@v1.8.0 - with: - app_id: ${{ secrets.CCCL_AUTH_APP_ID }} - private_key: ${{ secrets.CCCL_AUTH_APP_PEM }} - - name: Wait 1 Second id: sleep run: sleep 1 - name: Get PR Project ID id: get_pr_id - env: - GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} run: | # Query up to 10 projects for the PR gh api graphql -f query=' @@ -88,8 +80,6 @@ jobs: - name: Set PR to In Review id: set_pr_in_review - env: - GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} run: | # Update the PR status to In Review gh api graphql -f query=' @@ -113,8 +103,6 @@ jobs: - name: Set Linked Issues to In Review id: update_linked_issues - env: - GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} run: | gh api graphql -f query=' query { diff --git a/.github/workflows/project_automation_sync_pr_issues.yml b/.github/workflows/project_automation_sync_pr_issues.yml index 58098a9a85..0206ed95d0 100644 
--- a/.github/workflows/project_automation_sync_pr_issues.yml +++ b/.github/workflows/project_automation_sync_pr_issues.yml @@ -25,6 +25,7 @@ env: ORG: ${{ github.event.repository.owner.login }} PR_NUMBER: ${{ github.event.pull_request.number }} REPO: ${{ github.event.repository.name }} + GH_TOKEN: ${{ secrets.CCCL_PROJECT_AUTOMATION_TOKEN }} # The environment vars below are hard-coded from external queries to save time + complexity here # Note: PVT means Project V2, not "Private" @@ -38,21 +39,12 @@ jobs: runs-on: ubuntu-latest steps: - - name: Generate token - id: generate_token - uses: tibdex/github-app-token@v1.8.0 - with: - app_id: ${{ secrets.CCCL_AUTH_APP_ID }} - private_key: ${{ secrets.CCCL_AUTH_APP_PEM }} - - name: Wait 1 Second id: sleep run: sleep 1 - name: Get PR Project ID id: get_pr_id - env: - GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} run: | # Query up to 10 projects for the PR gh api graphql -f query=' @@ -88,8 +80,6 @@ jobs: - name: Get Status, Start Sprint, and Working Sprint Fields from the PR id: get_pr_status - env: - GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} run: | # Query the PR's status from the project gh api graphql -f query=' @@ -146,8 +136,6 @@ jobs: - name: Sync Linked Issues id: update_linked_issues - env: - GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} run: | gh api graphql -f query=' query { From 62f7a169e25f2b6f0d77c2dc7c6bdb4ceaf16d4a Mon Sep 17 00:00:00 2001 From: Ben Jarmak Date: Thu, 3 Aug 2023 09:51:05 -0500 Subject: [PATCH 2/4] Fix labels in issue templates --- .github/ISSUE_TEMPLATE/bug_report.yml | 2 +- .github/ISSUE_TEMPLATE/doc_request.yml | 2 +- .github/ISSUE_TEMPLATE/feature_request.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml index 4d00f14ca3..4ea0b66320 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.yml +++ b/.github/ISSUE_TEMPLATE/bug_report.yml 
@@ -1,7 +1,7 @@ name: Bug Report description: Create a report to help us improve title: '[BUG]: ' -labels: ['Bug'] +labels: ['bug'] body: - type: checkboxes id: check-duplicates diff --git a/.github/ISSUE_TEMPLATE/doc_request.yml b/.github/ISSUE_TEMPLATE/doc_request.yml index 729f13a1df..e96b412a9d 100644 --- a/.github/ISSUE_TEMPLATE/doc_request.yml +++ b/.github/ISSUE_TEMPLATE/doc_request.yml @@ -1,7 +1,7 @@ name: Documentation Request description: Suggest an idea to improve CCCL title: '[DOC]: ' -labels: ['Doc'] +labels: ['doc'] body: - type: checkboxes diff --git a/.github/ISSUE_TEMPLATE/feature_request.yml b/.github/ISSUE_TEMPLATE/feature_request.yml index 9ef8c829b7..39b8b47691 100644 --- a/.github/ISSUE_TEMPLATE/feature_request.yml +++ b/.github/ISSUE_TEMPLATE/feature_request.yml @@ -1,7 +1,7 @@ name: Feature Request description: Suggest an idea to improve CCCL title: '[FEA]: ' -labels: ['Feature'] +labels: ['feature request'] body: - type: checkboxes id: check-duplicates From 20874f18f26aa295aabb43221d6aaa7cc0e32cc6 Mon Sep 17 00:00:00 2001 From: Ben Jarmak Date: Thu, 3 Aug 2023 10:54:13 -0500 Subject: [PATCH 3/4] Revert app secret method, not the root cause --- .../project_automation_set_in_progress.yml | 16 +++++++++++++++- .../project_automation_set_in_review.yml | 14 +++++++++++++- .../project_automation_sync_pr_issues.yml | 14 +++++++++++++- 3 files changed, 41 insertions(+), 3 deletions(-) diff --git a/.github/workflows/project_automation_set_in_progress.yml b/.github/workflows/project_automation_set_in_progress.yml index 32a3b93766..d99040365d 100644 --- a/.github/workflows/project_automation_set_in_progress.yml +++ b/.github/workflows/project_automation_set_in_progress.yml 
@@ -29,7 +29,6 @@ env: PR_NUMBER: ${{ github.event.pull_request.number }} REPO: ${{ github.event.repository.name }} PR_GLOBAL_ID: ${{ github.event.pull_request.node_id}} - GH_TOKEN: ${{ secrets.CCCL_PROJECT_AUTOMATION_TOKEN }} # The environment vars below are hard-coded from external queries to save time + complexity here # Note: PVT means Project V2, not "Private" @@ -55,12 +54,21 @@ jobs: fi fi + - name: Generate token + id: generate_token + uses: tibdex/github-app-token@v1.8.0 + with: + app_id: ${{ secrets.CCCL_AUTH_APP_ID }} + private_key: ${{ secrets.CCCL_AUTH_APP_PEM }} + - name: Wait 1 Second id: sleep run: sleep 1 - name: Get PR Project ID id: get_pr_id + env: + GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} run: | # Query up to 10 projects for the PR gh api graphql -f query=' @@ -96,6 +104,8 @@ jobs: - name: Set PR Fields id: set_pr_fields + env: + GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} run: | gh api graphql -f query=' mutation { @@ -223,6 +233,8 @@ jobs: - name: Sync Linked Issues id: sync_linked_issues + env: + GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} run: | # Find the linked issues to the PR gh api graphql -f query=' @@ -327,6 +339,8 @@ jobs: id: set_pr_draft # only run if PR is not a draft if: ${{ github.event.pull_request.draft }} == false + env: + GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} run: | # Set the PR to draft using the graphQL API gh api graphql -f query=' diff --git a/.github/workflows/project_automation_set_in_review.yml b/.github/workflows/project_automation_set_in_review.yml index a03b3fb9d1..5ce02392db 100644 --- a/.github/workflows/project_automation_set_in_review.yml +++ b/.github/workflows/project_automation_set_in_review.yml 
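Review bot: The re-added `Generate token` step in the `@@ -55,12 +54,21 @@` hunk passes the App private key (`CCCL_AUTH_APP_PEM`) to a third-party action referenced by a tag, `tibdex/github-app-token@v1.8.0`. The same step returns in project_automation_set_in_review.yml and project_automation_sync_pr_issues.yml. A tag can be repointed to different code by whoever controls the action's repository, and that code would then run with the key in hand. Pin the reference to the release's full commit SHA and keep the version as a trailing comment, e.g. `uses: tibdex/github-app-token@<full-commit-sha-of-v1.8.0> # v1.8.0` (placeholder; take the SHA from the action's release page).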
@@ -25,7 +25,6 @@ env: ORG: ${{ github.event.repository.owner.login }} PR_NUMBER: ${{ github.event.pull_request.number }} REPO: ${{ github.event.repository.name }} - GH_TOKEN: ${{ secrets.CCCL_PROJECT_AUTOMATION_TOKEN }} # The environment vars below are hard-coded from external queries to save time + complexity here # Note: PVT means Project V2, not "Private" @@ -39,12 +38,21 @@ jobs: runs-on: ubuntu-latest steps: + - name: Generate token + id: generate_token + uses: tibdex/github-app-token@v1.8.0 + with: + app_id: ${{ secrets.CCCL_AUTH_APP_ID }} + private_key: ${{ secrets.CCCL_AUTH_APP_PEM }} + - name: Wait 1 Second id: sleep run: sleep 1 - name: Get PR Project ID id: get_pr_id + env: + GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} run: | # Query up to 10 projects for the PR gh api graphql -f query=' @@ -80,6 +88,8 @@ jobs: - name: Set PR to In Review id: set_pr_in_review + env: + GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} run: | # Update the PR status to In Review gh api graphql -f query=' @@ -103,6 +113,8 @@ jobs: - name: Set Linked Issues to In Review id: update_linked_issues + env: + GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} run: | gh api graphql -f query=' query { diff --git a/.github/workflows/project_automation_sync_pr_issues.yml b/.github/workflows/project_automation_sync_pr_issues.yml index 0206ed95d0..58098a9a85 100644 --- a/.github/workflows/project_automation_sync_pr_issues.yml +++ b/.github/workflows/project_automation_sync_pr_issues.yml @@ -25,7 +25,6 @@ env: ORG: ${{ github.event.repository.owner.login }} PR_NUMBER: ${{ github.event.pull_request.number }} REPO: ${{ github.event.repository.name }} - GH_TOKEN: ${{ secrets.CCCL_PROJECT_AUTOMATION_TOKEN }} # The environment vars below are hard-coded from external queries to save time + complexity here # Note: PVT means Project V2, not "Private" 
@@ -39,12 +38,21 @@ jobs: runs-on: ubuntu-latest steps: + - name: Generate token + id: generate_token + uses: tibdex/github-app-token@v1.8.0 + with: + app_id: ${{ secrets.CCCL_AUTH_APP_ID }} + private_key: ${{ secrets.CCCL_AUTH_APP_PEM }} + - name: Wait 1 Second id: sleep run: sleep 1 - name: Get PR Project ID id: get_pr_id + env: + GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} run: | # Query up to 10 projects for the PR gh api graphql -f query=' @@ -80,6 +88,8 @@ jobs: - name: Get Status, Start Sprint, and Working Sprint Fields from the PR id: get_pr_status + env: + GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} run: | # Query the PR's status from the project gh api graphql -f query=' @@ -136,6 +146,8 @@ jobs: - name: Sync Linked Issues id: update_linked_issues + env: + GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} run: | gh api graphql -f query=' query { From 6272bf1b552d917a597786f3c7da31c22aad51c5 Mon Sep 17 00:00:00 2001 From: Ben Jarmak Date: Thu, 10 Aug 2023 14:09:50 -0500 Subject: [PATCH 4/4] Move draft conversion, exit if pull_request_review --- .../project_automation_set_in_progress.yml | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/.github/workflows/project_automation_set_in_progress.yml b/.github/workflows/project_automation_set_in_progress.yml index d99040365d..3a2d28dfe2 100644 --- a/.github/workflows/project_automation_set_in_progress.yml +++ b/.github/workflows/project_automation_set_in_progress.yml @@ -42,6 +42,10 @@ env: jobs: query_and_mutate_project_fields: runs-on: ubuntu-latest + + permissions: + issues: write + pull-requests: write steps: - name: Check if changes requested from a reviewer 
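Review bot: `issues: write` in the new job-level `permissions:` block (PATCH 4/4, `@@ -42,6 +42,10 @@`) may be broader than the default token needs. The steps visible in this series that touch linked issues authenticate with the App token from `generate_token`, and the stated use of the default token is the draft conversion, which is a pull-request operation. If nothing else relies on it, drop that line and keep `pull-requests: write`. Either way, a comment such as `# applies to the default GITHUB_TOKEN only; the App token is scoped by the App installation` would record why the block is here. The rest of the job lies outside the hunk, so confirm no other step uses the default token for issues.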
@@ -51,8 +55,20 @@ jobs: if [ ${{ github.event.review.state }} != 'changes_requested' ]; then echo "Changes not requested, exiting" exit 0 + + # If it is requesting changes, set PR to draft + # We use the default token here since we're granting write access to the PR + elif [ ${{ github.event.pull_request.draft }} == true ]; then + gh api graphql -f query=' + mutation { + convertPullRequestToDraft(input: {pullRequestId: "${{ env.PR_GLOBAL_ID }}"}) { + clientMutationId + } + }' + exit 0 fi fi + continue-on-error: true - name: Generate token id: generate_token @@ -334,19 +350,3 @@ jobs: fi done continue-on-error: true - - - name: set PR to draft - id: set_pr_draft - # only run if PR is not a draft - if: ${{ github.event.pull_request.draft }} == false - env: - GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} - run: | - # Set the PR to draft using the graphQL API - gh api graphql -f query=' - mutation { - convertPullRequestToDraft(input: {pullRequestId: "${{ env.PR_GLOBAL_ID }}"}) { - clientMutationId - } - }' - continue-on-error: true
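Review bot: The added `elif` branch in the `@@ -51,8 +55,20 @@` hunk converts the PR to draft only when `github.event.pull_request.draft` is already `true`, which looks inverted relative to the removed `set PR to draft` step (commented "only run if PR is not a draft"); the test should probably read `elif [ "${{ github.event.pull_request.draft }}" != "true" ]; then`. The comment says the default token is used, but no `GH_TOKEN` or `GITHUB_TOKEN` is set in the lines visible here, and `gh` in a workflow needs one, so unless the step header (outside this hunk) already provides it, add `env:` with `GH_TOKEN: ${{ github.token }}` to this step. With `continue-on-error: true` on the step, an authentication or permission failure in the mutation will not fail the run, so the `gh` exit status should at least be echoed to the log. Note also that `exit 0` ends only this step; the later steps still run.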