Updates to AL-Go deployment process (microsoft#659)

This PR changes the deployment process to * Create pull requests when deploying Al-Go rather than force pushing * Fetch the OrgPat from a GitHub environment to ensure that the secret can only be accessed from workflows running on the main branch of AL-Go * (Update the OrgPat to be from a service account rather than a PAT from a Microsoft engineer) New deployment process: 1. Run the Deploy workflow in microsoft/Al-Go 2. Request approval from another team member 3. The deploy action will by default create PRs in Al-Go-PTE / Al-Go-AppSource / Al-Go-Actions. Go to those repositories, validate that the PR looks as expected and merge the new changes. --------- Co-authored-by: Maria Zhelezova <[email protected]>
mazhelez · Aug 16, 2023 · f3d69d5 · f3d69d5
1 parent dbd045c
commit f3d69d5
Show file tree

Hide file tree

Showing 2 changed files with 70 additions and 20 deletions.
diff --git a/.github/workflows/Deploy.yaml b/.github/workflows/Deploy.yaml
@@ -9,9 +9,15 @@ on:
         description: 'Branch to deploy to (NOTE: Use preview when deploying preview releases on microsoft/al-go)'
         required: true
       copyToMain:
-        description: 'Additionally deploy templates to main+preview branch? (Y/N) - (NOTE: Enter Y if this is a release to PROD on microsoft/al-go)'
+        type: boolean
+        description: 'Additionally deploy templates to main+preview branch? Set if this is a release to PROD on microsoft/al-go'
         required: false
-        default: 'N'
+        default: false
+      directCommit:
+        type: boolean
+        description: Push directly to the target branch. If not set, a PR will be created.
+        required: false 
+        default: false
       defaultBcContainerHelperVersion:
         description: 'Which version of BcContainerHelper to use? (latest, preview, private, a specific version number or a direct download URL like https://github.com/freddydk/navcontainerhelper/archive/master.zip - leave empty to use latest)'
         required: false
@@ -24,21 +30,33 @@ defaults:
 jobs:
   Deploy:
     runs-on: [ ubuntu-latest ]
+    environment: Production
     steps:
-      - uses: actions/checkout@v3
+      - name: Validate Deployment
+        if: github.repository_owner == 'microsoft'
+        env: 
+          branch: ${{ github.event.inputs.branch }}
+          repository: ${{ github.repository }}
+          runId: ${{ github.run_id }}
+        run: | 
+          if ($env:branch -match 'preview') {
+            Write-Host "Deploying to preview branch. No validation required"
+          } else {
+            $approval = gh api /repos/$($env:repository)/actions/runs/$($env:runId)/approvals | ConvertFrom-Json
+            $run = gh api /repos/$($env:repository)/actions/runs/$($env:runId) | ConvertFrom-Json
 
-      - name: CheckUser
-        run: |
-          $threeMusketeers = @("freddydk", "aholstrup1", "mazhelez")
-          if ("$ENV:GITHUB_REPOSITORY" -eq "microsoft/AL-Go" -and "$ENV:GITHUB_ACTOR" -notin $threeMusketeers) {
-            Write-Host "::Error::You cannot run deploy and collect in the microsoft/AL-Go repo"
-            exit 1
+            if ($approval.user.login -eq $run.actor.login) {
+              throw "You cannot approve your own deployment"
+            }
           }
 
+      - uses: actions/checkout@v3
+
       - name: Deploy
         env:
           branch: ${{ github.event.inputs.branch }}
           copyToMain: ${{ github.event.inputs.copyToMain }}
+          directCommit: ${{ github.event.inputs.directCommit }}
           defaultBcContainerHelperVersion: ${{ github.event.inputs.defaultBcContainerHelperVersion }}
         run: |
           $errorActionPreference = "Stop"; $ProgressPreference = "SilentlyContinue"; Set-StrictMode -Version 2.0
@@ -47,19 +65,17 @@ jobs:
             if (!$token) {
               throw "In order to run the Deploy workflow, you need a Secret called OrgPAT containing a valid Personal Access Token"
             }
-            else {
-              $githubOwner = "$ENV:GITHUB_REPOSITORY_OWNER"
-              $config = @{
+            $githubOwner = "$ENV:GITHUB_REPOSITORY_OWNER"
+            $config = @{
                   "githubOwner" = $githubOwner
                   "actionsRepo" = "AL-Go-Actions"
                   "perTenantExtensionRepo" = "AL-Go-PTE"
                   "appSourceAppRepo" = "AL-Go-AppSource"
                   "branch" = $env:branch
-                  "copyToMain" = ($env:copyToMain -eq 'Y')
+                  "copyToMain" = ($env:copyToMain -eq 'true')
                   "defaultBcContainerHelperVersion" = $env:defaultBcContainerHelperVersion
-              }
-              . ".\Internal\Deploy.ps1" -config $config -token $token
             }
+            . ".\Internal\Deploy.ps1" -config $config -token $token -directCommit ($env:directCommit -eq 'true')
           }
           catch {
             Write-Host "::Error::Error deploying repositories. The error was $($_.Exception.Message)"

diff --git a/Internal/Deploy.ps1 b/Internal/Deploy.ps1
@@ -1,14 +1,50 @@
-Param(
+[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSReviewUnusedParameter', 'directCommit', Justification = 'False positive.')]
+Param(
     [Parameter(Mandatory=$true)]
     [Hashtable] $config,
     [Parameter(Mandatory=$true)]
-    [string] $token
+    [string] $token,
+    [Parameter(Mandatory=$false)]
+    [bool] $directCommit
 )
 
 Import-Module (Join-Path $PSScriptRoot "..\Actions\Github-Helper.psm1" -Resolve) -DisableNameChecking
 
 $errorActionPreference = "Stop"; $ProgressPreference = "SilentlyContinue"; Set-StrictMode -Version 2.0
 
+function PushChanges
+(
+    [Parameter(HelpMessage = "The branch Al-Go is being deployed to (e.g. main / v.3.2)", Mandatory = $false)]
+    [string] $BaseBranch,
+    [Parameter(HelpMessage = "The message on the commit or PR that contains the latest changes", Mandatory = $false)]
+    [string] $CommitMessage,
+    [Parameter(HelpMessage = "If true, the commit will be pushed directly to the base branch. If false, a pull request will be created", Mandatory = $false)]
+    [bool] $DirectCommit
+)
+{
+    invoke-git add .
+
+    if ($DirectCommit) {
+        # Direct commit to base branch
+        invoke-git commit --allow-empty -m $CommitMessage
+        invoke-git push origin $BaseBranch
+    } else {
+        # Create PR to base branch
+        if (-not (git ls-remote --heads origin $BaseBranch)) {
+            Write-Host "Branch $BaseBranch does not exist in origin. Creating it"
+            invoke-git branch $BaseBranch origin/main
+            invoke-git push origin $BaseBranch
+        }
+        $branchName = "deploy/$BaseBranch/$((Get-Date).ToUniversalTime().ToString(`"yyMMddHHmmss`"))"
+
+
+        invoke-git checkout -b $branchName origin/$BaseBranch
+        invoke-git commit --allow-empty -m $CommitMessage
+        invoke-git push origin $branchName
+        invoke-gh pr create --base $BaseBranch --title $CommitMessage --body $CommitMessage
+    }
+}
+
 $oldPath = Get-Location
 try {
 
@@ -198,10 +234,8 @@ try {
         if (Test-Path -Path (Join-Path '.' '.github') -PathType Container) {
             Copy-Item -Path (Join-Path $baseRepoPath "RELEASENOTES.md") -Destination (Join-Path "./.github" "RELEASENOTES.copy.md") -Force
         }
+        PushChanges -BaseBranch $branch -CommitMessage "Deploying AL-Go from $algoBranch ($srcSHA) to $branch" -DirectCommit $directCommit
 
-        invoke-git add .
-        invoke-git commit --allow-empty -m 'checkout'
-        invoke-git push $serverUrl
     }
 }
 finally {