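name: GitHub Event Processor
on:
  issues:
    types: [edited, labeled, opened, reopened, unlabeled]
  # issue_comment is used for both issues and pull_requests
  # github.event.issue.pull_request will be non-null on pull request comments
  issue_comment:
    types: [created]
  # synchronize is the pull_request_target event when changes are pushed
  # pull request merged is the closed event with github.event.pull_request.merged = true
  #
  # pull_request_target runs in the context of the base repository, with access to
  # repository secrets and a write-capable GITHUB_TOKEN, even for pull requests that
  # come from forks. That is what lets the processor label and comment on fork PRs,
  # but it also means the jobs below must never check out or execute code from the
  # pull request head.
  pull_request_target:
    types: [closed, labeled, opened, reopened, review_requested, synchronize, unlabeled]
# This removes all unnecessary permissions, the ones needed will be set below.
# https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
permissions: {}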
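jobs:
  # This event requires the Azure CLI to get the LABEL_SERVICE_API_KEY from the vault.
  # Because the azure/login step adds time costly pre/post Az CLI commands to any every job
  # it's used in, split this into its own job so only the event that needs the Az CLI pays
  # the cost.
  event-handler-with-azure:
    permissions:
      issues: write
      pull-requests: write
      # For OIDC auth
      id-token: write
      contents: read
    name: Handle ${{ github.event_name }} ${{ github.event.action }} event with azure login
    runs-on: ubuntu-latest
    if: ${{ github.event_name == 'issues' && github.event.action == 'opened' }}
    steps:
      # NOTE(review): the action is referenced by a mutable major-version tag; pinning it
      # to a full commit SHA would make the job's supply chain reproducible.
      - name: 'Az CLI login'
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: 'Run Azure CLI commands'
        run: |
          LABEL_SERVICE_API_KEY=$(az keyvault secret show \
            --vault-name issue-labeler \
            -n issue-labeler-func-key \
            -o tsv \
            --query value)
          # Fail loudly instead of exporting an empty key to the processor step.
          if [ -z "$LABEL_SERVICE_API_KEY" ]; then
            echo "::error::Failed to read issue-labeler-func-key from Key Vault"
            exit 1
          fi
          # Mask before exporting so the value is redacted from every later log line.
          echo "::add-mask::$LABEL_SERVICE_API_KEY"
          echo "LABEL_SERVICE_API_KEY=$LABEL_SERVICE_API_KEY" >> "$GITHUB_ENV"
      # To run github-event-processor built from source, for testing purposes, uncomment everything
      # in between the Start/End-Build From Source comments and comment everything in between the
      # Start/End-Install comments
      # Start-Install
      - name: Install GitHub Event Processor
        run: >
          dotnet tool install
          Azure.Sdk.Tools.GitHubEventProcessor
          --version 1.0.0-dev.20240909.2
          --add-source https://pkgs.dev.azure.com/azure-sdk/public/_packaging/azure-sdk-for-net/nuget/v3/index.json
          --global
        shell: bash
      # End-Install
      # Testing checkout of sources from the Azure/azure-sdk-tools repository
      # The ref: is the SHA from the pull request in that repository or the
      # refs/pull/<PRNumber>/merge for the latest on any given PR. If the repository
      # is a fork eg. <User>/azure-sdk-tools then the repository down below will
      # need to point to that fork
      # Only ever point ref:/repository: at code you have reviewed: this job runs under
      # pull_request_target with write permissions and repository secrets, so whatever is
      # checked out and built here executes with that authority.
      # Start-Build
      # - name: Checkout tools repo for GitHub Event Processor sources
      #   uses: actions/checkout@v3
      #   with:
      #     repository: Azure/azure-sdk-tools
      #     path: azure-sdk-tools
      #     ref: <refs/pull/<PRNumber>/merge> or <sha>
      # - name: Build and install GitHubEventProcessor from sources
      #   run: |
      #     dotnet pack
      #     dotnet tool install --global --prerelease --add-source ../../../artifacts/packages/Debug Azure.Sdk.Tools.GitHubEventProcessor
      #   shell: bash
      #   working-directory: azure-sdk-tools/tools/github-event-processor/Azure.Sdk.Tools.GitHubEventProcessor
      # End-Build
      - name: Process Action Event
        # The event payload and event name are passed through environment variables
        # instead of being expanded with ${{ }} inside the script. Inline expansion splices
        # user-influenced text (issue and PR titles/bodies inside github.event) into the
        # shell source before bash parses it; an environment variable is only data.
        env:
          # This is a temporary secret generated by github
          # https://docs.github.com/en/actions/security-guides/automatic-token-authentication#about-the-github_token-secret
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Exported to GITHUB_ENV by the Az CLI step above.
          LABEL_SERVICE_API_KEY: ${{ env.LABEL_SERVICE_API_KEY }}
          EVENT_NAME: ${{ github.event_name }}
          EVENT_PAYLOAD: ${{ toJson(github.event) }}
        run: |
          printf '%s\n' "$EVENT_PAYLOAD" > payload.json
          github-event-processor "$EVENT_NAME" payload.json
        shell: bash
  event-handler:
    permissions:
      issues: write
      pull-requests: write
    name: Handle ${{ github.event_name }} ${{ github.event.action }} event
    runs-on: ubuntu-latest
    if: ${{ github.event_name != 'issues' || github.event.action != 'opened' }}
    steps:
      # To run github-event-processor built from source, for testing purposes, uncomment everything
      # in between the Start/End-Build From Source comments and comment everything in between the
      # Start/End-Install comments
      # Start-Install
      - name: Install GitHub Event Processor
        run: >
          dotnet tool install
          Azure.Sdk.Tools.GitHubEventProcessor
          --version 1.0.0-dev.20240909.2
          --add-source https://pkgs.dev.azure.com/azure-sdk/public/_packaging/azure-sdk-for-net/nuget/v3/index.json
          --global
        shell: bash
      # End-Install
      # Testing checkout of sources from the Azure/azure-sdk-tools repository
      # The ref: is the SHA from the pull request in that repository or the
      # refs/pull/<PRNumber>/merge for the latest on any given PR. If the repository
      # is a fork eg. <User>/azure-sdk-tools then the repository down below will
      # need to point to that fork
      # Only ever point ref:/repository: at code you have reviewed: this job runs under
      # pull_request_target with write permissions, so whatever is checked out and built
      # here executes with that authority.
      # Start-Build
      # - name: Checkout tools repo for GitHub Event Processor sources
      #   uses: actions/checkout@v3
      #   with:
      #     repository: Azure/azure-sdk-tools
      #     path: azure-sdk-tools
      #     ref: <refs/pull/<PRNumber>/merge> or <sha>
      # - name: Build and install GitHubEventProcessor from sources
      #   run: |
      #     dotnet pack
      #     dotnet tool install --global --prerelease --add-source ../../../artifacts/packages/Debug Azure.Sdk.Tools.GitHubEventProcessor
      #   shell: bash
      #   working-directory: azure-sdk-tools/tools/github-event-processor/Azure.Sdk.Tools.GitHubEventProcessor
      # End-Build
      - name: Process Action Event
        # See the matching step in event-handler-with-azure: the payload and event name
        # are passed as environment variables so that user-influenced text from
        # github.event is never spliced into the shell script itself.
        env:
          # This is a temporary secret generated by github
          # https://docs.github.com/en/actions/security-guides/automatic-token-authentication#about-the-github_token-secret
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          EVENT_NAME: ${{ github.event_name }}
          EVENT_PAYLOAD: ${{ toJson(github.event) }}
        run: |
          printf '%s\n' "$EVENT_PAYLOAD" > payload.json
          github-event-processor "$EVENT_NAME" payload.json
        shell: bash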