Merge pull request #17 from github/release-updates

Release Updates

.github/workflows/acceptance.yml

@@ -17,7 +17,7 @@ jobs:
       has_change: ${{ steps.diff.outputs.has_change}}
 
     steps:
-      - uses: actions/checkout@7884fcad6b5d53d10323aee724dc68d8b9096a2e # pin@v2
+      - uses: actions/checkout@v3
 
       - id: fetch-base
         if: github.event_name == 'pull_request'
@@ -65,9 +65,9 @@ jobs:
         run: |
           echo "✅ Bypassing acceptance tests - they are not required for this change"
 
-      - name: Check out code
+      - name: checkout
         if: ${{ needs.changes.outputs.has_change == 'true' }}
-        uses: actions/checkout@7884fcad6b5d53d10323aee724dc68d8b9096a2e # pin@v2
+        uses: actions/checkout@v3
 
       # Use Docker layer caching for 'docker build' and 'docker-compose build' commands.
       # https://github.com/satackey/action-docker-layer-caching/releases/tag/v0.0.11

.github/workflows/build.yml

@@ -0,0 +1,41 @@
+name: build
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  workflow_call:
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    name: build
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: checkout
+        uses: actions/checkout@v3
+
+      - uses: ruby/setup-ruby@250fcd6a742febb1123a77a841497ccaa8b9e939 # [email protected]
+        with:
+          bundler-cache: true
+
+      - name: bootstrap
+        run: script/bootstrap
+
+      - name: build
+        run: |
+          GEM_NAME=$(ls | grep gemspec | cut -d. -f1)
+          echo "Attempting to build gem $GEM_NAME..."
+          gem build $GEM_NAME
+          if [ $? -eq 0 ]; then
+            echo "Gem built successfully!"
+          else
+            echo "Gem build failed!"
+            exit 1
+          fi

.github/workflows/codeql-analysis.yml

@@ -1,4 +1,4 @@
-name: "CodeQL"
+name: CodeQL
 
 on:
   push:
@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@7884fcad6b5d53d10323aee724dc68d8b9096a2e # pin@v2
+        uses: actions/checkout@v3
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL

.github/workflows/gem.yml

@@ -1,29 +1,61 @@
-name: Publish and Release Gem
+name: release
+
 on:
-  push:
-    branches: [ $default-branch ]
-    paths: [ "VERSION" ]
   workflow_dispatch:
+  push:
+    branches:
+      - main
+    paths:
+      - lib/version.rb
+
+permissions:
+  contents: write
+  packages: write
 
 jobs:
   release:
     runs-on: ubuntu-latest
 
     steps:
-      - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+      - name: checkout
+        uses: actions/checkout@v3
 
-      - name: Setup Ruby
-        uses: ruby/setup-ruby@8a45918450651f5e4784b6031db26f4b9f76b251
+      - uses: ruby/setup-ruby@250fcd6a742febb1123a77a841497ccaa8b9e939 # [email protected]
         with:
           bundler-cache: true
 
-      - name: Run Tests
+      - name: bootstrap
+        run: script/bootstrap
+
+      - name: lint
+        run: bundle exec rubocop -c .rubocop.yml lib/ spec/
+
+      - name: test
         run: script/test
 
-      - name: Build Gem
+      - name: set GEM_NAME from gemspec
+        run: echo "GEM_NAME=$(ls | grep gemspec | cut -d. -f1)" >> $GITHUB_ENV
+
+        # builds the gem and saves the version to GITHUB_ENV
+      - name: build
+        run: echo "GEM_VERSION=$(gem build ${{ env.GEM_NAME }}.gemspec 2>&1 | grep Version | cut -d':' -f 2 | tr -d " \t\n\r")" >> $GITHUB_ENV
+
+      - name: publish to GitHub packages
         run: |
-          echo "GEM_VERSION=$(gem build entitlements-gitrepo-auditor-plugin.gemspec 2>&1 | grep Version | cut -d':' -f 2 | tr -d " \t\n\r")" >> $GITHUB_ENV
-      - name: Publish to GitHub Packages
+          export OWNER=$( echo ${{ github.repository }} | cut -d "/" -f 1 )
+          GEM_HOST_API_KEY=${{ secrets.GITHUB_TOKEN }} gem push --KEY github --host https://rubygems.pkg.github.com/${OWNER} ${{ env.GEM_NAME }}-${{ env.GEM_VERSION }}.gem
+
+      - name: release
+        uses: ncipollo/release-action@a2e71bdd4e7dab70ca26a852f29600c98b33153e # [email protected]
+        with:
+          artifacts: "${{ env.GEM_NAME }}-${{ env.GEM_VERSION }}.gem"
+          tag: "v${{ env.GEM_VERSION }}"
+          generateReleaseNotes: true
+
+      - name: Publish to RubyGems
         run: |
-          GEM_HOST_API_KEY=${{ secrets.GITHUB_TOKEN }} gem push --KEY github --host https://rubygems.pkg.github.com/github entitlements-gitrepo-auditor-plugin-${{ env.GEM_VERSION }}.gem
+          mkdir -p ~/.gem
+          echo -e "---\n:rubygems_api_key: ${{ secrets.RUBYGEMS_API_KEY }}" > ~/.gem/credentials
+          chmod 0600 ~/.gem/credentials
+          gem push ${{ env.GEM_NAME }}-${{ env.GEM_VERSION }}.gem
+          rm ~/.gem/credentials

.github/workflows/lint.yml

@@ -14,12 +14,11 @@ jobs:
       contents: read
 
     steps:
-      - name: Check out code
-        uses: actions/checkout@7884fcad6b5d53d10323aee724dc68d8b9096a2e # pin@v2
+      - name: checkout
+        uses: actions/checkout@v3
 
-      - uses: ruby/setup-ruby@8029ebd6e5bd8f4e0d6f7623ea76a01ec5b1010d # pin@v1.110.0
+      - uses: ruby/setup-ruby@250fcd6a742febb1123a77a841497ccaa8b9e939 # pin@v1.152.0
         with:
-          ruby-version: 3.1.2
           bundler-cache: true
 
       - name: rubocop

.github/workflows/test.yml

@@ -14,12 +14,11 @@ jobs:
       contents: read
 
     steps:
-      - name: Check out code
-        uses: actions/checkout@7884fcad6b5d53d10323aee724dc68d8b9096a2e # pin@v2
+      - name: checkout
+        uses: actions/checkout@v3
 
-      - uses: ruby/setup-ruby@8029ebd6e5bd8f4e0d6f7623ea76a01ec5b1010d # pin@v1.110.0
+      - uses: ruby/setup-ruby@250fcd6a742febb1123a77a841497ccaa8b9e939 # pin@v1.152.0
         with:
-          ruby-version: 3.1.2
           bundler-cache: true
 
       - name: rspec tests

.rubocop.yml

@@ -3,8 +3,9 @@ inherit_gem:
     - config/default.yml
 
 AllCops:
+  SuggestExtensions: false
   DisplayCopNames: true
-  TargetRubyVersion: 2.7.5
+  TargetRubyVersion: 3.1
   Exclude:
     - 'bin/*'
     - 'spec/acceptance/fixtures/**/*'

Gemfile.lock

@@ -1,19 +1,19 @@
 PATH
   remote: .
   specs:
-    entitlements-gitrepo-auditor-plugin (0.2.3)
+    entitlements-gitrepo-auditor-plugin (0.3.0)
       contracts (= 0.17)
       entitlements (= 0.2.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    activesupport (7.0.6)
+    activesupport (7.0.7.2)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
       tzinfo (~> 2.0)
-    addressable (2.8.4)
+    addressable (2.8.5)
       public_suffix (>= 2.0.2, < 6.0)
     ast (2.4.2)
     concurrent-ruby (1.1.9)
@@ -36,7 +36,7 @@ GEM
     i18n (1.14.1)
       concurrent-ruby (~> 1.0)
     json (2.6.3)
-    minitest (5.18.1)
+    minitest (5.19.0)
     net-ldap (0.18.0)
     octokit (4.25.1)
       faraday (>= 1, < 3)
@@ -52,7 +52,7 @@ GEM
     rainbow (3.1.1)
     rake (13.0.6)
     regexp_parser (2.8.1)
-    rexml (3.2.5)
+    rexml (3.2.6)
     rspec (3.8.0)
       rspec-core (~> 3.8.0)
       rspec-expectations (~> 3.8.0)

README.md

@@ -1,6 +1,6 @@
 # entitlements-gitrepo-auditor-plugin
 
-[![acceptance](https://github.com/github/entitlements-gitrepo-auditor-plugin/actions/workflows/acceptance.yml/badge.svg)](https://github.com/github/entitlements-gitrepo-auditor-plugin/actions/workflows/acceptance.yml) [![test](https://github.com/github/entitlements-gitrepo-auditor-plugin/actions/workflows/test.yml/badge.svg)](https://github.com/github/entitlements-gitrepo-auditor-plugin/actions/workflows/test.yml) [![lint](https://github.com/github/entitlements-gitrepo-auditor-plugin/actions/workflows/lint.yml/badge.svg)](https://github.com/github/entitlements-gitrepo-auditor-plugin/actions/workflows/lint.yml) [![coverage](https://img.shields.io/badge/coverage-100%25-success)](https://img.shields.io/badge/coverage-100%25-success) [![style](https://img.shields.io/badge/code%20style-rubocop--github-blue)](https://github.com/github/rubocop-github)
+[![acceptance](https://github.com/github/entitlements-gitrepo-auditor-plugin/actions/workflows/acceptance.yml/badge.svg)](https://github.com/github/entitlements-gitrepo-auditor-plugin/actions/workflows/acceptance.yml) [![test](https://github.com/github/entitlements-gitrepo-auditor-plugin/actions/workflows/test.yml/badge.svg)](https://github.com/github/entitlements-gitrepo-auditor-plugin/actions/workflows/test.yml) [![lint](https://github.com/github/entitlements-gitrepo-auditor-plugin/actions/workflows/lint.yml/badge.svg)](https://github.com/github/entitlements-gitrepo-auditor-plugin/actions/workflows/lint.yml) [![build](https://github.com/github/entitlements-gitrepo-auditor-plugin/actions/workflows/build.yml/badge.svg)](https://github.com/github/entitlements-gitrepo-auditor-plugin/actions/workflows/build.yml) [![release](https://github.com/github/entitlements-gitrepo-auditor-plugin/actions/workflows/gem.yml/badge.svg)](https://github.com/github/entitlements-gitrepo-auditor-plugin/actions/workflows/gem.yml) [![codeql](https://github.com/github/entitlements-gitrepo-auditor-plugin/actions/workflows/codeql-analysis.yml/badge.svg)](https://github.com/github/entitlements-gitrepo-auditor-plugin/actions/workflows/codeql-analysis.yml) [![coverage](https://img.shields.io/badge/coverage-100%25-success)](https://img.shields.io/badge/coverage-100%25-success) [![style](https://img.shields.io/badge/code%20style-rubocop--github-blue)](https://github.com/github/rubocop-github)
 
 `entitlements-gitrepo-auditor-plugin` is an [entitlements-app](https://github.com/github/entitlements-app) plugin allowing further auditing capabilities in entitlements by writing each deploy log to a separate GitHub repo.
 
@@ -71,3 +71,13 @@ auditors:
 ```
 
 At the end of each `entitlements-app` run, the `entitlements-gitrepo-auditor-plugin` will write a commit to the repo defined above with the details of the deployment.
+
+## Release 🚀
+
+To release a new version of this Gem, do the following:
+
+1. Update the version number in the [`lib/version.rb`](lib/version.rb) file
+2. Run `bundle install` to update the `Gemfile.lock` file with the new version
+3. Commit your changes, push them to GitHub, and open a PR
+
+Once your PR is approved and the changes are merged, a new release will be created automatically by the [`release.yml`](.github/workflows/gem.yml) workflow. The latest version of the Gem will be published to the GitHub Package Registry and RubyGems.

entitlements-gitrepo-auditor-plugin.gemspec

@@ -1,14 +1,16 @@
 # frozen_string_literal: true
 
+require_relative "lib/version"
+
 Gem::Specification.new do |s|
   s.name = "entitlements-gitrepo-auditor-plugin"
-  s.version = File.read("VERSION").chomp
+  s.version = Entitlements::Version::VERSION
   s.summary = "Entitlements GitRepo Auditor"
-  s.description = ""
+  s.description = "Entitlements plugin for a robust audit log"
   s.authors = ["GitHub, Inc. Security Ops"]
   s.email = "[email protected]"
   s.license = "MIT"
-  s.files = Dir.glob("lib/**/*") + %w[VERSION]
+  s.files = Dir.glob("lib/**/*")
   s.homepage = "https://github.com/github/entitlements-gitrepo-auditor-plugin"
   s.executables = %w[]
 

lib/entitlements/auditor/gitrepo.rb

@@ -26,7 +26,7 @@ def setup
         @repo = Entitlements::Util::GitRepo.new(
           repo: config["repo"],
           sshkey: Base64.decode64(config["sshkey"]),
-          logger: logger
+          logger:
         )
         @repo.github = config["github_override"] if config["github_override"]
         @repo.send(operation, checkout_directory)
@@ -59,10 +59,10 @@ def commit(actions:, successful_actions:, provider_exception:)
         %w[update_files delete_files].each do |m|
           send(
             m.to_sym,
-            action_hash: action_hash,
-            successful_actions: successful_actions,
-            sync_changes: sync_changes,
-            valid_changes: valid_changes
+            action_hash:,
+            successful_actions:,
+            sync_changes:,
+            valid_changes:
           )
         end
 

lib/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Entitlements
+  module Version
+    VERSION = "0.3.0"
+  end
+end

spec/acceptance/Dockerfile.entitlements-gitrepo-auditor-plugin

@@ -22,7 +22,8 @@ RUN gem install bundler
 # Bootstrap files and caching for speed
 COPY "vendor/cache/" "/data/entitlements/vendor/cache/"
 COPY "script/" "/data/entitlements/script/"
-COPY [".rubocop.yml", ".ruby-version", "entitlements-gitrepo-auditor-plugin.gemspec", "Gemfile", "Gemfile.lock", "VERSION", "/data/entitlements/"]
+COPY [".rubocop.yml", ".ruby-version", "entitlements-gitrepo-auditor-plugin.gemspec", "Gemfile", "Gemfile.lock", "/data/entitlements/"]
+COPY "lib/version.rb" "/data/entitlements/lib/version.rb"
 RUN ./script/bootstrap
 
 # Source Files

spec/acceptance/tests/spec_helper.rb

@@ -63,7 +63,7 @@ def run(fixture_dir, args = [])
   command_parts = [binary, "--config-file", configfile] + args
   command = command_parts.map { |i| Shellwords.escape(i) }.join(" ")
   stdout, stderr, exitstatus = Open3.capture3(command)
-  OpenStruct.new({ stdout: stdout, stderr: stderr, exitstatus: exitstatus.exitstatus, success?: exitstatus.exitstatus == 0 })
+  OpenStruct.new({ stdout:, stderr:, exitstatus: exitstatus.exitstatus, success?: exitstatus.exitstatus == 0 })
 end
 
 def log(priority, pattern)