add sync workflows

ruflab · Oct 3, 2024 · 7ed54d7 · 7ed54d7
1 parent 62f82ed
commit 7ed54d7
Show file tree

Hide file tree

Showing 7 changed files with 374 additions and 0 deletions.
diff --git a/.github/workflows/dispatch-internal-pr-in-public.yml b/.github/workflows/dispatch-internal-pr-in-public.yml
@@ -0,0 +1,117 @@
+name: dispatch-internal-pr-in-public
+
+on:
+  pull_request_review:
+    types: [submitted]
+
+permissions: write-all
+
+jobs:
+  dispatch:
+    runs-on: ubuntu-latest
+    if: ${{ github.repository != 'ruflab/shimmer' && github.event.review.state == 'approved' && github.event.pull_request.base.ref == 'public-clone' }}
+    steps:
+
+       - name: Get token
+         id: get-token
+         run: |
+           # Client ID as first argument
+           client_id=${{ secrets.APP_CLIENT_ID }}
+           app_id=${{ secrets.APP_ID }}
+
+           pem=$( cat <<'EOF'
+           ${{ secrets.APP_KEY }}
+           EOF
+           ) # file path of the private key as second argument
+
+           now=$(date +%s)
+           iat=$((${now} - 60)) # Issues 60 seconds in the past
+           exp=$((${now} + 600)) # Expires 10 minutes in the future
+
+           b64enc() { openssl base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n'; }
+
+           header_json='{
+               "typ":"JWT",
+               "alg":"RS256"
+           }'
+           # Header encode
+           header=$( echo -n "${header_json}" | b64enc )
+
+           payload_json="{
+               \"iat\":${iat},
+               \"exp\":${exp},
+               \"iss\":\"${client_id}\"
+           }"
+           # Payload encode
+           payload=$( echo -n "${payload_json}" | b64enc )
+
+           # Signature
+           header_payload="${header}"."${payload}"
+           signature=$(
+           openssl dgst -sha256 -sign <(echo -n "${pem}") \
+           <(echo -n "${header_payload}") | b64enc
+           )
+
+           #echo $header_payload
+           #echo $signature
+
+           # Create JWT
+           JWT=$(printf '%s\n' "${header_payload}"."${signature}")
+           echo "::add-mask::$JWT"
+
+           resp=$(curl --request POST \
+            --url "https://api.github.com/app/installations/$app_id/access_tokens" \
+            --header "Accept: application/vnd.github+json" \
+            --header "Authorization: Bearer $JWT" \
+            --header "X-GitHub-Api-Version: 2022-11-28"
+           )
+           token=$(jq -r '.token' <<< $resp)
+           echo "::add-mask::$token"
+           if [[ -z "$token" ]]; then
+               echo "Could not fetch access token"
+               exit 1
+           fi
+           echo "TOKEN=$token" >> "$GITHUB_OUTPUT"
+       - name: Dispatch
+         run: |
+          payload='{
+            "event_type": "on-priv-updated",
+            "client_payload": {
+              "base": "${{ github.event.pull_request.base.sha }}",
+              "branch": "${{ github.event.pull_request.head.ref }}",
+              "pr_id": "${{ github.event.pull_request.number }}"
+            }
+          }'
+          curl -L \
+            -X POST \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${{ steps.get-token.outputs.TOKEN }}" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            https://api.github.com/repos/${{ secrets.PUBLIC_REPO }}/dispatches \
+            -d "$payload"
+
+       - uses: actions/checkout@v4
+         with:
+          token: ${{ steps.get-token.outputs.TOKEN }}
+       - name: Link to pr
+         run: |
+          title=$(jq -sRr @uri <<'EOF'
+          ${{ github.event.pull_request.title }}
+          EOF
+          )
+          body=$(jq -sRr @uri <<'EOF'
+          ${{ github.event.pull_request.body }}
+          EOF
+          )
+          publicBranch="internal-$featureBranch-$prId"
+          publicUrl="https://github.com/$pubRepo/compare/$publicBranch?expand=1&title=$title&body=$body"
+          git config user.name "github-actions"
+          git config user.email "[email protected]"
+          gh repo set-default ${{ github.repository }}
+          gh pr comment $prId -b "Open a PR on the public repo by clicking [HERE]($publicUrl) (please wait a few seconds for the branch to be automatically created)."
+          gh pr close $prId
+         env:
+          featureBranch: ${{ github.event.pull_request.head.ref }}
+          prId: ${{ github.event.pull_request.number }}
+          pubRepo: ${{ secrets.PUBLIC_REPO }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/dispatch-public-commits.yml b/.github/workflows/dispatch-public-commits.yml
@@ -0,0 +1,81 @@
+name: dispatch-public-commits
+
+on:
+  push:
+    branches:
+      - 'main'
+
+jobs:
+  publish:
+    if: ${{ github.repository == 'ruflab/shimmer' }}
+    runs-on: ubuntu-latest
+    steps:
+       - name: Get token
+         id: get-token
+         run: |
+           # Client ID as first argument
+           client_id=${{ secrets.APP_CLIENT_ID }}
+           app_id=${{ secrets.APP_ID }}
+
+           pem=$( cat <<'EOF'
+           ${{ secrets.APP_KEY }}
+           EOF
+           ) # file path of the private key as second argument
+
+           now=$(date +%s)
+           iat=$((${now} - 60)) # Issues 60 seconds in the past
+           exp=$((${now} + 600)) # Expires 10 minutes in the future
+
+           b64enc() { openssl base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n'; }
+
+           header_json='{
+               "typ":"JWT",
+               "alg":"RS256"
+           }'
+           # Header encode
+           header=$( echo -n "${header_json}" | b64enc )
+
+           payload_json="{
+               \"iat\":${iat},
+               \"exp\":${exp},
+               \"iss\":\"${client_id}\"
+           }"
+           # Payload encode
+           payload=$( echo -n "${payload_json}" | b64enc )
+
+           # Signature
+           header_payload="${header}"."${payload}"
+           signature=$(
+           openssl dgst -sha256 -sign <(echo -n "${pem}") \
+           <(echo -n "${header_payload}") | b64enc
+           )
+
+           #echo $header_payload
+           #echo $signature
+
+           # Create JWT
+           JWT=$(printf '%s\n' "${header_payload}"."${signature}")
+           echo "::add-mask::$JWT"
+
+           resp=$(curl --request POST \
+            --url "https://api.github.com/app/installations/$app_id/access_tokens" \
+            --header "Accept: application/vnd.github+json" \
+            --header "Authorization: Bearer $JWT" \
+            --header "X-GitHub-Api-Version: 2022-11-28"
+           )
+           token=$(jq -r '.token' <<< $resp)
+           echo "::add-mask::$token"
+           if [[ -z "$token" ]]; then
+               echo "Could not fetch access token"
+               exit 1
+           fi
+           echo "TOKEN=$token" >> "$GITHUB_OUTPUT"
+       - name: Dispatch
+         run: |
+           curl -L \
+               -X POST \
+               -H "Accept: application/vnd.github+json" \
+               -H "Authorization: Bearer ${{ steps.get-token.outputs.TOKEN }}" \
+               -H "X-GitHub-Api-Version: 2022-11-28" \
+               "https://api.github.com/repos/${{ secrets.PRIVATE_REPO }}/dispatches" \
+               -d '{"event_type":"on-pub-updated","client_payload":{}}'
diff --git a/.github/workflows/docs-new-release.yml b/.github/workflows/docs-new-release.yml
@@ -12,6 +12,7 @@ permissions:
 jobs:
   build:
     runs-on: ubuntu-latest
+    if: github.repository == 'shimmer'
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-python@v5

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -11,6 +11,7 @@ permissions:
 jobs:
   build:
     runs-on: ubuntu-latest
+    if: github.repository == 'shimmer'
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-python@v5
@@ -54,6 +55,7 @@ jobs:
   deploy:
     needs: build
     runs-on: ubuntu-latest
+    if: github.repository == 'shimmer'
     permissions:
       pages: write
       id-token: write

diff --git a/.github/workflows/fetch-internal-branch.yml b/.github/workflows/fetch-internal-branch.yml
@@ -0,0 +1,85 @@
+name: fetch-internal-branch
+
+on:
+  repository_dispatch:
+    types: ["on-priv-updated"]
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get token
+        id: get-token
+        run: |
+          # Client ID as first argument
+          client_id=${{ secrets.APP_CLIENT_ID }}
+          app_id=${{ secrets.APP_ID }}
+
+          pem=$( cat <<'EOF'
+          ${{ secrets.APP_KEY }}
+          EOF
+          ) # file path of the private key as second argument
+
+          now=$(date +%s)
+          iat=$((${now} - 60)) # Issues 60 seconds in the past
+          exp=$((${now} + 600)) # Expires 10 minutes in the future
+
+          b64enc() { openssl base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n'; }
+
+          header_json='{
+              "typ":"JWT",
+              "alg":"RS256"
+          }'
+          # Header encode
+          header=$( echo -n "${header_json}" | b64enc )
+
+          payload_json="{
+              \"iat\":${iat},
+              \"exp\":${exp},
+              \"iss\":\"${client_id}\"
+          }"
+          # Payload encode
+          payload=$( echo -n "${payload_json}" | b64enc )
+
+          # Signature
+          header_payload="${header}"."${payload}"
+          signature=$(
+          openssl dgst -sha256 -sign <(echo -n "${pem}") \
+          <(echo -n "${header_payload}") | b64enc
+          )
+
+          #echo $header_payload
+          #echo $signature
+
+          # Create JWT
+          JWT=$(printf '%s\n' "${header_payload}"."${signature}")
+          echo "::add-mask::$JWT"
+
+          resp=$(curl --request POST \
+           --url "https://api.github.com/app/installations/$app_id/access_tokens" \
+           --header "Accept: application/vnd.github+json" \
+           --header "Authorization: Bearer $JWT" \
+           --header "X-GitHub-Api-Version: 2022-11-28"
+          )
+          token=$(jq -r '.token' <<< $resp)
+          echo "::add-mask::$token"
+          if [[ -z "$token" ]]; then
+              echo "Could not fetch access token"
+              exit 1
+          fi
+          echo "TOKEN=$token" >> "$GITHUB_OUTPUT"
+      - uses: actions/checkout@v4
+        with:
+          token: ${{ steps.get-token.outputs.TOKEN }}
+      - name: Add other remote
+        run: |
+          git remote add privrep https://github.com/${{ secrets.PRIVATE_REPO }}
+          featureBranch=${{ github.event.client_payload.branch }}
+          prId=${{ github.event.client_payload.pr_id }}
+          base_sha=${{ github.event.client_payload.base }}
+          localBranch="$featureBranch-$prId"
+          git fetch privrep $featureBranch
+          git checkout $base_sha
+          git switch -c $localBranch
+          git pull privrep $featureBranch --ff-only
+          git push origin $localBranch
diff --git a/.github/workflows/fetch-public-commits.yml b/.github/workflows/fetch-public-commits.yml
@@ -0,0 +1,87 @@
+name: fetch-public-commits
+
+on:
+  repository_dispatch:
+    types: ["on-pub-updated"]
+
+jobs:
+  update:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get token
+        id: get-token
+        run: |
+          # Client ID as first argument
+          client_id=${{ secrets.APP_CLIENT_ID }}
+          app_id=${{ secrets.APP_ID }}
+
+          pem=$( cat <<'EOF'
+          ${{ secrets.APP_KEY }}
+          EOF
+          ) # file path of the private key as second argument
+
+          now=$(date +%s)
+          iat=$((${now} - 60)) # Issues 60 seconds in the past
+          exp=$((${now} + 600)) # Expires 10 minutes in the future
+
+          b64enc() { openssl base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n'; }
+
+          header_json='{
+              "typ":"JWT",
+              "alg":"RS256"
+          }'
+          # Header encode
+          header=$( echo -n "${header_json}" | b64enc )
+
+          payload_json="{
+              \"iat\":${iat},
+              \"exp\":${exp},
+              \"iss\":\"${client_id}\"
+          }"
+          # Payload encode
+          payload=$( echo -n "${payload_json}" | b64enc )
+
+          # Signature
+          header_payload="${header}"."${payload}"
+          signature=$(
+          openssl dgst -sha256 -sign <(echo -n "${pem}") \
+          <(echo -n "${header_payload}") | b64enc
+          )
+
+          #echo $header_payload
+          #echo $signature
+
+          # Create JWT
+          JWT=$(printf '%s\n' "${header_payload}"."${signature}")
+          echo "::add-mask::$JWT"
+
+          resp=$(curl --request POST \
+           --url "https://api.github.com/app/installations/$app_id/access_tokens" \
+           --header "Accept: application/vnd.github+json" \
+           --header "Authorization: Bearer $JWT" \
+           --header "X-GitHub-Api-Version: 2022-11-28"
+          )
+          token=$(jq -r '.token' <<< $resp)
+          echo "::add-mask::$token"
+          if [[ -z "$token" ]]; then
+              echo "Could not fetch access token"
+              exit 1
+          fi
+          echo "TOKEN=$token" >> "$GITHUB_OUTPUT"
+      - uses: actions/checkout@v4
+        with:
+          ref: public-clone
+          token: ${{ steps.get-token.outputs.TOKEN }}
+      - name: Update public-clone branch
+        run: |
+          git remote add pubrep https://github.com/${{ secrets.PUBLIC_REPO }}
+          git pull pubrep main --ff-only
+          git push
+      - name: Update main branch
+        run: |
+          git config user.name "github-actions"
+          git config user.email "[email protected]"
+          git fetch origin main
+          git checkout -b main --track origin/main
+          git merge -m "merge public-clone branch" public-clone
+          git push