diff --git a/.github/workflows/dispatch-internal-pr-in-public.yml b/.github/workflows/dispatch-internal-pr-in-public.yml
new file mode 100644
index 00000000..aa24b2ae
--- /dev/null
+++ b/.github/workflows/dispatch-internal-pr-in-public.yml
@@ -0,0 +1,117 @@ +name: dispatch-internal-pr-in-public + +on: + pull_request_review: + types: [submitted] + +permissions: write-all + +jobs: + dispatch: + runs-on: ubuntu-latest + if: ${{ github.repository != 'ruflab/shimmer' && github.event.review.state == 'approved' && github.event.pull_request.base.ref == 'public-clone' }} + steps: + + - name: Get token + id: get-token + run: | + # Client ID as first argument + client_id=${{ secrets.APP_CLIENT_ID }} + app_id=${{ secrets.APP_ID }} + + pem=$( cat <<'EOF' + ${{ secrets.APP_KEY }} + EOF + ) # file path of the private key as second argument + + now=$(date +%s) + iat=$((${now} - 60)) # Issues 60 seconds in the past + exp=$((${now} + 600)) # Expires 10 minutes in the future + + b64enc() { openssl base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n'; } + + header_json='{ + "typ":"JWT", + "alg":"RS256" + }' + # Header encode + header=$( echo -n "${header_json}" | b64enc ) + + payload_json="{ + \"iat\":${iat}, + \"exp\":${exp}, + \"iss\":\"${client_id}\" + }" + # Payload encode + payload=$( echo -n "${payload_json}" | b64enc ) + + # Signature + header_payload="${header}"."${payload}" + signature=$( + openssl dgst -sha256 -sign <(echo -n "${pem}") \ + <(echo -n "${header_payload}") | b64enc + ) + + #echo $header_payload + #echo $signature + + # Create JWT + JWT=$(printf '%s\n' "${header_payload}"."${signature}") + echo "::add-mask::$JWT" + + resp=$(curl --request POST \ + --url "https://api.github.com/app/installations/$app_id/access_tokens" \ + --header "Accept: application/vnd.github+json" \ + --header "Authorization: Bearer $JWT" \ + --header "X-GitHub-Api-Version: 2022-11-28" + ) + token=$(jq -r '.token' <<< $resp) + echo "::add-mask::$token" + if [[ -z "$token" ]]; then + echo "Could not fetch access token" + exit 1 + fi + echo "TOKEN=$token" >> "$GITHUB_OUTPUT" + - name: Dispatch + run: | + payload='{ + "event_type": "on-priv-updated", + "client_payload": { + "base": "${{ github.event.pull_request.base.sha }}", + 
"branch": "${{ github.event.pull_request.head.ref }}", + "pr_id": "${{ github.event.pull_request.number }}" + } + }' + curl -L \ + -X POST \ + -H "Accept: application/vnd.github+json" \ + -H "Authorization: Bearer ${{ steps.get-token.outputs.TOKEN }}" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + https://api.github.com/repos/${{ secrets.PUBLIC_REPO }}/dispatches \ + -d "$payload" + + - uses: actions/checkout@v4 + with: + token: ${{ steps.get-token.outputs.TOKEN }} + - name: Link to pr + run: | + title=$(jq -sRr @uri <<'EOF' + ${{ github.event.pull_request.title }} + EOF + ) + body=$(jq -sRr @uri <<'EOF' + ${{ github.event.pull_request.body }} + EOF + ) + publicBranch="internal-$featureBranch-$prId" + publicUrl="https://github.com/$pubRepo/compare/$publicBranch?expand=1&title=$title&body=$body" + git config user.name "github-actions" + git config user.email "github-actions@github.com" + gh repo set-default ${{ github.repository }} + gh pr comment $prId -b "Open a PR on the public repo by clicking [HERE]($publicUrl) (please wait a few seconds for the branch to be automatically created)." + gh pr close $prId + env: + featureBranch: ${{ github.event.pull_request.head.ref }} + prId: ${{ github.event.pull_request.number }} + pubRepo: ${{ secrets.PUBLIC_REPO }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/dispatch-public-commits.yml b/.github/workflows/dispatch-public-commits.yml new file mode 100644 index 00000000..0a9e3134 --- /dev/null +++ b/.github/workflows/dispatch-public-commits.yml 
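Review bot: In the Dispatch step, `${{ github.event.pull_request.head.ref }}` and `${{ github.event.pull_request.base.sha }}` are expanded directly into the single-quoted `payload` string inside `run:`, so a branch name containing `'` (legal in a git ref name) breaks out of the quoting and runs as shell in a job that holds an App installation token; the Link to pr step has the same shape, where a PR body containing a line `EOF` terminates the quoted heredoc early and the remainder of the body is executed. Pass event data through `env:` (as Link to pr already does for `featureBranch` and `prId`) and build the JSON with `jq -n --arg` so nothing attacker-controlled is spliced into script text. `permissions: write-all` is far broader than the `gh pr comment` / `gh pr close` calls need; `permissions: { pull-requests: write }` covers the only use of `GITHUB_TOKEN` in this job. Separately, `jq -r '.token'` prints the literal string `null` when the access-token request fails, so the `[[ -z "$token" ]]` guard never fires and later requests go out with `Bearer null`; use `token=$(jq -r '.token // empty' <<< "$resp")`.
```yaml
      - name: Dispatch
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
          PR_ID: ${{ github.event.pull_request.number }}
        run: |
          # Build the payload with jq so branch names/SHAs are JSON-escaped, never interpolated into shell text
          payload=$(jq -n --arg base "$BASE_SHA" --arg branch "$HEAD_REF" --arg pr_id "$PR_ID" \
            '{event_type: "on-priv-updated", client_payload: {base: $base, branch: $branch, pr_id: $pr_id}}')
          # … unchanged: curl -X POST … -d "$payload" …
```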
@@ -0,0 +1,81 @@ +name: dispatch-public-commits + +on: + push: + branches: + - 'main' + +jobs: + publish: + if: ${{ github.repository == 'ruflab/shimmer' }} + runs-on: ubuntu-latest + steps: + - name: Get token + id: get-token + run: | + # Client ID as first argument + client_id=${{ secrets.APP_CLIENT_ID }} + app_id=${{ secrets.APP_ID }} + + pem=$( cat <<'EOF' + ${{ secrets.APP_KEY }} + EOF + ) # file path of the private key as second argument + + now=$(date +%s) + iat=$((${now} - 60)) # Issues 60 seconds in the past + exp=$((${now} + 600)) # Expires 10 minutes in the future + + b64enc() { openssl base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n'; } + + header_json='{ + "typ":"JWT", + "alg":"RS256" + }' + # Header encode + header=$( echo -n "${header_json}" | b64enc ) + + payload_json="{ + \"iat\":${iat}, + \"exp\":${exp}, + \"iss\":\"${client_id}\" + }" + # Payload encode + payload=$( echo -n "${payload_json}" | b64enc ) + + # Signature + header_payload="${header}"."${payload}" + signature=$( + openssl dgst -sha256 -sign <(echo -n "${pem}") \ + <(echo -n "${header_payload}") | b64enc + ) + + #echo $header_payload + #echo $signature + + # Create JWT + JWT=$(printf '%s\n' "${header_payload}"."${signature}") + echo "::add-mask::$JWT" + + resp=$(curl --request POST \ + --url "https://api.github.com/app/installations/$app_id/access_tokens" \ + --header "Accept: application/vnd.github+json" \ + --header "Authorization: Bearer $JWT" \ + --header "X-GitHub-Api-Version: 2022-11-28" + ) + token=$(jq -r '.token' <<< $resp) + echo "::add-mask::$token" + if [[ -z "$token" ]]; then + echo "Could not fetch access token" + exit 1 + fi + echo "TOKEN=$token" >> "$GITHUB_OUTPUT" + - name: Dispatch + run: | + curl -L \ + -X POST \ + -H "Accept: application/vnd.github+json" \ + -H "Authorization: Bearer ${{ steps.get-token.outputs.TOKEN }}" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + "https://api.github.com/repos/${{ secrets.PRIVATE_REPO }}/dispatches" \ + -d 
'{"event_type":"on-pub-updated","client_payload":{}}' diff --git a/.github/workflows/docs-new-release.yml b/.github/workflows/docs-new-release.yml index 323327dc..f30fc6b7 100644 --- a/.github/workflows/docs-new-release.yml +++ b/.github/workflows/docs-new-release.yml @@ -12,6 +12,7 @@ permissions: jobs: build: runs-on: ubuntu-latest + if: github.repository == 'shimmer' steps: - uses: actions/checkout@v4 - uses: actions/setup-python@v5 diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 7fa8cfd2..6d00e8a4 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -11,6 +11,7 @@ permissions: jobs: build: runs-on: ubuntu-latest + if: github.repository == 'shimmer' steps: - uses: actions/checkout@v4 - uses: actions/setup-python@v5 @@ -54,6 +55,7 @@ jobs: deploy: needs: build runs-on: ubuntu-latest + if: github.repository == 'shimmer' permissions: pages: write id-token: write diff --git a/.github/workflows/fetch-internal-branch.yml b/.github/workflows/fetch-internal-branch.yml new file mode 100644 index 00000000..db1d1d1b --- /dev/null +++ b/.github/workflows/fetch-internal-branch.yml 
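Review bot: In the Get token step, `token=$(jq -r '.token' <<< $resp)` yields the literal string `null` when the `access_tokens` call returns an error body (bad JWT, wrong `APP_ID`, rotated key), so the `[[ -z "$token" ]]` guard never triggers and the Dispatch step sends `Authorization: Bearer null` instead of failing early; `token=$(jq -r '.token // empty' <<< "$resp")` makes the check work and also stops word-splitting of the unquoted `$resp`. The job declares no `permissions:` block, so it still receives the repository's default `GITHUB_TOKEN` grant although it never uses that token; `permissions: {}` at the job level removes it. The access-token request is sent with no body, so the returned installation token carries every permission the App has on every repository it is installed on; adding `-d '{"permissions":{"contents":"write"}}'` (plus a `repositories` list) in that request bounds the token to what a repository dispatch needs.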
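Review bot: `if: github.repository == 'shimmer'` on the `build` job can never be true, because `github.repository` is the `owner/name` slug; the dispatch workflows in this same change compare against `'ruflab/shimmer'`, so as written the release docs build is silently disabled in every repository. Change it to `if: github.repository == 'ruflab/shimmer'` (or compare `github.event.repository.name` if matching on the bare name was the intent). The rest of the `build` job lies outside the hunk.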
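Review bot: Both the `build` and `deploy` jobs gain `if: github.repository == 'shimmer'`, which never matches since `github.repository` is `owner/name` (the dispatch workflows in this commit use `'ruflab/shimmer'`), so the Pages build and deploy stop running everywhere. Use `if: github.repository == 'ruflab/shimmer'` on both jobs; because `deploy` already has `needs: build`, the guard on `deploy` is redundant once `build` is skipped, but harmless. Both job bodies extend past the hunks.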
@@ -0,0 +1,85 @@ +name: fetch-internal-branch + +on: + repository_dispatch: + types: ["on-priv-updated"] + +jobs: + publish: + runs-on: ubuntu-latest + steps: + - name: Get token + id: get-token + run: | + # Client ID as first argument + client_id=${{ secrets.APP_CLIENT_ID }} + app_id=${{ secrets.APP_ID }} + + pem=$( cat <<'EOF' + ${{ secrets.APP_KEY }} + EOF + ) # file path of the private key as second argument + + now=$(date +%s) + iat=$((${now} - 60)) # Issues 60 seconds in the past + exp=$((${now} + 600)) # Expires 10 minutes in the future + + b64enc() { openssl base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n'; } + + header_json='{ + "typ":"JWT", + "alg":"RS256" + }' + # Header encode + header=$( echo -n "${header_json}" | b64enc ) + + payload_json="{ + \"iat\":${iat}, + \"exp\":${exp}, + \"iss\":\"${client_id}\" + }" + # Payload encode + payload=$( echo -n "${payload_json}" | b64enc ) + + # Signature + header_payload="${header}"."${payload}" + signature=$( + openssl dgst -sha256 -sign <(echo -n "${pem}") \ + <(echo -n "${header_payload}") | b64enc + ) + + #echo $header_payload + #echo $signature + + # Create JWT + JWT=$(printf '%s\n' "${header_payload}"."${signature}") + echo "::add-mask::$JWT" + + resp=$(curl --request POST \ + --url "https://api.github.com/app/installations/$app_id/access_tokens" \ + --header "Accept: application/vnd.github+json" \ + --header "Authorization: Bearer $JWT" \ + --header "X-GitHub-Api-Version: 2022-11-28" + ) + token=$(jq -r '.token' <<< $resp) + echo "::add-mask::$token" + if [[ -z "$token" ]]; then + echo "Could not fetch access token" + exit 1 + fi + echo "TOKEN=$token" >> "$GITHUB_OUTPUT" + - uses: actions/checkout@v4 + with: + token: ${{ steps.get-token.outputs.TOKEN }} + - name: Add other remote + run: | + git remote add privrep https://github.com/${{ secrets.PRIVATE_REPO }} + featureBranch=${{ github.event.client_payload.branch }} + prId=${{ github.event.client_payload.pr_id }} + base_sha=${{ 
github.event.client_payload.base }} + localBranch="$featureBranch-$prId" + git fetch privrep $featureBranch + git checkout $base_sha + git switch -c $localBranch + git pull privrep $featureBranch --ff-only + git push origin $localBranch diff --git a/.github/workflows/fetch-public-commits.yml b/.github/workflows/fetch-public-commits.yml new file mode 100644 index 00000000..e2f24d5e --- /dev/null +++ b/.github/workflows/fetch-public-commits.yml 
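Review bot: In the Add other remote step, `${{ github.event.client_payload.branch }}`, `.pr_id` and `.base` are expanded unquoted straight into the shell script, so whatever a dispatcher puts in the payload becomes shell syntax; the branch value originates from a PR author's branch name in the private repository, and git ref names may contain `;`, `$(`, `|` and backticks, which is enough to run arbitrary commands in a job that holds an App installation token with push access to the public repository (and `actions/checkout` has persisted that token in `.git/config`). Move the three values into `env:`, quote every use, and validate them before use with `git check-ref-format --branch "$FEATURE_BRANCH"` plus numeric and 40-hex checks for the id and SHA. The branch pushed here is named `$featureBranch-$prId`, but the comment posted by dispatch-internal-pr-in-public links to `internal-$featureBranch-$prId`, so the compare link in the private PR points at a branch this workflow never creates; pick one name for both. The job also declares no `permissions:` block; `permissions: {}` makes explicit that `GITHUB_TOKEN` is not needed.
```yaml
      - name: Add other remote
        env:
          FEATURE_BRANCH: ${{ github.event.client_payload.branch }}
          PR_ID: ${{ github.event.client_payload.pr_id }}
          BASE_SHA: ${{ github.event.client_payload.base }}
          PRIVATE_REPO: ${{ secrets.PRIVATE_REPO }}
        run: |
          set -euo pipefail
          # Reject payload values that are not a well-formed ref, a PR number and a full SHA
          git check-ref-format --branch "$FEATURE_BRANCH"
          [[ "$PR_ID" =~ ^[0-9]+$ ]]
          [[ "$BASE_SHA" =~ ^[0-9a-f]{40}$ ]]
          git remote add privrep "https://github.com/$PRIVATE_REPO"
          localBranch="$FEATURE_BRANCH-$PR_ID"
          git fetch privrep "$FEATURE_BRANCH"
          git checkout "$BASE_SHA"
          git switch -c "$localBranch"
          git pull privrep "$FEATURE_BRANCH" --ff-only
          git push origin "$localBranch"
```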
@@ -0,0 +1,87 @@ +name: fetch-public-commits + +on: + repository_dispatch: + types: ["on-pub-updated"] + +jobs: + update: + runs-on: ubuntu-latest + steps: + - name: Get token + id: get-token + run: | + # Client ID as first argument + client_id=${{ secrets.APP_CLIENT_ID }} + app_id=${{ secrets.APP_ID }} + + pem=$( cat <<'EOF' + ${{ secrets.APP_KEY }} + EOF + ) # file path of the private key as second argument + + now=$(date +%s) + iat=$((${now} - 60)) # Issues 60 seconds in the past + exp=$((${now} + 600)) # Expires 10 minutes in the future + + b64enc() { openssl base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n'; } + + header_json='{ + "typ":"JWT", + "alg":"RS256" + }' + # Header encode + header=$( echo -n "${header_json}" | b64enc ) + + payload_json="{ + \"iat\":${iat}, + \"exp\":${exp}, + \"iss\":\"${client_id}\" + }" + # Payload encode + payload=$( echo -n "${payload_json}" | b64enc ) + + # Signature + header_payload="${header}"."${payload}" + signature=$( + openssl dgst -sha256 -sign <(echo -n "${pem}") \ + <(echo -n "${header_payload}") | b64enc + ) + + #echo $header_payload + #echo $signature + + # Create JWT + JWT=$(printf '%s\n' "${header_payload}"."${signature}") + echo "::add-mask::$JWT" + + resp=$(curl --request POST \ + --url "https://api.github.com/app/installations/$app_id/access_tokens" \ + --header "Accept: application/vnd.github+json" \ + --header "Authorization: Bearer $JWT" \ + --header "X-GitHub-Api-Version: 2022-11-28" + ) + token=$(jq -r '.token' <<< $resp) + echo "::add-mask::$token" + if [[ -z "$token" ]]; then + echo "Could not fetch access token" + exit 1 + fi + echo "TOKEN=$token" >> "$GITHUB_OUTPUT" + - uses: actions/checkout@v4 + with: + ref: public-clone + token: ${{ steps.get-token.outputs.TOKEN }} + - name: Update public-clone branch + run: | + git remote add pubrep https://github.com/${{ secrets.PUBLIC_REPO }} + git pull pubrep main --ff-only + git push + - name: Update main branch + run: | + git config user.name "github-actions" + git 
config user.email "github-actions@github.com" + git fetch origin main + git checkout -b main --track origin/main + git merge -m "merge public-clone branch" public-clone + git push diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 565d97d1..da895c0b 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -9,6 +9,7 @@ jobs: build: runs-on: ubuntu-latest + if: github.repository == 'shimmer' || github.event.push.ref != 'refs/heads/public-clone' || github.event.push.ref != 'refs/heads/main' steps: - uses: actions/checkout@v3
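Review bot: The Update public-clone branch step pulls from a public repository and the Update main branch step merges that into the private `main` and pushes it, all with an App installation token that was requested with an empty body and therefore carries the App's full permission set on every installed repository; the job also has no `permissions:` block. At minimum add `permissions: {}` at the job level and narrow the token in the Get token step by sending `"permissions":{"contents":"write"}` (and a `repositories` list) in the `access_tokens` request body. The bare `git push` in Update public-clone branch only works because `actions/checkout` persisted the installation token in `.git/config`; a comment `# push authenticates with the App token persisted by actions/checkout` would save the next reader a search. This Get token step is the fourth verbatim copy in this change; a composite action (or `actions/create-github-app-token`, if pinning an action is acceptable here) would leave one place to fix the `jq -r '.token'` guard, which as written accepts the literal `null`.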
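Review bot: The new `if:` on the `build` job is always true: `github.event.push` is not a field of the push event payload (the ref is `github.ref` or `github.event.ref`), so both `!=` comparisons run against null, and even with the right context a ref cannot equal both `refs/heads/public-clone` and `refs/heads/main`, so `a != x || a != y` holds for every ref; `'shimmer'` also never equals `github.repository`, which is `owner/name`. If the intent is "always run in the canonical repo, elsewhere skip the mirrored branches", write `if: github.repository == 'ruflab/shimmer' || (github.ref != 'refs/heads/public-clone' && github.ref != 'refs/heads/main')`. If this workflow also runs on `pull_request`, `github.ref` is the merge ref there, so the second clause only constrains pushes. The `build` job body continues outside the hunk.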