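# This workflow auto-approves the PR generated by the bump_version
# workflow, and moves the tag that was created in the PR's branch
# to develop.
#
# Trust boundary: this runs on `pull_request_target`, so it executes in
# the context of the BASE repository with access to secrets and a
# write-capable GITHUB_TOKEN. To keep that safe the job never checks out
# or runs anything from the PR head: it is gated on the PR author being
# the semgrep-ci app, and the only checkout is of `develop`, after the
# merge. Keep it that way when editing this file.
name: github-actions auto-approve

on: pull_request_target  # yamllint disable-line rule:truthy

# Least privilege for the default GITHUB_TOKEN: `pull-requests: write`
# for the review and merge, `contents: write` so the squash merge is
# permitted.
permissions:
  pull-requests: write
  contents: write

jobs:
  approve-bot:
    runs-on: ubuntu-latest
    # Only act on PRs opened by the release-bump app. Any other author
    # (including fork PRs) is ignored, so nothing third-party is ever
    # auto-approved or auto-merged by this job.
    if: ${{ github.event.pull_request.user.login == 'semgrep-ci[bot]' }}
    env:
      # Same PR for every `gh` step below; define it once.
      PR_URL: ${{ github.event.pull_request.html_url }}
    steps:
      - name: Approve
        run: gh pr review --approve "$PR_URL"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Wait until PR checks are done
        # Exits non-zero if a required check fails, which stops the job
        # before the merge step below runs.
        run: gh pr checks --required --watch "$PR_URL"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Merge PR
        run: gh pr merge --squash "$PR_URL"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      # Now we switch to semgrep-ci[bot] to actually be able to
      # move the tag we created in bump_version.yml from the
      # release branch to develop
      - id: jwt
        name: Get JWT for semgrep-ci GitHub App
        # This container is handed the app's PRIVATE KEY. A mutable
        # `:latest` tag means anyone who can push to that ECR repository
        # can replace the image and exfiltrate the key.
        # TODO(security): pin this image by its `@sha256:...` digest. The
        # digest is not recorded here, so the reference is left unchanged.
        uses: docker://public.ecr.aws/y9k7q4m1/devops/cicd:latest
        env:
          EXPIRATION: 600
          ISSUER: ${{ secrets.SEMGREP_CI_APP_ID }}
          PRIVATE_KEY: ${{ secrets.SEMGREP_CI_APP_KEY }}

      - id: token
        name: Get token for semgrep-ci GitHub App
        # Expression values are passed through `env` instead of being
        # interpolated into the script: `${{ }}` is substituted into the
        # script text before the shell runs, so a value containing shell
        # metacharacters (e.g. a JWT emitted by a compromised image) would
        # otherwise be executed as code.
        env:
          APP_JWT: ${{ steps.jwt.outputs.jwt }}
          INSTALLATION_ID: ${{ secrets.SEMGREP_CI_APP_INSTALLATION_ID }}
          REPO_NAME: ${{ github.event.repository.name }}
        run: |
          # Scope the installation token to this repository and to the
          # `contents` permission only; that is all the tag move needs.
          # The body is built with jq rather than string-concatenated.
          BODY="$(jq -cn --arg repo "$REPO_NAME" \
            '{repositories: [$repo], permissions: {contents: "write"}}')"
          # --fail: a non-2xx response fails the step here, instead of
          # `jq` turning the error JSON into a "null" token that only
          # blows up at checkout time.
          TOKEN="$(curl --silent --show-error --fail -X POST \
            -H "Authorization: Bearer ${APP_JWT}" \
            -H "Accept: application/vnd.github.v3+json" \
            -d "$BODY" \
            "https://api.github.com/app/installations/${INSTALLATION_ID}/access_tokens" | \
            jq -r .token)"
          # The default `run` shell is `bash -e` without pipefail, so a
          # failed curl would not abort the pipeline on its own.
          if [ -z "$TOKEN" ] || [ "$TOKEN" = "null" ]; then
            echo "::error::failed to obtain an installation token for the semgrep-ci app"
            exit 1
          fi
          echo "::add-mask::$TOKEN"
          echo "token=$TOKEN" >> "$GITHUB_OUTPUT"

      # Checkout happens after the merge so `develop` already contains
      # the squashed release commit. NOTE(review): `ref: develop` is a
      # branch, not a SHA, so anything pushed to develop between the merge
      # above and this step would be what gets tagged — confirm that is
      # acceptable or resolve the squash commit SHA explicitly.
      - uses: actions/checkout@v4
        with:
          ref: develop
          token: ${{ steps.token.outputs.token }}

      - name: Move tag to develop branch
        env:
          GITHUB_TOKEN: ${{ steps.token.outputs.token }}
        run: |
          CURR_VERSION=$(grep -o 'version=\"[0-9.]*\"' setup.py | sed "s/version=\"\([0-9.]*\)\"/\1/")
          # Without this guard an unmatched grep yields an empty string
          # (the pipeline's status is sed's, so `-e` does not catch it),
          # and the next line would try to delete a tag literally named "v".
          if [ -z "$CURR_VERSION" ]; then
            echo "::error::could not read version from setup.py"
            exit 1
          fi
          # We tagged the release branch first in bump_version.yml
          # to allow tests to pass; now moving it to develop so
          # it can be a part of its history
          git push --delete origin "v${CURR_VERSION}"
          git tag "v${CURR_VERSION}" HEAD
          git push origin tag "v${CURR_VERSION}"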