Workflow to auto-patch vendored Samba code

Since our vendored Samba code has a few patches, a good way to ensure we keep it in sync with upstream is to apply an auto-patch workflow where we take the original files and apply a series of patches to get the files to the final state. This way we ensure that we don't miss any of the changes that happen upstream. The implementation is self-explanatory for the most part, taking inspiration from our other automated PR workflows. Auto-merging is disabled to give maintainers the opportunity to review (and test) the changes before merging anything in. This means, in addition to vendoring the "final" versions in `./internal/policies/certificate`, we also need to vendor the upstream versions, and the series of patches to apply. As there's no reliable way to trigger this workflow only on upstream code changes (i.e. webhooks), the next best thing is to have the workflow run on schedule. We don't expect changes to the vendored part of our codebase given that it's been around 5-6 months since the last commits, so running it on a weekly cadence should suffice. I'm also leaving the `workflow_dispatch` trigger on in case we want to run it on demand. If the patching fails, the PR body will contain the hunks that failed to apply. In this case, the developer is expected to manually perform the actions of the workflow, updating the patches so they are applicable to the new Samba version. Fixes UDENG-1113
ubuntu · Aug 16, 2023 · ff32d16 · ff32d16
1 parent ac8b9f1
commit ff32d16
Show file tree

Hide file tree

Showing 2 changed files with 92 additions and 0 deletions.
diff --git a/.github/workflows/patch-vendored-samba.yaml b/.github/workflows/patch-vendored-samba.yaml
@@ -0,0 +1,91 @@
+name: Patch vendored Samba code
+
+on:
+  schedule:
+    - cron: '0 9 * * 1' # run on a weekly cadence
+  workflow_dispatch:
+
+env:
+  checkout_files: |
+    python/samba/gp/gp_cert_auto_enroll_ext.py
+    python/samba/gp/gpclass.py
+    python/samba/gp/util/logging.py
+
+jobs:
+  check-for-changes:
+    name: Check for changes in vendored code
+    runs-on: ubuntu-latest
+    outputs:
+      changed: ${{ steps.compute-diff.outputs.changed }}
+      samba-ref: ${{ steps.compute-diff.outputs.samba-ref }}
+    steps:
+      - uses: actions/checkout@v3
+      - name: Checkout Samba files
+        uses: actions/checkout@v3
+        with:
+          repository: samba-team/samba
+          sparse-checkout: ${{ env.checkout_files }}
+          sparse-checkout-cone-mode: false
+          path: samba-git
+      - name: Check for changes
+        id: compute-diff
+        run: |
+          echo "samba-ref=$(git -C samba-git rev-parse HEAD)" >> $GITHUB_OUTPUT
+          for file in $checkout_files; do
+            if ! diff -q samba-git/$file .github/samba/$file; then
+              echo "changed=true" >> $GITHUB_OUTPUT
+              break
+            fi
+          done
+      - name: Upload
+        if: ${{ steps.compute-diff.outputs.changed == 'true' }}
+        uses: actions/upload-artifact@v3
+        with:
+          name: samba
+          path: |
+            samba-git
+            !samba-git/.git
+
+  patch-vendored-code:
+    name: Patch vendored code
+    runs-on: ubuntu-latest
+    needs: check-for-changes
+    if: ${{ needs.check-for-changes.outputs.changed == 'true' }}
+    steps:
+      - uses: actions/checkout@v3
+      - name: Replace with updated Samba source
+        uses: actions/download-artifact@v3
+        with:
+          path: .github
+      - name: Prepare patch working directory
+        run: cp -a .github/samba samba-patched
+      - name: Prepare pull request body
+        run: echo 'Automated changes to vendored Samba code - [`${{ needs.check-for-changes.outputs.samba-ref }}`](https://github.com/samba-team/samba/tree/${{ needs.check-for-changes.outputs.samba-ref }})' > samba-patched/pr-body
+      - name: Apply patch series
+        run: patch -f -d samba-patched -r rejected --no-backup-if-mismatch -p1 < <(cat .github/samba/_patches/*.patch)
+      - name: Add rejected hunks to PR body
+        if: ${{ failure() }}
+        run: |
+          if [ -f samba-patched/rejected ]; then
+            echo "### Rejected hunks:" >> samba-patched/pr-body
+            echo '```patch' >> samba-patched/pr-body
+            cat samba-patched/rejected >> samba-patched/pr-body
+            echo '```' >> samba-patched/pr-body
+          else
+            echo "No rejected hunks, please check job output for failure details: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" >> samba-patched/pr-body
+          fi
+      - name: Replace vendored code
+        run: cp -a samba-patched/python/samba/* internal/policies/certificate/python/vendor_samba
+      - name: Create Pull Request
+        if: ${{ always() }}
+        uses: peter-evans/create-pull-request@v5
+        with:
+          commit-message: Auto update vendored Samba code
+          title: Auto update vendored Samba code
+          labels: automated pr
+          body-path: samba-patched/pr-body
+          add-paths: |
+            .github/samba/
+            internal/policies/certificate/python/vendor_samba/
+          branch: auto-update-samba
+          token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.gitignore b/.gitignore
@@ -41,3 +41,4 @@ debian/adsys-windows
 node_modules
 package-lock.json
 package.json
+samba-patched/