From c0a5024363af00c8316ab116bfbc52ade1f1a93c Mon Sep 17 00:00:00 2001
From: Mate Molnar
Date: Tue, 16 Jul 2024 15:58:10 +0200
Subject: [PATCH] BUILD-4175: use secrets from Vault
* Fix SQ issue Unexpected string concatenation
* Allow testing of the coverage update workflow by checking out all branches and referencing the SHA of the triggering event
* Fix repository url for coverage update
* Add a manual trigger for coverage update
---
 .github/workflows/update_coverage.yml | 23 +++++++++++++++----
 .../src/deployment/pullRequestIndexing.ts | 2 +-
 rspec-tools/rspec_tools/coverage.py | 2 +-
 3 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/update_coverage.yml b/.github/workflows/update_coverage.yml
index 7ab51f4bb5..12f97a209d 100644
--- a/.github/workflows/update_coverage.yml
+++ b/.github/workflows/update_coverage.yml
@@ -2,20 +2,33 @@ name: Update rule coverage on: schedule: - cron: '17 2 * * *' + workflow_dispatch: jobs: update_coverage: runs-on: ubuntu-latest + permissions: + id-token: write + contents: write + checks: read env: TMP_BRANCH: temporary/coverage_update steps: + - name: 'get secrets' + id: secrets + uses: SonarSource/vault-action-wrapper@v3 + with: + secrets: | + development/github/token/SonarSource-rspec-coverage token | coverage_github_token; + development/kv/data/slack token | slack_token; + - uses: actions/checkout@v4 with: persist-credentials: true - ref: master + fetch-depth: 0 path: 'rspec' - token: ${{ secrets.COVERAGE_GITHUB_TOKEN }} + token: ${{ fromJSON(steps.secrets.outputs.vault).coverage_github_token }} - uses: actions/setup-python@v4 with:
@@ -31,7 +44,7 @@ jobs: - name: 'Regenerate coverage information' env: - GITHUB_TOKEN: ${{ secrets.COVERAGE_GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).coverage_github_token }} id: gen-coverage working-directory: 'rspec/rspec-tools' run: |
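Review bot: `uses: SonarSource/vault-action-wrapper@v3` in the new `get secrets` step is referenced by a mutable tag, yet it is the step that is handed the job's OIDC identity (`id-token: write`) and returns every credential the rest of the job runs with; pinning it to a full commit SHA (`uses: SonarSource/vault-action-wrapper@<full-commit-sha> # v3`) keeps a moved tag from silently changing the code that handles those secrets. The values are read back through `fromJSON(steps.secrets.outputs.vault)`, which only stays out of the job log if the wrapper registers each value as masked — worth confirming against the wrapper's documentation, since a step output is not masked by default. Note that `persist-credentials: true` still leaves the Vault-issued token in the checkout's git config for every later step of the job; that was already true with `secrets.COVERAGE_GITHUB_TOKEN`, so it is only a reminder that the new source does not narrow that exposure.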
@@ -84,7 +97,7 @@ jobs: if: always() && steps.create-temp-branch.conclusion == 'success' uses: dawidd6/action-delete-branch@v3 with: - github_token: ${{ secrets.GITHUB_TOKEN}} + github_token: ${{ secrets.GITHUB_TOKEN }} branches: ${{ env.TMP_BRANCH}} - name: 'Fail if the change breaks CI'
@@ -96,7 +109,7 @@ jobs: - name: 'Notify on slack about the failure' if: ${{ failure() }} env: - SLACK_API_TOKEN: ${{ secrets.SLACK_API_TOKEN }} + SLACK_API_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).slack_token }} working-directory: 'rspec/rspec-tools' run: | pipenv run rspec-tools notify-failure-on-slack \
diff --git a/frontend/src/deployment/pullRequestIndexing.ts b/frontend/src/deployment/pullRequestIndexing.ts
index 756baa3ef6..12b4e9fe8b 100644
--- a/frontend/src/deployment/pullRequestIndexing.ts
+++ b/frontend/src/deployment/pullRequestIndexing.ts
@@ -31,7 +31,7 @@ export async function process_incomplete_rspecs(tmpRepoDir: string,
 const repo = await (() => {
 if (!fs.existsSync(path.join(tmpRepoDir, '.git'))) {
 if (process.env.GITHUB_TOKEN) {
- return Git.Clone.clone('https://' + process.env.GITHUB_TOKEN + '@github.com/SonarSource/rspec/', tmpRepoDir);
+ return Git.Clone.clone(`https://${process.env.GITHUB_TOKEN}@github.com/SonarSource/rspec/`, tmpRepoDir);
 } else {
 return Git.Clone.clone('https://github.com/SonarSource/rspec/', tmpRepoDir);
 }
diff --git a/rspec-tools/rspec_tools/coverage.py b/rspec-tools/rspec_tools/coverage.py
index c4d0399c46..2bba7e13d6 100644
--- a/rspec-tools/rspec_tools/coverage.py
+++ b/rspec-tools/rspec_tools/coverage.py
@@ -155,7 +155,7 @@ def checkout_repo(repo):
 git_url=f"https://github.com/SonarSource/{repo}"
 token=os.getenv('GITHUB_TOKEN')
 if token:
- git_url=f"https://{token}@github.com/SonarSource/{repo}"
+ git_url=f"https://oauth2:{token}@github.com/SonarSource/{repo}"
 if not os.path.exists(repo):
 return Repo.clone_from(git_url, repo)
 else:
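Review bot: `SLACK_API_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).slack_token }}` makes the failure notifier depend on the `get secrets` step, so when that step is the one that fails (Vault unreachable, OIDC trust broken, path renamed) `steps.secrets.outputs.vault` is empty, the `fromJSON` lookup either errors or yields no token, and this `if: ${{ failure() }}` step fails or is skipped instead of alerting — on a scheduled job that is the failure class nobody will otherwise see. Making the dependency explicit with `if: ${{ failure() && steps.secrets.outcome == 'success' }}` avoids a confusing second error, but the alert for a secrets-step failure itself still needs a token that does not come from Vault, or at least a second step that writes the outcome to the job summary. The job definition continues outside this hunk.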
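Review bot: The token is still embedded as the bare userinfo of the clone URL (`https://${process.env.GITHUB_TOKEN}@github.com/…`), so it is written verbatim into the `remote.origin.url` of the clone under `tmpRepoDir/.git/config` and may be echoed in any error nodegit raises that quotes the URL; the commit only swaps concatenation for a template literal and leaves that as it was. The sibling change in `rspec-tools/rspec_tools/coverage.py` moves the same URL shape to `oauth2:<token>` — if that was needed because the Vault-issued token is not accepted in the username-only form, this call needs the same treatment, `https://oauth2:${process.env.GITHUB_TOKEN}@github.com/SonarSource/rspec/`, otherwise the two entry points will behave differently with the same `GITHUB_TOKEN`. `process_incomplete_rspecs` starts before this hunk and continues after it.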
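Review bot: `git_url=f"https://oauth2:{token}@github.com/SonarSource/{repo}"` hands the token to git inside the URL, so it is persisted as `remote.origin.url` in the clone's `.git/config` and can surface in a `GitCommandError` message unless the installed GitPython version scrubs URL credentials from its error text. A header-based credential keeps it off disk: `Repo.clone_from(f"https://github.com/SonarSource/{repo}", repo, multi_options=[f"-c http.extraheader=AUTHORIZATION: basic {basic}"])` with `basic = base64.b64encode(f"oauth2:{token}".encode()).decode()` (stdlib `base64`), which is the same mechanism actions/checkout uses; the `else:` branch would need the same header on its fetches. `checkout_repo` continues past the `else:` at the end of the hunk.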