Skip to content

Commit

Permalink
Merge pull request #29325 from Expensify/revert-29233-revert-28773-re…
Browse files Browse the repository at this point in the history
…vert-28612-revert-28291-jpersaud_osbotify_reattempt

[NoQA] Reattempt using OSBotify installation token
  • Loading branch information
nkuoch authored Oct 11, 2023
2 parents 6542e09 + fe70e66 commit f681c2c
Show file tree
Hide file tree
Showing 6 changed files with 116 additions and 31 deletions.
53 changes: 53 additions & 0 deletions .github/actions/composite/setupGitForOSBotifyApp/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
# This is a duplicate for setupGitForOSBotify except we are using a Github App now for Github Authentication.
# GitHub Apps have higher rate limits. The reason this is being duplicated is because the existing action is still in use
# in open PRs/branches that aren't up to date with main and it ends up breaking action workflows as a result.
name: "Setup Git for OSBotify"
description: "Setup Git for OSBotify"

inputs:
GPG_PASSPHRASE:
description: "Passphrase used to decrypt GPG key"
required: true
OS_BOTIFY_APP_ID:
description: "Application ID for OS Botify"
required: true
OS_BOTIFY_PRIVATE_KEY:
description: "OS Botify's private key"
required: true

outputs:
# Do not try to use this for committing code. Use `secrets.OS_BOTIFY_COMMIT_TOKEN` instead
OS_BOTIFY_API_TOKEN:
description: Token to use for GitHub API interactions.
value: ${{ steps.generateToken.outputs.token }}

runs:
using: composite
steps:
- name: Decrypt OSBotify GPG key
run: cd .github/workflows && gpg --quiet --batch --yes --decrypt --passphrase=${{ inputs.GPG_PASSPHRASE }} --output OSBotify-private-key.asc OSBotify-private-key.asc.gpg
shell: bash

- name: Import OSBotify GPG Key
shell: bash
run: cd .github/workflows && gpg --import OSBotify-private-key.asc

- name: Set up git for OSBotify
shell: bash
run: |
git config user.signingkey 367811D53E34168C
git config commit.gpgsign true
git config user.name OSBotify
git config user.email [email protected]
- name: Enable debug logs for git
shell: bash
if: runner.debug == '1'
run: echo "GIT_TRACE=true" >> "$GITHUB_ENV"

- name: Generate a token
id: generateToken
uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
with:
app_id: ${{ inputs.OS_BOTIFY_APP_ID }}
private_key: ${{ inputs.OS_BOTIFY_PRIVATE_KEY }}
8 changes: 5 additions & 3 deletions .github/workflows/cherryPick.yml
Original file line number Diff line number Diff line change
Expand Up @@ -41,15 +41,17 @@ jobs:
token: ${{ secrets.OS_BOTIFY_TOKEN }}

- name: Set up git for OSBotify
uses: Expensify/App/.github/actions/composite/setupGitForOSBotify@main
uses: ./.github/actions/composite/setupGitForOSBotifyApp
with:
GPG_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
OS_BOTIFY_APP_ID: ${{ secrets.OS_BOTIFY_APP_ID }}
OS_BOTIFY_PRIVATE_KEY: ${{ secrets.OS_BOTIFY_PRIVATE_KEY }}

- name: Get previous app version
id: getPreviousVersion
uses: Expensify/App/.github/actions/javascript/getPreviousVersion@main
with:
SEMVER_LEVEL: 'PATCH'
SEMVER_LEVEL: "PATCH"

- name: Fetch history of relevant refs
run: |
Expand Down Expand Up @@ -119,7 +121,7 @@ jobs:
env:
GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}

- name: 'Announces a CP failure in the #announce Slack room'
- name: "Announces a CP failure in the #announce Slack room"
uses: 8398a7/action-slack@v3
if: ${{ failure() }}
with:
Expand Down
25 changes: 18 additions & 7 deletions .github/workflows/createNewVersion.yml
Original file line number Diff line number Diff line change
Expand Up @@ -26,12 +26,18 @@ on:
LARGE_SECRET_PASSPHRASE:
description: Passphrase used to decrypt GPG key
required: true
OS_BOTIFY_TOKEN:
description: Token for the OSBotify user
required: true
SLACK_WEBHOOK:
description: Webhook used to comment in slack
required: true
OS_BOTIFY_COMMIT_TOKEN:
description: OSBotify personal access token, used to workaround committing to protected branch
required: true
OS_BOTIFY_APP_ID:
description: Application ID for OS Botify App
required: true
OS_BOTIFY_PRIVATE_KEY:
description: OSBotify private key
required: true

jobs:
validateActor:
Expand All @@ -43,7 +49,7 @@ jobs:
id: getUserPermissions
run: echo "PERMISSION=$(gh api /repos/${{ github.repository }}/collaborators/${{ github.actor }}/permission | jq -r '.permission')" >> "$GITHUB_OUTPUT"
env:
GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}
GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_COMMIT_TOKEN }}

createNewVersion:
runs-on: macos-latest
Expand All @@ -65,18 +71,23 @@ jobs:
uses: actions/checkout@v3
with:
ref: main
token: ${{ secrets.OS_BOTIFY_TOKEN }}
# The OS_BOTIFY_COMMIT_TOKEN is a personal access token tied to osbotify
# This is a workaround to allow pushes to a protected branch
token: ${{ secrets.OS_BOTIFY_COMMIT_TOKEN }}

- name: Setup git for OSBotify
uses: Expensify/App/.github/actions/composite/setupGitForOSBotify@main
uses: ./.github/actions/composite/setupGitForOSBotifyApp
id: setupGitForOSBotify
with:
GPG_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
OS_BOTIFY_APP_ID: ${{ secrets.OS_BOTIFY_APP_ID }}
OS_BOTIFY_PRIVATE_KEY: ${{ secrets.OS_BOTIFY_PRIVATE_KEY }}

- name: Generate version
id: bumpVersion
uses: Expensify/App/.github/actions/javascript/bumpVersion@main
with:
GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}
GITHUB_TOKEN: ${{ steps.setupGitForOSBotify.outputs.OS_BOTIFY_API_TOKEN }}
SEMVER_LEVEL: ${{ inputs.SEMVER_LEVEL }}

- name: Commit new version
Expand Down
33 changes: 19 additions & 14 deletions .github/workflows/deploy.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,16 +9,18 @@ jobs:
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/staging'
steps:
- uses: ./.github/actions/composite/setupGitForOSBotifyApp
id: setupGitForOSBotify
with:
GPG_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
OS_BOTIFY_APP_ID: ${{ secrets.OS_BOTIFY_APP_ID }}
OS_BOTIFY_PRIVATE_KEY: ${{ secrets.OS_BOTIFY_PRIVATE_KEY }}

- name: Checkout staging branch
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
with:
ref: staging
token: ${{ secrets.OS_BOTIFY_TOKEN }}

- name: Setup git for OSBotify
uses: Expensify/App/.github/actions/composite/setupGitForOSBotify@main
with:
GPG_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
token: ${{ steps.setupGitForOSBotify.outputs.OS_BOTIFY_API_TOKEN }}

- name: Tag version
run: git tag "$(npm run print-version --silent)"
Expand All @@ -30,16 +32,19 @@ jobs:
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/production'
steps:
- uses: ./.github/actions/composite/setupGitForOSBotifyApp
id: setupGitForOSBotify
with:
GPG_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
OS_BOTIFY_APP_ID: ${{ secrets.OS_BOTIFY_APP_ID }}
OS_BOTIFY_PRIVATE_KEY: ${{ secrets.OS_BOTIFY_PRIVATE_KEY }}

- uses: actions/checkout@v3
- name: Checkout
uses: actions/checkout@v3
with:
ref: production
token: ${{ secrets.OS_BOTIFY_TOKEN }}

- name: Setup git for OSBotify
uses: Expensify/App/.github/actions/composite/setupGitForOSBotify@main
with:
GPG_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
token: ${{ steps.setupGitForOSBotify.outputs.OS_BOTIFY_API_TOKEN }}

- name: Get current app version
run: echo "PRODUCTION_VERSION=$(npm run print-version --silent)" >> "$GITHUB_ENV"
Expand All @@ -49,7 +54,7 @@ jobs:
uses: Expensify/App/.github/actions/javascript/getDeployPullRequestList@main
with:
TAG: ${{ env.PRODUCTION_VERSION }}
GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}
GITHUB_TOKEN: ${{ steps.setupGitForOSBotify.outputs.OS_BOTIFY_API_TOKEN }}
IS_PRODUCTION_DEPLOY: true

- name: Generate Release Body
Expand All @@ -64,4 +69,4 @@ jobs:
tag_name: ${{ env.PRODUCTION_VERSION }}
body: ${{ steps.getReleaseBody.outputs.RELEASE_BODY }}
env:
GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}
GITHUB_TOKEN: ${{ steps.setupGitForOSBotify.outputs.OS_BOTIFY_API_TOKEN }}
24 changes: 18 additions & 6 deletions .github/workflows/finishReleaseCycle.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,13 @@ jobs:
outputs:
isValid: ${{ fromJSON(steps.isDeployer.outputs.IS_DEPLOYER) && !fromJSON(steps.checkDeployBlockers.outputs.HAS_DEPLOY_BLOCKERS) }}
steps:
- uses: ./.github/actions/composite/setupGitForOSBotifyApp
id: setupGitForOSBotify
with:
GPG_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
OS_BOTIFY_APP_ID: ${{ secrets.OS_BOTIFY_APP_ID }}
OS_BOTIFY_PRIVATE_KEY: ${{ secrets.OS_BOTIFY_PRIVATE_KEY }}

- name: Validate actor is deployer
id: isDeployer
run: |
Expand All @@ -21,13 +28,13 @@ jobs:
echo "IS_DEPLOYER=false" >> "$GITHUB_OUTPUT"
fi
env:
GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}
GITHUB_TOKEN: ${{ steps.setupGitForOSBotify.outputs.OS_BOTIFY_API_TOKEN }}

- name: Reopen and comment on issue (not a team member)
if: ${{ !fromJSON(steps.isDeployer.outputs.IS_DEPLOYER) }}
uses: Expensify/App/.github/actions/javascript/reopenIssueWithComment@main
with:
GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}
GITHUB_TOKEN: ${{ steps.setupGitForOSBotify.outputs.OS_BOTIFY_API_TOKEN }}
ISSUE_NUMBER: ${{ github.event.issue.number }}
COMMENT: |
Sorry, only members of @Expensify/Mobile-Deployers can close deploy checklists.
Expand All @@ -38,14 +45,14 @@ jobs:
id: checkDeployBlockers
uses: Expensify/App/.github/actions/javascript/checkDeployBlockers@main
with:
GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}
GITHUB_TOKEN: ${{ steps.setupGitForOSBotify.outputs.OS_BOTIFY_API_TOKEN }}
ISSUE_NUMBER: ${{ github.event.issue.number }}

- name: Reopen and comment on issue (has blockers)
if: ${{ fromJSON(steps.isDeployer.outputs.IS_DEPLOYER) && fromJSON(steps.checkDeployBlockers.outputs.HAS_DEPLOY_BLOCKERS || 'false') }}
uses: Expensify/App/.github/actions/javascript/reopenIssueWithComment@main
with:
GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}
GITHUB_TOKEN: ${{ steps.setupGitForOSBotify.outputs.OS_BOTIFY_API_TOKEN }}
ISSUE_NUMBER: ${{ github.event.issue.number }}
COMMENT: |
This issue either has unchecked items or has not yet been marked with the `:shipit:` emoji of approval.
Expand All @@ -70,9 +77,12 @@ jobs:
token: ${{ secrets.OS_BOTIFY_TOKEN }}

- name: Setup Git for OSBotify
uses: Expensify/App/.github/actions/composite/setupGitForOSBotify@main
id: setupGitForOSBotify
uses: ./.github/actions/composite/setupGitForOSBotifyApp
with:
GPG_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
OS_BOTIFY_APP_ID: ${{ secrets.OS_BOTIFY_APP_ID }}
OS_BOTIFY_PRIVATE_KEY: ${{ secrets.OS_BOTIFY_PRIVATE_KEY }}

- name: Update production branch
run: |
Expand Down Expand Up @@ -109,9 +119,11 @@ jobs:
token: ${{ secrets.OS_BOTIFY_TOKEN }}

- name: Setup Git for OSBotify
uses: Expensify/App/.github/actions/composite/setupGitForOSBotify@main
uses: ./.github/actions/composite/setupGitForOSBotifyApp
with:
GPG_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
OS_BOTIFY_APP_ID: ${{ secrets.OS_BOTIFY_APP_ID }}
OS_BOTIFY_PRIVATE_KEY: ${{ secrets.OS_BOTIFY_PRIVATE_KEY }}

- name: Update staging branch to trigger staging deploy
run: |
Expand Down
4 changes: 3 additions & 1 deletion .github/workflows/preDeploy.yml
Original file line number Diff line number Diff line change
Expand Up @@ -92,9 +92,11 @@ jobs:
token: ${{ secrets.OS_BOTIFY_TOKEN }}

- name: Setup Git for OSBotify
uses: Expensify/App/.github/actions/composite/setupGitForOSBotify@main
uses: ./.github/actions/composite/setupGitForOSBotifyApp
with:
GPG_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
OS_BOTIFY_APP_ID: ${{ secrets.OS_BOTIFY_APP_ID }}
OS_BOTIFY_PRIVATE_KEY: ${{ secrets.OS_BOTIFY_PRIVATE_KEY }}

- name: Update staging branch from main
run: |
Expand Down

0 comments on commit f681c2c

Please sign in to comment.