From 96d73a75be1053ff1bda465d0d27435df4821f7d Mon Sep 17 00:00:00 2001
From: Aaron Lu <50029043+aalu1418@users.noreply.github.com>
Date: Wed, 21 Feb 2024 08:08:41 -0700
Subject: [PATCH] feature: gha commit signing (#594)
* commit signing for solana image bump
* commit signing for e2e test dep bump
* add changes check
* testing shared logic
* shared logic for testing deps
* disable on push
---
 .github/workflows/dependency-updates.yml | 138 +++++++----------------
 .github/workflows/open-pr.yml | 74 ++++++++++++
 2 files changed, 116 insertions(+), 96 deletions(-)
 create mode 100644 .github/workflows/open-pr.yml
diff --git a/.github/workflows/dependency-updates.yml b/.github/workflows/dependency-updates.yml
index 04cf968e5..52ac166c6 100644
--- a/.github/workflows/dependency-updates.yml
+++ b/.github/workflows/dependency-updates.yml
@@ -6,102 +6,48 @@ on:

 jobs:
 E2E-Solana-Image:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v3 # checkout branch that it is called from
- - name: Check for solana image updates
- id: solImage
- run: |
- make upgrade-e2e-solana-image
- image=$(curl https://api.github.com/repos/solana-labs/solana/releases/latest | jq -r '.tag_name')
- echo "image=$image" >> "$GITHUB_OUTPUT"
- - name: Check if PR exists
- id: check
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: |
- prs=$(gh pr list \
- --repo "$GITHUB_REPOSITORY" \
- --head "bump/solana-${{ steps.solImage.outputs.image }}" \
- --json title \
- --jq 'length')
- if ((prs > 0)); then
- echo "skip=true" >> "$GITHUB_OUTPUT"
- fi
- - name: Create pull request
- if: '!steps.check.outputs.skip'
- uses: peter-evans/create-pull-request@b1ddad2c994a25fbc81a28b3ec0e368bb2021c50 # v6.0.0
- with:
- title: "[automated] bump solana image to ${{ steps.solImage.outputs.image }}"
- branch: bump/solana-${{ steps.solImage.outputs.image }}
- author: "github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>"
- reviewers: aalu1418
- commit-message: "[automated] bump solana dependencies"
- body: |
- Latest Solana mainnet release is [\"${{ steps.solImage.outputs.image }}\"](https://github.com/solana-labs/solana/releases/latest)
- (run CI by closing + reopening PR)
+ uses: ./.github/workflows/open-pr.yml
+ with:
+ reviewers: aalu1418
+ run: |
+ make upgrade-e2e-solana-image
+ image=$(curl https://api.github.com/repos/solana-labs/solana/releases/latest | jq -r '.tag_name')
+
+ # outputs
+ echo "name=bump/solana-$image" >> "$GITHUB_OUTPUT"
+ echo "prTitle=[automated] bump solana image to $image" >> "$GITHUB_OUTPUT"
+ echo "prBody=(run CI by closing + reopening PR) Latest Solana mainnet release is [$image](https://github.com/solana-labs/solana/releases/latest)" >> "$GITHUB_OUTPUT"
+ echo "commitString=[automated] bump solana dependencies" >> "$GITHUB_OUTPUT"
+ secrets: inherit
 E2E-Testing-Dependencies:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v3
- - name: Setup go
- uses: actions/setup-go@v3
- with:
- go-version-file: "go.mod"
- check-latest: true
- cache: true
- # ------ Get CTF version from core ------------
- - uses: actions/checkout@v3
- with:
- repository: smartcontractkit/chainlink
- ref: develop
- path: ./chainlink
- - name: Check CTF version in core
- id: coreCTF
- working-directory: ./chainlink
- run: |
- cd integration-tests
- version=$(go list -m github.com/smartcontractkit/chainlink-testing-framework | awk '{print $NF}')
- echo "chainlink/integration-tests CTF: $version"
- echo "version=$version" >> "$GITHUB_OUTPUT"
- cd ../../
- rm -rf chainlink
- # -------- Compare to chainlink-solana/integration-tests --------------
- - name: Check CTF version in chainlink-solana
- id: solanaCTF
- run: |
- cd integration-tests
- version=$(go list -m github.com/smartcontractkit/chainlink-testing-framework | awk '{print $NF}')
- echo "chainlink-solana/integrationt-tests CTF: $version"
- echo "version=$version" >> "$GITHUB_OUTPUT"
- - name: Update integration test dependencies
- if: ${{ steps.coreCTF.outputs.version != steps.solanaCTF.outputs.version }}
- run: |
+ uses: ./.github/workflows/open-pr.yml
+ with:
+ reviewers: aalu1418
+ run: |
+
+ # get CTF version in core
+ git clone https://github.com/smartcontractkit/chainlink.git temp-chainlink
+ cd temp-chainlink/integration-tests
+ coreVersion=$(go list -m github.com/smartcontractkit/chainlink-testing-framework | awk '{print $NF}')
+ cd ../../
+ rm -rf temp-chainlink
+ echo "chainlink/integration-tests CTF: $coreVersion"
+
+ # get CTF version in solana
+ cd integration-tests
+ solVersion=$(go list -m github.com/smartcontractkit/chainlink-testing-framework | awk '{print $NF}')
+ echo "chainlink-solana/integration-tests CTF: $solVersion"
+ cd ../
+
+ # compare versions
+ if [[ $coreVersion != $solVersion ]]; then
 make upgrade-e2e-core-deps
 make gomodtidy
- # --------- Build PR if necessary
--------------------
- - name: Check if PR exists
- id: check
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: |
- prs=$(gh pr list \
- --repo "$GITHUB_REPOSITORY" \
- --head "bump/e2e-test-deps-${{ steps.coreCTF.outputs.version }}" \
- --json title \
- --jq 'length')
- if ((prs > 0)); then
- echo "skip=true" >> "$GITHUB_OUTPUT"
- fi
- - name: Create pull request
- if: '!steps.check.outputs.skip'
- uses: peter-evans/create-pull-request@b1ddad2c994a25fbc81a28b3ec0e368bb2021c50 # v6.0.0
- with:
- title: "[automated] bump e2e test deps to match chainlink/integration-tests"
- branch: bump/e2e-test-deps-${{ steps.coreCTF.outputs.version }}
- author: "github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>"
- reviewers: aalu1418
- commit-message: "[automated] bump e2e <> core/integration-tests dependencies"
- body: |
- chainlink/integration-tests uses chainlink-testing-framework@${{ steps.coreCTF.outputs.version }}
- (run CI by closing + reopening PR)
+ fi
+
+ # outputs
+ echo "name=bump/e2e-deps-$coreVersion" >> "$GITHUB_OUTPUT"
+ echo "prTitle=[automated] bump e2e test deps to match chainlink/integration-tests" >> "$GITHUB_OUTPUT"
+ echo "prBody=(run CI by closing + reopening PR) chainlink/integration-tests uses chainlink-testing-framework@$coreVersion" >> "$GITHUB_OUTPUT"
+ echo "commitString=[automated] bump e2e <> core/integration-tests dependencies" >> "$GITHUB_OUTPUT"
+ secrets: inherit
diff --git a/.github/workflows/open-pr.yml b/.github/workflows/open-pr.yml
new file mode 100644
index 000000000..f9f1fc20a
--- /dev/null
+++ b/.github/workflows/open-pr.yml
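Review bot: In dependency-updates.yml, the `E2E-Solana-Image` `run:` input writes `$image` into `$GITHUB_OUTPUT` as the branch name, PR title and PR body without checking it, although the value is whatever the unauthenticated `curl … | jq -r '.tag_name'` pipeline printed. A failed or rate-limited request leaves `image` empty or `null` (curl has no `-f`, and unless pipefail is set the pipeline's status is jq's), and the tag is third-party-controlled text that open-pr.yml later expands into shell commands. I would fetch with `curl -fsSL` and stop on anything unexpected, for example `[[ "$image" =~ ^v[0-9]+(\.[0-9]+)+$ ]] || { echo "unexpected tag: $image"; exit 1; }` (pattern constructed here, adjust to the real tag scheme); the same kind of check applies to `$coreVersion` in `E2E-Testing-Dependencies`. `secrets: inherit` on both jobs also hands every repository secret to a workflow that reads only `GITHUB_TOKEN`, so it looks droppable, which is worth confirming.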
@@ -0,0 +1,74 @@
+name: Open PR With Signed Commit
+
+on:
+ workflow_call:
+ inputs:
+ run:
+ required: true
+ type: string
+ reviewers:
+ required: false
+ type: string
+
+jobs:
+ create-commits-and-pr:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3 # checkout branch that it is called from
+ - uses: actions/setup-go@v3
+ with:
+ go-version-file: "go.mod"
+ check-latest: true
+ cache: true
+ - name: Run changes
+ id: run
+ run: ${{ inputs.run }}
+ - run: |
+ echo "must have branch name output set"
+ exit 1
+ if: '!steps.run.outputs.name'
+ - name: Check if changes + PR exists
+ id: check
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ prs=$(gh pr list \
+ --repo "$GITHUB_REPOSITORY" \
+ --head "${{ steps.run.outputs.name }}" \
+ --json title \
+ --jq 'length')
+ if ((prs > 0)) || [ -z "$(git status --porcelain)" ]; then
+ echo "skip=true" >> "$GITHUB_OUTPUT"
+ fi
+ - name: "Create new branch if needed"
+ id: branch
+ if: '!steps.check.outputs.skip'
+ env:
+ SHA: ${{ github.head_ref || github.ref_name }}
+ run: |
+ echo "original=$SHA" >> "$GITHUB_OUTPUT"
+ git branch "${{ steps.run.outputs.name }}"
+ git push origin "${{ steps.run.outputs.name }}"
+ - uses: planetscale/ghcommit-action@v0.1.33
+ if: '!steps.check.outputs.skip'
+ with:
+ commit_message: ${{ steps.run.outputs.commitString }}
+ repo: ${{ github.repository }}
+ branch: "${{ steps.run.outputs.name }}"
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: "Cleanup branch"
+ if: '!steps.check.outputs.skip'
+ run: |
+ git reset --hard
+ git branch --set-upstream-to=origin/${{ steps.run.outputs.name }}
+ git pull
+ - name: Create pull request
+ if: '!steps.check.outputs.skip'
+ uses: peter-evans/create-pull-request@b1ddad2c994a25fbc81a28b3ec0e368bb2021c50 # v6.0.0
+ with:
+ title: ${{ steps.run.outputs.prTitle }}
+ base: ${{ steps.branch.outputs.original }}
+ branch: ${{ steps.run.outputs.name }}
+ reviewers: ${{ inputs.reviewers }}
+ body: ${{ steps.run.outputs.prBody }}
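Review bot: The `Check if changes + PR exists`, `Create new branch if needed` and `Cleanup branch` steps paste `${{ steps.run.outputs.name }}` straight into their `run:` scripts, so the branch name becomes part of the script text before bash parses it, and the callers build that name from a release tag and a `go list` version. Pass it through the environment instead: add `BRANCH: ${{ steps.run.outputs.name }}` under each step's `env:` and use `--head "$BRANCH"`, `git branch "$BRANCH"`, `git push origin "$BRANCH"` and `--set-upstream-to="origin/$BRANCH"`, the way `SHA` is already handled. `planetscale/ghcommit-action@v0.1.33` is referenced by a mutable tag while `peter-evans/create-pull-request` is pinned to a commit; pinning it the same way (`@<commit-sha> # v0.1.33`) keeps the step that writes commits with `GITHUB_TOKEN` from changing underneath the workflow. The job also declares no `permissions:`, so the token's scope is whatever the caller or the repository default grants.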