From a69a78db465bfe0de65726b07b07779ec9d0362a Mon Sep 17 00:00:00 2001
From: chainchad <96362174+chainchad@users.noreply.github.com>
Date: Fri, 12 Jan 2024 08:36:25 -0500
Subject: [PATCH] Run Argo CD app sync after image is published from PR (#11750)

* Run Argo CD app sync after image is published from PR
* Add test file
* Set name to capitlized to avoid masking
* Use gh cli instead of curl to get PR labels
* Fix comment
* Fix jq to work with gh cli
* Set GH token as an env var for the cli
* Combine labels to one line, comma delimited
* Make comment valid
---
 .github/workflows/build-publish-pr.yml | 50 ++++++++++++++++++++++++--
 test.txt | 0
 2 files changed, 48 insertions(+), 2 deletions(-)
 create mode 100644 test.txt

diff --git a/.github/workflows/build-publish-pr.yml b/.github/workflows/build-publish-pr.yml
index cdc9cf3f11c..fd5533c1b5b 100644
--- a/.github/workflows/build-publish-pr.yml
+++ b/.github/workflows/build-publish-pr.yml
@@ -2,8 +2,8 @@ name: "Build and Publish from PR"
 
 ##
 # This workflow builds and publishes a Docker image for Chainlink from a PR.
-# It doesn't use an environment, has its own special IAM role, does not sign
-# the image, and publishes to a special ECR repo.
+# It has its own special IAM role, does not sign the image, and publishes to
+# a special ECR repo.
 ##
 
 on:
@@ -13,6 +13,7 @@ jobs:
 build-publish-untrusted:
 if: ${{ ! startsWith(github.ref_name, 'release/') }}
 runs-on: ubuntu-20.04
+ environment: sdlc
 permissions:
 id-token: write
 contents: read
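Review bot: Adding `environment: sdlc` to the `build-publish-untrusted` job makes any secrets scoped to that environment, and the environment-based OIDC subject, available to every step of a job that builds code from the pull request, not only to the new Argo CD steps. The header comment removed by this same commit said the workflow did not use an environment, and nothing in the new comment records why that changed. If the environment is needed only for the sync, consider moving the Setup GAP and Argo CD App Sync steps into a separate job with `needs: build-publish-untrusted` and `environment: sdlc`, so the build job keeps its narrower scope. The job body continues outside this hunk, so whether other steps depend on the environment cannot be seen from here.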
@@ -53,6 +54,51 @@ jobs:
 dockerhub_username: ${{ secrets.DOCKERHUB_READONLY_USERNAME }}
 dockerhub_password: ${{ secrets.DOCKERHUB_READONLY_PASSWORD }}
 
+ - name: Get PR labels
+ id: pr-labels
+ env:
+ GH_TOKEN: ${{ github.token }}
+ PR_NUMBER: ${{ github.event.number }}
+ run: |
+ RESPONSE=$(gh pr view ${PR_NUMBER} --json labels)
+ # Check if the labels command was successful
+ if [[ $? -ne 0 ]]; then
+ echo "Error fetching labels"
+ exit 1
+ fi
+ echo "RESPONSE=${RESPONSE}"
+ LABELS=$(echo "$RESPONSE" | jq -r '.labels | map(.name) | join(", ")')
+ # Check if any labels were found
+ if [[ -z "${LABELS:-}" ]]; then
+ echo "No labels found"
+ else
+ echo "labels=${LABELS}" | tee -a "${GITHUB_OUTPUT}"
+ fi
+
+ - name: Setup GAP
+ if: contains(steps.pr-labels.outputs.labels, 'crib')
+ uses: smartcontractkit/.github/actions/setup-gap@main
+ with:
+ aws-region: ${{ secrets.AWS_REGION }}
+ aws-role-arn: ${{ secrets.AWS_OIDC_IAM_ROLE_PUBLISH_PR_ARN }}
+ api-gateway-host: ${{ secrets.AWS_API_GW_HOST_ARGO_SAND }}
+ use-argocd: "true"
+ argocd-user: ${{ secrets.ARGOCD_USER_SAND }}
+ argocd-pass: ${{ secrets.ARGOCD_PASS_SAND }}
+
+ # Run an Argo CD sync after the image is built.
+ - name: Argo CD App Sync
+ if: contains(steps.pr-labels.outputs.labels, 'crib')
+ shell: bash
+ env:
+ PR_NUMBER: ${{ github.event.number }}
+ run: |
+ argocd app sync \
+ --plaintext \
+ --grpc-web \
+ --async \
+ "crib-chainlink-${PR_NUMBER}"
+
 - name: Collect Metrics
 if: always()
 id: collect-gha-metrics
diff --git a/test.txt b/test.txt
new file mode 100644
index 00000000000..e69de29bb2d
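Review bot: `uses: smartcontractkit/.github/actions/setup-gap@main` in the Setup GAP step follows a mutable branch while the step is handed `AWS_OIDC_IAM_ROLE_PUBLISH_PR_ARN`, `ARGOCD_USER_SAND` and `ARGOCD_PASS_SAND`; pinning it to a full commit SHA, `uses: smartcontractkit/.github/actions/setup-gap@<full-commit-sha>`, keeps a later change on that branch from running with these credentials. The `crib` gate on both new steps is a substring test on the comma-joined label string, so any label whose name merely contains `crib` enables the sync. If the trigger is `pull_request` (the `on:` block is outside this hunk), `if: contains(github.event.pull_request.labels.*.name, 'crib')` matches the exact label and makes the Get PR labels step unnecessary. A comment next to `--plaintext` saying why TLS is off for the `argocd` call, presumably because traffic goes through the GAP proxy, would let the next reviewer confirm that it is intended.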