2021-07-16 12:48:47 +03:00 · 2021-07-16 12:48:47 +03:00 · f569c38ea9
commit f569c38ea9
parent e778771f2b
10 changed files with 164 additions and 252 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -48,21 +48,3 @@ jobs:
      - uses: codespell-project/actions-codespell@master
        with:
          skip: ./.git,build
-
-  schutzbot:
-    name: "🍌 Trigger Schutzbot"
-    runs-on: ubuntu-latest
-    container:
-      image: docker.io/library/python:3.7
-    steps:
-      - uses: actions/checkout@v2
-      - name: Trigger Schutzbot
-        env:
-          EVENT_NAME: ${{ github.event_name }}
-          WEBHOOK_PAYLOAD: ${{ toJSON(github.event) }}
-          SQS_REGION: us-east-1
-          SQS_QUEUE_URL: "https://sqs.us-east-1.amazonaws.com/933752197999/schutzbot_webhook_sqs-staging"
-        run: |
-          #!/bin/bash
-          pip3 install boto3 botocore
-          schutzbot/send_webhook.py
--- a/.github/workflows/trigger-gitlab.yml
+++ b/.github/workflows/trigger-gitlab.yml
@ -0,0 +1,57 @@
+# inspired by rhinstaller/anaconda
+
+name: Trigger GitLab CI
+on: [push, pull_request_target]
+
+jobs:
+  pr-info:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Query author repository permissions
+        uses: octokit/request-action@v2.x
+        id: user_permission
+        with:
+          route: GET /repos/${{ github.repository }}/collaborators/${{ github.event.sender.login }}/permission
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      # restrict running of tests to users with admin or write permission for the repository
+      # see https://docs.github.com/en/free-pro-team@latest/rest/reference/repos#get-repository-permissions-for-a-user
+      # store output if user is allowed in allowed_user job output so it has to be checked in downstream job
+      - name: Check if user does have correct permissions
+        if: contains('admin write', fromJson(steps.user_permission.outputs.data).permission)
+        id: check_user_perm
+        run: |
+          echo "User '${{ github.event.sender.login }}' has permission '${{ fromJson(steps.user_permission.outputs.data).permission }}' allowed values: 'admin', 'write'"
+          echo "::set-output name=allowed_user::true"
+
+    outputs:
+      allowed_user: ${{ steps.check_user_perm.outputs.allowed_user }}
+
+  trigger-gitlab:
+    needs: pr-info
+    if: needs.pr-info.outputs.allowed_user == 'true'
+    runs-on: ubuntu-latest
+    env:
+      SCHUTZBOT_SSH_KEY: ${{ secrets.SCHUTZBOT_SSH_KEY }}
+    steps:
+      - name: Clone repository
+        uses: actions/checkout@v2
+        with:
+          # otherwise we are testing target branch instead of the PR branch (see pull_request_target trigger)
+          ref: ${{ github.event.pull_request.head.sha }}
+          fetch-depth: 0
+
+      - name: Push to gitlab
+        run: |
+          mkdir -p ~/.ssh
+          echo "${SCHUTZBOT_SSH_KEY}" > ~/.ssh/id_rsa
+          chmod 400 ~/.ssh/id_rsa
+          touch ~/.ssh/known_hosts
+          ssh-keyscan -t rsa gitlab.com >> ~/.ssh/known_hosts
+          git remote add ci git@gitlab.com:osbuild/ci/koji-osbuild.git
+          if [ ${{ github.event.pull_request.number }} ]; then
+            git checkout -b PR-${{ github.event.pull_request.number }}
+          fi
+
+          git push -f ci