Create update-required-checks script

This also removes the .github/workflows/update-required-checks.yml workflow. This script needs to be run locally by someone who has admin privileges on the repo.
2022-05-09 14:45:37 -07:00 · 2022-05-09 14:45:37 -07:00 · 827fd55c21
commit 827fd55c21
parent dd56e95b46
2 changed files with 35 additions and 45 deletions
--- a/.github/workflows/script/update-required-checks.sh
+++ b/.github/workflows/script/update-required-checks.sh
@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+# Update the required checks based on the current branch.
+# Typically, this will be main.
+
+if [ -z "$GITHUB_TOKEN" ]; then
+  echo "Failed: No GitHub token found. This script requires admin access to `github/codeql-action`."
+  exit 1
+fi
+
+if [ "$#" -eq 1 ]; then
+  # If we were passed an argument, pass it as a query to fzf
+  GITHUB_SHA="$@"
+elif [ "$#" -gt 1 ]; then
+  echo "Usage: $0 [SHA]"
+  echo "Update the required checks based on the SHA, or main."
+elif [ -z "$GITHUB_SHA" ]; then
+  # If we don't have a SHA, use main
+  GITHUB_SHA="$(git rev-parse main)"
+fi
+
+echo "Getting checks for $GITHUB_SHA"
+
+# Ignore any checks with "https://", CodeQL, LGTM, and Update checks.
+CHECKS="$(gh api repos/github/codeql-action/commits/${GITHUB_SHA}/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs | .[].name | select(contains("https://") or . == "CodeQL" or . == "LGTM.com" or contains("Update") | not)] | sort')"
+
+echo "$CHECKS" | jq
+
+echo "{\"contexts\": ${CHECKS}}" > checks.json
+
+for BRANCH in main releases/v2 releases/v1; do
+  echo "Updating $BRANCH"
+  gh api --silent -X "PATCH" "repos/github/codeql-action/branches/$BRANCH/protection/required_status_checks" --input checks.json
+done
+
+rm checks.json
--- a/.github/workflows/update-required-checks.yml
+++ b/.github/workflows/update-required-checks.yml
@ -1,45 +0,0 @@
-
-# This job updates the required checks on the codeql-action repository based on the
-# checks performed on the most recent commit.
-
-name: Update required checks
-on:
-  schedule:
-    # 23:01 on Saturdays
-    - cron: "1 23 * * 6"
-  workflow_dispatch:
-
-jobs:
-  update-required-checks:
-    runs-on: ubuntu-latest
-    steps:
-    - name: Dump environment
-      run: env
-
-    - name: Dump GitHub context
-      env:
-        GITHUB_CONTEXT: '${{ toJson(github) }}'
-      run: echo "$GITHUB_CONTEXT"
-
-    - name: Update checks
-      env:
-        GITHUB_TOKEN: "${{ secrets.CODEQL_CI_TOKEN }}"
-      run: |
-        # Update the required checks based on the current branch.
-        # Typically, this will be main.
-        echo "Getting checks for $GITHUB_SHA"
-
-        # Ignore any checks with "https://", CodeQL, LGTM, and Update checks.
-        CHECKS="$(gh api repos/github/codeql-action/commits/${GITHUB_SHA}/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs | .[].name | select(contains("https://") or . == "CodeQL" or . == "LGTM.com" or contains("Update") or contains("update-") | not)] | sort')"
-
-        echo "::group::New Checks"
-        echo "$CHECKS" | jq
-        echo "::endgroup::"
-
-        echo "{\"contexts\": ${CHECKS}}" > checks.json
-        echo "Updating main"
-        gh api -X "PATCH" repos/github/codeql-action/branches/main/protection/required_status_checks --input checks.json
-        echo "Updating v2"
-        gh api -X "PATCH" repos/github/codeql-action/branches/releases/v2/protection/required_status_checks --input checks.json
-        echo "Updating v1"
-        gh api -X "PATCH" repos/github/codeql-action/branches/releases/v1/protection/required_status_checks --input checks.json