From 827fd55c21c6d7c60c6f221390ca78a7568fbd6d Mon Sep 17 00:00:00 2001
From: Andrew Eisenberg
Date: Mon, 9 May 2022 14:45:37 -0700
Subject: [PATCH] Create update-required-checks script This also removes the .github/workflows/update-required-checks.yml workflow. This script needs to be run locally by someone who has admin privileges on the repo.
---
.../script/update-required-checks.sh | 35 +++++++++++++++
.github/workflows/update-required-checks.yml | 45 -------------------
2 files changed, 35 insertions(+), 45 deletions(-)
create mode 100755 .github/workflows/script/update-required-checks.sh
delete mode 100644 .github/workflows/update-required-checks.yml
diff --git a/.github/workflows/script/update-required-checks.sh b/.github/workflows/script/update-required-checks.sh
new file mode 100755
index 0000000000..13a825f994
--- /dev/null
+++ b/.github/workflows/script/update-required-checks.sh
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+# Update the required checks based on the current branch.
+# Typically, this will be main.
+
+if [ -z "$GITHUB_TOKEN" ]; then
+ echo "Failed: No GitHub token found. This script requires admin access to `github/codeql-action`."
+ exit 1
+fi
+
+if [ "$#" -eq 1 ]; then
+ # If we were passed an argument, pass it as a query to fzf
+ GITHUB_SHA="$@"
+elif [ "$#" -gt 1 ]; then
+ echo "Usage: $0 [SHA]"
+ echo "Update the required checks based on the SHA, or main."
+elif [ -z "$GITHUB_SHA" ]; then
+ # If we don't have a SHA, use main
+ GITHUB_SHA="$(git rev-parse main)"
+fi
+
+echo "Getting checks for $GITHUB_SHA"
+
+# Ignore any checks with "https://", CodeQL, LGTM, and Update checks.
+CHECKS="$(gh api repos/github/codeql-action/commits/${GITHUB_SHA}/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs | .[].name | select(contains("https://") or . == "CodeQL" or . == "LGTM.com" or contains("Update") | not)] | sort')"
+
+echo "$CHECKS" | jq
+
+echo "{\"contexts\": ${CHECKS}}" > checks.json
+
+for BRANCH in main releases/v2 releases/v1; do
+ echo "Updating $BRANCH"
+ gh api --silent -X "PATCH" "repos/github/codeql-action/branches/$BRANCH/protection/required_status_checks" --input checks.json
+done
+
+rm checks.json
diff --git a/.github/workflows/update-required-checks.yml b/.github/workflows/update-required-checks.yml
deleted file mode 100644
index d55abc8798..0000000000
--- a/.github/workflows/update-required-checks.yml
+++ /dev/null
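Review bot: Nothing stops this script when the check-run lookup fails or returns no runs, so the final loop can still send `{"contexts": []}` or malformed JSON to `main`, `releases/v2` and `releases/v1` with an admin token. As far as I can tell, an empty list would leave those branches with no required status checks. The script should run under `set -euo pipefail` and refuse to PATCH unless `CHECKS` is a non-empty array. Two smaller defects sit on the same path: the `"$#" -gt 1` branch prints usage but never exits, and the backticks around `github/codeql-action` in the double-quoted error message are a command substitution, so the shell tries to run that path instead of printing it. The `fzf` comment above `GITHUB_SHA="$@"` looks stale, and `"$1"` is the clearer form there.

```shell
set -euo pipefail

if [ -z "${GITHUB_TOKEN:-}" ]; then
  # Single quotes inside the message: backticks here would be executed.
  echo "Failed: No GitHub token found. This script requires admin access to 'github/codeql-action'." >&2
  exit 1
fi

if [ "$#" -eq 1 ]; then
  # Use the SHA given on the command line.
  GITHUB_SHA="$1"
elif [ "$#" -gt 1 ]; then
  echo "Usage: $0 [SHA]" >&2
  echo "Update the required checks based on the SHA, or main." >&2
  exit 2
elif [ -z "${GITHUB_SHA:-}" ]; then
  GITHUB_SHA="$(git rev-parse main)"
fi

# … unchanged: CHECKS lookup via gh api and jq …

# An empty or malformed list must never reach branch protection.
if ! jq -e 'type == "array" and length > 0' <<<"$CHECKS" >/dev/null; then
  echo "Failed: no checks found for $GITHUB_SHA; branch protection left unchanged." >&2
  exit 1
fi

# … unchanged: write checks.json, PATCH loop, cleanup …
```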
@@ -1,45 +0,0 @@ - -# This job updates the required checks on the codeql-action repository based on the -# checks performed on the most recent commit. - -name: Update required checks -on: - schedule: - # 23:01 on Saturdays - - cron: "1 23 * * 6" - workflow_dispatch: - -jobs: - update-required-checks: - runs-on: ubuntu-latest - steps: - - name: Dump environment - run: env - - - name: Dump GitHub context - env: - GITHUB_CONTEXT: '${{ toJson(github) }}' - run: echo "$GITHUB_CONTEXT" - - - name: Update checks - env: - GITHUB_TOKEN: "${{ secrets.CODEQL_CI_TOKEN }}" - run: | - # Update the required checks based on the current branch. - # Typically, this will be main. - echo "Getting checks for $GITHUB_SHA" - - # Ignore any checks with "https://", CodeQL, LGTM, and Update checks. - CHECKS="$(gh api repos/github/codeql-action/commits/${GITHUB_SHA}/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs | .[].name | select(contains("https://") or . == "CodeQL" or . == "LGTM.com" or contains("Update") or contains("update-") | not)] | sort')" - - echo "::group::New Checks" - echo "$CHECKS" | jq - echo "::endgroup::" - - echo "{\"contexts\": ${CHECKS}}" > checks.json - echo "Updating main" - gh api -X "PATCH" repos/github/codeql-action/branches/main/protection/required_status_checks --input checks.json - echo "Updating v2" - gh api -X "PATCH" repos/github/codeql-action/branches/releases/v2/protection/required_status_checks --input checks.json - echo "Updating v1" - gh api -X "PATCH" repos/github/codeql-action/branches/releases/v1/protection/required_status_checks --input checks.json