Sync Audit Log data #77
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Sync Audit Log data | |
# **What it does**: This updates our Audit Logs schema. | |
# **Why we have it**: We want our Audit Logs up to date. | |
# **Who does it impact**: Docs engineering, people reading Audit Logs. | |
on: | |
workflow_dispatch: | |
schedule: | |
- cron: '20 16 * * *' # Run every day at 16:20 UTC / 8:20 PST | |
permissions: | |
contents: write | |
pull-requests: write | |
# This allows a subsequently queued workflow run to interrupt previous runs | |
concurrency: | |
group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}' | |
cancel-in-progress: true | |
jobs: | |
update-audit-log-files: | |
if: github.repository == 'github/docs-internal' | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- uses: ./.github/actions/node-npm-setup | |
- name: Run updater script | |
env: | |
# need to use a token from a user with access to github/audit-log-allowlists for this step | |
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }} | |
run: | | |
npm run audit-log-sync | |
- name: Get the audit-log-allowlists SHA being synced | |
id: audit-log-allowlists | |
run: | | |
COMMIT_SHA=$(cat src/audit-logs/lib/config.json | jq -r '.sha') | |
echo "COMMIT_SHA=$COMMIT_SHA" >> $GITHUB_OUTPUT | |
echo "Commit SHA from audit-log-allowlists: $COMMIT_SHA" | |
if [ -z $COMMIT_SHA ]; then | |
echo "audit-log-allowlists commit SHA is empty!" | |
exit 1 | |
fi | |
- name: Create and merge pull request | |
env: | |
# Needed for gh | |
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} | |
run: | | |
# If nothing to commit, exit now. It's fine. No orphans. | |
changes=$(git diff --name-only | wc -l) | |
untracked=$(git status --untracked-files --short | wc -l) | |
if [[ $changes -eq 0 ]] && [[ $untracked -eq 0 ]]; then | |
echo "There are no changes to commit or untracked files. Exiting..." | |
exit 0 | |
fi | |
git config --global user.name "docs-bot" | |
git config --global user.email "[email protected]" | |
branchname=audit-logs-schema-update-${{ steps.audit-log-allowlists.outputs.COMMIT_SHA }} | |
remotesha=$(git ls-remote --heads origin $branchname) | |
if [ -n "$remotesha" ]; then | |
# output is not empty, it means the remote branch exists | |
echo "Branch $branchname already exists in 'github/docs-internal'. Exiting..." | |
exit 0 | |
fi | |
git checkout -b $branchname | |
git add . | |
git commit -m "Add updated audit log event data" | |
git push origin $branchname | |
echo "Creating pull request..." | |
gh pr create \ | |
--title "Update audit log event data" \ | |
--body '👋 humans. This PR updates the audit log event data with the latest changes. (Synced from github/audit-log-allowlists) | |
If CI does not pass or other problems arise, contact #docs-engineering on slack.' \ | |
--repo github/docs-internal \ | |
--label audit-log-pipeline | |
# can't approve your own PR, approve with Actions | |
unset GITHUB_TOKEN | |
gh auth login --with-token <<< "${{ secrets.GITHUB_TOKEN }}" | |
gh pr review --approve | |
# Actions can't merge the PR so back to docs-bot to merge the PR | |
unset GITHUB_TOKEN | |
gh auth login --with-token <<< "${{ secrets.DOCS_BOT_PAT_WORKFLOW_READORG }}" | |
gh pr merge --auto --delete-branch | |
- uses: ./.github/actions/slack-alert | |
if: ${{ failure() && github.event_name != 'workflow_dispatch' }} | |
with: | |
slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }} | |
slack_token: ${{ secrets.SLACK_DOCS_BOT_TOKEN }} |