telia-oss · bgandon · Jul 19, 2022 · May 30, 2023 · May 30, 2023 · May 30, 2023
@@ -0,0 +1,30 @@
+name: ci
+
+on:
+  push:
+    branches:
+      - 'main'
+
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      -
+        name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      -
+        name: Build and push
+        uses: docker/build-push-action@v4
+        with:
+          push: true
+          tags: loggregatorbot/github-pr-resource:latest
+
@@ -0,0 +1,37 @@
+name: Go
+
+on:
+  push:
+    branches:
+    - main
+  pull_request:
+    branches:
+    - main
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v4
+        with:
+          go-version-file: "go.mod"
+      - run: go test --race ./...
+
+  vet:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v4
+        with:
+          go-version-file: "go.mod"
+      - run: go vet ./...
+
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v4
+        with:
+          go-version-file: "go.mod"
+      - uses: golangci/[email protected]
@@ -0,0 +1,14 @@
+name: Trigger Concourse git resource
+on: [ push, workflow_dispatch ]
+jobs:
+  trigger-resource-check:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Trigger resource check
+        uses: gstackio/trigger-concourse-resource-check-action@v1
+        with:
+          concourse-url:           https://ci.gstack.io
+          concourse-team:          gk-plat-devs
+          concourse-pipeline:      github-pr-resource
+          concourse-resource:      git
+          concourse-webhook-token: ${{ secrets.GK_CONCOURSE_WEBHOOK_TOKEN }}
@@ -0,0 +1,14 @@
+name: Trigger Concourse pull-request resource
+on: [ push, pull_request, workflow_dispatch ]
+jobs:
+  trigger-resource-check:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Trigger resource check
+        uses: gstackio/trigger-concourse-resource-check-action@v1
+        with:
+          concourse-url:           https://ci.gstack.io
+          concourse-team:          gk-plat-devs
+          concourse-pipeline:      github-pr-resource
+          concourse-resource:      git-pull-requests
+          concourse-webhook-token: ${{ secrets.GK_CONCOURSE_WEBHOOK_TOKEN }}
@@ -1,19 +1,18 @@
-FROM golang:1.14 as builder
+FROM golang AS builder
 ADD . /go/src/github.com/telia-oss/github-pr-resource
 WORKDIR /go/src/github.com/telia-oss/github-pr-resource
-RUN curl -sL https://taskfile.dev/install.sh | sh
+RUN curl -sL https://taskfile.dev/install.sh | sh /dev/stdin v3.33.1
 RUN ./bin/task build
 
-FROM alpine:3.11 as resource
+FROM alpine AS resource
 COPY --from=builder /go/src/github.com/telia-oss/github-pr-resource/build /opt/resource
 RUN apk add --update --no-cache \
     git \
     git-lfs \
     openssh \
+    git-crypt \
     && chmod +x /opt/resource/*
 COPY scripts/askpass.sh /usr/local/bin/askpass.sh
-ADD scripts/install_git_crypt.sh install_git_crypt.sh
-RUN ./install_git_crypt.sh && rm ./install_git_crypt.sh
 
 FROM resource
 LABEL MAINTAINER=telia-oss
@@ -1,8 +1,7 @@
 ## Github PR resource
 
-[![Build Status](https://travis-ci.org/telia-oss/github-pr-resource.svg?branch=master)](https://travis-ci.org/telia-oss/github-pr-resource)
-[![Go Report Card](https://goreportcard.com/badge/github.com/telia-oss/github-pr-resource)](https://goreportcard.com/report/github.com/telia-oss/github-pr-resource)
-[![Docker Automated build](https://img.shields.io/docker/automated/teliaoss/github-pr-resource.svg)](https://hub.docker.com/r/teliaoss/github-pr-resource/)
+[![Go Report Card](https://goreportcard.com/badge/github.com/cloudfoundry-community/github-pr-resource)](https://goreportcard.com/report/github.com/cloudfoundry-community/github-pr-resource)
+[![Docker Automated build](https://img.shields.io/docker/automated/loggregatorbot/github-pr-resource.svg)](https://hub.docker.com/r/loggregatorbot/github-pr-resource/)
 
 [graphql-api]: https://developer.github.com/v4
 [original-resource]: https://github.com/jtarchie/github-pullrequest-resource
@@ -22,7 +21,7 @@ Make sure to check out [#migrating](#migrating) to learn more.
 | Parameter                   | Required | Example                          | Description                                                                                                                                                                                                                                                                                |
 |-----------------------------|----------|----------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | `repository`                | Yes      | `itsdalmo/test-repository`       | The repository to target.                                                                                                                                                                                                                                                                  |
-| `access_token`              | Yes      |                                  | A Github Access Token with repository access (required for setting status on commits). N.B. If you want github-pr-resource to work with a private repository. Set `repo:full` permissions on the access token you create on GitHub. If it is a public repository, `repo:status` is enough. |
+| `access_token`              | Yes      |                                  | A Github Access Token with repository access (required for setting status on commits). N.B. If you want github-pr-resource to work with a private repository. Set `repo:full` permissions on the access token you create on GitHub. If it is a public repository, `repo:status` is enough. When using `trusted_teams`, the `read:org` scope has to be enabled. |
 | `v3_endpoint`               | No       | `https://api.github.com`         | Endpoint to use for the V3 Github API (Restful).                                                                                                                                                                                                                                           |
 | `v4_endpoint`               | No       | `https://api.github.com/graphql` | Endpoint to use for the V4 Github API (Graphql).                                                                                                                                                                                                                                           |
 | `paths`                     | No       | `["terraform/*/*.tf"]`           | Only produce new versions if the PR includes changes to files that match one or more glob patterns or prefixes.                                                                                                                                                                            |
@@ -32,6 +31,8 @@ Make sure to check out [#migrating](#migrating) to learn more.
 | `disable_forks`             | No       | `true`                           | Disable triggering of the resource if the pull request's fork repository is different to the configured repository.                                                                                                                                                                        |
 | `ignore_drafts`             | No       | `false`                          | Disable triggering of the resource if the pull request is in Draft status.                                                                                                                                                                                                                 |
 | `required_review_approvals` | No       | `2`                              | Disable triggering of the resource if the pull request does not have at least `X` approved review(s).                                                                                                                                                                                      |
+| `trusted_teams`             | No       | `["wg-cf-on-k8s-bots"]`          | PRs from members of the trusted teams always trigger the resource regardless of the PR approval status. |
+| `trusted_users`             | No       | `["dependabot"]`                 | PRs from trusted users always trigger the resource regardless of the PR approval status. |
 | `git_crypt_key`             | No       | `AEdJVENSWVBUS0VZAAAAA...`       | Base64 encoded git-crypt key. Setting this will unlock / decrypt the repository with git-crypt. To get the key simply execute `git-crypt export-key -- - | base64` in an encrypted repository.                                                                                             |
 | `base_branch`               | No       | `master`                         | Name of a branch. The pipeline will only trigger on pull requests against the specified branch.                                                                                                                                                                                            |
 | `labels`                    | No       | `["bug", "enhancement"]`         | The labels on the PR. The pipeline will only trigger on pull requests having at least one of the specified labels.                                                                                                                                                                         |
@@ -72,9 +73,9 @@ generate notifications over the webhook. So if you have a repository with little
 | `skip_download`      | No       | `true`   | Use with `get_params` in a `put` step to do nothing on the implicit get.           |
 | `integration_tool`   | No       | `rebase` | The integration tool to use, `merge`, `rebase` or `checkout`. Defaults to `merge`. |
 | `git_depth`          | No       | `1`      | Shallow clone the repository using the `--depth` Git option                        |
-| `submodules`       | No       | `true` | Recursively clone git submodules. Defaults to false.                        |
+| `submodules`         | No       | `true`   | Recursively clone git submodules. Defaults to false.                               |
 | `list_changed_files` | No       | `true`   | Generate a list of changed files and save alongside metadata                       |
-| `fetch_tags`       | No       | `true`     | Fetch tags from remote repository                                                  |
+| `fetch_tags`         | No       | `true`   | Fetch tags from remote repository                                                  |
 
 Clones the base (e.g. `master` branch) at the latest commit, and merges the pull request at the specified commit
 into master. This ensures that we are both testing and setting status on the exact commit that was requested in
@@ -89,6 +90,19 @@ The information in `metadata.json` is also available as individual files in the
 is available as `.git/resource/base_sha`. For a complete list of available (individual) metadata files, please check the code
 [here](https://github.com/telia-oss/github-pr-resource/blob/master/in.go#L66).
 
+- `author`: the user login of the pull request author
+- `author_email`: the e-mail address of the pull request author
+- `base_name`: the base branch of the pull request
+- `base_sha`: the commit of the base branch of the pull request
+- `head_name`: the branch associated with the pull request
+- `head_sha`: the latest commit hash of the branch associated with the pull request
+- `message`: the message of the last commit of the pull request, as designated by `head_sha`
+- `pr`: the pull request ID number
+- `state`: the state of the pull request, e.g. `OPEN`
+- `title`: the title of the pull request
+- `url`: the URL for the pull request
+
+
 When specifying `skip_download` the pull request volume mounted to subsequent tasks will be empty, which is a problem
 when you set e.g. the pending status before running the actual tests. The workaround for this is to use an alias for
 the `put` (see https://github.com/telia-oss/github-pr-resource/issues/32 for more details).
@@ -136,7 +150,7 @@ resource_types:
 - name: pull-request
   type: docker-image
   source:
-    repository: teliaoss/github-pr-resource
+    repository: loggregatorbot/github-pr-resource
 
 resources:
 - name: pull-request
@@ -243,6 +257,32 @@ If you are coming from [jtarchie/github-pullrequest-resource][original-resource]
   - `merge.*`
   - `label`
 
+#### Metadata stored in the `.git` directory
+
+The original resource stores [a bunch of metadata][metadata] related to the
+pull request as `git config`, or plain files in the `.git` directory. This
+resource provide most metadata with possibly different names, and the files
+are to be found in the `.git/reource` directory.
+
+If you were using the metadata stored in Git config, you need to update your
+code. For example `git config --get pullrequest.url` in some Bash code can be
+replaced by `echo $(< .git/resource/url)`.
+
+Here is the list of changes:
+
+- `.git/id` -> `.git/resource/pr`
+- `.git/url` -> `.git/resource/url`
+- `.git/base_branch` -> `.git/resource/base_name`
+- `.git/base_sha` -> `.git/resource/base_sha`
+- `.git/branch` -> `.git/resource/head_name`
+- `.git/head_sha` -> `.git/resource/head_sha`
+- `.git/userlogin` -> `.git/resource/author`
+- `.git/body` -> _no equivalent_
+
+[metadata]: https://github.com/jtarchie/github-pullrequest-resource#in-clone-the-repository-at-the-given-pull-request-ref
+
+#### Possibly incompatible resource history
+
 Note that if you are migrating from the original resource on a Concourse version prior to `v5.0.0`, you might
 see an error `failed to unmarshal request: json: unknown field "ref"`. The solution is to rename the resource
 so that the history is wiped. See [#64](https://github.com/telia-oss/github-pr-resource/issues/64) for details.
@@ -2,7 +2,7 @@ version: '2'
 
 vars:
   BUILD_DIR: build
-  DOCKER_REPO: teliaoss/github-pr-resource
+  DOCKER_REPO: loggregatorbot/github-pr-resource
 
 tasks:
   default:

@@ -10,6 +10,8 @@ import (
 	"github.com/shurcooL/githubv4"
 )
 
+var trustedTeamMembers map[string]bool = map[string]bool{}
+
 // Check (business logic)
 func Check(request CheckRequest, manager Github) (CheckResponse, error) {
 	var response CheckResponse
@@ -44,11 +46,6 @@ Loop:
 			continue
 		}
 
-		// Filter out commits that are too old.
-		if !p.UpdatedDate().Time.After(request.Version.CommittedDate) {
-			continue
-		}
-
 		// Filter out pull request if it does not contain at least one of the desired labels
 		if len(request.Source.Labels) > 0 {
 			labelFound := false
@@ -78,8 +75,14 @@ Loop:
 			continue
 		}
 
-		// Filter pull request if it does not have the required number of approved review(s).
-		if p.ApprovedReviewCount < request.Source.RequiredReviewApprovals {
+		prAuthorTrusted, err := userTrusted(p.Author.Login, request.Source.TrustedUsers, request.Source.TrustedTeams, manager)
+		if err != nil {
+			return nil, fmt.Errorf("failed to list users in team %v: %s", request.Source.TrustedTeams, err)
+		}
+
+		prApproved := p.ApprovedReviewCount >= request.Source.RequiredReviewApprovals
+
+		if !prAuthorTrusted && !prApproved {
 			continue
 		}
 
@@ -121,6 +124,7 @@ Loop:
 				continue Loop
 			}
 		}
+
 		response = append(response, NewVersion(p))
 	}
 
@@ -135,12 +139,42 @@ Loop:
 	if len(response) != 0 && request.Version.PR == "" {
 		response = CheckResponse{response[len(response)-1]}
 	}
+
 	return response, nil
 }
 
+func userTrusted(user string, trustedUsers, trustedTeams []string, manager Github) (bool, error) {
+	for _, u := range trustedUsers {
+		if user == u {
+			return true, nil
+		}
+	}
+
+	if trustedTeamMembers[user] {
+		return true, nil
+	}
+
+	for _, team := range trustedTeams {
+		teamMembers, err := manager.ListTeamMembers(team)
+		if err != nil {
+			return false, fmt.Errorf("failed to list team members of team %q: %s", trustedTeams, err)
+		}
+
+		for _, u := range teamMembers {
+			trustedTeamMembers[u] = true
+		}
+
+		if trustedTeamMembers[user] {
+			return true, nil
+		}
+	}
+
+	return false, nil
+}
+
 // ContainsSkipCI returns true if a string contains [ci skip] or [skip ci].
 func ContainsSkipCI(s string) bool {
-	re := regexp.MustCompile("(?i)\\[(ci skip|skip ci)\\]")
+	re := regexp.MustCompile(`(?i)\[(ci skip|skip ci)\]`)
 	return re.MatchString(s)
 }