Sync Audit Log data #47
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Sync Audit Log data | |
| # **What it does**: This updates our Audit Logs schema. | |
| # **Why we have it**: We want our Audit Logs up to date. | |
| # **Who does it impact**: Docs engineering, people reading Audit Logs. | |
| on: | |
| workflow_dispatch: | |
| schedule: | |
| - cron: '20 16 * * *' # Run every day at 16:20 UTC / 8:20 PST | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| # **IMPORTANT:** Do not change the FREEZE environment variable set here! | |
| # This workflow runs on a recurring basis. To temporarily disable it (e.g., | |
| # during a docs deployment freeze), add an Actions Secret to the repo settings | |
| # called `FREEZE` with a value of `true`. To re-enable Audit Logs updates, simply | |
| # delete that Secret from the repo settings. The environment variable here | |
| # will duplicate that Secret's value for later evaluation. | |
| env: | |
| FREEZE: ${{ secrets.FREEZE }} | |
| # This allows a subsequently queued workflow run to interrupt previous runs | |
| concurrency: | |
| group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}' | |
| cancel-in-progress: true | |
| jobs: | |
| update-audit-log-files: | |
| if: github.repository == 'github/docs-internal' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - if: ${{ env.FREEZE == 'true' }} | |
| run: | | |
| echo 'The repo is currently frozen! Exiting this workflow.' | |
| exit 1 # prevents further steps from running | |
| - name: Checkout | |
| uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab | |
| - uses: ./.github/actions/node-npm-setup | |
| - name: Run updater script | |
| env: | |
| # need to use a token from a user with access to github/audit-log-allowlists for this step | |
| GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }} | |
| run: | | |
| src/audit-logs/scripts/sync.js | |
| - name: Get the audit-log-allowlists SHA being synced | |
| id: audit-log-allowlists | |
| run: | | |
| COMMIT_SHA=$(cat src/audit-logs/lib/config.json | jq -r '.sha') | |
| echo "COMMIT_SHA=$COMMIT_SHA" >> $GITHUB_OUTPUT | |
| echo "Commit SHA from audit-log-allowlists: $COMMIT_SHA" | |
| if [ -z $COMMIT_SHA ]; then | |
| echo "audit-log-allowlists commit SHA is empty!" | |
| exit 1 | |
| fi | |
| - name: Create and merge pull request | |
| env: | |
| # Needed for gh | |
| GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} | |
| run: | | |
| # If nothing to commit, exit now. It's fine. No orphans. | |
| changes=$(git diff --name-only | wc -l) | |
| untracked=$(git status --untracked-files --short | wc -l) | |
| if [[ $changes -eq 0 ]] && [[ $untracked -eq 0 ]]; then | |
| echo "There are no changes to commit after running src/rest/scripts/update-files.js. Exiting..." | |
| exit 0 | |
| fi | |
| git config --global user.name "docs-bot" | |
| git config --global user.email "77750099+docs-bot@users.noreply.github.com" | |
| branchname=audit-logs-schema-update-${{ steps.audit-log-allowlists.outputs.COMMIT_SHA }} | |
| remotesha=$(git ls-remote --heads origin $branchname) | |
| if [ -n "$remotesha" ]; then | |
| # output is not empty, it means the remote branch exists | |
| echo "Branch $branchname already exists in 'github/docs-internal'. Exiting..." | |
| exit 0 | |
| fi | |
| git checkout -b $branchname | |
| git add . | |
| git commit -m "Add updated audit log event data" | |
| git push origin $branchname | |
| echo "Creating pull request..." | |
| gh pr create \ | |
| --title "Update audit log event data" \ | |
| --body '👋 humans. This PR updates the audit log event data with the latest changes. (Synced from github/audit-log-allowlists) | |
| If CI does not pass or other problems arise, contact #docs-engineering on slack.' \ | |
| --repo github/docs-internal \ | |
| --label audit-log-pipeline | |
| # can't approve your own PR, approve with Actions | |
| unset GITHUB_TOKEN | |
| gh auth login --with-token <<< "${{ secrets.GITHUB_TOKEN }}" | |
| gh pr review --approve | |
| # Actions can't merge the PR so back to docs-bot to merge the PR | |
| unset GITHUB_TOKEN | |
| gh auth login --with-token <<< "${{ secrets.DOCS_BOT_PAT_WORKFLOW_READORG }}" | |
| gh pr merge --auto --delete-branch | |
| - name: Send Slack notification if workflow fails | |
| uses: someimportantcompany/github-actions-slack-message@1d367080235edfa53df415bd8e0bbab480f29bad | |
| if: ${{ failure() && env.FREEZE != 'true' }} | |
| with: | |
| channel: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }} | |
| bot-token: ${{ secrets.SLACK_DOCS_BOT_TOKEN }} | |
| color: failure | |
| text: The last sync-audit-logs run for ${{github.repository}} failed. See https://github.com/${{github.repository}}/actions/workflows/sync-audit-logs.yml |