-
Notifications
You must be signed in to change notification settings - Fork 519
142 lines (127 loc) · 5.52 KB
/
update-policy.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
---
name: Update Policy Library
on:
schedule:
- cron: '0 8 * * 1-5'
workflow_dispatch: {}
env:
remote_repository: "Azure/Enterprise-Scale"
branch_name: "patch-policy-library"
az_accounts_minimum_version: "2.2.3"
pr_title: "feat: Update Policy Library (automated)"
pr_body: "This is an automated 'pull_request' containing updates to the library templates stored in '/infra-as-code/bicep/modules/policy/definitions/lib' & '/infra-as-code/bicep/modules/policy/assignments/lib'.\nPlease review the 'files changed' tab to review changes."
permissions:
contents: read
jobs:
update-templates:
name: Update Policy Library
if: github.repository == 'Azure/ALZ-Bicep'
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- name: Local repository checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
path: ${{ github.repository }}
fetch-depth: 0
- name: Remote repository checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
repository: ${{ env.remote_repository }}
path: ${{ env.remote_repository }}
ref: main
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
id: generate-token
with:
app_id: ${{ secrets.APP_ID }}
private_key: ${{ secrets.APP_PRIVATE_KEY }}
- name: Configure local git
run: |
git config user.name github-actions
git config user.email [email protected]
working-directory: ${{ github.repository }}
- name: Create and checkout branch
run: |
BRANCH_URL="repos/${{ github.repository }}/branches"
JQ_FILTER=".[] | select(.name == \"${{ env.branch_name }}\").name"
CHECK_BRANCH_ORIGIN=$(gh api $BRANCH_URL | jq -r "$JQ_FILTER")
if [ -z "$CHECK_BRANCH_ORIGIN" ]
then
echo "Checkout local branch (create new, no origin)..."
git checkout -b ${{ env.branch_name }}
else
echo "Checkout local branch (create new, track from origin)..."
git checkout -b ${{ env.branch_name }} --track origin/${{ env.branch_name }}
fi
working-directory: ${{ github.repository }}
env:
GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
- name: Update Policy Library
uses: azure/powershell@53dd145408794f7e80f97cfcca04155c85234709 # v2.0.0
with:
inlineScript: |
Write-Information "==> Running script..." -InformationAction Continue
${{ github.repository }}/.github/scripts/Invoke-LibraryUpdate.ps1 `
-AlzToolsPath "${{ github.workspace }}/${{ env.remote_repository }}/src/Alz.Tools/" `
-TargetPath ${{ github.workspace }}/${{ github.repository }} `
-SourcePath ${{ github.workspace }}/${{ env.remote_repository }} `
-Reset
azPSVersion: "latest"
- name: Install ALZ PowerShell Module
shell: pwsh
run: |
Install-Module -Name 'ALZ' -Force
- name: Update Policy Definition Bicep Input Files
uses: azure/powershell@53dd145408794f7e80f97cfcca04155c85234709 # v2.0.0
with:
inlineScript: |
cd ${{ github.workspace }}/${{ github.repository }}
Write-Information "==> Running script..." -InformationAction Continue
.github/scripts/Invoke-PolicyToBicep.ps1
azPSVersion: "latest"
- name: Check for changes
id: git_status
run: |
CHECK_GIT_STATUS=($(git status -s))
git status -s
echo "changes=${#CHECK_GIT_STATUS[@]}" >> $GITHUB_OUTPUT
working-directory: ${{ github.repository }}
- name: Add files, commit and push
if: steps.git_status.outputs.changes > 0
run: |
echo "Pushing changes to origin..."
git add infra-as-code/bicep/modules/policy/definitions/lib
git add infra-as-code/bicep/modules/policy/assignments/lib
git config --global core.autocrlf input
git commit -m '${{ env.pr_title }}'
git push origin ${{ env.branch_name }}
working-directory: ${{ github.repository }}
- name: Create pull request
if: steps.git_status.outputs.changes > 0
run: |
HEAD_LABEL="${{ github.repository_owner }}:${{ env.branch_name }}"
BASE_LABEL="${{ github.repository_owner }}:$(echo '${{ github.ref }}' | sed 's:refs/heads/::')"
PULL_REQUEST_URL="repos/${{ github.repository }}/pulls"
JQ_FILTER=".[] | select(.head.label == \"$HEAD_LABEL\") | select(.base.label == \"$BASE_LABEL\") | .url"
CHECK_PULL_REQUEST_URL=$(gh api $PULL_REQUEST_URL | jq -r "$JQ_FILTER")
if [ -z "$CHECK_PULL_REQUEST_URL" ]
then
CHECK_PULL_REQUEST_URL=$(gh pr create \
--title "${{ env.pr_title }}" \
--body "${{ env.pr_body }}" \
--base "${{ github.ref }}" \
--head "${{ env.branch_name }}" \
--draft)
echo "Created new PR: $CHECK_PULL_REQUEST_URL"
else
echo "Existing PR found: $CHECK_PULL_REQUEST_URL"
fi
working-directory: ${{ github.repository }}
env:
GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}