Create a slash PR bot to run our ./build.sh command (#2353)

* Test adding slash commands * Add id to Slash Command Dispatch to enable error output * Add workflow_dispatch to help-command * Use PAT for help command * Add inputs for help command * Add repository and comment-id to Slash command dispatcher * Add issue number * Add issue-number in slash-command-dispatch * try to disable extra options * Set work of the workflows in the branch * Add build command * Add a differentiation text to see where the command ran * rename job * Install dependencies in build-command * Set python version 3.11.1 * Do not fail if no changes to commit * add input comment id to send comment * Update build-command.yml * Try adding comments when updating files or not * Add comment when starting building build.sh * Adding comment before script start * Fix reference-style link in first comment * Try without the tokens * Echo git diff * Echo HAS_CHANGES * Echo HAS_CHANGES return value * Missing quote * Add a comment to have changes * Set output from return value instead of content of output * [build-command] Update generated files * Modify build command to test no changes * Update help command * Remove test comment from help command * Update help command * Revert go changes for making comments * [build-command] Update generated files * Fix comments * Makes changes to retrigger the linters * Ignore checkov error CKV_GHA_7 for the commands workflow. * Update changelog * Update contributing page for slash bot commands * Add language to fenced code blocks --------- Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
oxsecurity · Feb 19, 2023 · eb68498 · eb68498
1 parent 619de88
commit eb68498
Show file tree

Hide file tree

Showing 5 changed files with 213 additions and 0 deletions.
diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md
@@ -57,6 +57,22 @@ _(if you have a permission denied issue on Windows, please check [this solution]
 6. Push and [submit a pull request][pr]
 7. Pat yourself on the back and wait for your pull request to be reviewed and merged.
 
+Maintainers with write access can also comment on pull requests with a command to run the build script on the PR, for example:
+```text
+/build
+```
+
+Available commands can be listed with the help command by posting the following comment:
+```text
+/help
+```
+Which returns:
+> Command | Description
+> --- | ---
+> /build | Updates the Dockerfile, documentation, and other files from the yml descriptors
+> /build [ref=...]| Same as /build, but executes workflow in any branch using the ref named argument. The reference can be a branch, tag, or a commit SHA. This can be useful to test workflows in PR branches before merging.
+> /help | Returns this help message
+
 ### Without write access
 
 1. [Fork][fork] and clone the repository

diff --git a/.github/workflows/build-command.yml b/.github/workflows/build-command.yml
@@ -0,0 +1,122 @@
+name: build-command
+on:
+  workflow_dispatch:
+    # checkov:skip=CKV_GHA_7:We are only triggering these workflows by users with write access manually, it is expected. 
+    # Error was: 
+    # The build output cannot be affected by user parameters other than the build entry point and the top-level source location. 
+    # GitHub Actions workflow_dispatch inputs MUST be empty. 
+    inputs:
+      repository:
+        description: 'The repository from which the slash command was dispatched'
+        required: true
+      comment-id:
+        description: 'The comment-id of the slash command'
+        required: true
+      issue-number:
+       description: 'The issue number in which the slash command was made'
+       required: true
+      actor:
+       description: 'The user who executed the slash command'
+       required: true
+  repository_dispatch:
+    types: [build-command]
+jobs:
+  build-sh:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Create URL to the run output
+        id: vars
+        run: echo "run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" >> $GITHUB_OUTPUT
+      - name: Create comment
+        uses: peter-evans/create-or-update-comment@v2
+        with:
+          ## Use token if we want to use a PAT instead of GITHUB_TOKEN, GITHUB_TOKEN acts as github-actions[bot]
+          # token: ${{ secrets.PAT }}
+          repository: ${{ github.event.inputs.repository }}
+          comment-id: ${{ github.event.inputs.comment-id }}
+          issue-number: ${{ github.event.inputs.issue-number }}
+          ## These are if we want to use repository_dispatch (default)
+          # repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
+          # comment-id: ${{ github.event.client_payload.github.payload.comment.id }}
+          # issue-number: ${{ github.event.client_payload.github.payload.issue.number }}
+          body: |
+            > [Command run output](${{ steps.vars.outputs.run-url }})
+            > Build command workflow started.
+            > Installing dependencies
+      - name: Dump the client payload context
+        env:
+          PAYLOAD_CONTEXT: ${{ toJson(github.event.client_payload) }}
+        run: echo "$PAYLOAD_CONTEXT"
+      # Checkout the pull request branch
+      - uses: actions/checkout@v3
+        with:
+          token: ${{ secrets.PAT }}
+          repository: ${{ github.event.client_payload.pull_request.head.repo.full_name }}
+          ref: ${{ github.event.client_payload.pull_request.head.ref }}
+      - name: Setup Python
+        uses: actions/[email protected]
+        with:
+          # Version range or exact version of Python or PyPy to use, using SemVer's version range syntax. Reads from .python-version if unset.
+          python-version: 3.11.1 # optional
+          # Used to specify a package manager for caching in the default directory. Supported values: pip, pipenv, poetry.
+          cache: pip # optional
+      - run: pip install -r requirements.dev.txt
+      - name: Create comment starting build.sh
+        if: steps.check-changes.outputs.has-changes != '1'
+        uses: peter-evans/create-or-update-comment@v2
+        with:
+          ## Use token if we want to use a PAT instead of GITHUB_TOKEN, GITHUB_TOKEN acts as github-actions[bot]
+          # token: ${{ secrets.PAT }}
+          repository: ${{ github.event.inputs.repository }}
+          comment-id: ${{ github.event.inputs.comment-id }}
+          issue-number: ${{ github.event.inputs.issue-number }}
+          body: |
+            > Running script `./build.sh`
+      - name: Run build script
+        run: ./build.sh
+      - name: Check if changes were made
+        id: check-changes
+        run: |
+          git diff --quiet && git diff --staged --quiet
+          HAS_CHANGES=$?
+          echo "has-changes=$HAS_CHANGES" >> $GITHUB_OUTPUT
+          echo "$HAS_CHANGES"
+      # Commit changes to the PR branch
+      - name: Commit changes to the PR branch
+        if: steps.check-changes.outputs.has-changes == '1'
+        run: |
+          git config --global user.name 'github-actions[bot]'
+          git config --global user.email '41898282+github-actions[bot]@users.noreply.github.com'
+          git diff --quiet && git diff --staged --quiet || (git commit -am "[build-command] Update generated files")
+          git push
+      - name: Add reaction
+        uses: peter-evans/create-or-update-comment@v2
+        with:
+          ## Use token if we want to use a PAT instead of GITHUB_TOKEN, GITHUB_TOKEN acts as github-actions[bot]
+          # token: ${{ secrets.PAT }}
+          repository: ${{ github.event.inputs.repository }}
+          comment-id: ${{ github.event.inputs.comment-id }}
+          issue-number: ${{ github.event.inputs.issue-number }}
+          reaction-type: hooray
+      - name: Create final comment updated files
+        if: steps.check-changes.outputs.has-changes == '1'
+        uses: peter-evans/create-or-update-comment@v2
+        with:
+          ## Use token if we want to use a PAT instead of GITHUB_TOKEN, GITHUB_TOKEN acts as github-actions[bot]
+          # token: ${{ secrets.PAT }}
+          repository: ${{ github.event.inputs.repository }}
+          comment-id: ${{ github.event.inputs.comment-id }}
+          issue-number: ${{ github.event.inputs.issue-number }}
+          body: |
+            > Build command workflow completed updating files.
+      - name: Create final comment no updated files
+        if: steps.check-changes.outputs.has-changes != '1'
+        uses: peter-evans/create-or-update-comment@v2
+        with:
+          ## Use token if we want to use a PAT instead of GITHUB_TOKEN, GITHUB_TOKEN acts as github-actions[bot]
+          # token: ${{ secrets.PAT }}
+          repository: ${{ github.event.inputs.repository }}
+          comment-id: ${{ github.event.inputs.comment-id }}
+          issue-number: ${{ github.event.inputs.issue-number }}
+          body: |
+            > Build command workflow completed without updating files.
diff --git a/.github/workflows/help-command.yml b/.github/workflows/help-command.yml
@@ -0,0 +1,44 @@
+name: help-command
+on:
+  workflow_dispatch:
+    # checkov:skip=CKV_GHA_7:We are only triggering these workflows by users with write access manually, it is expected. 
+    # Error was: 
+    # The build output cannot be affected by user parameters other than the build entry point and the top-level source location. 
+    # GitHub Actions workflow_dispatch inputs MUST be empty. 
+    inputs:
+      repository:
+        description: 'The repository from which the slash command was dispatched'
+        required: true
+      comment-id:
+        description: 'The comment-id of the slash command'
+        required: true
+      issue-number:
+       description: 'The issue number in which the slash command was made'
+       required: true
+      actor:
+       description: 'The user who executed the slash command'
+       required: true
+  repository_dispatch:
+    types: [help-command]
+jobs:
+  help:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Update comment
+        uses: peter-evans/create-or-update-comment@v2
+        with:
+          ## Use token if we want to use a PAT instead of GITHUB_TOKEN, GITHUB_TOKEN acts as github-actions[bot]
+          # token: ${{ secrets.PAT }}
+          ## These are if we want to use repository_dispatch (default)
+          # repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
+          # comment-id: ${{ github.event.client_payload.github.payload.comment.id }}
+          repository: ${{ github.event.inputs.repository }}
+          comment-id: ${{ github.event.inputs.comment-id }}
+          issue-number: ${{ github.event.inputs.issue-number }}
+          body: |
+            > Command | Description
+            > --- | ---
+            > /build | Updates the Dockerfile, documentation, and other files from the yml descriptors
+            > /build [ref=...]| Same as /build, but executes workflow in any branch using the ref named argument. The reference can be a branch, tag, or a commit SHA. This can be useful to test workflows in PR branches before merging.
+            > /help | Returns this help message
+          reaction-type: hooray
diff --git a/.github/workflows/slash-command-dispatch.yml b/.github/workflows/slash-command-dispatch.yml
@@ -0,0 +1,30 @@
+name: Slash Command Dispatch
+on:
+  issue_comment:
+    types: [created]
+jobs:
+  slashCommandDispatch:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Slash Command Dispatch
+        uses: peter-evans/slash-command-dispatch@v3
+        id: scd
+        with:
+          token: ${{ secrets.PAT }}
+          commands: |
+            build
+            help
+          issue-type: pull-request
+          dispatch-type: workflow
+          static-args: |
+            repository=${{ github.repository }}
+            comment-id=${{ github.event.comment.id }}
+            issue-number=${{ github.event.issue.number }}
+            actor=${{ github.actor }}
+      - name: Edit comment with error message
+        if: steps.scd.outputs.error-message
+        uses: peter-evans/create-or-update-comment@v2
+        with:
+          comment-id: ${{ github.event.comment.id }}
+          body: |
+            > ${{ steps.scd.outputs.error-message }}
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -37,6 +37,7 @@ Note: Can be used with `oxsecurity/megalinter@beta` in your GitHub Action mega-l
   - Use docker/build-push-action to build docker images and akhilerm/tag-push-action to release by retagging and pushing beta images instead of rebuilding them
   - Authenticate to GitHub API during docker build to avoid reaching limits
   - Remove apk go package install in images where possible to decrease image sizes, by @echoix in <https://github.com/oxsecurity/megalinter/pull/2318>
+  - Create a slash PR bot to run `./build.sh` command manually on PRs, by @echoix in <https://github.com/oxsecurity/megalinter/pull/2353>
 
 - Fixes
   - Replace deprecated spectral package, by @bdovaz in by @bdovaz in <https://github.com/oxsecurity/megalinter/pull/2340>