ci: file issue if sigstore test fails #538

Merged, 1 commit, Mar 17, 2023
23 changes: 23 additions & 0 deletions .github/workflows/test-sigstore.yml
Expand Up @@ -11,6 +11,7 @@ permissions: {}
jobs:
test-sigstore:
runs-on: ubuntu-latest
if: github.repository_owner == 'secure-systems-lab' # only run upstream
Member Author:

@jku: I think we want this line in the kms workflow as well, even more than here actually. Because kms just fails in a fork that does not have GCP configured. Usually it even fails two times in a fork, once for the missing GCP config, and once for trying to submit an issue, which are disabled by default. It's not a big deal, but adds an ❌

Sigstore tests should pass in a fork, I just restricted the workflow to not unnecessarily spam sigstore certificate logs.


permissions:
id-token: 'write' # ambient credential is used to sign
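Review bot: the job's `permissions` block visible here grants only `id-token: 'write'`, and the file starts from `permissions: {}`, so unless the collapsed lines already include `issues: write` the new "File an issue on failure" step will be refused by the issues API (the default token has no scope the workflow does not re-enable). Worth adding next to `id-token`, with the same kind of comment, so the grant and its reason sit together: `issues: 'write' # failure step files a tracking issue`. The `repository_owner` guard on the job also means forks never reach that step, so the double failure described in the comment for test-kms.yml cannot occur in this workflow.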
Expand All @@ -35,3 +36,25 @@ jobs:
export CERT_ID=${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/.github/workflows/test-sigstore.yml@${GITHUB_REF}
export CERT_ISSUER=https://token.actions.githubusercontent.com
tox -e sigstore

- name: File an issue on failure
if: ${{ failure() }}
uses: actions/github-script@98814c53be79b1d30f795b907e553d8679345975
with:
script: |
const repo = context.repo.owner + "/" + context.repo.repo
const issues = await github.rest.search.issuesAndPullRequests({
q: "Sigstore+tests+failed+in:title+state:open+type:issue+repo:" + repo,
})
if (issues.data.total_count > 0) {
console.log("Issue open already, not creating.")
} else {
await github.rest.issues.create({
owner: context.repo.owner,
repo: context.repo.repo,
title: "Sigstore tests failed",
body: "Hey, it seems Sigstore tests have failed, please see - [workflow run](" +
"https://github.com/" + repo + "/actions/runs/" + context.runId + ")"
})
console.log("New issue created.")
}
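Review bot: `if: ${{ failure() }}` is true whenever any earlier step in the job failed, not only `tox -e sigstore`, so a broken checkout or dependency install will also open an issue titled "Sigstore tests failed"; giving the test step an `id` and checking `steps.<id>.outcome == 'failure'` keeps the title honest. Two smaller points: the run URL hard-codes "https://github.com/" while the step above builds `CERT_ID` from `${GITHUB_SERVER_URL}`, and `context.serverUrl` would keep the two consistent; and the search `q` matches any open issue whose title contains those three words in any order, so a manually filed issue with a similar title will also suppress the bot, which is acceptable but should be a known behaviour.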
Member Author:

This is an almost exact copy of the "file an issue" step from test-kms.yml, which, in turn, looks a lot like that step in check-upstream-ed25519.yml.

Unfortunately, I couldn't find a low-profile way of re-using the code. Composite actions require a separate repo and a reusable workflow spins up a dedicated runner, both of which seem overkill for a dozen lines of GitHub script.

Collaborator:


As an aside: I found out recently that apparently the gh tool is installed on the actions builders. I'm not a heavy user of that tool but... I'm pretty sure it could be used for this and that the result might be simpler than the JavaScript here.

Member Author:


Nice!

Comment on lines +42 to +60
Member Author:


This is what a gh version would look like. Haven't tried it in an action yet, only locally. I think it's cool, but I'm not sure if it is substantially easier to maintain than the JavaScript.

Suggested change
uses: actions/github-script@98814c53be79b1d30f795b907e553d8679345975
with:
script: |
const repo = context.repo.owner + "/" + context.repo.repo
const issues = await github.rest.search.issuesAndPullRequests({
q: "Sigstore+tests+failed+in:title+state:open+type:issue+repo:" + repo,
})
if (issues.data.total_count > 0) {
console.log("Issue open already, not creating.")
} else {
await github.rest.issues.create({
owner: context.repo.owner,
repo: context.repo.repo,
title: "Sigstore tests failed",
body: "Hey, it seems Sigstore tests have failed, please see - [workflow run](" +
"https://github.com/" + repo + "/actions/runs/" + context.runId + ")"
})
console.log("New issue created.")
}
run: |
title="Sigstore tests failed"
issue_count=$(gh issue list --search "${title} in:title is:issue is:open" \
--json id --jq length)
if [ "${issue_count}" == "0" ]
then
gh issue create \
--title "${title}" \
--body "Hey, it seems Sigstore tests have failed, \
please see - [workflow run](${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID})."
else
echo "Issue open already, not creating."
fi
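Review bot: this `run:` version needs the token passed explicitly, e.g. `env: GH_TOKEN: ${{ github.token }}` on the step, because `gh` does not pick up the job token the way `actions/github-script` does, and the job still needs `issues: write`. In the body, the backslash continuation inside the double-quoted `--body` argument removes the newline but keeps the next line's indentation, so the issue text will contain a run of spaces before "please see"; building the body with `printf` or keeping it on one line avoids that. The `--search` query also passes the title as three separate words, so any open issue whose title contains those words in any order counts as a duplicate; quoting it (`\"${title}\" in:title`) matches the phrase instead.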

Member Author:


Oh, but we could save it in a script and re-use that.

Collaborator:


yeah, maybe not worth it 🤷 your call.

You will need an env variable to forward the token to the tool (GH_TOKEN: ${{ github.token }}, I think), so that makes it yet a little more complicated.
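A reusable script version of the step, added here as an example; it is not code from this PR or from the securesystemslib project. It takes the two remaining points of the thread together: the "save it in a script and re-use it" idea (so test-kms.yml, check-upstream-ed25519.yml and this workflow could share one file) and the GH_TOKEN forwarding. The script path `.github/scripts/file_issue.sh`, the `GH_BIN` override and the `GITHUB_*` fallbacks are assumptions of the example; the `gh` subcommands and flags used are standard ones.

```shell
#!/bin/sh
# Added example, not code from the securesystemslib repository or this PR:
# one script that any workflow can call to file a tracking issue unless an
# issue with the same title is already open.
# Assumed call site (hypothetical path and step):
#   - name: File an issue on failure
#     if: ${{ failure() }}
#     env:
#       GH_TOKEN: ${{ github.token }}   # gh does not read the job token implicitly
#     run: .github/scripts/file_issue.sh "Sigstore tests failed" "Sigstore tests have failed"
# The job's permissions block also needs `issues: write`.
set -eu

# GH_BIN is an assumption of this example (lets a test substitute a fake gh).
GH_BIN="${GH_BIN:-gh}"

# Count open issues whose title contains the given phrase.  The phrase is
# quoted so a multi-word title matches as a phrase, not as separate words.
open_issue_count() {
    title="$1"
    "$GH_BIN" issue list --state open --search "\"${title}\" in:title" \
        --json number --jq 'length'
}

# Markdown body pointing at the current run.  The GITHUB_* variables are set
# by Actions; the fallbacks keep the function usable outside a runner.
run_link_body() {
    printf 'Hey, it seems %s, please see - [workflow run](%s/%s/actions/runs/%s).' \
        "$1" \
        "${GITHUB_SERVER_URL:-https://github.com}" \
        "${GITHUB_REPOSITORY:-owner/repo}" \
        "${GITHUB_RUN_ID:-0}"
}

# Create the issue only when no open issue with that title exists.
# Prints "created" or "skipped" so the caller can see which branch ran.
file_issue_if_needed() {
    title="$1"
    body="$(run_link_body "$2")"
    if [ "$(open_issue_count "$title")" -gt 0 ]; then
        echo "skipped"
    else
        "$GH_BIN" issue create --title "$title" --body "$body" >/dev/null
        echo "created"
    fi
}

# Act only when invoked by Actions with a title argument; sourcing the file
# elsewhere just defines the functions.
if [ "${GITHUB_ACTIONS:-}" = "true" ] && [ $# -ge 1 ]; then
    : "${GH_TOKEN:?GH_TOKEN must be exported so gh can authenticate}"
    file_issue_if_needed "$1" "${2:-$1}"
fi
```

`gh issue create` prints the new issue's URL; the script discards it and reports only `created` or `skipped` so that a caller (or a test with a stubbed `gh`) can check the decision, and the `GITHUB_ACTIONS` guard means sourcing the file locally never touches the real API.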