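name: Sync CodeQl CLI

# **What it does**: This workflow is triggered manually (workflow_dispatch),
# roughly every two weeks. It checks out the requested branch of
# github/semmle-code, regenerates the CodeQL CLI manual pages with
# src/codeql-cli/scripts/sync.js, and opens a pull request in
# github/docs-internal if anything changed.
# **Why we have it**: So we can automate CodeQL CLI documentation.
# **Who does it impact**: Anyone making CodeQL CLI changes in `github/semmle-code`,
# and wanting to get them published on the docs site.

on:
  workflow_dispatch:
    inputs:
      SOURCE_BRANCH:
        description: 'Branch to pull the source files from in the semmle-code repo.'
        type: string
        required: true
        default: 'main'

# `contents: write` is what lets the job push the update branch; `pull-requests:
# write` is what `gh pr create` needs. Nothing else is granted to the default
# token.
permissions:
  contents: write
  pull-requests: write

# **IMPORTANT:** Do not change the FREEZE environment variable set here!
# To temporarily disable this workflow (e.g. during a docs deployment freeze),
# add an Actions Secret to the repo settings called `FREEZE` with a value of
# `true`. To re-enable CodeQL CLI updates, simply delete that Secret from the
# repo settings. The environment variable here duplicates that Secret's value
# for the `if:` checks below.
env:
  FREEZE: ${{ secrets.FREEZE }}

# A newly dispatched run cancels any run of this workflow still in progress.
# The only trigger is workflow_dispatch, so `github.ref` is the only ref that
# is ever populated here (there is no pull_request payload or head_ref).
concurrency:
  group: '${{ github.workflow }} @ ${{ github.ref }}'
  cancel-in-progress: true

jobs:
  generate-codeql-files:
    # Never run from a fork: the secrets and the target repo only exist internally.
    if: github.repository == 'github/docs-internal'
    runs-on: ubuntu-latest
    steps:
      - name: Abort if the repo is frozen
        if: ${{ env.FREEZE == 'true' }}
        run: |
          echo 'The repo is currently frozen! Exiting this workflow.'
          exit 1 # prevents further steps from running

      - name: Checkout repository code
        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0

      # Check out a nested repository inside of the previous checkout.
      - name: Checkout semmle-code repo
        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
        with:
          # By default, only the most recent commit of the requested branch
          # will be checked out.
          # NOTE(review): this job only ever reads from semmle-code (clone,
          # rev-parse, copy files, delete), so a read-only token would suffice
          # here — confirm before swapping the secret.
          token: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }}
          repository: github/semmle-code
          path: semmle-code
          ref: ${{ inputs.SOURCE_BRANCH }}
          # Don't leave the PAT in semmle-code/.git/config for the rest of the
          # job (sync.js, the pandoc install and the Slack action all run after
          # this step). NOTE(review): assumes sync.js only reads the working
          # tree and never fetches from semmle-code — confirm.
          persist-credentials: false

      - uses: ./.github/actions/node-npm-setup

      - name: Get the semmle-code SHA being synced
        id: semmle-code
        run: |
          # Record the exact commit the docs were generated from; it is used
          # for the branch name and the PR body below.
          commit_sha=$(git -C semmle-code rev-parse HEAD)
          echo "OPENAPI_COMMIT_SHA=$commit_sha" >> "$GITHUB_OUTPUT"
          echo "Copied files from github/semmle-code repo. Commit SHA: $commit_sha"

      - name: Install pandoc
        env:
          PANDOC_VERSION: '3.0.1'
        run: |
          deb="pandoc-${PANDOC_VERSION}-1-amd64.deb"
          # Remove all previous pandoc versions. `-y` so apt-get never blocks on
          # a confirmation prompt on the non-interactive runner.
          sudo apt-get purge -y --auto-remove pandoc
          # Download the pinned release.
          # TODO(review): pin the artifact by content as well as by version —
          # verify the .deb against the sha256 published with the release
          # (sha256sum -c) before handing it to dpkg.
          wget "https://github.com/jgm/pandoc/releases/download/${PANDOC_VERSION}/${deb}"
          # Install pandoc
          sudo dpkg -i "$deb"
          # Output the pandoc version installed
          pandoc -v
          rm "$deb"

      - name: Sync the CodeQL CLI data
        run: |
          src/codeql-cli/scripts/sync.js
          git status
          # Delete the nested clone so it never ends up in `git add .` below.
          echo "Deleting the cloned github/semmle-code repo..."
          rm -rf semmle-code

      - name: Create pull request
        env:
          # Needed for gh
          GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}
          # Pass the SHA through the environment instead of splicing the
          # expression into the script text.
          SEMMLE_CODE_SHA: ${{ steps.semmle-code.outputs.OPENAPI_COMMIT_SHA }}
        run: |
          # If nothing to commit, exit now. It's fine. No orphans.
          changes=$(git diff --name-only | wc -l)
          untracked=$(git status --untracked-files --short | wc -l)
          if [[ $changes -eq 0 ]] && [[ $untracked -eq 0 ]]; then
            echo "There are no changes to commit after running src/codeql-cli/scripts/sync.js. Exiting..."
            exit 0
          fi
          git config --global user.name "docs-bot"
          git config --global user.email "77750099+docs-bot@users.noreply.github.com"
          branchname="codeql-cli-update-${SEMMLE_CODE_SHA}"
          # A fresh checkout never has this branch locally, so ask the remote:
          # an existing remote branch means this SHA has already been synced.
          if git ls-remote --exit-code --heads origin "$branchname" >/dev/null; then
            echo "Branch $branchname already exists in github/docs-internal. Exiting..."
            exit 0
          fi
          git checkout -b "$branchname"
          git add .
          git commit -m "Update CodeQL CLI data"
          git push origin "$branchname"
          echo "Creating pull request..."
          gh pr create \
            --title "Update CodeQL CLI manual" \
            --body "👋 humans. This PR updates the CodeQL CLI manual Markdown pages with the latest changes. (Synced from semmle-code@${SEMMLE_CODE_SHA})
          If CI does not pass or other problems arise, contact #docs-engineering on slack." \
            --repo github/docs-internal \
            --label codeql-cli-pipeline

      - name: Send Slack notification if workflow fails
        uses: someimportantcompany/github-actions-slack-message@1d367080235edfa53df415bd8e0bbab480f29bad
        # The freeze exit above is deliberate, not a failure worth alerting on.
        if: ${{ failure() && env.FREEZE != 'true' }}
        with:
          channel: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }}
          bot-token: ${{ secrets.SLACK_DOCS_BOT_TOKEN }}
          color: failure
          text: The last Sync CodeQL CLI run for ${{github.repository}} failed. See https://github.com/${{github.repository}}/actions/workflows/sync-codeql-cli.yml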