Fix: CDS-1756 reduce custom-resource function permissions scope #186
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Sync integration-definitions | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| refToBuild: | |
| description: 'Branch, tag or commit SHA1' | |
| required: true | |
| type: string | |
| push: | |
| branches: [master, main] | |
| paths: | |
| - "**/template.yaml" | |
| env: | |
| LAST_COMMIT_MESSAGE: "${{ github.event.head_commit.message }}" | |
| jobs: | |
| upload_files: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| has_file_from_the_list_changed: ${{ env.has_template_from_the_list_changed }} | |
| name: upload files | |
| env: | |
| integration_list: "firehose-logs,firehose-metrics,resource-metadata,aws-shipper-lambda" | |
| steps: | |
| - name: checkout when trigger is from push | |
| uses: actions/checkout@v4 | |
| if: "${{ inputs.refToBuild == null }}" | |
| with: | |
| fetch-depth: 0 | |
| - name: checkout when trigger manually | |
| uses: actions/checkout@v4 | |
| if: "${{ inputs.refToBuild != null }}" | |
| with: | |
| ref: ${{ inputs.refToBuild }} | |
| - name: Create template-directory and changed-integration-file | |
| run: | | |
| mkdir template-directory | |
| touch changed-integration.txt | |
| - name: Get changed files | |
| id: changed-files | |
| uses: tj-actions/changed-files@v41 | |
| - name: Move integrations files | |
| run: | | |
| changed_files_string="${{ steps.changed-files.outputs.all_changed_files }}" | |
| read -ra changed_files_array <<< "$changed_files_string" | |
| for changed_file in "${changed_files_array[@]}"; do | |
| integration=$(echo "$changed_file" | xargs -n1 dirname | xargs -n1 basename) | |
| if [[ $changed_file == **"/$integration/template.yaml" ]]; then | |
| if echo "$integration_list" | grep -q "$integration"; then | |
| mv $changed_file template-directory/${integration}-template.yaml | |
| echo $integration >> changed-integration.txt | |
| fi | |
| fi | |
| done | |
| if [ -z "$(ls -A "./template-directory")" ]; then | |
| echo "[INFO] No file in the integrations list where changed." | |
| echo "has_template_from_the_list_changed=false" >> $GITHUB_ENV | |
| else | |
| echo "has_template_from_the_list_changed=true" >> $GITHUB_ENV | |
| fi | |
| - name: Upload template-directory | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: template-directory | |
| path: ./template-directory/ | |
| - name: Upload changed-integration | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: changed-integration | |
| path: ./changed-integration.txt | |
| - name: Upload replace_template script | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: replace_template | |
| path: scripts/replace_template.sh | |
| - name: Upload custom_lambda_code | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: custom_lambda_code | |
| path: scripts/custom_lambda_code.yaml | |
| create_pr: | |
| runs-on: ubuntu-latest | |
| if: "${{ needs.upload_files.outputs.has_file_from_the_list_changed != 'false' }}" | |
| needs: upload_files | |
| steps: | |
| - name: Checkout destination repository | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: coralogix/integration-definitions | |
| token: ${{ secrets.GH_TOKEN }} | |
| - name: Create template-directory | |
| run: mkdir ./template-directory | |
| - name: Download template-directory | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: template-directory | |
| path: ./template-directory | |
| - name: Download replace_template file | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: replace_template | |
| path: ./ | |
| - name: Download custom_lambda_code file | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: custom_lambda_code | |
| path: ./ | |
| - name: Download changed-integration file | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: changed-integration | |
| path: ./ | |
| - name: apply changes to the files | |
| run: | | |
| branch_name="sync-CloudFormation-branch-$(date +"%m-%d-%H-%M")" | |
| echo $branch_name | |
| git config --local user.email "github-actions[bot]@users.noreply.github.com" | |
| git config --local user.name "github-actions[bot]" | |
| git pull origin master | |
| git fetch origin | |
| git switch -c ${branch_name} --track origin/master | |
| pr_exists=$(gh pr list --base master --head "${branch_name}" --json number -q '.[].number') | |
| if [[ -z "$pr_exists" ]]; then | |
| git push --set-upstream origin ${branch_name} | |
| fi | |
| sync_branch_exists=$(git ls-remote --heads origin "${branch_name}" | wc -l) | |
| if [[ $sync_branch_exists -ne 0 ]]; then | |
| git pull origin ${branch_name} --rebase | |
| fi | |
| chmod +x replace_template.sh | |
| while read line; do | |
| ./replace_template.sh template-directory/${line}-template.yaml | |
| template_version=$(cat template-directory/${line}-template.yaml | grep "SemanticVersion" | grep -oE '[^ ]+$') | |
| if [ "$line" == "aws-shipper-lambda" ];then | |
| mkdir -p integrations/shared/aws-shipper/v${template_version} | |
| mv template-directory/${line}-template.yaml integrations/shared/aws-shipper/v${template_version}/template.yaml | |
| else | |
| mkdir -p integrations/${line}/v${template_version} | |
| mv template-directory/${line}-template.yaml integrations/${line}/v${template_version}/template.yaml | |
| fi | |
| if [ -f integrations/${line}/manifest.yaml ]; then | |
| echo " - revision: ${template_version} | |
| template: !CloudFormationTemplate v${template_version}/template.yaml | |
| field_definitions: v${template_version}/fields.yaml" >> integrations/${line}/manifest.yaml | |
| fi | |
| done < changed-integration.txt | |
| rm replace_template.sh | |
| rm custom_lambda_code.yaml | |
| rm -rf template-directory | |
| rm changed-integration.txt | |
| git add . | |
| echo "branch_name=$branch_name" >> $GITHUB_ENV | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} | |
| - name: commit change | |
| uses: planetscale/[email protected] | |
| with: | |
| commit_message: "Copy file from cloudformation repository" | |
| repo: coralogix/integration-definitions | |
| branch: ${{env.branch_name}} | |
| file_pattern: '*.yaml *.md' | |
| env: | |
| GITHUB_TOKEN: ${{secrets.GH_TOKEN}} | |
| - name: Create pull request | |
| run: | | |
| pr_url="" | |
| pr_name="sync from CF" # give the pr a defult name | |
| last_pr_from_serverless=$(curl -s -H "Authorization: Bearer ${{ secrets.GH_TOKEN }}" \ | |
| "https://api.github.com/repos/coralogix/coralogix-aws-serverless/pulls?state=closed&base=master&sort=updated&direction=desc" \ | |
| | jq -r '.[0].title') | |
| last_pr_from_shipper=$(curl -s -H "Authorization: Bearer ${{ secrets.GH_TOKEN }}" \ | |
| "https://api.github.com/repos/coralogix/coralogix-aws-shipper/pulls?state=closed&base=master&sort=updated&direction=desc" \ | |
| | jq -r '.[0].title') | |
| if [[ "${{ env.LAST_COMMIT_MESSAGE }}" == "$last_pr_from_serverless" ]]; then | |
| pr_name=$last_pr_from_serverless | |
| pr_url=$(curl -s -H "Authorization: Bearer ${{ secrets.GH_TOKEN }}" \ | |
| "https://api.github.com/repos/coralogix/coralogix-aws-serverless/pulls?state=closed&base=master&sort=updated&direction=desc" \ | |
| | jq -r '.[0].html_url') | |
| elif [[ "${{ env.LAST_COMMIT_MESSAGE }}" == "$last_pr_from_shipper" ]]; then | |
| pr_name=$last_pr_from_shipper | |
| pr_url=$(curl -s -H "Authorization: Bearer ${{ secrets.GH_TOKEN }}" \ | |
| "https://api.github.com/repos/coralogix/coralogix-aws-shipper/pulls?state=closed&base=master&sort=updated&direction=desc" \ | |
| | jq -r '.[0].html_url') | |
| else # get the last pr from CF in case that the trigger to the sync was from CF | |
| pr_name=$(curl -s -H "Authorization: Bearer ${{ secrets.GH_TOKEN }}" \ | |
| "https://api.github.com/repos/coralogix/cloudformation-coralogix-aws/pulls?state=closed&base=master&sort=updated&direction=desc" \ | |
| | jq -r '.[0].title') | |
| pr_url=$(curl -s -H "Authorization: Bearer ${{ secrets.GH_TOKEN }}" \ | |
| "https://api.github.com/repos/coralogix/cloudformation-coralogix-aws/pulls?state=closed&base=master&sort=updated&direction=desc" \ | |
| | jq -r '.[0].html_url') | |
| fi | |
| pr_exists=$(gh pr list --base master --head "${{env.branch_name}}" --json number -q '.[].number') | |
| if [[ -n "$pr_exists" ]]; then | |
| echo "Pull request already exists: #$pr_exists" | |
| else | |
| gh pr create --base master --head "${{env.branch_name}}" --title "${pr_name}" --body "This pull request syncs the changes from the cloudformation repo to this repo. link to the original PR $pr_url " | |
| fi | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} |