Initial implementation of the frizbee action#2
Conversation
1eb5a37 to
6e737d6
Compare
Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>
76f5bef to
16688a0
Compare
11d6634 to
ce0a2d7
Compare
| icon: "at-sign" | ||
| color: "green" | ||
| inputs: | ||
| GITHUB_TOKEN: |
There was a problem hiding this comment.
This is already there from the GITHUB environment
Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>
ce0a2d7 to
5898d4f
Compare
There was a problem hiding this comment.
Is this checked in accidently? We should not need minder
There was a problem hiding this comment.
The tests.yml workflow and everything under the tests directory are test files to test the action with. My thought was to leave them there until we make this ready and remove them afterwards. I should have mentioned this explicitly.
| } | ||
|
|
||
| // cloneRepository clones the repository and returns a billy.Filesystem interface to interact with it | ||
| func cloneRepository(url, owner, accessToken string) (billy.Filesystem, *git.Repository, error) { |
There was a problem hiding this comment.
I wonder if there is an alternative approach to cloning? This might take a long time if there are large blobs in the repo.
I guess a lot of this is based on the approach, is this intercepting PR's or a workflow that is scheduled?
There was a problem hiding this comment.
The use case for this is when the actions runs from a scheduled run. We can do something else once we add support for checking the contents of a PR patch too.
There was a problem hiding this comment.
Intercepting the PRs would have the added benefit of not requiring as high privileges I think.
About cloning, I view it as acceptable for because the action is not typically run on infra we pay for :-) we can then optimize the clone with something like git sparse checkout since the action configuration already tells us which files or directories to look at.
| description: "Docker Compose files to correct" | ||
| required: false | ||
| default: "" | ||
| open_pr: |
There was a problem hiding this comment.
what would happen if open_pr is false, I guess it would never work?
There was a problem hiding this comment.
If open_pr is false it would run the action, parse the files, and output what it did, perhaps fail the run if fail_on_unpinned is set, but it won't create a PR.
Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>
cf31c95 to
5602ab2
Compare
|
The Trivy scan failure is because of an indirect dependency. |
|
Example PR: Example test runs with different configurations -
|
if the dep can't be updated, then we need to add a trivy ignore (let me know if you want me to do that) |
| @@ -1,5 +1,4 @@ | |||
| FROM golang:alpine3.19@sha256:0466223b8544fb7d4ff04748acc4d75a608234bf4e79563bff208d2060c0dd79 | |||
There was a problem hiding this comment.
do you know if dependabot automatically bumps these? I think it's easier to use the golang:goversion images to see what go version are we using (I don't particulary care about the OS version, we're not installing anything anyway)
| dockerfiles: | ||
| description: "Dockerfiles to correct" | ||
| required: false | ||
| default: "Dockerfile" |
There was a problem hiding this comment.
as discussed on meet, I think a list of files or dirs would be more useful, e.g. in minder we have:
./docker/reminder/Dockerfile
./docker/minder/Dockerfile
but the default is sensible, great!
|
|
||
| The default `GITHUB_TOKEN` doesn't have the necessary permissions (`workflows`) to open a PR. | ||
| In case you want to use the `open_pr` feature, you will need to create a new token with the correct scope, add it as a secret | ||
| and pass it to the action through the `GITHUB_TOKEN` environment variable. |
There was a problem hiding this comment.
do we have a way to tell the user in a nice way (some introspection of the token, e.g. hitting the /user endpoint with it)
| import ( | ||
| "context" | ||
| "errors" | ||
| "fmt" |
There was a problem hiding this comment.
for later: we should lint the code before it gets too big
|
|
||
| func main() { | ||
| // This is a placeholder for the main function | ||
| ctx := context.Background() |
There was a problem hiding this comment.
do you think it makes sense to provide a sensible timeout here (a couple of minutes maybe?) to avoid running the action for too long? Or is it better set somewhere in the action config?
| // initAction initializes the frizbee action - reads the environment variables, creates the GitHub client, etc. | ||
| func initAction(ctx context.Context) (*action.FrizbeeAction, error) { | ||
| // Get the GitHub token from the environment | ||
| token := os.Getenv("GITHUB_TOKEN") |
There was a problem hiding this comment.
would it make testing the function later easier to pass the tokens etc as parameters?
| } | ||
|
|
||
| // Clone the repository | ||
| fs, repo, err := cloneRepository(fmt.Sprintf("https://github.com/%s", repoFullName), repoOwner, token) |
There was a problem hiding this comment.
not sure if there's any use-case, but we might want to use the GH API to get the clone URL rather than constructing it ourselves.
| log.Fatalf("failed to close file %s: %v", path, err) // nolint:errcheck | ||
| } | ||
| }() | ||
| _, err = fmt.Fprintf(f, "%s", content) |
There was a problem hiding this comment.
why not io.WriteString and skip the formatting parameter?
| // Commit the change | ||
| _, err = worktree.Commit(fmt.Sprintf("Update %s by pinning its image references", path), &git.CommitOptions{ | ||
| Author: &object.Signature{ | ||
| Name: "github-actions[bot]", |
There was a problem hiding this comment.
should we use a specific author name?
| // createPR creates a new pull request with the changes made so far | ||
| func (fa *FrizbeeAction) createPR(ctx context.Context) error { | ||
| // Create a new branch for the PR | ||
| branchName := "frizbee-action-patch" |
| for _, pr := range openPrs { | ||
| if pr.GetHead().GetRef() == branchName { | ||
| fmt.Printf("PR %d already exists\n", pr.GetNumber()) | ||
| return nil |
There was a problem hiding this comment.
shouldn't we update a PR if it exists?
jhrozek
left a comment
There was a problem hiding this comment.
I left a couple of comments inline, but I say let's merge this, get the codebase rolling and then iterate (we can either go back to the comments here and just reply to them or create issues)
|
I am happy if you folks think its is in decent shape. I have a feeling I prefer a scheduled run dependabot style type experience as default, but happy to discuss more if need be. |
|
Let's merge this so we can get it rolling and I'll file separate issues for the comments @lukehinds and @jhrozek made so we keep and address their feedback 👍 Thank you both! |
Initial implementation of the Frizbee Action.
Details:
Todo:
workflowspermissions which limits the action to open PRs against the workflow files. To resolve this, the user would have to create a new token with the correct permissions and assign it to the action.stacklok/frizbee-action@v0.0.1test.ymlworkflow and atestsfolder with a bunch of example files. Let me know if you want these deleted now or we can keep them until we are okay with the functionality of the initial version.Fixes: stacklok/frizbee#149