feat(automate): automate version bump for pre-commit repo (#12)

yosefAlsuhaibani · Yosef Alsuhaibani · Andre Kuhlenschmidt · web-flow · commit ab2cd5513699 · 2024-08-16T17:13:19.000-04:00
* Do text subst * take arg * Attempt at script1 * write second script * Update scripts to branch + aproximation of what a workflow could look like? * Use right flag to checkout branch + change file name * Commit via workflow not via script * fix workflow file * change file name & remove dup * Add v before version * No idea if this works * Don't commit * hello world * bogus * Add work from other fork * consistant + remove useless checkout * Restirct autoapprove to only semgrep-ci[bot] * Make script less fragile? * Split workflow into two * add conditonal * add back github actions bot * spacing * actually call the right script * Add changes to tag-version * Update scripts/tag-version.sh Co-authored-by: Cooper Pierce <cooper@semgrep.com> * Add shebang * Sync frm test fork. (#24) * Add work from other fork * Hardcode configs + remove inc * adding remotes command * going to version 2 of checkout * using version 4 of checkout * using with submodules: true * remove fake reviwer` * add gh token * aaa * Add autoapprove bot * Remove approvals and merge from bump_version * remove bogus reviewer * wack script * Fix bump ver * Restore state? * change name * fix typo * Bump setup to 1.82.0 * Bump pre-commit yaml to 1.81.0 (#16) Co-authored-by: semgrep-ci[bot] <semgrep-ci[bot]@users.noreply.github.com> * Bump pre-commit yaml to 1.84.1 (#18) Co-authored-by: semgrep-ci[bot] <semgrep-ci[bot]@users.noreply.github.com> * Bump setup to 1.33.22 (#19) Co-authored-by: semgrep-ci[bot] <semgrep-ci[bot]@users.noreply.github.com> * simplify workflow * Make 2nd step its own workflow * no dup name * maybe fix error * remove dup key * don't hardcode bump yaml * Bump setup to 3.33.3 (#21) Co-authored-by: semgrep-ci[bot] <semgrep-ci[bot]@users.noreply.github.com> * Change trigger hook * Bump setup to 2.22.2 (#22) Co-authored-by: semgrep-ci[bot] <semgrep-ci[bot]@users.noreply.github.com> * remove dispatch * try on:push * Bump setup to 3.33.3 (#23) Co-authored-by: semgrep-ci[bot] <semgrep-ci[bot]@users.noreply.github.com> * Bump setup to 1.84.1 (#24) Co-authored-by: semgrep-ci[bot] <semgrep-ci[bot]@users.noreply.github.com> * push a tag * make sed portable * reset version * commit all files * Bump setup to 1.84.1 (#26) Co-authored-by: semgrep-ci[bot] <semgrep-ci[bot]@users.noreply.github.com> * Cooper edit * sync * actually get token * perms * Bump setup to 1.84.0 (#29) Co-authored-by: yosefAlsuhaibani <yosefAlsuhaibani@users.noreply.github.com> * Don't negate? * Bump setup to 1.84.1 (#30) Co-authored-by: yosefAlsuhaibani <yosefAlsuhaibani@users.noreply.github.com> * escape properlly? * Bump setup to 1.84.0 (#31) Co-authored-by: yosefAlsuhaibani <yosefAlsuhaibani@users.noreply.github.com> * remove conditional * Bump setup to 1.84.1 (#32) Co-authored-by: yosefAlsuhaibani <yosefAlsuhaibani@users.noreply.github.com> * add back conditional * fake file * Change ext * Bump setup to 1.84.0 (#34) Co-authored-by: yosefAlsuhaibani <yosefAlsuhaibani@users.noreply.github.com> * Update autoapprove? * Fix checks * add --squash * del tag and tag * Bump setup to 1.84.1 (#37) Co-authored-by: yosefAlsuhaibani <yosefAlsuhaibani@users.noreply.github.com> * add ref: develop * Bump setup to 1.84.0 (#38) Co-authored-by: yosefAlsuhaibani <yosefAlsuhaibani@users.noreply.github.com> * Bump setup to 1.84.1 (#39) Co-authored-by: yosefAlsuhaibani <yosefAlsuhaibani@users.noreply.github.com> * Remove tag-version script and workflow * Add a small comment why we change ids * Don't push bogus changes * bogus --------- Co-authored-by: Yosef Alsuhaibani <yosefalsuhaibani@Yosefs-MacBook-Pro-2.local> Co-authored-by: Andre Kuhlenschmidt <andre@semgrep.com> Co-authored-by: semgrep-ci[bot] <semgrep-ci[bot]@users.noreply.github.com> Co-authored-by: semgrep-ci[bot] <106279034+semgrep-ci[bot]@users.noreply.github.com> Co-authored-by: yosefAlsuhaibani <yosefAlsuhaibani@users.noreply.github.com> * Remove test files * Only autoapprove via login == semgrep-ci[bot] * Add comments --------- Co-authored-by: Yosef Alsuhaibani <yosefalsuhaibani@Yosefs-MacBook-Pro-2.local> Co-authored-by: Andre Kuhlenschmidt <andre@semgrep.com> Co-authored-by: Cooper Pierce <cooper@semgrep.com> Co-authored-by: semgrep-ci[bot] <semgrep-ci[bot]@users.noreply.github.com> Co-authored-by: semgrep-ci[bot] <106279034+semgrep-ci[bot]@users.noreply.github.com> Co-authored-by: yosefAlsuhaibani <yosefAlsuhaibani@users.noreply.github.com>
diff --git a/.github/workflows/autoapprove.yml b/.github/workflows/autoapprove.yml
@@ -0,0 +1,73 @@
+# This workflow auto approves the PR generated by the bump_version
+# workflow, and moves the tag that was created in the PR's branch
+# to develop.
+
+name: github-actions auto-approve
+on: pull_request_target
+
+permissions:
+  pull-requests: write
+  contents: write
+
+jobs:
+  approve-bot:
+    runs-on: ubuntu-latest
+    if: ${{ github.event.pull_request.user.login == 'semgrep-ci[bot]'}}
+    steps:
+      - name: Approve
+        run: gh pr review --approve "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Watch untill PR checks are done
+        run: gh pr checks --required --watch  "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Merge PR
+        run: gh pr merge --squash "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      # Now we switch to semgrep-ci[bot] to actually be able to
+      # move the tag we created in bump_version.yml from the
+      # release branch to develop
+
+      - id: jwt
+        env:
+          EXPIRATION: 600
+          ISSUER: ${{ secrets.SEMGREP_CI_APP_ID }}
+          PRIVATE_KEY: ${{ secrets.SEMGREP_CI_APP_KEY }}
+        name: Get JWT for semgrep-ci GitHub App
+        uses: docker://public.ecr.aws/y9k7q4m1/devops/cicd:latest
+
+      - id: token
+        name: Get token for semgrep-ci GitHub App
+        run: |
+          TOKEN="$(curl -X POST \
+          -H "Authorization: Bearer ${{ steps.jwt.outputs.jwt }}" \
+          -H "Accept: application/vnd.github.v3+json" \
+          "https://api.github.com/app/installations/${{ secrets.SEMGREP_CI_APP_INSTALLATION_ID }}/access_tokens" | \
+          jq -r .token)"
+          echo "::add-mask::$TOKEN"
+          echo "token=$TOKEN" >> $GITHUB_OUTPUT
+
+      - uses: actions/checkout@v4
+        with:
+          ref: develop
+          token: ${{ steps.token.outputs.token }}
+
+      - name: Move tag to develop branch
+        env:
+          GITHUB_TOKEN: ${{ steps.token.outputs.token }}
+        run: |
+          CURR_VERSION=$(grep -o 'version=\"[0-9.]*\"' setup.py | sed "s/version=\"\([0-9.]*\)\"/\1/")
+          # We tagged the release branch first in bump_version.yml
+          # to allow tests to pass; now moving it to develop so
+          # it can be a part of its history
+          git push --delete origin "v${CURR_VERSION}"
+          git tag "v${CURR_VERSION}" HEAD
+          git push origin tag "v${CURR_VERSION}"
diff --git a/.github/workflows/bump_version.yml b/.github/workflows/bump_version.yml
@@ -0,0 +1,86 @@
+# This workflow is called by the start release workflow to bump this
+# repo's semgrep version to the newly release version; triggered by
+# the start-release workflow.
+
+jobs:
+  bump-version:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: write
+      pull-requests: write
+      checks: write
+    env:
+      NEW_SEMGREP_VERSION: ${{ github.event.inputs.version }}
+    steps:
+      - id: jwt
+        env:
+          EXPIRATION: 600
+          ISSUER: ${{ secrets.SEMGREP_CI_APP_ID }}
+          PRIVATE_KEY: ${{ secrets.SEMGREP_CI_APP_KEY }}
+        name: Get JWT for semgrep-ci GitHub App
+        uses: docker://public.ecr.aws/y9k7q4m1/devops/cicd:latest
+
+      - id: token
+        name: Get token for semgrep-ci GitHub App
+        run: |
+          TOKEN="$(curl -X POST \
+          -H "Authorization: Bearer ${{ steps.jwt.outputs.jwt }}" \
+          -H "Accept: application/vnd.github.v3+json" \
+          "https://api.github.com/app/installations/${{ secrets.SEMGREP_CI_APP_INSTALLATION_ID }}/access_tokens" | \
+          jq -r .token)"
+          echo "::add-mask::$TOKEN"
+          echo "token=$TOKEN" >> $GITHUB_OUTPUT
+
+      - uses: actions/checkout@v4
+        with:
+          token: ${{ steps.token.outputs.token }}
+
+      - name: Bump version in this repo
+        run: scripts/bump-version.sh "${NEW_SEMGREP_VERSION}"
+
+      - name: Commit and push
+        id: commit
+        env:
+          BRANCH: "gha/bump-version-${{ github.event.inputs.version }}-${{ github.run_id }}-${{ github.run_attempt }}"
+          SUBJECT: "Bump setup to ${{ github.event.inputs.version }}"
+        run: |
+          git config user.name ${{ github.actor }}
+          git config user.email ${{ github.actor }}@users.noreply.github.com
+          git checkout -b $BRANCH
+          git commit -am "$SUBJECT"
+          git tag "v${NEW_SEMGREP_VERSION}" HEAD
+          git remote -vv
+          git push --set-upstream origin $BRANCH
+          git push origin tag "v$NEW_SEMGREP_VERSION"
+          echo "branch=$BRANCH" >> $GITHUB_OUTPUT
+          echo "subject=$SUBJECT" >> $GITHUB_OUTPUT
+
+      - name: Create PR
+        id: open-pr
+        env:
+          SOURCE: "${{ steps.commit.outputs.branch }}"
+          TARGET: "${{ github.event.repository.default_branch }}"
+          TITLE: "chore: update pre-commit to semgrep ${{ inputs.version }}"
+          GITHUB_TOKEN: ${{ steps.token.outputs.token }}
+          VERSION: "${{ inputs.version }}"
+        run: |
+          # check if the branch already has a pull request open
+          if gh pr list --head ${SOURCE} | grep -vq "no pull requests"; then
+              # pull request already open
+              echo "pull request from SOURCE ${SOURCE} to TARGET ${TARGET} is already open";
+              echo "cancelling release"
+              exit 1
+          fi
+          # open new pull request with the body of from the local template.
+          res=$(gh pr create --title "${TITLE}" --body "Bump Semgrep Version to ${VERSION}" \
+            --base "${TARGET}" --head "${SOURCE}")
+
+name: bump-version
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "Version of semgrep to use"
+        required: true
+        type: string
diff --git a/scripts/bump-version.sh b/scripts/bump-version.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+VERSION=$1
+OLD_VERSION=$(grep -o 'version=\"[0-9.]*\"' setup.py | sed "s/version=\"\([0-9.]*\)\"/\1/")
+
+# Do text substitution in setup.py & README.md
+sed "s/$OLD_VERSION/$VERSION/" setup.py > tmp
+mv tmp setup.py
+sed "s/$OLD_VERSION/$VERSION/" README.md > tmp
+mv tmp README.md
+sed "s/$OLD_VERSION/$VERSION/" .pre-commit-config.yaml > tmp
+mv tmp .pre-commit-config.yaml
