PSCE-309 - Adds sync-upstreams GitHub Action and usage documentation (#…

…148)

* refactor: updates entrypoint bash scripts to use common.sh

To reduce code duplication in the bash script, common logic
is added to common.sh for reuse.

Signed-off-by: Jennifer Power <barnabei.jennifer@gmail.com>

* feat: adds sync-upstreams action and documentation

Signed-off-by: Jennifer Power <barnabei.jennifer@gmail.com>

* fix: uses abs path to common.sh in entrypoint scripts

The working directory is subject to change and the entrypoint
scripts need to source `common.sh` from the location in the container.

Signed-off-by: Jennifer Power <barnabei.jennifer@gmail.com>

* chore: updates README.md files based on PR feedback

Signed-off-by: Jennifer Power <barnabei.jennifer@gmail.com>

---------

Signed-off-by: Jennifer Power <barnabei.jennifer@gmail.com>

Dockerfile

@@ -52,10 +52,13 @@ FROM python-base AS final
 COPY --from=dependencies $PYSETUP_PATH $PYSETUP_PATH
 
 # Add wrappers for entrypoints that provide support for the actions
+COPY ./actions/common.sh /
 COPY ./actions/autosync/auto-sync-entrypoint.sh /
 COPY ./actions/rules-transform/rules-transform-entrypoint.sh /
 COPY ./actions/create-cd/create-cd-entrypoint.sh /
-RUN chmod +x /auto-sync-entrypoint.sh /rules-transform-entrypoint.sh /create-cd-entrypoint.sh
+COPY ./actions/sync-upstreams/sync-upstreams-entrypoint.sh /
+
+RUN chmod +x /auto-sync-entrypoint.sh /rules-transform-entrypoint.sh /create-cd-entrypoint.sh /sync-upstreams-entrypoint.sh
 
 ENTRYPOINT ["python3.9", "-m" , "trestlebot"]
 CMD ["--help"]

actions/README.md

@@ -2,7 +2,7 @@
 
 ## Introduction
 
-This document provides instructions and examples for creating and using GitHub Actions in the "trestle-bot" project. GitHub Actions are used to automate various tasks related to workspace management and checks.
+This document provides instructions and examples for creating and using GitHub Actions in the `trestle-bot` project. GitHub Actions are used to automate various tasks related to workspace management and checks.
 
 ## Directory Structure
 
@@ -21,9 +21,10 @@ For more details, consult the [GitHub Actions documentation](https://docs.github
 
 ## Examples
 
-Here are examples of workflow snippets that demonstrate how to use these actions in the "trestle-bot" project. Each example includes a clear explanation of its purpose and the steps involved.
+Here are examples of workflow snippets that demonstrate how to use these actions in the `trestle-bot` project.
+See each action README for more details about the inputs and outputs.
 
-### Create a New Component
+### Create a New Component Definition
 
 ```yaml
 name: create
@@ -104,7 +105,40 @@ jobs:
           branch: ${{ github.head_ref }}
 ```
 
-## Component Regeneration
+## Propagate changes from upstream sources
+
+### Storing and syncing upstream content
+
+> Note: The upstream repo must be a valid trestle workspace.
+
+```yaml
+name: Sync Upstream
+
+on:
+  schedule:
+    - cron: '0 0 * * *'
+
+jobs:
+  upstream-sync:
+    name: Sync upstream content
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+    - uses: actions/checkout@v4
+    - name: Run trestlebot
+      id: trestlebot
+      uses: RedHatProductSecurity/trestle-bot/actions/sync-upstreams@main
+      with:
+        branch: "sync-upstream-${{ github.run_id }}"
+        target_branch: "main"
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+        sources: |
+          https://github.com/myorg/myprofiles@main
+```
+
+### Component Definition Regeneration
 
 This example demonstrates how to use outputs and also includes labeling pull requests.
 
@@ -121,8 +155,8 @@ on:
       - 'catalogs/**'
 
 jobs:
-  regeneration-content:
-    name: Regeneration the component definition
+  regenerate-content:
+    name: Regenerate the component definition
     runs-on: ubuntu-latest
     permissions:
       contents: write
@@ -144,4 +178,4 @@ jobs:
       with:   
         pr-number: |
             ${{ steps.trestlebot.outputs.pr_number }} 
-```
+```

actions/autosync/auto-sync-entrypoint.sh

@@ -2,22 +2,10 @@
 
 set -eu
 
-# Manage newest git versions (related to CVE https://github.blog/2022-04-12-git-security-vulnerability-announced/)
-#
-if [ -z ${GITHUB_WORKSPACE+x} ]; then
-  echo "Setting git safe.directory default: /github/workspace ..."
-  git config --global --add safe.directory /github/workspace
-else
-  echo "Setting git safe.directory GITHUB_WORKSPACE: $GITHUB_WORKSPACE ..."
-  git config --global --add safe.directory "$GITHUB_WORKSPACE"
-fi
+# shellcheck disable=SC1091
+source /common.sh
 
-if [ -z ${INPUT_REPOSITORY+x} ]; then
-    echo "Skipping setting working directory as safe directory"
-else
-   echo "Setting git safe.directory default: $INPUT_REPOSITORY ..."
-   git config --global --add safe.directory "$INPUT_REPOSITORY"
-fi
+set_git_safe_directory
 
 # Initialize the command variable
 command="trestlebot-autosync \
@@ -63,20 +51,4 @@ if [[ -n ${INPUT_TARGET_BRANCH} ]]; then
   command+=" --with-token - <<<\"${GITHUB_TOKEN}\""
 fi
 
-exec 3>&1
-output=$(eval "$command" > >(tee /dev/fd/3) 2>&1)
-
-commit=$(echo "$output" | grep "Commit Hash:" | sed 's/.*: //')
-
-if [ -n "$commit" ]; then
-    echo "changes=true" >> "$GITHUB_OUTPUT"
-    echo "commit=$commit" >> "$GITHUB_OUTPUT"
-else
-    echo "changes=false" >> "$GITHUB_OUTPUT"
-fi
-
-pr_number=$(echo "$output" | grep "Pull Request Number:" | sed 's/.*: //')
-
-if [ -n "$pr_number" ]; then 
-   echo "pr_number=$pr_number" >> "$GITHUB_OUTPUT"
-fi
+execute_command "${command}"

actions/common.sh

@@ -0,0 +1,45 @@
+# shellcheck disable=SC2148
+
+# common.sh
+# This file is sourced by other scripts and contains common functions
+
+# Manage newest git versions (related to CVE https://github.blog/2022-04-12-git-security-vulnerability-announced/)
+#
+function set_git_safe_directory() {
+    if [[ -z "${GITHUB_WORKSPACE+x}" ]]; then
+    echo "Setting git safe.directory default: /github/workspace ..."
+    git config --global --add safe.directory /github/workspace
+    else
+    echo "Setting git safe.directory GITHUB_WORKSPACE: $GITHUB_WORKSPACE ..."
+    git config --global --add safe.directory "$GITHUB_WORKSPACE"
+    fi
+
+    if [[ -z "${INPUT_REPOSITORY+x}" ]]; then
+        echo "Skipping setting working directory as safe directory"
+    else
+    echo "Setting git safe.directory default: $INPUT_REPOSITORY ..."
+    git config --global --add safe.directory "$INPUT_REPOSITORY"
+    fi
+}
+
+# Execute the command and set the output variables for GitHub Actions
+function execute_command() {
+    local command=$1
+    exec 3>&1
+    output=$(eval "$command" > >(tee /dev/fd/3) 2>&1)
+
+    commit=$(echo "$output" | grep "Commit Hash:" | sed 's/.*: //')
+
+    if [ -n "$commit" ]; then
+        echo "changes=true" >> "$GITHUB_OUTPUT"
+        echo "commit=$commit" >> "$GITHUB_OUTPUT"
+    else
+        echo "changes=false" >> "$GITHUB_OUTPUT"
+    fi
+
+    pr_number=$(echo "$output" | grep "Pull Request Number:" | sed 's/.*: //')
+
+    if [ -n "$pr_number" ]; then 
+    echo "pr_number=$pr_number" >> "$GITHUB_OUTPUT"
+    fi
+}

actions/create-cd/create-cd-entrypoint.sh

@@ -2,22 +2,10 @@
 
 set -eu
 
-# Manage newest git versions (related to CVE https://github.blog/2022-04-12-git-security-vulnerability-announced/)
-#
-if [ -z ${GITHUB_WORKSPACE+x} ]; then
-  echo "Setting git safe.directory default: /github/workspace ..."
-  git config --global --add safe.directory /github/workspace
-else
-  echo "Setting git safe.directory GITHUB_WORKSPACE: $GITHUB_WORKSPACE ..."
-  git config --global --add safe.directory "$GITHUB_WORKSPACE"
-fi
+# shellcheck disable=SC1091
+source /common.sh
 
-if [ -z ${INPUT_REPOSITORY+x} ]; then
-    echo "Skipping setting working directory as safe directory"
-else
-   echo "Setting git safe.directory default: $INPUT_REPOSITORY ..."
-   git config --global --add safe.directory "$INPUT_REPOSITORY"
-fi
+set_git_safe_directory
 
 # Initialize the command variable
 command="trestlebot-create-cd \
@@ -54,20 +42,4 @@ if [[ -n ${INPUT_TARGET_BRANCH} ]]; then
   command+=" --with-token - <<<\"${GITHUB_TOKEN}\""
 fi
 
-exec 3>&1
-output=$(eval "$command" > >(tee /dev/fd/3) 2>&1)
-
-commit=$(echo "$output" | grep "Commit Hash:" | sed 's/.*: //')
-
-if [ -n "$commit" ]; then
-    echo "changes=true" >> "$GITHUB_OUTPUT"
-    echo "commit=$commit" >> "$GITHUB_OUTPUT"
-else
-    echo "changes=false" >> "$GITHUB_OUTPUT"
-fi
-
-pr_number=$(echo "$output" | grep "Pull Request Number:" | sed 's/.*: //')
-
-if [ -n "$pr_number" ]; then 
-   echo "pr_number=$pr_number" >> "$GITHUB_OUTPUT"
-fi
+execute_command "${command}"

actions/rules-transform/rules-transform-entrypoint.sh

@@ -2,22 +2,10 @@
 
 set -eu
 
-# Manage newest git versions (related to CVE https://github.blog/2022-04-12-git-security-vulnerability-announced/)
-#
-if [ -z ${GITHUB_WORKSPACE+x} ]; then
-  echo "Setting git safe.directory default: /github/workspace ..."
-  git config --global --add safe.directory /github/workspace
-else
-  echo "Setting git safe.directory GITHUB_WORKSPACE: $GITHUB_WORKSPACE ..."
-  git config --global --add safe.directory "$GITHUB_WORKSPACE"
-fi
+# shellcheck disable=SC1091
+source /common.sh
 
-if [ -z ${INPUT_REPOSITORY+x} ]; then
-    echo "Skipping setting working directory as safe directory"
-else
-   echo "Setting git safe.directory default: $INPUT_REPOSITORY ..."
-   git config --global --add safe.directory "$INPUT_REPOSITORY"
-fi
+set_git_safe_directory
 
 # Initialize the command variable
 command="trestlebot-rules-transform \
@@ -49,20 +37,4 @@ if [[ -n ${INPUT_TARGET_BRANCH} ]]; then
   command+=" --with-token - <<<\"${GITHUB_TOKEN}\""
 fi
 
-exec 3>&1
-output=$(eval "$command" > >(tee /dev/fd/3) 2>&1)
-
-commit=$(echo "$output" | grep "Commit Hash:" | sed 's/.*: //')
-
-if [ -n "$commit" ]; then
-    echo "changes=true" >> "$GITHUB_OUTPUT"
-    echo "commit=$commit" >> "$GITHUB_OUTPUT"
-else
-    echo "changes=false" >> "$GITHUB_OUTPUT"
-fi
-
-pr_number=$(echo "$output" | grep "Pull Request Number:" | sed 's/.*: //')
-
-if [ -n "$pr_number" ]; then 
-   echo "pr_number=$pr_number" >> "$GITHUB_OUTPUT"
-fi
+execute_command "${command}"