Skip to content

update platform/alz #140

update platform/alz

update platform/alz #140

Workflow file for this run

---
name: update platform/alz
# yamllint disable-line rule:truthy
on:
schedule:
- cron: "0 8 * * 1-5"
workflow_dispatch: {}
permissions:
contents: write
env:
alzlibtool_version: "0.22.0"
remote_repository: "Azure/Enterprise-Scale"
alzlib_repository: "Azure/alzlib"
library_dir: "platform/alz"
pr_title: "feat: update platform/alz library (automated)"
pr_body: |-
This is an automated 'pull_request' containing updates to the library templates stored in 'platform/alz'.\n
Please review the 'files changed' tab to review changes.
jobs:
update-lib:
name: update
runs-on: ubuntu-latest
environment: libupdate
steps:
- name: Install alzlibtool
run: |
curl -L https://github.com/Azure/alzlib/releases/download/v${{ env.alzlibtool_version }}/alzlib_0.22.0_linux_amd64.tar.gz | tar -xvz
sudo cp alzlibtool /usr/local/bin
- name: Local repository checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
path: ${{ github.repository }}
fetch-depth: 0
- name: Remote repository checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
repository: ${{ env.remote_repository }}
path: ${{ env.remote_repository }}
ref: main
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
id: generate-token
with:
app_id: ${{ secrets.TOKEN_APP_ID }}
private_key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
- name: Configure local git
run: |
git config user.name github-actions
git config user.email action@github.com
working-directory: ${{ github.repository }}
- name: Create and checkout branch
id: branch
run: |
BRANCH="platform-alz-${{ github.run_number }}"
echo "name=$BRANCH" >> "$GITHUB_OUTPUT"
git checkout -b "$BRANCH"
working-directory: ${{ github.repository }}
env:
GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
- name: Update library policy definitions
run: |
alzlibtool convert policydefinition -o \
"${{ github.workspace }}/${{ env.remote_repository }}/src/resources/Microsoft.Authorization/policyDefinitions" \
"${{ github.workspace }}/${{ github.repository }}/${{ env.library_dir }}/policy_definitions"
- name: Update library policy set definitions
run: |
alzlibtool convert policysetdefinition -o \
"${{ github.workspace }}/${{ env.remote_repository }}/src/resources/Microsoft.Authorization/policySetDefinitions" \
"${{ github.workspace }}/${{ github.repository }}/${{ env.library_dir }}/policy_set_definitions"
- name: Update library policy definitions in archetype definitions
uses: azure/powershell@53dd145408794f7e80f97cfcca04155c85234709 # v2.0.0
with:
inlineScript: |
Write-Information "==> Running policy definitions in archetype definitions script..." -InformationAction Continue
${{ github.repository }}/platform/alz/scripts/Invoke-LibraryUpdatePolicyDefinitions.ps1 `
-TargetPath "${{ github.workspace }}/${{ github.repository }}" `
-SourcePath "${{ github.workspace }}/${{ env.remote_repository }}"
azPSVersion: "latest"
- name: Update library policy assignments and archetypes
uses: azure/powershell@53dd145408794f7e80f97cfcca04155c85234709 # v2.0.0
with:
inlineScript: |
Write-Information "==> Running policy assignments and archetypes script..." -InformationAction Continue
${{ github.repository }}/platform/alz/scripts/Invoke-LibraryUpdatePolicyAssignmentArchetypes.ps1 `
-TargetPath "${{ github.workspace }}/${{ github.repository }}" `
-SourcePath "${{ github.workspace }}/${{ env.remote_repository }}"
azPSVersion: "latest"
- name: Check for changes
id: git_status
run: |
mapfile -t "CHECK_GIT_STATUS" < <(git status -s ${{ env.library_dir }})
printf "%s\n" "${CHECK_GIT_STATUS[@]}"
echo "changes=${#CHECK_GIT_STATUS[@]}" >> "$GITHUB_OUTPUT"
working-directory: ${{ github.workspace }}/${{ github.repository }}
- name: Regerate README.md
if: steps.git_status.outputs.changes > 0
run: |
alzlibtool document library . >README.md
working-directory: ${{ github.repository }}
- name: Add files, commit and push
if: steps.git_status.outputs.changes > 0
run: |
echo "Pushing changes to origin..."
git add ${{ env.library_dir }}
git commit -m '${{ env.pr_title }}'
git push origin ${{ steps.branch.outputs.name }}
working-directory: ${{ github.repository }}
- name: Create pull request
if: steps.git_status.outputs.changes > 0
id: pr
run: |
PR="$(gh pr create \
--title "${{ env.pr_title }}" \
--body "${{ env.pr_body }}" \
--base "${{ github.ref }}" \
--head "${{ steps.branch.outputs.name }}" \
--draft)"
echo "Created new PR: $CHECK_PULL_REQUEST_URL"
echo number=$(gh pr view $PR_URL --json number | jq -r '.number') >> "$GITHUB_OUTPUT"
working-directory: ${{ github.repository }}
env:
GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
- name: close and comment out of date prs
if: steps.git_status.outputs.changes > 0
run: |
PULL_REQUESTS=$(gh pr list --search 'feat: update platform/alz library (automated)' --json number,headRefName)
echo "$PULL_REQUESTS" | jq -r '.[] | select(.number != ${{ steps.pr.outputs.number }}) | .number' | xargs -I {} gh pr close {} --delete-branch --comment "Supersceeded by #${{ steps.pr.outputs.pull-request-number }}"
working-directory: ${{ github.repository }}
env:
GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}