-
Notifications
You must be signed in to change notification settings - Fork 11
134 lines (117 loc) · 5.33 KB
/
update-alz.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
---
name: update platform/alz
# yamllint disable-line rule:truthy
on:
schedule:
- cron: "0 8 * * 1-5"
workflow_dispatch: {}
permissions:
contents: write
env:
remote_repository: "Azure/Enterprise-Scale"
alzlib_repository: "Azure/alzlib"
library_dir: "platform/alz"
pr_title: "feat: update platform/alz library (automated)"
pr_body: |-
This is an automated 'pull_request' containing updates to the library templates stored in 'platform/alz'.\n
Please review the 'files changed' tab to review changes.
jobs:
update-lib:
name: update
runs-on: ubuntu-latest
environment: libupdate
steps:
- name: Local repository checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
path: ${{ github.repository }}
fetch-depth: 0
- name: Remote repository checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
repository: ${{ env.remote_repository }}
path: ${{ env.remote_repository }}
ref: main
- name: setup go
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version: 'stable'
- name: install alzlibtool
run: go install github.com/Azure/alzlib/cmd/alzlibtool@v0.21.3
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
id: generate-token
with:
app_id: ${{ secrets.TOKEN_APP_ID }}
private_key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
- name: Configure local git
run: |
git config user.name github-actions
git config user.email action@github.com
working-directory: ${{ github.repository }}
- name: Create and checkout branch
id: branch
run: |
BRANCH="platform-alz-${{ github.run_number }}"
echo "name=$BRANCH" >> "$GITHUB_OUTPUT"
git checkout -b "$BRANCH"
working-directory: ${{ github.repository }}
env:
GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
- name: Update library policy definitions
run: |
alzlibtool convert policydefinition -o \
"${{ github.workspace }}/${{ env.remote_repository }}/src/resources/Microsoft.Authorization/policyDefinitions" \
"${{ github.workspace }}/${{ github.repository }}/${{ env.library_dir }}/policy_definitions"
- name: Update library policy set definitions
run: |
alzlibtool convert policysetdefinition -o \
"${{ github.workspace }}/${{ env.remote_repository }}/src/resources/Microsoft.Authorization/policySetDefinitions" \
"${{ github.workspace }}/${{ github.repository }}/${{ env.library_dir }}/policy_set_definitions"
- name: Update library policy assignments and archetypes
uses: azure/powershell@53dd145408794f7e80f97cfcca04155c85234709 # v2.0.0
with:
inlineScript: |
Write-Information "==> Running policy assignments and archetypes script..." -InformationAction Continue
${{ github.repository }}/platform/alz/scripts/Invoke-LibraryUpdatePolicyAssignmentArchetypes.ps1 `
-AlzToolsPath "${{ github.workspace }}/${{ env.remote_repository }}/src/Alz.Tools/" `
-TargetPath "${{ github.workspace }}/${{ github.repository }}" `
-SourcePath "${{ github.workspace }}/${{ env.remote_repository }}"
azPSVersion: "latest"
- name: Check for changes
id: git_status
run: |
mapfile -t "CHECK_GIT_STATUS" < <(git status -s ${{ env.library_dir }})
printf "%s\n" "${CHECK_GIT_STATUS[@]}"
echo "changes=${#CHECK_GIT_STATUS[@]}" >> "$GITHUB_OUTPUT"
working-directory: ${{ github.workspace }}/${{ github.repository }}
- name: Add files, commit and push
if: steps.git_status.outputs.changes > 0
run: |
echo "Pushing changes to origin..."
git add ${{ env.library_dir }}
git commit -m '${{ env.pr_title }}'
git push origin ${{ steps.branch.outputs.name }}
working-directory: ${{ github.repository }}
- name: Create pull request
if: steps.git_status.outputs.changes > 0
id: pr
run: |
PR="$(gh pr create \
--title "${{ env.pr_title }}" \
--body "${{ env.pr_body }}" \
--base "${{ github.ref }}" \
--head "${{ steps.branch.outputs.name }}" \
--draft)"
echo "Created new PR: $CHECK_PULL_REQUEST_URL"
echo number=$(gh pr view $PR_URL --json number | jq -r '.number') >> "$GITHUB_OUTPUT"
working-directory: ${{ github.repository }}
env:
GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
- name: close and comment out of date prs
if: steps.git_status.outputs.changes > 0
run: |
PULL_REQUESTS=$(gh pr list --search 'feat: update platform/alz library (automated)' --json number,headRefName)
echo "$PULL_REQUESTS" | jq -r '.[] | select(.number != ${{ steps.pr.outputs.number }}) | .number' | xargs -I {} gh pr close {} --delete-branch --comment "Supersceeded by #${{ steps.pr.outputs.pull-request-number }}"
working-directory: ${{ github.repository }}
env:
GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}