Kaghiya/identity brokered auth #3
name: GitHub Event Processor | |
on: | |
issues: | |
types: [edited, labeled, opened, reopened, unlabeled] | |
# issue_comment is used for both issues and pull_requests | |
# github.event.issue.pull_request will be non-null on pull request comments | |
issue_comment: | |
types: [created] | |
# synchronize is the pull_request_target event when changes are pushed | |
# pull request merged is the closed event with github.event.pull_request.merged = true | |
pull_request_target: | |
types: [closed, labeled, opened, reopened, review_requested, synchronize, unlabeled] | |
# This removes all unnecessary permissions, the ones needed will be set below. | |
# https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token | |
permissions: {} | |
jobs: | |
event-handler: | |
permissions: | |
issues: write | |
pull-requests: write | |
# For OIDC auth | |
id-token: write | |
contents: read | |
name: Handle ${{ github.event_name }} ${{ github.event.action }} event | |
runs-on: ubuntu-latest | |
steps: | |
- name: 'Az CLI login' | |
if: ${{ github.event_name == 'issues' && github.event.action == 'opened' }} | |
uses: azure/login@v1 | |
with: | |
client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
- name: 'Run Azure CLI commands' | |
if: ${{ github.event_name == 'issues' && github.event.action == 'opened' }} | |
run: | | |
LABEL_SERVICE_API_KEY=$(az keyvault secret show \ | |
--vault-name issue-labeler \ | |
-n issue-labeler-func-key \ | |
-o tsv \ | |
--query value) | |
echo "::add-mask::$LABEL_SERVICE_API_KEY" | |
echo "LABEL_SERVICE_API_KEY=$LABEL_SERVICE_API_KEY" >> $GITHUB_ENV | |
# To run github-event-processor built from source, for testing purposes, uncomment everything | |
# in between the Start/End-Build From Source comments and comment everything in between the | |
# Start/End-Install comments | |
# Start-Install | |
- name: Install GitHub Event Processor | |
run: > | |
dotnet tool install | |
Azure.Sdk.Tools.GitHubEventProcessor | |
--version 1.0.0-dev.20230713.2 | |
--add-source https://pkgs.dev.azure.com/azure-sdk/public/_packaging/azure-sdk-for-net/nuget/v3/index.json | |
--global | |
shell: bash | |
# End-Install | |
# Testing checkout of sources from the Azure/azure-sdk-tools repository | |
# The ref: is the SHA from the pull request in that repository or the | |
# refs/pull/<PRNumber>/merge for the latest on any given PR. If the repository | |
# is a fork eg. <User>/azure-sdk-tools then the repository down below will | |
# need to point to that fork | |
# Start-Build | |
# - name: Checkout tools repo for GitHub Event Processor sources | |
# uses: actions/checkout@v3 | |
# with: | |
# repository: Azure/azure-sdk-tools | |
# path: azure-sdk-tools | |
# ref: <refs/pull/<PRNumber>/merge> or <sha> | |
# - name: Build and install GitHubEventProcessor from sources | |
# run: | | |
# dotnet pack | |
# dotnet tool install --global --prerelease --add-source ../../../artifacts/packages/Debug Azure.Sdk.Tools.GitHubEventProcessor | |
# shell: bash | |
# working-directory: azure-sdk-tools/tools/github-event-processor/Azure.Sdk.Tools.GitHubEventProcessor | |
# End-Build | |
- name: Process Action Event | |
run: | | |
cat > payload.json << 'EOF' | |
${{ toJson(github.event) }} | |
EOF | |
github-event-processor ${{ github.event_name }} payload.json | |
shell: bash | |
env: | |
# This is a temporary secret generated by github | |
# https://docs.github.com/en/actions/security-guides/automatic-token-authentication#about-the-github_token-secret | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
LABEL_SERVICE_API_KEY: ${{ env.LABEL_SERVICE_API_KEY }} |
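Review bot: The `run` script of the Process Action Event step interpolates `${{ toJson(github.event) }}` directly into the heredoc, so event data becomes shell source text before bash sees it, in a job triggered by `pull_request_target` and `issue_comment` with `issues: write`, `pull-requests: write`, `id-token: write` and the Key Vault key exposed in `env`. The quoted `'EOF'` delimiter suppresses shell expansion and toJson keeps string values quoted and escaped, so a bare `EOF` line from user-controlled fields looks unreachable today, but that safety rests on a serializer detail rather than on shell quoting. The documented-safe form passes the payload through the environment: add `EVENT_JSON: ${{ toJson(github.event) }}` under the step's existing `env:` and replace the three heredoc lines with `printf '%s\n' "$EVENT_JSON" > payload.json`. For the same reason, pinning `azure/login@v1` (and the commented-out `actions/checkout@v3`) to a commit SHA would keep a moved tag from changing what executes with these permissions.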