Skip to content

[Security Solution][Serverless] Github tickets / notifications #43435

[Security Solution][Serverless] Github tickets / notifications

[Security Solution][Serverless] Github tickets / notifications #43435

name: Add QA labels to Fleet issues
on:
# pull_request_target allows running actions on PRs from forks with a read/write GITHUB_TOKEN, but it will not allow
# running workflows defined in the PRs itself, only workflows already merged into the target branch. This avoids
# potential vulnerabilities that could allow someone to open a PR and retrieve secrets.
# It's important that this workflow never runs any checkout actions which could be used to circumvent this protection.
# See these links for more information:
# - https://github.blog/2020-08-03-github-actions-improvements-for-fork-and-pull-request-workflows/
# - https://nathandavison.com/blog/github-actions-and-the-threat-of-malicious-pull-requests
pull_request_target:
types:
- closed
jobs:
fetch_issues_to_label:
runs-on: ubuntu-latest
# Only run on PRs that were merged for the Fleet team
if: |
github.event.pull_request.merged_at &&
contains(github.event.pull_request.labels.*.name, 'Team:Fleet')
outputs:
issue_ids: ${{ steps.issues_to_label.outputs.value }}
label_ids: ${{ steps.label_ids.outputs.value }}
steps:
- uses: octokit/graphql-action@8ad880e4d437783ea2ab17010324de1075228110 # v2.3.2
id: closing_issues
with:
query: |
query closingIssueNumbersQuery($prnumber: Int!) {
repository(owner: "elastic", name: "kibana") {
pullRequest(number: $prnumber) {
closingIssuesReferences(first: 10) {
nodes {
id
labels(first: 20) {
nodes {
id
name
}
}
}
}
}
}
}
prnumber: ${{ github.event.number }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- uses: sergeysova/jq-action@a3f0d4ff59cc1dddf023fc0b325dd75b10deec58 # v2.3.0
id: issues_to_label
with:
# Map to the issues' node id
cmd: echo $CLOSING_ISSUES | jq -c '.repository.pullRequest.closingIssuesReferences.nodes | map(.id)'
multiline: true
env:
CLOSING_ISSUES: ${{ steps.closing_issues.outputs.data }}
- uses: sergeysova/jq-action@a3f0d4ff59cc1dddf023fc0b325dd75b10deec58 # v2.3.0
id: label_ids
with:
# Get list of version labels on pull request and map to label's node id, append 'QA:Ready For Testing' id ("MDU6TGFiZWwyNTQ1NjcwOTI4")
cmd: echo $PR_LABELS | jq -c 'map(select(.name | test("v[0-9]+\\.[0-9]+\\.[0-9]+")) | .node_id) + ["MDU6TGFiZWwyNTQ1NjcwOTI4"]'
multiline: true
env:
PR_LABELS: ${{ toJSON(github.event.pull_request.labels) }}
label_issues:
needs: fetch_issues_to_label
runs-on: ubuntu-latest
# For each issue closed by the PR x each label to apply, run this job
if: |
fromJSON(needs.fetch_issues_to_label.outputs.issue_ids).length > 0 &&
fromJSON(needs.fetch_issues_to_label.outputs.label_ids).length > 0
strategy:
matrix:
issueId: ${{ fromJSON(needs.fetch_issues_to_label.outputs.issue_ids) }}
labelId: ${{ fromJSON(needs.fetch_issues_to_label.outputs.label_ids) }}
name: Label issue ${{ matrix.issueId }} with ${{ matrix.labelId }}
steps:
- uses: octokit/graphql-action@8ad880e4d437783ea2ab17010324de1075228110 # v2.3.2
id: add_labels_to_closed_issue
with:
query: |
mutation add_label($issueid: ID!, $labelid:ID!) {
addLabelsToLabelable(input: {labelableId: $issueid, labelIds: [$labelid]}) {
clientMutationId
}
}
issueid: ${{ matrix.issueId }}
labelid: ${{ matrix.labelId }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}