Add global permissions
mdedetrich committed Apr 27, 2022
1 parent 228964c commit ee76cd7
Showing 3 changed files with 37 additions and 4 deletions.
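--- a/src/main/scala/sbtghactions/GenerativeKeys.scala
+++ b/src/main/scala/sbtghactions/GenerativeKeys.scala
@@ -62,6 +62,7 @@ trait GenerativeKeys {
 lazy val githubWorkflowJobSetup = settingKey[Seq[WorkflowStep]]("The automatically-generated checkout, setup, and cache steps which are common to all jobs which touch the build (default: autogenerated)")
 
 lazy val githubWorkflowEnv = settingKey[Map[String, String]](s"A map of static environment variable assignments global to the workflow (default: { GITHUB_TOKEN: $${{ secrets.GITHUB_TOKEN }} })")
+lazy val githubWorkflowPermissions = settingKey[Map[String, String]](s"A map of static permissions for the global workflow (default: {})")
 lazy val githubWorkflowAddedJobs = settingKey[Seq[WorkflowJob]]("A list of additional jobs to add to the CI workflow (default: [])")
 }
 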
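Review bot: The description on the new `githubWorkflowPermissions` key, "(default: {})", reads like the YAML `permissions: {}` (which in GitHub Actions removes every scope from the job token), but the rendering added in GenerativePlugin emits no `permissions:` block at all for an empty map, so the token keeps whatever default the repository or organisation configures. Someone tightening token scope needs to know which of the two they get. Suggest `s"A map of static permissions for the global workflow; when empty no permissions block is emitted and the token retains the repository default (default: empty)"`. It would also help to say that values are GitHub's `read`/`write`/`none` levels, since nothing on the key or in the renderer constrains them.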
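--- a/src/main/scala/sbtghactions/GenerativePlugin.scala
+++ b/src/main/scala/sbtghactions/GenerativePlugin.scala
@@ -183,6 +183,21 @@ object GenerativePlugin extends AutoPlugin {
 s"""$key: ${wrap(value)}"""
 }
 s"""$prefix:
 ${indent(rendered.mkString("\n"), 1)}"""
 }
 
+def compilePermissions(permissions: Map[String, String]): String =
+if (permissions.isEmpty) {
+""
+} else {
+val rendered = permissions map {
+case (key, value) =>
+if (!isSafeString(key) || key.indexOf(' ') >= 0)
+sys.error(s"'$key' is not a valid permission name")
+
+s"""$key: ${wrap(value)}"""
+}
+s"""permissions:
+${indent(rendered.mkString("\n"), 1)}"""
+}
+
@@ -421,15 +436,21 @@ ${indent(job.steps.map(compileStep(_, sbt, declareShell = declareShell)).mkStrin
 paths: Paths,
 prEventTypes: List[PREventType],
 env: Map[String, String],
+permissions: Map[String, String],
 jobs: List[WorkflowJob],
 sbt: String)
 : String = {
 
+val renderedPermissionsPre = compilePermissions(permissions)
 val renderedEnvPre = compileEnv(env)
 val renderedEnv = if (renderedEnvPre.isEmpty)
 ""
 else
 renderedEnvPre + "\n\n"
+val renderedPerm = if (renderedPermissionsPre.isEmpty)
+""
+else
+renderedPermissionsPre + "\n\n"
 
 val renderedTypesPre = prEventTypes.map(compilePREventType).mkString("[", ", ", "]")
 val renderedTypes = if (prEventTypes.sortBy(_.toString) == PREventType.Defaults)
@@ -467,7 +488,7 @@ on:
 push:
 branches: [${branches.map(wrap).mkString(", ")}]$renderedTags$renderedPaths
 
-${renderedEnv}jobs:
+${renderedPerm}${renderedEnv}jobs:
 ${indent(jobs.map(compileJob(_, sbt)).mkString("\n\n"), 1)}
 """
 }
@@ -504,6 +525,7 @@ ${indent(jobs.map(compileJob(_, sbt)).mkString("\n\n"), 1)}
 githubWorkflowTargetPaths := Paths.None,
 
 githubWorkflowEnv := Map("GITHUB_TOKEN" -> s"$${{ secrets.GITHUB_TOKEN }}"),
+githubWorkflowPermissions := Map.empty[String, String],
 githubWorkflowAddedJobs := Seq())
 
 private lazy val internalTargetAggregation = settingKey[Seq[File]]("Aggregates target directories from all subprojects")
@@ -698,6 +720,7 @@ ${indent(jobs.map(compileJob(_, sbt)).mkString("\n\n"), 1)}
 githubWorkflowTargetPaths.value,
 githubWorkflowPREventTypes.value.toList,
 githubWorkflowEnv.value,
+githubWorkflowPermissions.value,
 githubWorkflowGeneratedCI.value.toList,
 sbt)
 }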
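Review bot: `compilePermissions` validates the key but hands the value straight to `wrap`, and since this block decides what the job token may do, a mistyped level should fail at generation time rather than as a workflow GitHub rejects on the next push; the accepted levels are `read`, `write` and `none`, so inside the `case (key, value) =>` branch add `if (!Set("read", "write", "none").contains(value)) sys.error(s"'$value' is not a valid permission level for '$key'")`. The body is otherwise a copy of the `$prefix`-based renderer ending just above it, whose head is outside the hunk, so if that helper already takes the prefix as a parameter a `compilePermissions` that delegates with `"permissions"` and its own error message would avoid two copies drifting. Note too that an immutable `Map` with more than four entries iterates in hash order, so the emitted `permissions:` block (like the existing `env:` one) is not stable across runs; `permissions.toSeq.sortBy(_._1)` before rendering keeps the generated file deterministic. `compileWorkflow` continues past the hunk; inserting `permissions` mid-parameter-list is source-incompatible for any caller outside the plugin, which may or may not matter here.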
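--- a/src/test/scala/sbtghactions/GenerativePluginSpec.scala
+++ b/src/test/scala/sbtghactions/GenerativePluginSpec.scala
@@ -46,7 +46,7 @@ class GenerativePluginSpec extends Specification {
 |${" " * 2}
 |""".stripMargin
 
-compileWorkflow("test", List("main"), Nil, Paths.None, PREventType.Defaults, Map(), Nil, "sbt") mustEqual expected
+compileWorkflow("test", List("main"), Nil, Paths.None, PREventType.Defaults, Map(), Map(), Nil, "sbt") mustEqual expected
 }
 
 "produce the appropriate skeleton around a zero-job workflow with non-empty tags" in {
@@ -64,7 +64,7 @@ class GenerativePluginSpec extends Specification {
 |${" " * 2}
 |""".stripMargin
 
-compileWorkflow("test", List("main"), List("howdy"), Paths.None, PREventType.Defaults, Map(), Nil, "sbt") mustEqual expected
+compileWorkflow("test", List("main"), List("howdy"), Paths.None, PREventType.Defaults, Map(), Map(), Nil, "sbt") mustEqual expected
 }
 
 "respect non-default pr types" in {
@@ -82,7 +82,7 @@ class GenerativePluginSpec extends Specification {
 |${" " * 2}
 |""".stripMargin
 
-compileWorkflow("test", List("main"), Nil, Paths.None, List(PREventType.ReadyForReview, PREventType.ReviewRequested, PREventType.Opened), Map(), Nil, "sbt") mustEqual expected
+compileWorkflow("test", List("main"), Nil, Paths.None, List(PREventType.ReadyForReview, PREventType.ReviewRequested, PREventType.Opened), Map(), Map(), Nil, "sbt") mustEqual expected
 }
 
 "compile a one-job workflow targeting multiple branch patterns with a environment variables" in {
@@ -95,6 +95,9 @@ class GenerativePluginSpec extends Specification {
 | push:
 | branches: [main, backport/v*]
 |
+|permissions:
+| id-token: write
+|
 |env:
 | GITHUB_TOKEN: $${{ secrets.GITHUB_TOKEN }}
 |
@@ -119,6 +122,9 @@ class GenerativePluginSpec extends Specification {
 PREventType.Defaults,
 Map(
 "GITHUB_TOKEN" -> s"$${{ secrets.GITHUB_TOKEN }}"),
+Map(
+"id-token" -> "write"
+),
 List(
 WorkflowJob(
 "build",
@@ -168,6 +174,7 @@ class GenerativePluginSpec extends Specification {
 Paths.None,
 PREventType.Defaults,
 Map(),
+Map(),
 List(
 WorkflowJob(
 "build",
@@ -212,6 +219,7 @@ class GenerativePluginSpec extends Specification {
 Paths.None,
 PREventType.Defaults,
 Map(),
+Map(),
 List(
 WorkflowJob(
 "build",
@@ -263,6 +271,7 @@ class GenerativePluginSpec extends Specification {
 Paths.None,
 PREventType.Defaults,
 Map(),
+Map(),
 List(
 WorkflowJob(
 "build",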
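Review bot: The only case that exercises `permissions` (the one-job test around the `| id-token: write` expectation) also sets `env`, so the rendering of a non-empty permissions map with an empty env — the `${renderedPerm}${renderedEnv}jobs:` spacing in compileWorkflow — and the `sys.error` path for an invalid permission name are both uncovered. Suggest two small cases beside it: one calling `compileWorkflow` with `Map()` for env and `Map("contents" -> "read")` for permissions and asserting exactly one blank line separates the `permissions:` block from `jobs:`, and one asserting `compilePermissions(Map("bad key" -> "read"))` throws. The remaining hunks only thread the extra `Map()` argument through existing calls.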
