extract steps commenting and merging PR from chart-verifier job

github-actions[bot] · github-actions[bot] · commit 3f4df5fff6fc · 2024-09-20T20:44:37.000+02:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -190,18 +190,22 @@ jobs:
     runs-on: ubuntu-22.04
     needs: [setup, validate-submission]
 
-    if: ${{ always() }}
-
     outputs:
       report_content: ${{ steps.check_report.outputs.report_content }}
       redhat_to_community: ${{ steps.check_report.outputs.redhat_to_community }}
-      message_file: ${{ steps.pr_comment.outputs.message-file }}
-      message_text_base64: ${{ steps.encode_pr_comment.outputs.message-text-base64 }}
+      # message_file: ${{ steps.pr_comment.outputs.message-file }}
+      # message_text_base64: ${{ steps.encode_pr_comment.outputs.message-text-base64 }}
       # web_catalog_only: ${{ steps.check_pr_content.outputs.web_catalog_only }}
       # chart_entry_name: ${{ steps.check_pr_content.outputs.chart-entry-name }}
       # release_tag: ${{ steps.check_pr_content.outputs.release_tag }}
       # ocp-version-range: ${{ steps.get-ocp-range.outputs.ocp-version-range }}
 
+      community_manual_review_required: ${{ steps.check_report.outputs.community_manual_review_required }}
+      install-oc-outcome: ${{ steps.install-oc.outcome }}
+      verifier_error_message: ${{ steps.check-verifier-result.outputs.verifier_error_message }}
+      run-verifier-outcome: ${{ steps.run-verifier.outcome }}
+      check_report-outcome: ${{ steps.check_report.outcome }}
+      ocp-version-range: ${{ steps.get-ocp-range.outputs.ocp-version-range }}
 
     steps:
       - name: Checkout
@@ -231,13 +235,12 @@ jobs:
 
       - name: Download submission information
         uses: actions/download-artifact@v4
-        if: ${{ ! contains(join(needs.*.result, ','), 'failure') }}
         with:
           name: submission
 
       - name: Remove 'authorized-request' label from PR
         uses: actions/github-script@v7
-        if: ${{ needs.setup.outputs.run_build == 'true' && contains( github.event.pull_request.labels.*.name, 'authorized-request') && ! contains(join(needs.*.result, ','), 'failure') }}
+        if: ${{ needs.setup.outputs.run_build == 'true' && contains( github.event.pull_request.labels.*.name, 'authorized-request') }}
         continue-on-error: true
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
@@ -252,15 +255,14 @@ jobs:
 
       - name: install chart verifier for action
         uses: redhat-actions/openshift-tools-installer@v1
-        if: ${{ ! contains(join(needs.*.result, ','), 'failure') }}
         with:
           source: github
           skip_cache: true
           chart-verifier: "${{ needs.setup.outputs.verifier-action-image }}"
 
       # TODO: check what needs to stay here vs what could go to validate-submission
       - name: determine verify requirements
-        if: ${{ needs.setup.outputs.run_build == 'true' && ! contains(join(needs.*.result, ','), 'failure') }}
+        if: ${{ needs.setup.outputs.run_build == 'true' }}
         id: verify_requires
         env:
           BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
@@ -270,30 +272,30 @@ jobs:
 
       - name: Install oc
         id: install-oc
-        if: ${{ steps.verify_requires.outputs.cluster_needed == 'true' && ! contains(join(needs.*.result, ','), 'failure') }}
+        if: ${{ steps.verify_requires.outputs.cluster_needed == 'true' }}
         uses: redhat-actions/openshift-tools-installer@v1
         with:
           oc: latest
 
       - name: Set cluster login params
         id: login-params
-        if: ${{ steps.verify_requires.outputs.cluster_needed == 'true' && ! contains(join(needs.*.result, ','), 'failure') }}
+        if: ${{ steps.verify_requires.outputs.cluster_needed == 'true' }}
         run: |
           #calculate cluster params
           API_SERVER=$( echo -n ${{ secrets.API_SERVER }} | base64 -d)
           echo "API_SERVER=${API_SERVER}" >> $GITHUB_OUTPUT
 
       - uses: redhat-actions/oc-login@v1
         id: oc_login
-        if: ${{ steps.verify_requires.outputs.cluster_needed == 'true' && ! contains(join(needs.*.result, ','), 'failure') }}
+        if: ${{ steps.verify_requires.outputs.cluster_needed == 'true' }}
         with:
           openshift_server_url: ${{ steps.login-params.outputs.API_SERVER }}
           openshift_token: ${{ secrets.CLUSTER_TOKEN }}
           insecure_skip_tls_verify: ${{ needs.setup.outputs.insecure_skip_tls_verify }}
 
       - name: create service account
         id: create_service_account
-        if: ${{ steps.verify_requires.outputs.cluster_needed == 'true' && ! contains(join(needs.*.result, ','), 'failure') }}
+        if: ${{ steps.verify_requires.outputs.cluster_needed == 'true' }}
         env:
           API_SERVER: ${{ steps.login-params.outputs.API_SERVER }}
           BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
@@ -304,7 +306,7 @@ jobs:
 
       - uses: redhat-actions/chart-verifier@v1
         id: run-verifier
-        if: ${{ steps.verify_requires.outputs.report_needed == 'true' && ! contains(join(needs.*.result, ','), 'failure') }}
+        if: ${{ steps.verify_requires.outputs.report_needed == 'true' }}
         with:
             chart_uri: ${{ steps.verify_requires.outputs.verify_uri }}
             verify_args: ${{ steps.verify_requires.outputs.verify_args }}
@@ -313,43 +315,44 @@ jobs:
 
       - name: check-verifier-result
         id: check-verifier-result
-        if: ${{ always() && steps.run-verifier.outcome == 'failure' && ! contains(join(needs.*.result, ','), 'failure') }}
+        if: ${{ always() && steps.run-verifier.outcome == 'failure' }}
         run: |
           error_message="The chart verifier returned an error when trying to obtain a verification report for the chart."
           echo "verifier_error_message=$error_message" >> $GITHUB_OUTPUT
 
       - name: Get profile version set in report provided by the user
         id: get-profile-version
-        if: ${{ needs.setup.outputs.run_build == 'true' && steps.verify_requires.outputs.report_provided == 'true' && ! contains(join(needs.*.result, ','), 'failure') }}
+        if: ${{ needs.setup.outputs.run_build == 'true' && steps.verify_requires.outputs.report_provided == 'true' }}
         uses: mikefarah/yq@master
         with:
           cmd: yq '.metadata.tool.profile.version' ${{ format('./pr-branch/{0}', steps.verify_requires.outputs.provided_report_relative_path) }}
 
       - name: Get the range of Kubernetes versions set in the report provided by the user
         id: get-kube-range
-        if: ${{ needs.setup.outputs.run_build == 'true' && steps.verify_requires.outputs.report_provided == 'true' && ! contains(join(needs.*.result, ','), 'failure') }}
+        if: ${{ needs.setup.outputs.run_build == 'true' && steps.verify_requires.outputs.report_provided == 'true' }}
         continue-on-error: true
         uses: mikefarah/yq@master
         with:
           cmd: yq '.metadata.chart.kubeversion' ${{ format('./pr-branch/{0}', steps.verify_requires.outputs.provided_report_relative_path) }}
 
       - name: Get the corresponding range of OCP versions
         id: get-ocp-range
-        if: ${{ needs.setup.outputs.run_build == 'true' && steps.verify_requires.outputs.report_provided == 'true' && ! contains(join(needs.*.result, ','), 'failure') }}
+        if: ${{ needs.setup.outputs.run_build == 'true' && steps.verify_requires.outputs.report_provided == 'true' }}
         continue-on-error: true
         uses: ./.github/actions/get-ocp-range
         with:
           kube-version-range: ${{ steps.get-kube-range.outputs.result }}
 
       - name: Only ignore errors in get-ocp-range for profile in version v1.0
-        if: ${{ (steps.get-kube-range.outcome == 'failure' || steps.get-ocp-range.outcome == 'failure') && steps.get-profile-version.outputs.result != 'v1.0' && ! contains(join(needs.*.result, ','), 'failure') }}
+        if: ${{ (steps.get-kube-range.outcome == 'failure' || steps.get-ocp-range.outcome == 'failure') && steps.get-profile-version.outputs.result != 'v1.0' }}
         run: |
           echo "::error file=.github/workflows/build.yaml::Failure in get-ocp-range, mandatory for profile version ${{ steps.get-profile-version.outputs.result }}"
           exit 1
 
+      # check the report that was generated when running chart-verifier / or provided by PR ??
       - name: Check Report
         id: check_report
-        if: ${{ needs.setup.outputs.run_build == 'true' && ! contains(join(needs.*.result, ','), 'failure') }}
+        if: ${{ needs.setup.outputs.run_build == 'true' }}
         env:
           BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
           VENDOR_TYPE: ${{ needs.validate-submission.outputs.category }}
@@ -370,55 +373,91 @@ jobs:
           cd ..
 
       - name: Delete Namespace
-        if: ${{ always() && steps.oc_login.conclusion == 'success' && ! contains(join(needs.*.result, ','), 'failure') }}
+        if: ${{ always() && steps.oc_login.conclusion == 'success' }}
         env:
           KUBECONFIG: /tmp/ci-kubeconfig
         run: |
           API_SERVER=$( echo -n ${{ secrets.API_SERVER }} | base64 -d)
           oc login --token=${{ secrets.CLUSTER_TOKEN }} --server=${API_SERVER} --insecure-skip-tls-verify=${{ needs.setup.outputs.insecure_skip_tls_verify }}
           ve1/bin/sa-for-chart-testing --delete charts-${{ github.event.number }}
 
-      # TODO
+      # TODO: test remove altogether: rght now only ensure report.yaml file exists
       - name: Save PR artifact
         env:
           BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
         if: ${{ always() && needs.setup.outputs.run_build == 'true' }}
         run: |
           ve1/bin/pr-artifact --directory=./pr --pr-number=${{ github.event.number }} --api-url=${{ github.event.pull_request._links.self.href }}
 
-  # manage-gh-pr:
-  #   name: Comment and merge PR
-  #   runs-on: ubuntu-22.04
-  #   needs: [setup, validate-submission, chart-verifier]
+  manage-gh-pr:
+    name: Comment and merge PR
+    runs-on: ubuntu-22.04
+    needs: [setup, validate-submission, chart-verifier]
+
+    outputs:
+      message_file: ${{ steps.pr_comment.outputs.message-file }}
+      message_text_base64: ${{ steps.encode_pr_comment.outputs.message-text-base64 }}
+
+    # Run manage-pr as long as setup was successfull, independently from potential errors in validate-submission or chart-verifier
+    if: ${{ always() && needs.setup.result == 'success' }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Checkout PR Branch
+        if: ${{ needs.setup.outputs.run_build == 'true' }}
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+          path: "pr-branch"
+
+      - name: Set up Python 3.x Part 1
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.10"
 
-  #   # outputs:
-  #   # if: ${{ always() && contains(join(needs.*.result, ','), 'success') }}
+      - name: Set up Python 3.x Part 2
+        run: |
+          # set up python
+          python3 -m venv ve1
+          cd scripts
+          ../ve1/bin/pip3 install -r requirements.txt
+          ../ve1/bin/pip3 install .
+          cd ..
+
+      - name: Download submission information
+        uses: actions/download-artifact@v4
+        with:
+          name: submission
 
-  #   steps:
       - name: Prepare PR comment
         id: pr_comment
-        if: ${{ always() && needs.setup.outputs.run_build == 'true' }}
+        if: ${{ needs.setup.outputs.run_build == 'true' }}
         env:
           BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
           PR_CONTENT_ERROR_MESSAGE: ${{ needs.validate-submission.outputs.pr-content-error-message }}
           OWNERS_ERROR_MESSAGE: ${{ needs.validate-submission.outputs.owners-error-message }}
-          COMMUNITY_MANUAL_REVIEW: ${{ steps.check_report.outputs.community_manual_review_required }}
-          OC_INSTALL_RESULT: ${{ steps.install-oc.outcome }}
-          VERIFIER_ERROR_MESSAGE: ${{ steps.check-verifier-result.outputs.verifier_error_message }}
+          COMMUNITY_MANUAL_REVIEW: ${{ needs.chart-verifier.outputs.community_manual_review_required }}
+          OC_INSTALL_RESULT: ${{ needs.chart-verifier.outputs.install-oc-outcome || 'skipped' }}
+          VERIFIER_ERROR_MESSAGE: ${{ needs.chart-verifier.outputs.verifier_error_message }}
         run: |
-          ve1/bin/pr-comment ${{ needs.validate-submission.outputs.validate-submission-outcome }} ${{ steps.run-verifier.outcome }} ${{ steps.check_report.conclusion }}
+          ve1/bin/pr-comment ${{ needs.validate-submission.outputs.validate-submission-outcome }} \
+            ${{ needs.chart-verifier.outputs.run-verifier-outcome || 'skipped' }} \
+            ${{ needs.chart-verifier.outputs.check_report-outcome || 'skipped'}}
 
       # Note(komish): This step is a temporary fix for the metrics step in the next job
       # which expects the PR comment to exist at the specified filesystem location.
       - name: Encode PR Comment for Metrics
         id: encode_pr_comment
-        if: ${{ always() && needs.setup.outputs.run_build == 'true' }}
+        if: ${{ needs.setup.outputs.run_build == 'true' }}
         run: |
           commentBase64=$(base64 --wrap=0 ${{ steps.pr_comment.outputs.message-file }})
           echo "message-text-base64=${commentBase64}" | tee -a $GITHUB_OUTPUT
         
       - name: Comment on PR
-        if: ${{ always() && needs.setup.outputs.run_build == 'true' }}
+        if: ${{ needs.setup.outputs.run_build == 'true' }}
         uses: actions/github-script@v7
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
@@ -434,7 +473,8 @@ jobs:
             });
 
       - name: Add 'authorized-request' label to PR
-        if: ${{ always() && needs.validate-submission.outputs.validate-submission-outcome == 'success' && steps.run-verifier.outcome != 'failure' && needs.setup.outputs.run_build == 'true' }}
+        if: ${{ needs.validate-submission.outputs.validate-submission-outcome == 'success' && needs.chart-verifier.outputs.run-verifier-outcome != 'failure' && needs.setup.outputs.run_build == 'true' }}
+        # if: ${{ needs.validate-submission.outputs.validate-submission-outcome == 'success' && needs.chart-verifier.outputs.run-verifier-outcome || 'skipped' == 'success' && needs.setup.outputs.run_build == 'true' }}
         uses: actions/github-script@v7
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
@@ -453,7 +493,8 @@ jobs:
 
       - name: Approve PR
         id: approve_pr
-        if: ${{ steps.check_report.conclusion == 'success' }}
+        if: ${{ needs.chart-verifier.outputs.check_report-outcome == 'success' }}
+        # if: ${{ needs.chart-verifier.outputs.check_report-outcome || 'skipped' == 'success' }}
         uses: hmarr/auto-approve-action@v3
         with:
           # The token we use for this changes for the Sandbox repository because the sandbox repository
@@ -463,15 +504,15 @@ jobs:
 
       - name: Merge PR
         id: merge_pr
-        if: ${{ steps.approve_pr.conclusion == 'success' }}
+        if: ${{ steps.approve_pr.outcome == 'success' }}
         uses: pascalgn/automerge-action@v0.16.2
         env:
           GITHUB_TOKEN: ${{ secrets.BOT_TOKEN }}
           MERGE_METHOD: squash
           MERGE_LABELS: ""
 
       - name: Check for PR merge
-        if: ${{ steps.merge_pr.conclusion == 'success' }}
+        if: ${{ steps.merge_pr.outcome == 'success' }}
         env:
           BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
         run: |
@@ -481,7 +522,7 @@ jobs:
   release:
     name: Release Chart
     runs-on: ubuntu-22.04
-    needs: [setup, validate-submission, chart-verifier]
+    needs: [setup, validate-submission, chart-verifier, manage-gh-pr]
 
     steps:
       - name: Checkout
@@ -535,7 +576,7 @@ jobs:
           REPORT_CONTENT: ${{ needs.chart-verifier.outputs.report_content }}
           REDHAT_TO_COMMUNITY: ${{ needs.chart-verifier.outputs.redhat_to_community }}
           WEB_CATALOG_ONLY: ${{ needs.validate-submission.outputs.web_catalog_only }}
-          OCP_VERSION_RANGE: ${{ steps.get-ocp-range.outputs.ocp-version-range }}
+          OCP_VERSION_RANGE: ${{ needs.chart-verifier.outputs.ocp-version-range }}
         id: prepare-chart-release
         run: |
           # export WEB_CATALOG_ONLY=`jq .is_web_catalog_only ${{ github.env.SUBMISSION_PATH }}`
@@ -628,8 +669,8 @@ jobs:
       - name: Retrieve PR comment for metrics
         if: ${{ always() && needs.setup.outputs.run_build == 'true' && github.repository != 'openshift-helm-charts/sandbox' }}
         run: |
-          mkdir -p $(dirname ${{ needs.chart-verifier.outputs.message_file }})
-          echo ${{ needs.chart-verifier.outputs.message_text_base64 }} | base64 -d | tee ${{ needs.chart-verifier.outputs.message_file }}
+          mkdir -p $(dirname ${{ needs.manage-gh-pr.outputs.message_file }})
+          echo ${{ needs.manage-gh-pr.outputs.message_text_base64 }} | base64 -d | tee ${{ needs.manage-gh-pr.outputs.message_file }}
 
       - name: Add metrics
         id: add_metrics
@@ -652,7 +693,7 @@ jobs:
               echo "add PR run metric"
               ve1/bin/metrics --write-key="${WRITE_KEY}" \
                               --metric-type="pull_request" \
-                              --message-file="${{ needs.chart-verifier.outputs.message_file }}" \
+                              --message-file="${{ needs.manage-gh-pr.outputs.message_file }}" \
                               --pr-number="${{ github.event.number }}" \
                               --pr-action="${{ github.event.action }}" \
                               --repository="${GITHUB_REPOSITORY}" \
diff --git a/scripts/src/pullrequest/prepare_pr_comment.py b/scripts/src/pullrequest/prepare_pr_comment.py
@@ -1,6 +1,7 @@
 import os
 import sys
 
+from submission import validate
 from tools import gitutils
 
 
@@ -207,9 +208,18 @@ def main():
     pr_content_result = sys.argv[1]
     run_verifier_result = sys.argv[2]
     verify_result = sys.argv[3]
-    issue_number = open("./pr/NR").read().strip()
-    vendor_label = open("./pr/vendor").read().strip()
-    chart_name = open("./pr/chart").read().strip()
+
+    submission_path = os.environ.get("SUBMISSION_PATH")
+    s = validate.read_submission_from_file(articact_path=submission_path)
+    issue_number = s.get_pr_number()
+    vendor_label = s.chart.organization
+    chart_name = s.chart.name
+
+    # s = validate.read_submission_from_file(articact_path=submission_path)
+
+    # issue_number = open("./pr/NR").read().strip()
+    # vendor_label = open("./pr/vendor").read().strip()
+    # chart_name = open("./pr/chart").read().strip()
 
     community_manual_review = os.environ.get("COMMUNITY_MANUAL_REVIEW", False)
     oc_install_result = os.environ.get("OC_INSTALL_RESULT")
diff --git a/scripts/src/submission/submission.py b/scripts/src/submission/submission.py
@@ -538,6 +538,9 @@ def is_valid_web_catalog_only(self, repo_path=""):
 
         return True, ""
 
+    def get_pr_number(self):
+        return self.api_url.split("/")[-1]
+
 
 def get_file_type(file_path):
     """Determine the category of a given file
@@ -578,7 +581,7 @@ def get_file_type(file_path):
     return "unknwown", None
 
 
-def download_index_data(repository, branch="gh-pages"):
+def download_index_data(repository: str, branch: str = "gh-pages") -> dict:
     """Download the helm repository index"""
     r = requests.get(
         f"https://raw.githubusercontent.com/{repository}/{branch}/index.yaml"
