-
-
Notifications
You must be signed in to change notification settings - Fork 5
/
action.yml
90 lines (84 loc) · 4.57 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
name: "Enforce License Compliance"
inputs:
fossa_api_key:
required: false
runs:
using: "composite"
steps:
- if: github.repository_owner != 'getsentry' && github.repository_owner != 'codecov'
shell: bash
run: echo "This action should only run on getsentry and codecov repos" && exit 1
- name: 'Pick a FOSSA API key and install FOSSA cli'
id: set_key
shell: bash
env:
PREFERRED: ${{ inputs.fossa_api_key }}
run: |
# FOSSA has two kinds of API keys (aka tokens), a full-privilege key
# and a low-privilege "push-only" key. The practical difference is that
# the full key provides more feedback on `fossa test` failure. We have
# a full key stored in org-wide GitHub Secrets, but a) we can't access
# it in an action, only in a workflow (hence the input here) and b) it
# isn't available even in a workflow when run in a PR from a fork. If
# for any reason it's missing we fall back to a push-only key attached
# to a low-privilege account, which is safe (enough) to expose publicly
# here in this file and gives us at least basic pass/fail.
#
# See also: https://docs.fossa.com/docs/api-reference#api-tokens
FALLBACK="9fc50c40b136c68873ad05aec573cf3e"
echo "key=${PREFERRED:-$FALLBACK}" >> "$GITHUB_OUTPUT"
# Install specific version of fossa-cli to guarantee stability of parsing fossa job outputs
VERSION="v3.8.20"
curl -H 'Cache-Control: no-cache' "https://raw.githubusercontent.com/fossas/fossa-cli/$VERSION/install-latest.sh" | bash -s -- "$VERSION"
- name: 'Checkout Code'
uses: actions/checkout@v3
- name: 'Run `fossa analyze`'
id: analyze
continue-on-error: true
env:
FOSSA_API_KEY: ${{ steps.set_key.outputs.key }}
GITHUB_PR_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
GITHUB_PR_REF: ${{ github.event.pull_request.head.ref || github.ref }}
shell: bash
run: |
exec &> >(tee -a "analyze_logs.txt")
fossa analyze --branch "$GITHUB_PR_REF" --revision "$GITHUB_PR_SHA"
# We only want to run license compliance test if `fossa test` succeeds. This is to unblock CI
# on FOSSA outages.
- if: steps.analyze.outcome == 'success'
name: 'Run `fossa test`'
id: test
continue-on-error: true
env:
FOSSA_API_KEY: ${{ steps.set_key.outputs.key }}
GITHUB_PR_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
shell: bash
run: |
exec &> >(tee -a "test_logs.txt")
# Set timeout to 5 minutes (default of 60 minutes is waaaay too long to block CI)
fossa test --timeout 300 --revision "$GITHUB_PR_SHA"
- if: steps.analyze.outcome == 'failure' || steps.test.outcome == 'failure'
name: 'Send error to Sentry on `fossa-cli` errors'
shell: bash
env:
SENTRY_DSN: https://decbca863c554db095624ede8a83310c@o1.ingest.sentry.io/4505031352713216
run: |
if [[ ${{ steps.analyze.outcome }} == 'failure' ]]; then
curl -sL https://sentry.io/get-cli/ | sh
# Environment variables will automatically be sent, so we just want some minimal information
error_msg=$(cat analyze_logs.txt | grep -zoP '(?<=>>> Relevant errors\n\n Error\n\n ).*?(?=\n)' || echo 'unknown error message')
sentry-cli send-event -m "analyze: $error_msg" -t repo:$GITHUB_REPOSITORY -e url:$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID --logfile analyze_logs.txt
exit 0
fi
if grep -q "The scan has revealed issues. Number of issues found:" test_logs.txt; then
echo
echo "🛑 🛑 🛑 🛑 🛑 🛑 🛑 🛑 🛑 🛑 🛑 🛑 🛑 🛑 🛑 🛑 🛑 🛑 🛑 🛑 🛑 🛑 🛑 🛑 "
echo
echo "Eep! It seems that this PR introduces a license violation. Did you add any libraries? Do they use the GPL or some weird license? Am I a confused bot? If you need a hand, cc: @getsentry/open-source in a comment. 🙏"
echo
echo "🛑 🛑 🛑 🛑 🛑 🛑 🛑 🛑 🛑 🛑 🛑 🛑 🛑 🛑 🛑 🛑 🛑 🛑 🛑 🛑 🛑 🛑 🛑 🛑 "
exit 1
fi
curl -sL https://sentry.io/get-cli/ | sh
error_msg=$(cat test_logs.txt | grep -zoP '(?<=>>> Relevant errors\n\n Error\n\n ).*?(?=\n)' || echo 'unknown error message')
sentry-cli send-event -m "test: $error_msg" -t repo:$GITHUB_REPOSITORY -e url:$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID --logfile test_logs.txt