pleo-io · pleo-file-distributor · May 24, 2024
@@ -28,17 +28,14 @@ env:
   CONFIG_FILE: ""
   RUN_ON_DEFAULT_BRANCH: true
   GRADLE_SCRIPT_PATH: ./gradlew
-  setWizCliDepsScanPath: .
-  setWizCliDepsPolicy: Pleo-Default-vulnerabilities-policy
-  runWizCliDepsScan: false
+  RUN_WIZCLI_DEPS_SCAN: <<runWizCliDepsScan>>>
 
 jobs:
   preflight:
     name: Determine if CodeQL should run
     runs-on: ubuntu-latest
     outputs:
       should_run_analyze: ${{ steps.maybe_skip_analyze.outputs.should_run_analyze }}
-      should_run_wiz_cli: ${{ steps.maybe_skip_wiz_cli.outputs.should_run_wiz_cli }}
       working_language: ${{steps.working_language_step.outputs.WORKING_LANGUAGE}}
     steps:
       - uses: winterjung/split@a211a1c46e35fcdc4097d59dd6282d4a9859651b # v2
@@ -69,60 +66,25 @@ jobs:
             echo "Running CodeQL analysis"
             echo "should_run_analyze=true" >> "$GITHUB_OUTPUT"
           fi
-      - id: maybe_skip_wiz_cli
-        name: Check if Wiz-CLI Deps Scan should run
-        shell: bash
-        run: |
-          if [[ "${{ env.runWizCliDepsScan }}" == "true" ]]; then
-            echo "should_run_wiz_cli=true" >> "$GITHUB_OUTPUT"
-          else
-              echo "should_run_wiz_cli=false" >> "$GITHUB_OUTPUT"
-          fi
       - id: working_language_step
         name: We check if the repository language is supported by CodeQL
         run: echo "WORKING_LANGUAGE=${{env[format('language_{0}', github.event.repository.language)]}}" >> "$GITHUB_OUTPUT"
 
   wiz-cli:
-    name: Scan Dependencies with Wiz CLI
-    if: ${{ needs.preflight.outputs.should_run_wiz_cli == 'true'}}
-    needs:
-      - preflight
+    name: Wiz-CLI
     runs-on: ubuntu-latest
-    defaults:
-      run:
-        shell: bash
+    if: ${{ !contains(github.event.pull_request.labels.*.name, 'feature-deploy') && (github.ref != 'refs/heads/main' || github.event_name != 'push') }}
     steps:
-      - name: Check out repository
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
-
-      - name: Check latest version of Wiz CLI
-        id: version_check
-        run: |
-          raw_output=$(curl -sL https://wizcli.app.wiz.io/latest/wizcli-version)
-          LATEST_VERSION=$(echo "$raw_output" | grep -oP '"\K[^-]*' | head -1) 
-          COMPLETE_VERSION=$(echo "$raw_output" | grep -oP '(?<=").*?(?=")')
-          echo "version=$LATEST_VERSION" >> "$GITHUB_OUTPUT"
-          echo "complete_version=$COMPLETE_VERSION" >> "$GITHUB_OUTPUT"
-
-      - name: Cache Wiz CLI
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
-        id: cache_wizcli
+      - name: Scan Dependencies with Wiz-CLI
+        uses: pleo-io/reusable-actions/wizcli@main
+        if: ${{ env.RUN_WIZCLI_DEPS_SCAN == 'true' }}
         with:
-          path: wizcli-${{ steps.version_check.outputs.version }}
-          key: wizcli-${{ steps.version_check.outputs.version }}
-
-      - name: Download Wiz CLI
-        if: steps.cache_wizcli.outputs.cache-hit != 'true'
-        run: curl -o wizcli-${{ steps.version_check.outputs.version }} https://wizcli.app.wiz.io/${{ steps.version_check.outputs.complete_version }}/wizcli && chmod +x wizcli-${{ steps.version_check.outputs.version }}
-
-      - name: Authenticate to Wiz
-        env:
-          WIZ_CLIENT_ID: ${{ secrets.WIZ_CLIENT_ID }}
-          WIZ_CLIENT_SECRET: ${{ secrets.WIZ_CLIENT_SECRET }}
-        run: ./wizcli-${{ steps.version_check.outputs.version }} auth --id "$WIZ_CLIENT_ID" --secret "$WIZ_CLIENT_SECRET"
-
-      - name: Run wiz CLI Dependency Scan
-        run: ./wizcli-${{ steps.version_check.outputs.version }} dir scan --path "${{ env.setWizCliDepsScanPath }}" --policy "${{ env.setWizCliDepsPolicy }}"
+          scan_deps: ${{ env.RUN_WIZCLI_DEPS_SCAN }}
+          deps_scan_path: .
+          deps_policy: Pleo-Default-vulnerabilities-policy
+          wiz_client_id: ${{ secrets.WIZ_CLIENT_ID }}
+          wiz_client_secret: ${{ secrets.WIZ_CLIENT_SECRET }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
 
   analyze-code:
     name: Analyze code with CodeQL
@@ -137,7 +99,7 @@ jobs:
       security-events: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
       - name: Set Working Language
         run: echo "WORKING_LANGUAGE=${{needs.preflight.outputs.working_language}}" >> "$GITHUB_ENV"
       # Set up a JDK environment for building, testing and releasing.
@@ -165,7 +127,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@d39d31e687223d841ef683f52467bd88e9b21c14 # v3
+        uses: github/codeql-action/init@9fdb3e49720b44c48891d036bb502feb25684276 # v3
         with:
           languages: ${{ github.event.repository.language }}
           ram: 4096
@@ -182,6 +144,6 @@ jobs:
           JOB_RUNR_REPO_PASSWORD: ${{ secrets.JOB_RUNR_REPO_PASSWORD }}
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14 # v3
+        uses: github/codeql-action/analyze@9fdb3e49720b44c48891d036bb502feb25684276 # v3
         with:
           ram: 4096
@@ -3,27 +3,18 @@
 #   - centralized-templates
 # FILE STEWARD: @pleo-io/team-devx,@pleo-bot-auto-approver
 
-name: Check PR
+name: Automate PR
+
 on:
   pull_request:
+    # This workflow is triggered for each individual label that was added / removed
+    # It is necessary to detect the actual label in each job / step
     types:
-      - assigned
-      - unassigned
       - labeled
       - unlabeled
-      - opened
-      - edited
-      - closed
-      - reopened
-      - synchronize
-      - ready_for_review
-      - locked
-      - unlocked
-      - review_requested
-      - review_request_removed
 
 concurrency:
-  group: ci-${{ github.workflow }}-${{ github.ref }}
+  group: ci-${{ github.workflow }}-${{ github.ref }}-${{ github.event.label.name }}
   cancel-in-progress: true
 
 env:
@@ -33,10 +24,36 @@ jobs:
   auto-approve-pr:
     runs-on: ubuntu-latest
     name: Auto-approve PR
-    if: ${{ contains(fromJSON('["pleo-bot-renovate", "pleo-file-distributor[bot]"]'), github.actor) && contains(github.event.pull_request.labels.*.name, 'autoapprove') }}
+    if: ${{ contains(fromJSON('["pleo-bot-renovate", "pleo-bot", "pleo-file-distributor[bot]"]'), github.actor) && github.event.label.name == 'autoapprove' }}
     steps:
       - uses: hmarr/auto-approve-action@v3
-        if: env.autoApproveEnabled == 'true'
+        if: ${{ github.event.action == 'labeled' && env.autoApproveEnabled == 'true' }}
         with:
           github-token: ${{ secrets.PLEO_BOT_AUTO_APPROVER_TOKEN }}
           review-message: "This has been auto-approved by @pleo-bot-auto-approver. If your PR isn't being auto-merged as desired, make sure to add @pleo-bot-auto-approver to the CODEOWNERS file. More details how to use Renovate [here](https://www.notion.so/pleo/How-to-use-Renovate-781e4861200744c6b38d3efd8c6d525a?pvs=4)"
+
+  automerge-pr:
+    # This job is used to to replace Kodiak which fails in repos that use Github's merge queue
+    # The main use case is to automerge PRs created by file-distirbutor
+    name: Detecting Label "automerge"
+    runs-on: ubuntu-latest
+    if: ${{ github.event.label.name == 'automerge' }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+
+      - id: enable-automerge
+        name: Enable Pull Request Automerge
+        if: ${{github.event.action == 'labeled'}}
+        run: gh pr merge --auto --squash "$PR_NUMBER"
+        env:
+          GITHUB_TOKEN: "${{ secrets.PLEO_BOT_AUTO_APPROVER_TOKEN }}"
+          PR_NUMBER: ${{ github.event.number }}
+
+      - id: disable-automerge
+        name: Disable Pull Request Automerge
+        if: ${{github.event.action == 'unlabeled'}}
+        run: gh pr merge --disable-auto "$PR_NUMBER"
+        env:
+          GITHUB_TOKEN: "${{ secrets.PLEO_BOT_AUTO_APPROVER_TOKEN }}"
+          PR_NUMBER: ${{ github.event.number }}
@@ -0,0 +1,27 @@
+# THIS CODE WAS AUTOGENERATED. DO NOT MODIFY THIS FILE DIRECTLY
+# THE SOURCE CODE LIVES IN A DIFFERENT REPOSITORY:
+#   - centralized-templates
+# FILE STEWARD: @pleo-io/team-devx,@pleo-bot-auto-approver
+
+name: Renovate - Dependency management
+
+on:
+  workflow_dispatch:
+    inputs:
+      logLevel:
+        description: "Override default log level"
+        required: false
+        default: "info"
+        type: string
+
+  schedule:
+    - cron: 55 7 * * 1-5
+
+concurrency: renovate
+
+jobs:
+  call-workflow:
+    uses: pleo-io/renovate-config/.github/workflows/[custom]_reusable_run-renovate.yaml@main
+    with:
+      logLevel: ${{ inputs.logLevel || 'info' }}
+    secrets: inherit