semgrep · aryx · May 23, 2024 · May 22, 2024 · May 22, 2024 · May 22, 2024
diff --git a/.github/workflows/sync-with-PRO.jsonnet b/.github/workflows/sync-with-PRO.jsonnet
@@ -1,8 +1,13 @@
-// TODO: this workflow does not provide a full sync of OSS to Pro.
-// It just takes what is in the HEAD in the OSS repo (e.g., the patch of the
-// release) and create a PR with it in pro. This could be used later
-// also to sync simple contributions to OSS from external contributors.
-// TODO: call this workflow from the release workflow
+// Workflow to create a PR to update the Pro repo with changes in OSS.
+//
+// Note that this workflow does not provide a full sync of OSS to Pro;
+// it just takes what is in the HEAD in develop in the OSS repo
+// (e.g., the patch of the release that bumps the version) and create a PR
+// with it in pro.
+// This could be used later also to sync simple contributions to OSS from
+// external contributors.
+// TODO? in theory we could even move this workflow in Pro? (which makes
+// it easier to iterate on)
 
 local semgrep = import 'libs/semgrep.libsonnet';
 local gha = import 'libs/gha.libsonnet';
@@ -13,10 +18,67 @@ local gha = import 'libs/gha.libsonnet';
 
 local job = {
  'runs-on': 'ubuntu-latest',
- steps: [
+ permissions: gha.write_permissions,
+ steps: semgrep.github_bot.get_token_steps + [
  {
- run: 'echo TODO'
+ name: 'Checkout OSS',
+ uses: 'actions/checkout@v3',
+ with: {
+ ref: 'develop',
+ // fetch all history, seems needed to reference develop^ below
+ 'fetch-depth': 0,
+ // Use the token provided by the JWT token getter above
+ token: semgrep.github_bot.token_ref,
+ },
  },
+ {
+ name: 'Checkout PRO',
+ uses: 'actions/checkout@v3',
+ with: {
+ repository: 'semgrep/semgrep-proprietary',
+ path: 'PRO',
+ token: semgrep.github_bot.token_ref,
+ },
+ },
+ {
+ name: 'Creating the branch and commiting to it',
+ env: {
+ BRANCHNAME: 'sync-with-PRO-${{ github.run_id }}-${{ github.run_attempt }}',
+ GITHUB_TOKEN: semgrep.github_bot.token_ref,
+ },
+ // the git config are needed otherwise GHA complains about
+ // unknown identity
+ run: |||
+ if git show --stat develop | grep -q "synced from Pro"; then
+ echo "error: HEAD commit already comes from Pro and cannot be synced"
+ exit 1
+ fi
+ # will generate a 0001-xxx patch
+ git format-patch develop^
+ OSSREF=`git rev-parse develop`
+ cd PRO
+ git config --global user.name "GitHub Actions Bot"
+ git config --global user.email "<>"
+ git checkout -b $BRANCHNAME
+ git am --directory=OSS ../0001-*
+ git log -1 --pretty=%B >message
+ echo "" >>message
+ echo "synced from OSS $OSSREF" >>message
+ git commit --amend -F message
+ git push origin $BRANCHNAME
+ |||,
+ },
+ {
+ name: 'Create the Pull request with gh',
+ env: {
+ GITHUB_TOKEN: semgrep.github_bot.token_ref,
+ },
+ run : |||
+ cd PRO
+ gh pr create --fill --base develop
+ |||,
+ },
+
  ],
 };
 
@@ -27,6 +89,7 @@ local job = {
 {
  name: 'sync-with-PRO',
  on: {
+ // TODO: call this workflow from the release workflow
  workflow_dispatch: null,
  },
  jobs: {

diff --git a/.github/workflows/sync-with-PRO.yml b/.github/workflows/sync-with-PRO.yml
@@ -1,9 +1,68 @@
 # AUTOGENERATED FROM sync-with-PRO.jsonnet DO NOT MODIFY
 jobs:
  job:
+ permissions:
+ contents: write
+ id-token: write
  runs-on: ubuntu-latest
  steps:
- - run: echo TODO
+ - env:
+ EXPIRATION: 600
+ ISSUER: ${{ secrets.SEMGREP_CI_APP_ID }}
+ PRIVATE_KEY: ${{ secrets.SEMGREP_CI_APP_KEY }}
+ id: jwt
+ name: Get JWT for semgrep-ci GitHub App
+ uses: docker://public.ecr.aws/y9k7q4m1/devops/cicd:latest
+ - id: token
+ name: Get token for semgrep-ci GitHub App
+ run: |
+ TOKEN="$(curl -X POST \
+ -H "Authorization: Bearer ${{ steps.jwt.outputs.jwt }}" \
+ -H "Accept: application/vnd.github.v3+json" \
+ "https://api.github.com/app/installations/${{ secrets.SEMGREP_CI_APP_INSTALLATION_ID }}/access_tokens" | \
+ jq -r .token)"
+ echo "::add-mask::$TOKEN"
+ echo "token=$TOKEN" >> $GITHUB_OUTPUT
+ - name: Checkout OSS
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+ ref: develop
+ token: ${{ steps.token.outputs.token }}
+ - name: Checkout PRO
+ uses: actions/checkout@v3
+ with:
+ path: PRO
+ repository: semgrep/semgrep-proprietary
+ token: ${{ steps.token.outputs.token }}
+ - env:
+ BRANCHNAME: sync-with-PRO-${{ github.run_id }}-${{ github.run_attempt }}
+ GITHUB_TOKEN: ${{ steps.token.outputs.token }}
+ name: Creating the branch and commiting to it
+ run: |
+ if git show --stat develop | grep -q "synced from Pro"; then
+ echo "error: HEAD commit already comes from Pro and cannot be synced"
+ exit 1
+ fi
+ # will generate a 0001-xxx patch
+ git format-patch develop^
+ OSSREF=`git rev-parse develop`
+ cd PRO
+ git config --global user.name "GitHub Actions Bot"
+ git config --global user.email "<>"
+ git checkout -b $BRANCHNAME
+ git am --directory=OSS ../0001-*
+ git log -1 --pretty=%B >message
+ echo "" >>message
+ echo "synced from OSS $OSSREF" >>message
+ git commit --amend -F message
+ git push origin $BRANCHNAME
+ - env:
+ GITHUB_TOKEN: ${{ steps.token.outputs.token }}
+ name: Create the Pull request with gh
+ run: |
+ cd PRO
+ gh pr create --fill --base develop
 name: sync-with-PRO
 on:
  workflow_dispatch: null