update_manifest workflow: fix & use deploy_key instead of user token (#973) (#999)

patchback[bot] · himdel · newswangerd · web-flow · commit fce7a607dbcd · 2021-09-30T14:08:40.000-04:00
* ci workflow: fix update_manifest update_manifest is currently failing to run for 2 reasons: GITHUB_PULL_REQUEST is set to a PR number during the pull_request event, and nothing during the push event, the script expects `false` fixing by testing GITHUB_PULL_REQUEST for nonempty GITHUB_BRANCH is set to github.head_ref, only available during pull_request events, the script tests for "master" or "stable" fixing by updating GITHUB_BRANCH to use github.ref sans the refs/heads/ prefix and removed the unused vars, as well as github.event.after which doesn't seem documented for push builds * update_manifest: use deploy key instead of user token same as ansible/ansible-hub-ui#946 the gpg-encrypted key is added to the repo, encrypted by a passphrase added to secrets No-Issue * post-job-template.yml.j2 - update and rerun `plugin-template --github galaxy_ng` (cherry picked from commit 436ffc4) Co-authored-by: Martin Hradil <mhradil@redhat.com> Co-authored-by: David Newswanger <dnewswan@redhat.com>
diff --git a/.github/post-job-template.yml.j2 b/.github/post-job-template.yml.j2
@@ -6,11 +6,16 @@ update_manifest:
       - name: Checkout code
         uses: actions/checkout@v2
         with:
-          ref: {{ "${{ github.event.after }}" }}  # for PR avoids checking out merge commit
           fetch-depth: 0  # include all history
 
+      - name: "Set GITHUB_BRANCH"
+        run: |
+          GITHUB_BRANCH=`sed 's/^refs\/heads\///' <<< $GITHUB_REF`
+          echo "GITHUB_BRANCH=${GITHUB_BRANCH}" >> $GITHUB_ENV
+
       - name: Update Manifest for Ansible Hub UI
         env:
-          {{ set_env_vars() | indent(10) }}
+          GITHUB_PULL_REQUEST: {{ "${{ github.event.number }}" }}
+          MANIFEST_PASSPHRASE: {{ "${{ secrets.MANIFEST_PASSPHRASE }}" }}
         run: .github/workflows/scripts/update_manifest.sh
         shell: bash
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -198,18 +198,16 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v2
         with:
-          ref: ${{ github.event.after }}  # for PR avoids checking out merge commit
           fetch-depth: 0  # include all history
 
+      - name: "Set GITHUB_BRANCH"
+        run: |
+          GITHUB_BRANCH=`sed 's/^refs\/heads\///' <<< $GITHUB_REF`
+          echo "GITHUB_BRANCH=${GITHUB_BRANCH}" >> $GITHUB_ENV
+
       - name: Update Manifest for Ansible Hub UI
         env:
-          PY_COLORS: '1'
-          ANSIBLE_FORCE_COLOR: '1'
           GITHUB_PULL_REQUEST: ${{ github.event.number }}
-          GITHUB_PULL_REQUEST_BODY: ${{ github.event.pull_request.body }}
-          GITHUB_BRANCH: ${{ github.head_ref }}
-          GITHUB_REPO_SLUG: ${{ github.repository }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GITHUB_CONTEXT: ${{ github.event.pull_request.commits_url }}
+          MANIFEST_PASSPHRASE: ${{ secrets.MANIFEST_PASSPHRASE }}
         run: .github/workflows/scripts/update_manifest.sh
         shell: bash
diff --git a/.github/workflows/scripts/deploy_manifest.gpg b/.github/workflows/scripts/deploy_manifest.gpg
diff --git a/.github/workflows/scripts/update_manifest.sh b/.github/workflows/scripts/update_manifest.sh
@@ -10,8 +10,7 @@ readonly GITHUB_BRANCH="${GITHUB_BRANCH:-}"
 
 readonly MANIFESTS_GIT_USER="${MANIFESTS_GIT_USER:-}"
 readonly MANIFESTS_GIT_EMAIL="${MANIFESTS_GIT_EMAIL:-}"
-readonly MANIFESTS_GIT_TOKEN="${MANIFESTS_GIT_TOKEN:-}"
-readonly MANIFESTS_GIT_URL="https://${MANIFESTS_GIT_USER}:${MANIFESTS_GIT_TOKEN}@github.com/RedHatInsights/manifests.git"
+readonly MANIFESTS_GIT_URL="git@github.com:RedHatInsights/manifests.git"
 
 readonly MANIFESTS_DIR='/tmp/manifests'
 readonly MANIFEST_FILE="${MANIFESTS_DIR}/automation-hub/automation-hub-api.txt"
@@ -37,7 +36,7 @@ generate_docker_manifest() {
     echo "${PREFIX}/Dockerfile-FROM-${base_image}"
 }
 
-if [[ "$GITHUB_PULL_REQUEST" != 'false' ]]; then
+if [[ -n "$GITHUB_PULL_REQUEST" ]]; then
     log_message 'Ignoring manifest update for pull request.'
     exit 0
 fi
@@ -49,6 +48,14 @@ else
     exit 0
 fi
 
+# decrypt deploy key and use
+gpg --quiet --batch --yes --decrypt --passphrase="$MANIFEST_PASSPHRASE" --output .github/workflows/scripts/deploy_manifest .github/workflows/scripts/deploy_manifest.gpg
+
+chmod 600 .github/workflows/scripts/deploy_manifest
+eval `ssh-agent -s`
+ssh-add .github/workflows/scripts/deploy_manifest
+
+
 git clone --depth=10 --branch="${manifests_branch}" \
     "${MANIFESTS_GIT_URL}" "${MANIFESTS_DIR}" &>/dev/null
 
