diff --git a/.cirrus.yml b/.cirrus.yml index 91af5f07dd2..87a70375d96 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -1,5 +1,5 @@ env: - COVERAGE_GITHUB_TOKEN: VAULT[development/github/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-ro token] + GITHUB_TOKEN: VAULT[development/github/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-ro token] SONAR_HOST_URL: VAULT[development/kv/data/next data.url] SONAR_TOKEN: VAULT[development/kv/data/next data.token] SONAR_SCANNER_VERSION: 5.0.1.3006 diff --git a/.github/workflows/add_language.yml b/.github/workflows/add_language.yml index 116ba8c8389..142cf761262 100644 --- a/.github/workflows/add_language.yml +++ b/.github/workflows/add_language.yml @@ -15,18 +15,10 @@ on: jobs: add_language_to_rule: runs-on: ubuntu-latest - permissions: - id-token: write # OIDC auth for Vault - contents: read # checkout + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - - name: 'get secrets' - id: secrets - uses: SonarSource/vault-action-wrapper@v3 - with: - secrets: | - development/github/token/SonarSource-rspec-coverage token | COVERAGE_GITHUB_TOKEN; - - uses: actions/checkout@v4 with: persist-credentials: true @@ -46,7 +38,5 @@ jobs: run: pipenv install - name: 'Add Language' - env: - COVERAGE_GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).COVERAGE_GITHUB_TOKEN }} working-directory: 'rspec/rspec-tools' run: pipenv run rspec-tools add-lang-to-rule --user ${{ github.actor }} --language "${{ github.event.inputs.language }}" --rule "${{ github.event.inputs.rule }}" diff --git a/.github/workflows/create_new_rspec.yml b/.github/workflows/create_new_rspec.yml index 042c69e8fb0..79dbaa2344f 100644 --- a/.github/workflows/create_new_rspec.yml +++ b/.github/workflows/create_new_rspec.yml @@ -12,18 +12,10 @@ on: jobs: create_new_rule: runs-on: ubuntu-latest - permissions: - id-token: write # OIDC auth for Vault - contents: read # checkout + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - - name: 'get secrets' - id: secrets - uses: SonarSource/vault-action-wrapper@v3 - with: - secrets: | - development/github/token/SonarSource-rspec-coverage token | COVERAGE_GITHUB_TOKEN; - - uses: actions/checkout@v4 with: persist-credentials: true @@ -43,7 +35,5 @@ jobs: run: pipenv install - name: 'Create Rule' - env: - COVERAGE_GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).COVERAGE_GITHUB_TOKEN }} working-directory: 'rspec/rspec-tools' run: pipenv run rspec-tools create-rule --user ${{ github.actor }} --languages "${{ github.event.inputs.languages }}" diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 92ea99a59a2..2869f01e9ba 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -9,18 +9,9 @@ jobs: build-and-deploy: runs-on: ubuntu-20.04 permissions: - id-token: write # OIDC auth for Vault pull-requests: read # Get the list and metadata of open new-rule PRs contents: write # Get the contents of open new-rule PRs, the 'master'; write to 'gh-pages' branch - pages: write # for github-pages-deploy-action steps: - - name: 'get secrets' - id: secrets - uses: SonarSource/vault-action-wrapper@v3 - with: - secrets: | - development/github/token/SonarSource-rspec-coverage token | COVERAGE_GITHUB_TOKEN; - - name: Checkout 🛎️ uses: actions/checkout@v4 # If you're using actions/checkout you must set persist-credentials to false in most cases for the deployment to work correctly. with: @@ -36,7 +27,7 @@ jobs: npm run predeploy env: NODE_OPTIONS: "--max-old-space-size=3048" - COVERAGE_GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).COVERAGE_GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Deploy 🚀 uses: JamesIves/github-pages-deploy-action@releases/v3 with: diff --git a/.github/workflows/update_coverage.yml b/.github/workflows/update_coverage.yml index 08ee2613d5b..12f97a209d4 100644 --- a/.github/workflows/update_coverage.yml +++ b/.github/workflows/update_coverage.yml @@ -2,13 +2,15 @@ name: Update rule coverage on: schedule: - cron: '17 2 * * *' + workflow_dispatch: jobs: update_coverage: runs-on: ubuntu-latest permissions: - id-token: write # OIDC auth for Vault - contents: read # checkout + id-token: write + contents: write + checks: read env: TMP_BRANCH: temporary/coverage_update @@ -18,15 +20,16 @@ jobs: uses: SonarSource/vault-action-wrapper@v3 with: secrets: | - development/github/token/SonarSource-rspec-coverage token | COVERAGE_GITHUB_TOKEN; + development/github/token/SonarSource-rspec-coverage token | coverage_github_token; development/kv/data/slack token | slack_token; - uses: actions/checkout@v4 with: persist-credentials: true - ref: master + fetch-depth: 0 path: 'rspec' - token: ${{ fromJSON(steps.secrets.outputs.vault).COVERAGE_GITHUB_TOKEN }} + token: ${{ fromJSON(steps.secrets.outputs.vault).coverage_github_token }} + - uses: actions/setup-python@v4 with: python-version: '3.9' @@ -41,7 +44,7 @@ jobs: - name: 'Regenerate coverage information' env: - COVERAGE_GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).COVERAGE_GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).coverage_github_token }} id: gen-coverage working-directory: 'rspec/rspec-tools' run: | @@ -74,7 +77,7 @@ jobs: uses: fountainhead/action-wait-for-check@v1.0.0 id: wait-for-build with: - token: ${{ secrets.COVERAGE_GITHUB_TOKEN }} + token: ${{ secrets.GITHUB_TOKEN }} checkName: all_required_checks ref: ${{ env.TMP_BRANCH }} timeoutSeconds: 2400 @@ -94,7 +97,7 @@ jobs: if: always() && steps.create-temp-branch.conclusion == 'success' uses: dawidd6/action-delete-branch@v3 with: - COVERAGE_GITHUB_TOKEN: ${{ secrets.COVERAGE_GITHUB_TOKEN}} + github_token: ${{ secrets.GITHUB_TOKEN }} branches: ${{ env.TMP_BRANCH}} - name: 'Fail if the change breaks CI' diff --git a/.github/workflows/update_quickfix_status.yml b/.github/workflows/update_quickfix_status.yml index 78cc8989e3f..11a42e825a6 100644 --- a/.github/workflows/update_quickfix_status.yml +++ b/.github/workflows/update_quickfix_status.yml @@ -1,6 +1,6 @@ name: Update quick fix status -on: +on: workflow_dispatch: inputs: rule: @@ -26,16 +26,9 @@ jobs: update_quickfix_status: name: Update quick fix status runs-on: ubuntu-20.04 - permissions: - id-token: write # OIDC auth for Vault - contents: read # checkout + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - - name: 'get secrets' - id: secrets - uses: SonarSource/vault-action-wrapper@v3 - with: - secrets: | - development/github/token/SonarSource-rspec-coverage token | COVERAGE_GITHUB_TOKEN; - uses: actions/checkout@v2 with: persist-credentials: true @@ -56,6 +49,4 @@ jobs: - name: 'Update quickfix status' working-directory: 'rspec/rspec-tools' - env: - COVERAGE_GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).COVERAGE_GITHUB_TOKEN }} run: pipenv run rspec-tools update-quickfix-status --user ${{ github.actor }} --rule "${{ github.event.inputs.rule }}" --language "${{ github.event.inputs.language }}" --status "${{ github.event.inputs.status }}" diff --git a/frontend/README.adoc b/frontend/README.adoc index a7b331babfe..ff93dd87ad3 100644 --- a/frontend/README.adoc +++ b/frontend/README.adoc @@ -36,7 +36,7 @@ NOTE: If the script fails to clone or fetch due to an SSL certificate failure As a workaround you can https://github.com/nodegit/nodegit/issues/1742[disable the certificate check]. NOTE: In the predeploy step (specifically the `prepare-rules` part of it) the script fetches all the open PRs locally. - You might want to set `COVERAGE_GITHUB_TOKEN` to your personal GitHub token + You might want to set `GITHUB_TOKEN` to your personal GitHub token to avoid GitHub throttling your requests during the predeploy stage. diff --git a/frontend/src/deployment/pullRequestIndexing.ts b/frontend/src/deployment/pullRequestIndexing.ts index b13252206d6..12b4e9fe8b9 100644 --- a/frontend/src/deployment/pullRequestIndexing.ts +++ b/frontend/src/deployment/pullRequestIndexing.ts @@ -24,14 +24,14 @@ export interface PullRequest { */ export async function process_incomplete_rspecs(tmpRepoDir: string, callback: (srcDir: string, pr: PullRequest)=>void) { - const octokit = process.env.COVERAGE_GITHUB_TOKEN ? - new Octokit({userAgent: 'rspec-tools', auth: process.env.COVERAGE_GITHUB_TOKEN}): + const octokit = process.env.GITHUB_TOKEN ? + new Octokit({userAgent: 'rspec-tools', auth: process.env.GITHUB_TOKEN}): new Octokit({userAgent: 'rspec-tools'}); const repo = await (() => { if (!fs.existsSync(path.join(tmpRepoDir, '.git'))) { - if (process.env.COVERAGE_GITHUB_TOKEN) { - return Git.Clone.clone(`https://${process.env.COVERAGE_GITHUB_TOKEN}@github.com/SonarSource/rspec/`, tmpRepoDir); + if (process.env.GITHUB_TOKEN) { + return Git.Clone.clone(`https://${process.env.GITHUB_TOKEN}@github.com/SonarSource/rspec/`, tmpRepoDir); } else { return Git.Clone.clone('https://github.com/SonarSource/rspec/', tmpRepoDir); } diff --git a/rspec-tools/rspec_tools/cli.py b/rspec-tools/rspec_tools/cli.py index 228582b7cab..71abb95b6d4 100644 --- a/rspec-tools/rspec_tools/cli.py +++ b/rspec-tools/rspec_tools/cli.py @@ -45,7 +45,7 @@ def check_links(d): @click.option('--user', required=False) def create_rule(languages: str, user: Optional[str]): '''Create a new rule.''' - token = os.environ.get('COVERAGE_GITHUB_TOKEN') + token = os.environ.get('GITHUB_TOKEN') rspec_tools.create_rule.create_new_rule(languages, token, user) @@ -55,7 +55,7 @@ def create_rule(languages: str, user: Optional[str]): @click.option('--user', required=False) def add_lang_to_rule(language: str, rule: str, user: Optional[str]): '''Add a new language to rule.''' - token = os.environ.get('COVERAGE_GITHUB_TOKEN') + token = os.environ.get('GITHUB_TOKEN') rspec_tools.create_rule.add_language_to_rule(language, rule, token, user) @@ -66,7 +66,7 @@ def add_lang_to_rule(language: str, rule: str, user: Optional[str]): @click.option('--user', required=False) def update_quickfix_status(language: str, rule: str, status: str, user: Optional[str]): '''Update the status of quick fix for the given rule/language''' - token = os.environ.get('COVERAGE_GITHUB_TOKEN') + token = os.environ.get('GITHUB_TOKEN') rspec_tools.modify_rule.update_rule_quickfix_status(language, rule, status, token, user) diff --git a/rspec-tools/rspec_tools/coverage.py b/rspec-tools/rspec_tools/coverage.py index b58ed1736c1..2bba7e13d65 100644 --- a/rspec-tools/rspec_tools/coverage.py +++ b/rspec-tools/rspec_tools/coverage.py @@ -153,9 +153,9 @@ def all_implemented_rules(): def checkout_repo(repo): git_url=f"https://github.com/SonarSource/{repo}" - token=os.getenv('COVERAGE_GITHUB_TOKEN') + token=os.getenv('GITHUB_TOKEN') if token: - git_url=f"https://${token}@github.com/SonarSource/{repo}" + git_url=f"https://oauth2:{token}@github.com/SonarSource/{repo}" if not os.path.exists(repo): return Repo.clone_from(git_url, repo) else: diff --git a/rspec-tools/tests/test_cli.py b/rspec-tools/tests/test_cli.py index c85156cec75..b8a7eaa2562 100644 --- a/rspec-tools/tests/test_cli.py +++ b/rspec-tools/tests/test_cli.py @@ -12,7 +12,7 @@ class TestCLIUpdateQuickfixStatus: '''Unit test for quickfix status update through Command Line Interface.''' - @patch.dict(os.environ, {'COVERAGE_GITHUB_TOKEN': 'TOKEN'}) + @patch.dict(os.environ, {'GITHUB_TOKEN': 'TOKEN'}) @patch('rspec_tools.modify_rule.update_rule_quickfix_status') def test_basic_cli_usage(self, mock): arguments = [