From e4567d72f1086a023f40cdd7089cb769daa23cd5 Mon Sep 17 00:00:00 2001 From: Zack Koppert Date: Fri, 4 Oct 2024 12:00:21 -0700 Subject: [PATCH 1/4] feat: filter repos by team ownership Signed-off-by: Zack Koppert --- README.md | 5 ++- env.py | 10 +++-- evergreen.py | 21 +++++++--- test_env.py | 100 +++++++++++++++++++++++++++++++++++++++++++++- test_evergreen.py | 42 ++++++++++++++++++- 5 files changed, 165 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index 957b33a..fdffebc 100644 --- a/README.md +++ b/README.md @@ -5,7 +5,7 @@ [![Python package](https://github.com/github/evergreen/actions/workflows/python-ci.yml/badge.svg)](https://github.com/github/evergreen/actions/workflows/python-ci.yml) [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/github/evergreen/badge)](https://scorecard.dev/viewer/?uri=github.com/github/evergreen) -This is a GitHub Action that given an organization or specified repositories, opens an issue/PR if dependabot is not enabled, or there are more package ecosystems that could be. It also enables [automated security updates](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#managing-dependabot-security-updates-for-your-repositories) for the repository. +This is a GitHub Action that given an organization, team, or specified repositories, opens an issue/PR if dependabot is not enabled, or there are more package ecosystems that could be. It also enables [automated security updates](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#managing-dependabot-security-updates-for-your-repositories) for the repository. This action was developed by the GitHub OSPO for our own use and developed in a way that we could open source it that it might be useful to you as well! If you want to know more about how we use it, reach out in an issue in this repository. @@ -27,7 +27,7 @@ All feedback regarding our GitHub Actions, as a whole, should be communicated th 1. Create a repository to host this GitHub Action or select an existing repository. 1. Select a best fit workflow file from the [examples below](#example-workflows). 1. Copy that example into your repository (from step 1) and into the proper directory for GitHub Actions: `.github/workflows/` directory with the file extension `.yml` (ie. `.github/workflows/evergreen.yml`) -1. Edit the values (`ORGANIZATION`, `REPOSITORY`, `EXEMPT_REPOS`, `TYPE`, `TITLE`, `BODY`) from the sample workflow with your information. If running on a whole organization then no repository is needed. If running the action on just one repository or a list of repositories, then no organization is needed. The type should be either `issue` or `pull` representing the action that you want taken after discovering a repository that should enable dependabot. +1. Edit the values (`ORGANIZATION`, `TEAM_NAME`, `REPOSITORY`, `EXEMPT_REPOS`, `TYPE`, `TITLE`, `BODY`) from the sample workflow with your information. If running on a whole organization then no repository is needed. If running the action on just one repository or a list of repositories, then no organization is needed. If running the action on a team, then an organization is required and no repository is needed. The type should be either `issue` or `pull` representing the action that you want taken after discovering a repository that should enable dependabot. 1. Optionally, edit the value (`CREATED_AFTER_DATE`) if you are setting up this action to run regularly and only want newly created repositories to be considered. Otherwise, if you want all specified repositories regardless of when they were created to be considered, then leave blank. 1. Optionally edit the value (`UPDATE_EXISTING`) if you want to update existing dependabot configuration files. If set to `true`, the action will update the existing dependabot configuration file with any package ecosystems that are detected but not configured yet. If set to `false`, the action will only create a new dependabot configuration file if there is not an existing one. The default value is `false`. 1. Also edit the value for `GH_ENTERPRISE_URL` if you are using a GitHub Server and not using github.com. For github.com users, don't put anything in here. @@ -64,6 +64,7 @@ This action can be configured to authenticate with GitHub App Installation or Pe | -------------------------- | ----------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | `GH_ENTERPRISE_URL` | False | "" | The `GH_ENTERPRISE_URL` is used to connect to an enterprise server instance of GitHub. github.com users should not enter anything here. | | `ORGANIZATION` | Required to have `ORGANIZATION` or `REPOSITORY` | | The name of the GitHub organization which you want this action to work from. ie. github.com/github would be `github` | +| `TEAM_NAME` | Requires `ORGANIZATION` | | The name of the organization's team which you want this action to work from. ie. For a team like github/engineering would be `engineering` | | `REPOSITORY` | Required to have `ORGANIZATION` or `REPOSITORY` | | The name of the repository and organization which you want this action to work from. ie. `github/evergreen` or a comma separated list of multiple repositories `github/evergreen,super-linter/super-linter` | | `EXEMPT_REPOS` | False | "" | These repositories will be exempt from this action considering them for dependabot enablement. ex: If my org is set to `github` then I might want to exempt a few of the repos but get the rest by setting `EXEMPT_REPOS` to `github/evergreen,github/contributors` | | `TYPE` | False | pull | Type refers to the type of action you want taken if this workflow determines that dependabot could be enabled. Valid values are `pull` or `issue`. | diff --git a/env.py b/env.py index 4facb77..48aaa05 100644 --- a/env.py +++ b/env.py @@ -117,6 +117,7 @@ def get_env_vars( dict, str, str, + str | None, ]: """ Get the environment variables for use in the action. @@ -148,6 +149,7 @@ def get_env_vars( repo_specific_exemptions (dict): A dictionary of per repository ecosystem exemptions schedule (str): The schedule to run the action on schedule_day (str): The day of the week to run the action on if schedule is daily + team_name (str): The team to search for repositories in """ if not test: @@ -157,15 +159,16 @@ def get_env_vars( organization = os.getenv("ORGANIZATION") repositories_str = os.getenv("REPOSITORY") + team_name = os.getenv("TEAM_NAME") # Either organization or repository must be set if not organization and not repositories_str: raise ValueError( "ORGANIZATION and REPOSITORY environment variables were not set. Please set one" ) - - if repositories_str and repositories_str.find("/") == 0: + # Team name and repository are mutually exclusive + if repositories_str and team_name: raise ValueError( - "REPOSITORY environment variable was not set correctly. Please set it to a comma separated list of repositories in the format org/repo" + "TEAM_NAME environment variable cannot be used with ORGANIZATION or REPOSITORY" ) # Separate repositories_str into a list based on the comma separator @@ -349,4 +352,5 @@ def get_env_vars( repo_specific_exemptions, schedule, schedule_day, + team_name, ) diff --git a/evergreen.py b/evergreen.py index ba64f49..ce9f8aa 100644 --- a/evergreen.py +++ b/evergreen.py @@ -1,5 +1,6 @@ """This file contains the main() and other functions needed to open an issue/PR dependabot is not enabled but could be""" +import sys import uuid from datetime import datetime @@ -39,6 +40,7 @@ def main(): # pragma: no cover repo_specific_exemptions, schedule, schedule_day, + team_name, ) = env.get_env_vars() # Auth to GitHub.com or GHE @@ -60,8 +62,10 @@ def main(): # pragma: no cover ) project_id = get_global_project_id(token, organization, project_id) - # Get the repositories from the organization or list of repositories - repos = get_repos_iterator(organization, repository_list, github_connection) + # Get the repositories from the organization, team name, or list of repositories + repos = get_repos_iterator( + organization, team_name, repository_list, github_connection + ) # Iterate through the repositories and open an issue/PR if dependabot is not enabled count_eligible = 0 @@ -256,11 +260,18 @@ def enable_dependabot_security_updates(owner, repo, access_token): print("\tFailed to enable Dependabot security updates.") -def get_repos_iterator(organization, repository_list, github_connection): - """Get the repositories from the organization or list of repositories""" +def get_repos_iterator(organization, team_name, repository_list, github_connection): + """Get the repositories from the organization, team_name, or list of repositories""" repos = [] - if organization and not repository_list: + if organization and not repository_list and not team_name: repos = github_connection.organization(organization).repositories() + elif team_name and organization: + # Get the repositories from the team + team = github_connection.organization(organization).team_by_name(team_name) + if team.repos_count == 0: + print(f"Team {team_name} has no repositories") + sys.exit(1) + repos = team.repositories() else: # Get the repositories from the repository_list for repo in repository_list: diff --git a/test_env.py b/test_env.py index ba0e38f..40b2b3e 100644 --- a/test_env.py +++ b/test_env.py @@ -1,4 +1,4 @@ -# pylint: disable=too-many-public-methods +# pylint: disable=too-many-public-methods, too-many-lines """Test the get_env_vars function""" @@ -81,6 +81,7 @@ def test_get_env_vars_with_org(self): {}, # repo_specific_exemptions "weekly", # schedule "", # schedule_day + None, # team_name ) result = get_env_vars(True) self.assertEqual(result, expected_result) @@ -132,6 +133,7 @@ def test_get_env_vars_with_org_and_repo_specific_exemptions(self): }, # repo_specific_exemptions "weekly", # schedule "", # schedule_day + None, # team_name ) result = get_env_vars(True) self.assertEqual(result, expected_result) @@ -240,10 +242,94 @@ def test_get_env_vars_with_repos(self): }, # repo_specific_exemptions "weekly", # schedule "", # schedule_day + None, # team_name ) result = get_env_vars(True) self.assertEqual(result, expected_result) + @patch.dict( + os.environ, + { + "TEAM_NAME": "engineering", + "ORGANIZATION": "my_organization", + "GH_TOKEN": "my_token", + "EXEMPT_REPOS": "repo4,repo5", + "TYPE": "pull", + "TITLE": "Dependabot Alert custom title", + "BODY": "Dependabot custom body", + "CREATED_AFTER_DATE": "2023-01-01", + "DRY_RUN": "true", + "COMMIT_MESSAGE": "Create dependabot configuration", + "PROJECT_ID": "123", + "GROUP_DEPENDENCIES": "false", + "REPO_SPECIFIC_EXEMPTIONS": "org1/repo1:docker;org2/repo2:gomod", + }, + clear=True, + ) + def test_get_env_vars_with_team(self): + """Test that all environment variables are set correctly using a team""" + expected_result = ( + "my_organization", + [], + None, + None, + b"", + "my_token", + "", + ["repo4", "repo5"], + "pull", + "Dependabot Alert custom title", + "Dependabot custom body", + "2023-01-01", + True, + "Create dependabot configuration", + "123", + False, + ["internal", "private", "public"], + None, # batch_size + True, # enable_security_updates + [], # exempt_ecosystems + False, # update_existing + { + "org1/repo1": ["docker"], + "org2/repo2": ["gomod"], + }, # repo_specific_exemptions + "weekly", # schedule + "", # schedule_day + "engineering", # team_name + ) + result = get_env_vars(True) + self.assertEqual(result, expected_result) + + @patch.dict( + os.environ, + { + "TEAM_NAME": "engineering", + "REPOSITORY": "org/repo1,org2/repo2", + "GH_TOKEN": "my_token", + "EXEMPT_REPOS": "repo4,repo5", + "TYPE": "pull", + "TITLE": "Dependabot Alert custom title", + "BODY": "Dependabot custom body", + "CREATED_AFTER_DATE": "2023-01-01", + "DRY_RUN": "true", + "COMMIT_MESSAGE": "Create dependabot configuration", + "PROJECT_ID": "123", + "GROUP_DEPENDENCIES": "false", + "REPO_SPECIFIC_EXEMPTIONS": "org1/repo1:docker;org2/repo2:gomod", + }, + clear=True, + ) + def test_get_env_vars_with_team_and_repo(self): + """Test the prgoram errors when TEAM_NAME is set with REPOSITORY""" + with self.assertRaises(ValueError) as cm: + get_env_vars(True) + the_exception = cm.exception + self.assertEqual( + str(the_exception), + "TEAM_NAME environment variable cannot be used with ORGANIZATION or REPOSITORY", + ) + @patch.dict( os.environ, { @@ -281,6 +367,7 @@ def test_get_env_vars_optional_values(self): {}, # repo_specific_exemptions "weekly", # schedule "", # schedule_day + None, # team_name ) result = get_env_vars(True) self.assertEqual(result, expected_result) @@ -323,6 +410,7 @@ def test_get_env_vars_with_update_existing(self): {}, # repo_specific_exemptions "weekly", # schedule "", # schedule_day + None, # team_name ) result = get_env_vars(True) self.assertEqual(result, expected_result) @@ -379,6 +467,7 @@ def test_get_env_vars_auth_with_github_app_installation(self): {}, # repo_specific_exemptions "weekly", # schedule "", # schedule_day + None, # team_name ) result = get_env_vars(True) self.assertEqual(result, expected_result) @@ -443,6 +532,7 @@ def test_get_env_vars_with_repos_no_dry_run(self): {}, # repo_specific_exemptions "weekly", # schedule "", # schedule_day + None, # team_name ) result = get_env_vars(True) self.assertEqual(result, expected_result) @@ -485,6 +575,7 @@ def test_get_env_vars_with_repos_disabled_security_updates(self): {}, # repo_specific_exemptions "weekly", # schedule "", # schedule_day + None, # team_name ) result = get_env_vars(True) self.assertEqual(result, expected_result) @@ -528,6 +619,7 @@ def test_get_env_vars_with_repos_filter_visibility_multiple_values(self): {}, # repo_specific_exemptions "weekly", # schedule "", # schedule_day + None, # team_name ) result = get_env_vars(True) self.assertEqual(result, expected_result) @@ -571,6 +663,7 @@ def test_get_env_vars_with_repos_filter_visibility_single_value(self): {}, # repo_specific_exemptions "weekly", # schedule "", # schedule_day + None, # team_name ) result = get_env_vars(True) self.assertEqual(result, expected_result) @@ -644,6 +737,7 @@ def test_get_env_vars_with_repos_filter_visibility_no_duplicates(self): {}, # repo_specific_exemptions "weekly", # schedule "", # schedule_day + None, # team_name ) result = get_env_vars(True) self.assertEqual(result, expected_result) @@ -688,6 +782,7 @@ def test_get_env_vars_with_repos_exempt_ecosystems(self): {}, # repo_specific_exemptions "weekly", # schedule "", # schedule_day + None, # team_name ) result = get_env_vars(True) self.assertEqual(result, expected_result) @@ -731,6 +826,7 @@ def test_get_env_vars_with_no_batch_size(self): {}, # repo_specific_exemptions "weekly", # schedule "", # schedule_day + None, # team_name ) result = get_env_vars(True) self.assertEqual(result, expected_result) @@ -775,6 +871,7 @@ def test_get_env_vars_with_batch_size(self): {}, # repo_specific_exemptions "weekly", # schedule "", # schedule_day + None, # team_name ) result = get_env_vars(True) self.assertEqual(result, expected_result) @@ -908,6 +1005,7 @@ def test_get_env_vars_with_valid_schedule_and_schedule_day(self): {}, # repo_specific_exemptions "weekly", # schedule "tuesday", # schedule_day + None, # team_name ) result = get_env_vars(True) self.assertEqual(result, expected_result) diff --git a/test_evergreen.py b/test_evergreen.py index d9e3c54..9de3fe4 100644 --- a/test_evergreen.py +++ b/test_evergreen.py @@ -315,7 +315,9 @@ def test_get_repos_iterator_with_organization(self, mock_github): mock_organization.repositories.return_value = mock_repositories github_connection.organization.return_value = mock_organization - result = get_repos_iterator(organization, repository_list, github_connection) + result = get_repos_iterator( + organization, None, repository_list, github_connection + ) # Assert that the organization method was called with the correct argument github_connection.organization.assert_called_once_with(organization) @@ -337,7 +339,9 @@ def test_get_repos_iterator_with_repository_list(self, mock_github): mock_repository_list = [mock_repository, mock_repository] github_connection.repository.side_effect = mock_repository_list - result = get_repos_iterator(organization, repository_list, github_connection) + result = get_repos_iterator( + organization, None, repository_list, github_connection + ) # Assert that the repository method was called with the correct arguments for each repository in the list expected_calls = [ @@ -349,6 +353,40 @@ def test_get_repos_iterator_with_repository_list(self, mock_github): # Assert that the function returned the expected result self.assertEqual(result, mock_repository_list) + @patch("github3.login") + def test_get_repos_iterator_with_team(self, mock_github): + """Test the get_repos_iterator function with a team""" + organization = "my_organization" + repository_list = [] + team_name = "my_team" + github_connection = mock_github.return_value + + mock_team_repositories = MagicMock() + github_connection.organization.return_value.team_by_name.return_value.repositories.return_value = ( + mock_team_repositories + ) + + result = get_repos_iterator( + organization, + team_name, + repository_list, + github_connection, + ) + + # Assert that the organization method was called with the correct argument + github_connection.organization.assert_called_once_with(organization) + + # Assert that the team_by_name method was called on the organization object + github_connection.organization.return_value.team_by_name.assert_called_once_with( + team_name + ) + + # Assert that the repositories method was called on the team object + github_connection.organization.return_value.team_by_name.return_value.repositories.assert_called_once() + + # Assert that the function returned the expected result + self.assertEqual(result, mock_team_repositories) + class TestGetGlobalProjectId(unittest.TestCase): """Test the get_global_project_id function in evergreen.py""" From 402f50acfd88229ea3b065c24205ea6a2a73377a Mon Sep 17 00:00:00 2001 From: Zack Koppert Date: Fri, 4 Oct 2024 12:14:53 -0700 Subject: [PATCH 2/4] fix: fix tests after a rebase Signed-off-by: Zack Koppert --- test_env.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/test_env.py b/test_env.py index 46c9ad1..9f8c1b7 100644 --- a/test_env.py +++ b/test_env.py @@ -301,6 +301,7 @@ def test_get_env_vars_with_team(self): "weekly", # schedule "", # schedule_day "engineering", # team_name + [], # labels ) result = get_env_vars(True) self.assertEqual(result, expected_result) @@ -1064,6 +1065,7 @@ def test_get_env_vars_with_a_valid_label(self): {}, # repo_specific_exemptions "weekly", # schedule "", # schedule_day + None, # team_name ["dependencies"], # labels ) result = get_env_vars(True) @@ -1107,6 +1109,7 @@ def test_get_env_vars_with_valid_labels_containing_spaces(self): {}, # repo_specific_exemptions "weekly", # schedule "", # schedule_day + None, # team_name ["dependencies", "test", "test2"], # labels ) result = get_env_vars(True) From c1e58058799ca683b91f8807014d7dd33f004202 Mon Sep 17 00:00:00 2001 From: Zack Koppert Date: Fri, 4 Oct 2024 17:21:14 -0700 Subject: [PATCH 3/4] fix: correct error message Co-authored-by: Jason Meridth --- env.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/env.py b/env.py index d43c7f1..74548fc 100644 --- a/env.py +++ b/env.py @@ -170,7 +170,7 @@ def get_env_vars( # Team name and repository are mutually exclusive if repositories_str and team_name: raise ValueError( - "TEAM_NAME environment variable cannot be used with ORGANIZATION or REPOSITORY" + "TEAM_NAME environment variable cannot be used with REPOSITORY" ) # Separate repositories_str into a list based on the comma separator From 1d94cf6a5d7b45c8f539b562d9fa2a1409b24cf4 Mon Sep 17 00:00:00 2001 From: Zack Koppert Date: Fri, 4 Oct 2024 17:23:28 -0700 Subject: [PATCH 4/4] fix:make test match corrected error message Signed-off-by: Zack Koppert --- test_env.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test_env.py b/test_env.py index 9f8c1b7..751a00f 100644 --- a/test_env.py +++ b/test_env.py @@ -332,7 +332,7 @@ def test_get_env_vars_with_team_and_repo(self): the_exception = cm.exception self.assertEqual( str(the_exception), - "TEAM_NAME environment variable cannot be used with ORGANIZATION or REPOSITORY", + "TEAM_NAME environment variable cannot be used with REPOSITORY", ) @patch.dict(