
Commit 52c78c0

committed
make it work with dd-octo-sts tokens and commit-headless
1 parent 7f5aba8 commit 52c78c0


4 files changed

+48
-26
lines changed


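--- a/.ci/reset-staging.sh
+++ b/.ci/reset-staging.sh
@@ -3,11 +3,19 @@
 set -euo pipefail
 IFS=$'\n\t'
 
-GITHUB_STAGING_RESET_TOKEN=$(aws ssm get-parameter --region us-east-1 --name "ci.${REPO}.staging_reset_github_token" --with-decryption --query "Parameter.Value" --out text)
+# Get our two tokens from dd-octo-sts
 
-# See https://github.com/DataDog/dogweb/blob/prod/tasks/gitlab/staging-reset.sh
+# XXX: This policy does not exist yet and our example is reading the script from the current
+# repository so we're reusing GITHUB_TOKEN below
+# export READ_SCRIPT_TOKEN=$(dd-octo-sts token --scope=DataDog --policy=gitlab.reset-staging-dl-script)
+export GITHUB_TOKEN=$(dd-octo-sts token --scope="DataDog/${REPO}" --policy=gitlab.reset-staging)
+export READ_SCRIPT_TOKEN="${GITHUB_TOKEN}"
+
+# Download the actual reset script from the upstream.
+# In normal usage this'd be from dogweb but in our case we're actually downloading it from the same
+# repository on the same branch.
 curl \
--H "Authorization: token ${GITHUB_STAGING_RESET_TOKEN}" \
+-H "Authorization: token ${READ_SCRIPT_TOKEN}" \
 -H "Accept: application/vnd.github.v3.raw" \
-https://api.github.com/repos/DataDog/dogweb/contents/tasks/gitlab/staging-reset.sh \
+'https://api.github.com/repos/DataDog/commit-headless/contents/.ci/staging-reset-source.sh?ref=test-weekly-reset' \
 | bash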
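Review bot: `export GITHUB_TOKEN=$(dd-octo-sts token ...)` masks the exit status of the token mint under `set -e` (the `export` succeeds even when the command substitution fails), so a failed mint leaves GITHUB_TOKEN empty and the script carries on with an empty Authorization header and, later, an empty credential on the GitHub remote; split it into `GITHUB_TOKEN=$(dd-octo-sts token --scope="DataDog/${REPO}" --policy=gitlab.reset-staging)` followed by `export GITHUB_TOKEN`. The `curl ... | bash` on the following lines has no `--fail`, so an API error body (a JSON 401/404 response) is fed to bash instead of stopping the job; `curl -fsS` makes the pipeline fail under `pipefail`. The download is also pinned to the mutable branch `test-weekly-reset` via `?ref=`; pinning `ref` to a commit SHA would make the script that actually runs reproducible and reviewable.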

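--- a/.ci/staging-reset-source.sh
+++ b/.ci/staging-reset-source.sh
@@ -1,6 +1,9 @@
 #!/bin/bash
 set -euo pipefail
 
+# Print commands, but do not expand variables (avoid leaking secrets)
+# set -o verbose
+
 # Sourced from: https://github.com/DataDog/dogweb/blob/c8cd885a6736345ee941079d899a208c166b578e/tasks/gitlab/staging-reset.sh
 
 # Used by staging reset jobs in dd-go, dogweb, profiling-backend, and web-ui.
@@ -9,27 +12,24 @@ set -euo pipefail
 # rid of the Jenkins job. This script will be obsolete once we get rid of
 # the staging branch.
 
-# Add github public host key to the known_hosts
-mkdir -p ~/.ssh
-echo "github.com ssh-rsa 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" > ~/.ssh/known_hosts
-
-# Pull the SSH key and use it
-eval "$(ssh-agent -s)"
-aws ssm get-parameter --region us-east-1 --name "ci.${REPO}.staging_reset_ssh_key" --with-decryption --query "Parameter.Value" --out text | ssh-add -
-
-GITHUB_STAGING_RESET_TOKEN=$(aws ssm get-parameter --region us-east-1 --name "ci.${REPO}.staging_reset_github_token" --with-decryption --query "Parameter.Value" --out text)
-GITHUB_STAGING_RESET_ADMIN_TOKEN=$(aws ssm get-parameter --region us-east-1 --name "ci.${REPO}.staging_reset_github_admin_token" --with-decryption --query "Parameter.Value" --out text)
-GITLAB_TOKEN=$(aws ssm get-parameter --region us-east-1 --name "ci.${REPO}.staging_reset_gitlab_token" --with-decryption --query "Parameter.Value" --out text)
-SLACK_TOKEN=$(aws ssm get-parameter --region us-east-1 --name "ci.${REPO}.staging_reset_slack_token" --with-decryption --query "Parameter.Value" --out text)
+#GITLAB_TOKEN=$(aws ssm get-parameter --region us-east-1 --name "ci.${REPO}.staging_reset_gitlab_token" --with-decryption --query "Parameter.Value" --out text)
+#SLACK_TOKEN=$(aws ssm get-parameter --region us-east-1 --name "ci.${REPO}.staging_reset_slack_token" --with-decryption --query "Parameter.Value" --out text)
+# XXX: Disabling gitlab and slack stuff
+GITLAB_TOKEN="xxx"
+SLACK_TOKEN="xxx"
 
 # Here, we clone the repository into a temporary directory, remove the remote
 # named origin (GitLab), and add GitHub as `origin` since
 # `git remote rename <old> <new>` is not supported on GitLab CI.
 repo_directory="$(mktemp -d)/${REPO}"
+
+# Because of the way the repository is cloned, this is how you mark it safe
+git config --global --add safe.directory "$PWD/.//.git"
 git clone ./ "${repo_directory}"
+
 cd "${repo_directory}"
 git remote remove origin
-git remote add origin git@github.com:DataDog/$REPO
+git remote add origin "https://anyuser:${GITHUB_TOKEN}@github.com/DataDog/$REPO"
 
 # Legacy staging reset flow:
 
@@ -41,6 +41,9 @@ BASE_BRANCH="prod"
 if [[ $REPO == "web-ui" ]]; then
 BASE_BRANCH="preprod"
 fi
+if [[ $REPO == "commit-headless" ]]; then
+BASE_BRANCH="reset-base"
+fi
 
 git fetch origin $BASE_BRANCH
 git checkout $BASE_BRANCH --force
@@ -94,7 +97,7 @@ if git rev-parse staging-${NEW_BRANCH_NUMBER} 2>/dev/null; then
 fi
 
 echo "Deleting old remote staging branch..."
-git push origin --delete staging-$NEW_BRANCH_NUMBER || true
+git push origin --delete staging-$NEW_BRANCH_NUMBER 2>/dev/null || true
 echo "Creating new staging branch..."
 git checkout -b staging-$NEW_BRANCH_NUMBER
 git push -u origin staging-$NEW_BRANCH_NUMBER -f
@@ -104,15 +107,20 @@ if [[ $(git status --porcelain) ]]; then
 echo "Changing staging branch in .gitlab-ci.yml..."
 git commit -n -m "Change staging branch in .gitlab-ci.yml to staging-$NEW_BRANCH_NUMBER" .gitlab-ci.yml
 
-git push origin HEAD:refs/heads/staging-reset/staging-$NEW_BRANCH_NUMBER
-PR_NUMBER=$(curl -H "Authorization: token $GITHUB_STAGING_RESET_TOKEN" -X POST https://api.github.com/repos/datadog/${REPO}/pulls -d '{"head":"staging-reset/staging-'"${NEW_BRANCH_NUMBER}"'","base":"'"${BASE_BRANCH}"'","title":"staging reset '"${NEW_BRANCH_NUMBER}"'"}' | jq -r .number)
+commit-headless push \
+--target "DataDog/${REPO}" \
+--branch "staging-reset/staging-${NEW_BRANCH_NUMBER}" \
+--branch-from "$(git rev-parse ${BASE_BRANCH})" \
+"$(git rev-parse HEAD)"
+
+PR_NUMBER=$(curl -H "Authorization: token $GITHUB_TOKEN" -X POST https://api.github.com/repos/datadog/${REPO}/pulls -d '{"head":"staging-reset/staging-'"${NEW_BRANCH_NUMBER}"'","base":"'"${BASE_BRANCH}"'","title":"staging reset '"${NEW_BRANCH_NUMBER}"'"}' | jq -r .number)
 echo "Created pull request: https://github.com/datadog/${REPO}/pull/${PR_NUMBER}, approving and waiting until I can merge this to continue..."
-curl -H "Authorization: token $GITHUB_STAGING_RESET_ADMIN_TOKEN" -X POST https://api.github.com/repos/datadog/${REPO}/pulls/${PR_NUMBER}/reviews -d '{"event": "APPROVE"}'
-MERGED=$(curl -H "Authorization: token $GITHUB_STAGING_RESET_ADMIN_TOKEN" -X PUT https://api.github.com/repos/datadog/${REPO}/pulls/${PR_NUMBER}/merge | jq .merged)
+# curl -H "Authorization: token $GITHUB_TOKEN" -X POST https://api.github.com/repos/datadog/${REPO}/pulls/${PR_NUMBER}/reviews -d '{"event": "APPROVE"}'
+MERGED=$(curl -H "Authorization: token $GITHUB_TOKEN" -X PUT https://api.github.com/repos/datadog/${REPO}/pulls/${PR_NUMBER}/merge | jq .merged)
 until [ "$MERGED" == "true" ]; do
 echo "still not mergeable"
 sleep 30
-MERGED=$(curl -H "Authorization: token $GITHUB_STAGING_RESET_ADMIN_TOKEN" -X PUT https://api.github.com/repos/datadog/${REPO}/pulls/${PR_NUMBER}/merge | jq .merged)
+MERGED=$(curl -H "Authorization: token $GITHUB_TOKEN" -X PUT https://api.github.com/repos/datadog/${REPO}/pulls/${PR_NUMBER}/merge | jq .merged)
 done
 else
 echo "Staging branch already up to date in .gitlab-ci.yml. Skipping."
@@ -136,7 +144,7 @@ if [ -f .gitlab-ci.yml ]; then
 echo "Disabling CI on the old branch..."
 git rm .gitlab-ci.yml
 git commit .gitlab-ci.yml -m "Remove .gitlab-ci.yml on old branch so pushes are noop"
-git push --set-upstream origin staging-$OLD_BRANCH_NUMBER
+commit-headless push --target "DataDog/${REPO}" --branch "staging-${OLD_BRANCH_NUMBER}" "$(git rev-parse HEAD)"
 else
 echo "CI already disabled on the old branch. Skipping."
 fi
@@ -153,6 +161,9 @@ else
 fi
 # Don't delete the old branch or someone may re-push it containing .gitlab-ci.yml
 
+echo "Done with initial script, exiting before gitlab and slack code runs."
+exit 0;
+
 git checkout $BASE_BRANCH
 git pull
 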

Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
dd-octo-sts[bot]: .gitlab-ci.yml

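--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,4 +1,5 @@
 variables:
+CURRENT_STAGING: staging-30
 DOCKER_IMAGE: "registry.ddbuild.io/docker:24.0.4-gbi-focal"
 CI_IMAGE_REPO: "registry.ddbuild.io/ci/commit-headless"
 # Built on main commit 887ca009df25f0f20054dcb9cde962a8fc918ce6
@@ -67,9 +68,10 @@ staging-reset-manual:
 aud: dd-octo-sts
 script:
 - export REPO="commit-headless"
+- export WEEKLY_STAGING_RESET=true
 - bash .ci/reset-staging.sh
-after_script:
-- dd-octo-sts revoke -t "${READ_SCRIPT_TOKEN}"
+after_script: # TODO: these variables are not available here (exported in .ci/reset-staging.sh)
+- dd-octo-sts revoke -t "${READ_SCRIPT_TOKEN}" || true; # make sure we can pass to the next revoke
 - dd-octo-sts revoke -t "${GITHUB_TOKEN}"
 
 test: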
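Review bot: The `after_script` revocation in the second hunk cannot take effect as written: GitLab runs `after_script` in a separate shell, and `READ_SCRIPT_TOKEN` and `GITHUB_TOKEN` only exist inside the `bash .ci/reset-staging.sh` process, so both `dd-octo-sts revoke` calls receive an empty `-t` (the TODO on the `after_script:` line acknowledges this). The practical effect is that the minted token stays valid until it expires on its own, including when the reset script fails midway. Revoke where the variable is in scope instead: in `.ci/reset-staging.sh`, immediately after the token is minted, register `trap 'dd-octo-sts revoke -t "${GITHUB_TOKEN}"' EXIT` so revocation runs on success and failure alike, and reduce `after_script` to a documented best-effort fallback or drop it. While `READ_SCRIPT_TOKEN` is a copy of `GITHUB_TOKEN`, revoking it separately is also redundant until the distinct read-script policy exists.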
