Skip to content

Commit

Permalink
feat: filter repos by team ownership
Browse files Browse the repository at this point in the history 
Signed-off-by: Zack Koppert <[email protected]>
  • Loading branch information
@zkoppert
zkoppert committed Oct 4, 2024
1 parent 0a550b3 commit e4567d7
Show file tree
Hide file tree
Showing 5 changed files with 165 additions and 13 deletions.
5 changes: 3 additions & 2 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@
[![Python package](https://github.com/github/evergreen/actions/workflows/python-ci.yml/badge.svg)](https://github.com/github/evergreen/actions/workflows/python-ci.yml)
[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/github/evergreen/badge)](https://scorecard.dev/viewer/?uri=github.com/github/evergreen)

This is a GitHub Action that given an organization or specified repositories, opens an issue/PR if dependabot is not enabled, or there are more package ecosystems that could be. It also enables [automated security updates](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#managing-dependabot-security-updates-for-your-repositories) for the repository.
This is a GitHub Action that given an organization, team, or specified repositories, opens an issue/PR if dependabot is not enabled, or there are more package ecosystems that could be. It also enables [automated security updates](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#managing-dependabot-security-updates-for-your-repositories) for the repository.

This action was developed by the GitHub OSPO for our own use and developed in a way that we could open source it that it might be useful to you as well! If you want to know more about how we use it, reach out in an issue in this repository.

Expand All @@ -27,7 +27,7 @@ All feedback regarding our GitHub Actions, as a whole, should be communicated th
1. Create a repository to host this GitHub Action or select an existing repository.
1. Select a best fit workflow file from the [examples below](#example-workflows).
1. Copy that example into your repository (from step 1) and into the proper directory for GitHub Actions: `.github/workflows/` directory with the file extension `.yml` (ie. `.github/workflows/evergreen.yml`)
1. Edit the values (`ORGANIZATION`, `REPOSITORY`, `EXEMPT_REPOS`, `TYPE`, `TITLE`, `BODY`) from the sample workflow with your information. If running on a whole organization then no repository is needed. If running the action on just one repository or a list of repositories, then no organization is needed. The type should be either `issue` or `pull` representing the action that you want taken after discovering a repository that should enable dependabot.
1. Edit the values (`ORGANIZATION`, `TEAM_NAME`, `REPOSITORY`, `EXEMPT_REPOS`, `TYPE`, `TITLE`, `BODY`) from the sample workflow with your information. If running on a whole organization then no repository is needed. If running the action on just one repository or a list of repositories, then no organization is needed. If running the action on a team, then an organization is required and no repository is needed. The type should be either `issue` or `pull` representing the action that you want taken after discovering a repository that should enable dependabot.
1. Optionally, edit the value (`CREATED_AFTER_DATE`) if you are setting up this action to run regularly and only want newly created repositories to be considered. Otherwise, if you want all specified repositories regardless of when they were created to be considered, then leave blank.
1. Optionally edit the value (`UPDATE_EXISTING`) if you want to update existing dependabot configuration files. If set to `true`, the action will update the existing dependabot configuration file with any package ecosystems that are detected but not configured yet. If set to `false`, the action will only create a new dependabot configuration file if there is not an existing one. The default value is `false`.
1. Also edit the value for `GH_ENTERPRISE_URL` if you are using a GitHub Server and not using github.com. For github.com users, don't put anything in here.
Expand Down Expand Up @@ -64,6 +64,7 @@ This action can be configured to authenticate with GitHub App Installation or Pe
| -------------------------- | ----------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `GH_ENTERPRISE_URL` | False | "" | The `GH_ENTERPRISE_URL` is used to connect to an enterprise server instance of GitHub. github.com users should not enter anything here. |
| `ORGANIZATION` | Required to have `ORGANIZATION` or `REPOSITORY` | | The name of the GitHub organization which you want this action to work from. ie. github.com/github would be `github` |
| `TEAM_NAME` | Requires `ORGANIZATION` | | The name of the organization's team which you want this action to work from. ie. For a team like github/engineering would be `engineering` |
| `REPOSITORY` | Required to have `ORGANIZATION` or `REPOSITORY` | | The name of the repository and organization which you want this action to work from. ie. `github/evergreen` or a comma separated list of multiple repositories `github/evergreen,super-linter/super-linter` |
| `EXEMPT_REPOS` | False | "" | These repositories will be exempt from this action considering them for dependabot enablement. ex: If my org is set to `github` then I might want to exempt a few of the repos but get the rest by setting `EXEMPT_REPOS` to `github/evergreen,github/contributors` |
| `TYPE` | False | pull | Type refers to the type of action you want taken if this workflow determines that dependabot could be enabled. Valid values are `pull` or `issue`. |
Expand Down
10 changes: 7 additions & 3 deletions env.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -117,6 +117,7 @@ def get_env_vars(
dict,
str,
str,
str | None,
]:
"""
Get the environment variables for use in the action.
Expand Down Expand Up @@ -148,6 +149,7 @@ def get_env_vars(
repo_specific_exemptions (dict): A dictionary of per repository ecosystem exemptions
schedule (str): The schedule to run the action on
schedule_day (str): The day of the week to run the action on if schedule is daily
team_name (str): The team to search for repositories in
"""

if not test:
Expand All @@ -157,15 +159,16 @@ def get_env_vars(

organization = os.getenv("ORGANIZATION")
repositories_str = os.getenv("REPOSITORY")
team_name = os.getenv("TEAM_NAME")
# Either organization or repository must be set
if not organization and not repositories_str:
raise ValueError(
"ORGANIZATION and REPOSITORY environment variables were not set. Please set one"
)

if repositories_str and repositories_str.find("/") == 0:
# Team name and repository are mutually exclusive
if repositories_str and team_name:
raise ValueError(
"REPOSITORY environment variable was not set correctly. Please set it to a comma separated list of repositories in the format org/repo"
"TEAM_NAME environment variable cannot be used with ORGANIZATION or REPOSITORY"
)

# Separate repositories_str into a list based on the comma separator
Expand Down Expand Up @@ -349,4 +352,5 @@ def get_env_vars(
repo_specific_exemptions,
schedule,
schedule_day,
team_name,
)
21 changes: 16 additions & 5 deletions evergreen.py
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
"""This file contains the main() and other functions needed to open an issue/PR dependabot is not enabled but could be"""

import sys
import uuid
from datetime import datetime

Expand Down Expand Up @@ -39,6 +40,7 @@ def main(): # pragma: no cover
repo_specific_exemptions,
schedule,
schedule_day,
team_name,
) = env.get_env_vars()

# Auth to GitHub.com or GHE
Expand All @@ -60,8 +62,10 @@ def main(): # pragma: no cover
)
project_id = get_global_project_id(token, organization, project_id)

# Get the repositories from the organization or list of repositories
repos = get_repos_iterator(organization, repository_list, github_connection)
# Get the repositories from the organization, team name, or list of repositories
repos = get_repos_iterator(
organization, team_name, repository_list, github_connection
)

# Iterate through the repositories and open an issue/PR if dependabot is not enabled
count_eligible = 0
Expand Down Expand Up @@ -256,11 +260,18 @@ def enable_dependabot_security_updates(owner, repo, access_token):
print("\tFailed to enable Dependabot security updates.")


def get_repos_iterator(organization, repository_list, github_connection):
"""Get the repositories from the organization or list of repositories"""
def get_repos_iterator(organization, team_name, repository_list, github_connection):
"""Get the repositories from the organization, team_name, or list of repositories"""
repos = []
if organization and not repository_list:
if organization and not repository_list and not team_name:
repos = github_connection.organization(organization).repositories()
elif team_name and organization:
# Get the repositories from the team
team = github_connection.organization(organization).team_by_name(team_name)
if team.repos_count == 0:
print(f"Team {team_name} has no repositories")
sys.exit(1)
repos = team.repositories()
else:
# Get the repositories from the repository_list
for repo in repository_list:
Expand Down
Loading

0 comments on commit e4567d7

Please sign in to comment.