From 29b62e3fe10a32d8220ec0d9a04c3e1d42690c29 Mon Sep 17 00:00:00 2001 From: ricardojdsilva87 Date: Wed, 23 Oct 2024 10:18:30 +0100 Subject: [PATCH 1/8] fear: support github enterprise api --- auth.py | 24 +++---- evergreen.py | 162 ++++++++++++++++++++------------------------ test_auth.py | 4 +- test_evergreen.py | 169 ++++++++++++++++------------------------------ 4 files changed, 147 insertions(+), 212 deletions(-) diff --git a/auth.py b/auth.py index 8ba8bcf..726fb16 100644 --- a/auth.py +++ b/auth.py @@ -25,32 +25,31 @@ def auth_to_github( github3.GitHub: the GitHub connection object """ if gh_app_id and gh_app_private_key_bytes and gh_app_installation_id: - gh = github3.github.GitHub() - gh.login_as_app_installation( - gh_app_private_key_bytes, gh_app_id, gh_app_installation_id - ) + if ghe: + gh = github3.github.GitHubEnterprise(url=ghe) + else: + gh = github3.github.GitHub() + gh.login_as_app_installation(gh_app_private_key_bytes, gh_app_id, gh_app_installation_id) github_connection = gh elif ghe and token: - github_connection = github3.github.GitHubEnterprise(ghe, token=token) + github_connection = github3.github.GitHubEnterprise(url=ghe, token=token) elif token: github_connection = github3.login(token=token) else: - raise ValueError( - "GH_TOKEN or the set of [GH_APP_ID, GH_APP_INSTALLATION_ID, GH_APP_PRIVATE_KEY] environment variables are not set" - ) + raise ValueError("GH_TOKEN or the set of [GH_APP_ID, GH_APP_INSTALLATION_ID, GH_APP_PRIVATE_KEY] environment variables are not set") if not github_connection: raise ValueError("Unable to authenticate to GitHub") return github_connection # type: ignore -def get_github_app_installation_token( - gh_app_id: str, gh_app_private_key_bytes: bytes, gh_app_installation_id: str -) -> str | None: +def get_github_app_installation_token(ghe: str, gh_app_id: str, gh_app_private_key_bytes: bytes, gh_app_installation_id: str) -> str | None: """ Get a GitHub App Installation token. + API: https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app-installation Args: + ghe (str): the GitHub Enterprise endpoint gh_app_id (str): the GitHub App ID gh_app_private_key_bytes (bytes): the GitHub App Private Key gh_app_installation_id (str): the GitHub App Installation ID @@ -59,7 +58,8 @@ def get_github_app_installation_token( str: the GitHub App token """ jwt_headers = github3.apps.create_jwt_headers(gh_app_private_key_bytes, gh_app_id) - url = f"https://api.github.com/app/installations/{gh_app_installation_id}/access_tokens" + api_endpoint = f"{ghe}/api/v3" if ghe else "https://api.github.com" + url = f"{api_endpoint}/app/installations/{gh_app_installation_id}/access_tokens" try: response = requests.post(url, headers=jwt_headers, json=None, timeout=5) diff --git a/evergreen.py b/evergreen.py index 527ba7e..bdb1b99 100644 --- a/evergreen.py +++ b/evergreen.py @@ -45,28 +45,20 @@ def main(): # pragma: no cover ) = env.get_env_vars() # Auth to GitHub.com or GHE - github_connection = auth.auth_to_github( - token, gh_app_id, gh_app_installation_id, gh_app_private_key, ghe - ) + github_connection = auth.auth_to_github(token, gh_app_id, gh_app_installation_id, gh_app_private_key, ghe) if not token and gh_app_id and gh_app_installation_id and gh_app_private_key: - token = auth.get_github_app_installation_token( - gh_app_id, gh_app_private_key, gh_app_installation_id - ) + token = auth.get_github_app_installation_token(ghe, gh_app_id, gh_app_private_key, gh_app_installation_id) # If Project ID is set, lookup the global project ID if project_id: # Check Organization is set as it is required for linking to a project if not organization: - raise ValueError( - "ORGANIZATION environment variable was not set. Please set it" - ) - project_id = get_global_project_id(token, organization, project_id) + raise ValueError("ORGANIZATION environment variable was not set. Please set it") + project_id = get_global_project_id(ghe, token, organization, project_id) # Get the repositories from the organization, team name, or list of repositories - repos = get_repos_iterator( - organization, team_name, repository_list, github_connection - ) + repos = get_repos_iterator(organization, team_name, repository_list, github_connection) # Iterate through the repositories and open an issue/PR if dependabot is not enabled count_eligible = 0 @@ -78,13 +70,13 @@ def main(): # pragma: no cover # Check all the things to see if repo is eligble for a pr/issue if repo.full_name in exempt_repositories_list: - print("Skipping " + repo.full_name + " (exempted)") + print(f"Skipping {repo.full_name} (exempted)") continue if repo.archived: - print("Skipping " + repo.full_name + " (archived)") + print(f"Skipping {repo.full_name} (archived)") continue if repo.visibility.lower() not in filter_visibility: - print("Skipping " + repo.full_name + " (visibility-filtered)") + print(f"Skipping {repo.full_name} (visibility-filtered)") continue existing_config = None filename_list = [".github/dependabot.yaml", ".github/dependabot.yml"] @@ -96,20 +88,14 @@ def main(): # pragma: no cover break if existing_config and not update_existing: - print( - "Skipping " - + repo.full_name - + " (dependabot file already exists and update_existing is False)" - ) + print(f"Skipping {repo.full_name} (dependabot file already exists and update_existing is False)") continue - if created_after_date and is_repo_created_date_before( - repo.created_at, created_after_date - ): - print("Skipping " + repo.full_name + " (created after filter)") + if created_after_date and is_repo_created_date_before(repo.created_at, created_after_date): + print(f"Skipping {repo.full_name} (created after filter)") continue - print("Checking " + repo.full_name + " for compatible package managers") + print(f"Checking {repo.full_name} for compatible package managers") # Try to detect package managers and build a dependabot file dependabot_file = build_dependabot_file( repo, @@ -133,42 +119,32 @@ def main(): # pragma: no cover if not skip: print("\tEligible for configuring dependabot.") count_eligible += 1 - print("\tConfiguration:\n" + dependabot_file) + print(f"\tConfiguration:\n {dependabot_file}") if follow_up_type == "pull": # Try to detect if the repo already has an open pull request for dependabot skip = check_pending_pulls_for_duplicates(title, repo) if not skip: print("\tEligible for configuring dependabot.") count_eligible += 1 - print("\tConfiguration:\n" + dependabot_file) + print(f"\tConfiguration:\n {dependabot_file}") continue # Get dependabot security updates enabled if possible if enable_security_updates: - if not is_dependabot_security_updates_enabled(repo.owner, repo.name, token): - enable_dependabot_security_updates(repo.owner, repo.name, token) + if not is_dependabot_security_updates_enabled(ghe, repo.owner, repo.name, token): + enable_dependabot_security_updates(ghe, repo.owner, repo.name, token) if follow_up_type == "issue": skip = check_pending_issues_for_duplicates(title, repo) if not skip: count_eligible += 1 - body_issue = ( - body - + "\n\n```yaml\n" - + "# " - + dependabot_filename_to_use - + "\n" - + dependabot_file - + "\n```" - ) + body_issue = f"{body}\n\n```yaml\n# {dependabot_filename_to_use} \n{dependabot_file}\n```" issue = repo.create_issue(title, body_issue) - print("\tCreated issue " + issue.html_url) + print(f"\tCreated issue {issue.html_url}") if project_id: - issue_id = get_global_issue_id( - token, organization, repo.name, issue.number - ) - link_item_to_project(token, project_id, issue_id) - print("\tLinked issue to project " + project_id) + issue_id = get_global_issue_id(ghe, token, organization, repo.name, issue.number) + link_item_to_project(ghe, token, project_id, issue_id) + print(f"\tLinked issue to project {project_id}") else: # Try to detect if the repo already has an open pull request for dependabot skip = check_pending_pulls_for_duplicates(title, repo) @@ -186,34 +162,32 @@ def main(): # pragma: no cover dependabot_filename_to_use, existing_config, ) - print("\tCreated pull request " + pull.html_url) + print(f"\tCreated pull request {pull.html_url}") if project_id: - pr_id = get_global_pr_id( - token, organization, repo.name, pull.number - ) - response = link_item_to_project(token, project_id, pr_id) + pr_id = get_global_pr_id(ghe, token, organization, repo.name, pull.number) + response = link_item_to_project(ghe, token, project_id, pr_id) if response: - print("\tLinked pull request to project " + project_id) + print(f"\tLinked pull request to project {project_id}") except github3.exceptions.NotFoundError: print("\tFailed to create pull request. Check write permissions.") continue - print("Done. " + str(count_eligible) + " repositories were eligible.") + print(f"Done. {str(count_eligible)} repositories were eligible.") def is_repo_created_date_before(repo_created_at: str, created_after_date: str): """Check if the repository was created before the created_after_date""" repo_created_at_date = datetime.fromisoformat(repo_created_at).replace(tzinfo=None) - return created_after_date and repo_created_at_date < datetime.strptime( - created_after_date, "%Y-%m-%d" - ) + return created_after_date and repo_created_at_date < datetime.strptime(created_after_date, "%Y-%m-%d") -def is_dependabot_security_updates_enabled(owner, repo, access_token): - """Check if Dependabot security updates are enabled at the - /repos/:owner/:repo/automated-security-fixes endpoint using the requests library +def is_dependabot_security_updates_enabled(ghe, owner, repo, access_token): + """ + Check if Dependabot security updates are enabled at the /repos/:owner/:repo/automated-security-fixes endpoint using the requests library + API: https://docs.github.com/en/rest/repos/repos?apiVersion=2022-11-28#check-if-automated-security-fixes-are-enabled-for-a-repository """ - url = f"https://api.github.com/repos/{owner}/{repo}/automated-security-fixes" + api_endpoint = f"{ghe}/api/v3" if ghe else "https://api.github.com" + url = f"{api_endpoint}/repos/{owner}/{repo}/automated-security-fixes" headers = { "Authorization": f"Bearer {access_token}", "Accept": "application/vnd.github.london-preview+json", @@ -247,9 +221,13 @@ def check_existing_config(repo, filename): return None -def enable_dependabot_security_updates(owner, repo, access_token): - """Enable Dependabot security updates at the /repos/:owner/:repo/automated-security-fixes endpoint using the requests library""" - url = f"https://api.github.com/repos/{owner}/{repo}/automated-security-fixes" +def enable_dependabot_security_updates(ghe, owner, repo, access_token): + """ + Enable Dependabot security updates at the /repos/:owner/:repo/automated-security-fixes endpoint using the requests library + API: https://docs.github.com/en/rest/repos/repos?apiVersion=2022-11-28#enable-automated-security-fixes + """ + api_endpoint = f"{ghe}/api/v3" if ghe else "https://api.github.com" + url = f"{api_endpoint}/repos/{owner}/{repo}/automated-security-fixes" headers = { "Authorization": f"Bearer {access_token}", "Accept": "application/vnd.github.london-preview+json", @@ -277,9 +255,7 @@ def get_repos_iterator(organization, team_name, repository_list, github_connecti else: # Get the repositories from the repository_list for repo in repository_list: - repos.append( - github_connection.repository(repo.split("/")[0], repo.split("/")[1]) - ) + repos.append(github_connection.repository(repo.split("/")[0], repo.split("/")[1])) return repos @@ -290,7 +266,7 @@ def check_pending_pulls_for_duplicates(title, repo) -> bool: skip = False for pull_request in pull_requests: if pull_request.title.startswith(title): - print("\tPull request already exists: " + pull_request.html_url) + print(f"\tPull request already exists: {pull_request.html_url}") skip = True break return skip @@ -302,7 +278,7 @@ def check_pending_issues_for_duplicates(title, repo) -> bool: skip = False for issue in issues: if issue.title.startswith(title): - print("\tIssue already exists: " + issue.html_url) + print(f"\tIssue already exists: {issue.html_url}") skip = True break return skip @@ -338,19 +314,19 @@ def commit_changes( branch=branch_name, ) - pull = repo.create_pull( - title=title, body=body, head=branch_name, base=repo.default_branch - ) + pull = repo.create_pull(title=title, body=body, head=branch_name, base=repo.default_branch) return pull -def get_global_project_id(token, organization, number): - """Fetches the project ID from GitHub's GraphQL API.""" - url = "https://api.github.com/graphql" +def get_global_project_id(ghe, token, organization, number): + """ + Fetches the project ID from GitHub's GraphQL API. + API: https://docs.github.com/en/graphql/guides/forming-calls-with-graphql + """ + api_endpoint = f"{ghe}/api/v3" if ghe else "https://api.github.com" + url = f"{api_endpoint}/graphql" headers = {"Authorization": f"Bearer {token}"} - data = { - "query": f'query{{organization(login: "{organization}") {{projectV2(number: {number}){{id}}}}}}' - } + data = {"query": f'query{{organization(login: "{organization}") {{projectV2(number: {number}){{id}}}}}}'} try: response = requests.post(url, headers=headers, json=data, timeout=20) @@ -366,9 +342,13 @@ def get_global_project_id(token, organization, number): return None -def get_global_issue_id(token, organization, repository, issue_number): - """Fetches the issue ID from GitHub's GraphQL API""" - url = "https://api.github.com/graphql" +def get_global_issue_id(ghe, token, organization, repository, issue_number): + """ + Fetches the issue ID from GitHub's GraphQL API + API: https://docs.github.com/en/graphql/guides/forming-calls-with-graphql + """ + api_endpoint = f"{ghe}/api/v3" if ghe else "https://api.github.com" + url = f"{api_endpoint}/graphql" headers = {"Authorization": f"Bearer {token}"} data = { "query": f""" @@ -396,9 +376,13 @@ def get_global_issue_id(token, organization, repository, issue_number): return None -def get_global_pr_id(token, organization, repository, pr_number): - """Fetches the pull request ID from GitHub's GraphQL API""" - url = "https://api.github.com/graphql" +def get_global_pr_id(ghe, token, organization, repository, pr_number): + """ + Fetches the pull request ID from GitHub's GraphQL API + API: https://docs.github.com/en/graphql/guides/forming-calls-with-graphql + """ + api_endpoint = f"{ghe}/api/v3" if ghe else "https://api.github.com" + url = f"{api_endpoint}/graphql" headers = {"Authorization": f"Bearer {token}"} data = { "query": f""" @@ -426,13 +410,15 @@ def get_global_pr_id(token, organization, repository, pr_number): return None -def link_item_to_project(token, project_id, item_id): - """Links an item (issue or pull request) to a project in GitHub.""" - url = "https://api.github.com/graphql" +def link_item_to_project(ghe, token, project_id, item_id): + """ + Links an item (issue or pull request) to a project in GitHub. + API: https://docs.github.com/en/graphql/guides/forming-calls-with-graphql + """ + api_endpoint = f"{ghe}/api/v3" if ghe else "https://api.github.com" + url = f"{api_endpoint}/graphql" headers = {"Authorization": f"Bearer {token}"} - data = { - "query": f'mutation {{addProjectV2ItemById(input: {{projectId: "{project_id}", contentId: "{item_id}"}}) {{item {{id}}}}}}' - } + data = {"query": f'mutation {{addProjectV2ItemById(input: {{projectId: "{project_id}", contentId: "{item_id}"}}) {{item {{id}}}}}}'} try: response = requests.post(url, headers=headers, json=data, timeout=20) diff --git a/test_auth.py b/test_auth.py index 19efc06..adad4ef 100644 --- a/test_auth.py +++ b/test_auth.py @@ -57,9 +57,7 @@ def test_get_github_app_installation_token(self, mock_post): mock_response.json.return_value = {"token": dummy_token} mock_post.return_value = mock_response - result = auth.get_github_app_installation_token( - b"gh_private_token", "gh_app_id", "gh_installation_id" - ) + result = auth.get_github_app_installation_token(b"ghe", "gh_private_token", "gh_app_id", "gh_installation_id") self.assertEqual(result, dummy_token) diff --git a/test_evergreen.py b/test_evergreen.py index 9de3fe4..cb0cae7 100644 --- a/test_evergreen.py +++ b/test_evergreen.py @@ -37,10 +37,9 @@ def test_is_dependabot_security_updates_enabled(self): owner = "my_owner" repo = "my_repo" access_token = "my_access_token" + ghe = "" - expected_url = ( - f"https://api.github.com/repos/{owner}/{repo}/automated-security-fixes" - ) + expected_url = f"https://api.github.com/repos/{owner}/{repo}/automated-security-fixes" expected_headers = { "Authorization": f"Bearer {access_token}", "Accept": "application/vnd.github.london-preview+json", @@ -51,11 +50,9 @@ def test_is_dependabot_security_updates_enabled(self): mock_get.return_value.status_code = 200 mock_get.return_value.json.return_value = expected_response - result = is_dependabot_security_updates_enabled(owner, repo, access_token) + result = is_dependabot_security_updates_enabled(ghe, owner, repo, access_token) - mock_get.assert_called_once_with( - expected_url, headers=expected_headers, timeout=20 - ) + mock_get.assert_called_once_with(expected_url, headers=expected_headers, timeout=20) self.assertTrue(result) def test_is_dependabot_security_updates_disabled(self): @@ -70,10 +67,9 @@ def test_is_dependabot_security_updates_disabled(self): owner = "my_owner" repo = "my_repo" access_token = "my_access_token" + ghe = "" - expected_url = ( - f"https://api.github.com/repos/{owner}/{repo}/automated-security-fixes" - ) + expected_url = f"https://api.github.com/repos/{owner}/{repo}/automated-security-fixes" expected_headers = { "Authorization": f"Bearer {access_token}", "Accept": "application/vnd.github.london-preview+json", @@ -83,11 +79,9 @@ def test_is_dependabot_security_updates_disabled(self): mock_get.return_value.status_code = 200 mock_get.return_value.json.return_value = {"enabled": False} - result = is_dependabot_security_updates_enabled(owner, repo, access_token) + result = is_dependabot_security_updates_enabled(ghe, owner, repo, access_token) - mock_get.assert_called_once_with( - expected_url, headers=expected_headers, timeout=20 - ) + mock_get.assert_called_once_with(expected_url, headers=expected_headers, timeout=20) self.assertFalse(result) def test_is_dependabot_security_updates_not_found(self): @@ -102,10 +96,9 @@ def test_is_dependabot_security_updates_not_found(self): owner = "my_owner" repo = "my_repo" access_token = "my_access_token" + ghe = "" - expected_url = ( - f"https://api.github.com/repos/{owner}/{repo}/automated-security-fixes" - ) + expected_url = f"https://api.github.com/repos/{owner}/{repo}/automated-security-fixes" expected_headers = { "Authorization": f"Bearer {access_token}", "Accept": "application/vnd.github.london-preview+json", @@ -114,11 +107,9 @@ def test_is_dependabot_security_updates_not_found(self): with patch("requests.get") as mock_get: mock_get.return_value.status_code = 404 - result = is_dependabot_security_updates_enabled(owner, repo, access_token) + result = is_dependabot_security_updates_enabled(ghe, owner, repo, access_token) - mock_get.assert_called_once_with( - expected_url, headers=expected_headers, timeout=20 - ) + mock_get.assert_called_once_with(expected_url, headers=expected_headers, timeout=20) self.assertFalse(result) def test_enable_dependabot_security_updates(self): @@ -133,10 +124,9 @@ def test_enable_dependabot_security_updates(self): owner = "my_owner" repo = "my_repo" access_token = "my_access_token" + ghe = "" - expected_url = ( - f"https://api.github.com/repos/{owner}/{repo}/automated-security-fixes" - ) + expected_url = f"https://api.github.com/repos/{owner}/{repo}/automated-security-fixes" expected_headers = { "Authorization": f"Bearer {access_token}", "Accept": "application/vnd.github.london-preview+json", @@ -146,14 +136,10 @@ def test_enable_dependabot_security_updates(self): mock_put.return_value.status_code = 204 with patch("builtins.print") as mock_print: - enable_dependabot_security_updates(owner, repo, access_token) + enable_dependabot_security_updates(ghe, owner, repo, access_token) - mock_put.assert_called_once_with( - expected_url, headers=expected_headers, timeout=20 - ) - mock_print.assert_called_once_with( - "\tDependabot security updates enabled successfully." - ) + mock_put.assert_called_once_with(expected_url, headers=expected_headers, timeout=20) + mock_print.assert_called_once_with("\tDependabot security updates enabled successfully.") def test_enable_dependabot_security_updates_failed(self): """ @@ -167,10 +153,9 @@ def test_enable_dependabot_security_updates_failed(self): owner = "my_owner" repo = "my_repo" access_token = "my_access_token" + ghe = "" - expected_url = ( - f"https://api.github.com/repos/{owner}/{repo}/automated-security-fixes" - ) + expected_url = f"https://api.github.com/repos/{owner}/{repo}/automated-security-fixes" expected_headers = { "Authorization": f"Bearer {access_token}", "Accept": "application/vnd.github.london-preview+json", @@ -180,14 +165,10 @@ def test_enable_dependabot_security_updates_failed(self): mock_put.return_value.status_code = 500 with patch("builtins.print") as mock_print: - enable_dependabot_security_updates(owner, repo, access_token) + enable_dependabot_security_updates(ghe, owner, repo, access_token) - mock_put.assert_called_once_with( - expected_url, headers=expected_headers, timeout=20 - ) - mock_print.assert_called_once_with( - "\tFailed to enable Dependabot security updates." - ) + mock_put.assert_called_once_with(expected_url, headers=expected_headers, timeout=20) + mock_print.assert_called_once_with("\tFailed to enable Dependabot security updates.") class TestCommitChanges(unittest.TestCase): @@ -196,9 +177,7 @@ class TestCommitChanges(unittest.TestCase): @patch("uuid.uuid4") def test_commit_changes(self, mock_uuid): """Test the commit_changes function.""" - mock_uuid.return_value = uuid.UUID( - "12345678123456781234567812345678" - ) # Mock UUID generation + mock_uuid.return_value = uuid.UUID("12345678123456781234567812345678") # Mock UUID generation mock_repo = MagicMock() # Mock repo object mock_repo.default_branch = "main" mock_repo.ref.return_value.object.sha = "abc123" # Mock SHA for latest commit @@ -222,9 +201,7 @@ def test_commit_changes(self, mock_uuid): ) # Assert that the methods were called with the correct arguments - mock_repo.create_ref.assert_called_once_with( - f"refs/heads/{branch_name}", "abc123" - ) + mock_repo.create_ref.assert_called_once_with(f"refs/heads/{branch_name}", "abc123") mock_repo.create_file.assert_called_once_with( path=dependabot_file_name, message=commit_message, @@ -315,9 +292,7 @@ def test_get_repos_iterator_with_organization(self, mock_github): mock_organization.repositories.return_value = mock_repositories github_connection.organization.return_value = mock_organization - result = get_repos_iterator( - organization, None, repository_list, github_connection - ) + result = get_repos_iterator(organization, None, repository_list, github_connection) # Assert that the organization method was called with the correct argument github_connection.organization.assert_called_once_with(organization) @@ -339,9 +314,7 @@ def test_get_repos_iterator_with_repository_list(self, mock_github): mock_repository_list = [mock_repository, mock_repository] github_connection.repository.side_effect = mock_repository_list - result = get_repos_iterator( - organization, None, repository_list, github_connection - ) + result = get_repos_iterator(organization, None, repository_list, github_connection) # Assert that the repository method was called with the correct arguments for each repository in the list expected_calls = [ @@ -362,9 +335,7 @@ def test_get_repos_iterator_with_team(self, mock_github): github_connection = mock_github.return_value mock_team_repositories = MagicMock() - github_connection.organization.return_value.team_by_name.return_value.repositories.return_value = ( - mock_team_repositories - ) + github_connection.organization.return_value.team_by_name.return_value.repositories.return_value = mock_team_repositories result = get_repos_iterator( organization, @@ -377,9 +348,7 @@ def test_get_repos_iterator_with_team(self, mock_github): github_connection.organization.assert_called_once_with(organization) # Assert that the team_by_name method was called on the organization object - github_connection.organization.return_value.team_by_name.assert_called_once_with( - team_name - ) + github_connection.organization.return_value.team_by_name.assert_called_once_with(team_name) # Assert that the repositories method was called on the team object github_connection.organization.return_value.team_by_name.return_value.repositories.assert_called_once() @@ -397,24 +366,19 @@ def test_get_global_project_id_success(self, mock_post): token = "my_token" organization = "my_organization" number = 123 + ghe = "" expected_url = "https://api.github.com/graphql" expected_headers = {"Authorization": f"Bearer {token}"} - expected_data = { - "query": f'query{{organization(login: "{organization}") {{projectV2(number: {number}){{id}}}}}}' - } - expected_response = { - "data": {"organization": {"projectV2": {"id": "my_project_id"}}} - } + expected_data = {"query": f'query{{organization(login: "{organization}") {{projectV2(number: {number}){{id}}}}}}'} + expected_response = {"data": {"organization": {"projectV2": {"id": "my_project_id"}}}} mock_post.return_value.status_code = 200 mock_post.return_value.json.return_value = expected_response - result = get_global_project_id(token, organization, number) + result = get_global_project_id(ghe, token, organization, number) - mock_post.assert_called_once_with( - expected_url, headers=expected_headers, json=expected_data, timeout=20 - ) + mock_post.assert_called_once_with(expected_url, headers=expected_headers, json=expected_data, timeout=20) self.assertEqual(result, "my_project_id") @patch("requests.post") @@ -423,21 +387,18 @@ def test_get_global_project_id_request_failed(self, mock_post): token = "my_token" organization = "my_organization" number = 123 + ghe = "" expected_url = "https://api.github.com/graphql" expected_headers = {"Authorization": f"Bearer {token}"} - expected_data = { - "query": f'query{{organization(login: "{organization}") {{projectV2(number: {number}){{id}}}}}}' - } + expected_data = {"query": f'query{{organization(login: "{organization}") {{projectV2(number: {number}){{id}}}}}}'} mock_post.side_effect = requests.exceptions.RequestException("Request failed") with patch("builtins.print") as mock_print: - result = get_global_project_id(token, organization, number) + result = get_global_project_id(ghe, token, organization, number) - mock_post.assert_called_once_with( - expected_url, headers=expected_headers, json=expected_data, timeout=20 - ) + mock_post.assert_called_once_with(expected_url, headers=expected_headers, json=expected_data, timeout=20) mock_print.assert_called_once_with("Request failed: Request failed") self.assertIsNone(result) @@ -447,23 +408,20 @@ def test_get_global_project_id_parse_response_failed(self, mock_post): token = "my_token" organization = "my_organization" number = 123 + ghe = "" expected_url = "https://api.github.com/graphql" expected_headers = {"Authorization": f"Bearer {token}"} - expected_data = { - "query": f'query{{organization(login: "{organization}") {{projectV2(number: {number}){{id}}}}}}' - } + expected_data = {"query": f'query{{organization(login: "{organization}") {{projectV2(number: {number}){{id}}}}}}'} expected_response = {"data": {"organization": {"projectV2": {}}}} mock_post.return_value.status_code = 200 mock_post.return_value.json.return_value = expected_response with patch("builtins.print") as mock_print: - result = get_global_project_id(token, organization, number) + result = get_global_project_id(ghe, token, organization, number) - mock_post.assert_called_once_with( - expected_url, headers=expected_headers, json=expected_data, timeout=20 - ) + mock_post.assert_called_once_with(expected_url, headers=expected_headers, json=expected_data, timeout=20) mock_print.assert_called_once_with("Failed to parse response: 'id'") self.assertIsNone(result) @@ -478,13 +436,14 @@ def test_get_global_issue_id_success(self, mock_post): organization = "my_organization" repository = "my_repository" issue_number = 123 + ghe = "" expected_response = {"data": {"repository": {"issue": {"id": "1234567890"}}}} mock_post.return_value.status_code = 200 mock_post.return_value.json.return_value = expected_response - result = get_global_issue_id(token, organization, repository, issue_number) + result = get_global_issue_id(ghe, token, organization, repository, issue_number) mock_post.assert_called_once() self.assertEqual(result, "1234567890") @@ -496,10 +455,11 @@ def test_get_global_issue_id_request_failed(self, mock_post): organization = "my_organization" repository = "my_repository" issue_number = 123 + ghe = "" mock_post.side_effect = requests.exceptions.RequestException("Request failed") - result = get_global_issue_id(token, organization, repository, issue_number) + result = get_global_issue_id(ghe, token, organization, repository, issue_number) mock_post.assert_called_once() self.assertIsNone(result) @@ -511,13 +471,14 @@ def test_get_global_issue_id_parse_response_failed(self, mock_post): organization = "my_organization" repository = "my_repository" issue_number = 123 + ghe = "" expected_response = {"data": {"repository": {"issue": {}}}} mock_post.return_value.status_code = 200 mock_post.return_value.json.return_value = expected_response - result = get_global_issue_id(token, organization, repository, issue_number) + result = get_global_issue_id(ghe, token, organization, repository, issue_number) mock_post.assert_called_once() self.assertIsNone(result) @@ -532,13 +493,11 @@ def test_get_global_pr_id_success(self, mock_post): # Mock the response from requests.post mock_response = MagicMock() mock_response.raise_for_status.return_value = None - mock_response.json.return_value = { - "data": {"repository": {"pullRequest": {"id": "test_id"}}} - } + mock_response.json.return_value = {"data": {"repository": {"pullRequest": {"id": "test_id"}}}} mock_post.return_value = mock_response # Call the function with test data - result = get_global_pr_id("test_token", "test_org", "test_repo", 1) + result = get_global_pr_id("", "test_token", "test_org", "test_repo", 1) # Check that the result is as expected self.assertEqual(result, "test_id") @@ -550,7 +509,7 @@ def test_get_global_pr_id_request_exception(self, mock_post): mock_post.side_effect = requests.exceptions.RequestException # Call the function with test data - result = get_global_pr_id("test_token", "test_org", "test_repo", 1) + result = get_global_pr_id("", "test_token", "test_org", "test_repo", 1) # Check that the result is None self.assertIsNone(result) @@ -565,7 +524,7 @@ def test_get_global_pr_id_key_error(self, mock_post): mock_post.return_value = mock_response # Call the function with test data - result = get_global_pr_id("test_token", "test_org", "test_repo", 1) + result = get_global_pr_id("", "test_token", "test_org", "test_repo", 1) # Check that the result is None self.assertIsNone(result) @@ -580,22 +539,19 @@ def test_link_item_to_project_success(self, mock_post): token = "my_token" project_id = "my_project_id" item_id = "my_item_id" + ghe = "" expected_url = "https://api.github.com/graphql" expected_headers = {"Authorization": f"Bearer {token}"} - expected_data = { - "query": f'mutation {{addProjectV2ItemById(input: {{projectId: "{project_id}", contentId: "{item_id}"}}) {{item {{id}}}}}}' - } + expected_data = {"query": f'mutation {{addProjectV2ItemById(input: {{projectId: "{project_id}", contentId: "{item_id}"}}) {{item {{id}}}}}}'} mock_response = MagicMock() mock_response.status_code = 200 mock_post.return_value = mock_response - result = link_item_to_project(token, project_id, item_id) + result = link_item_to_project(ghe, token, project_id, item_id) - mock_post.assert_called_once_with( - expected_url, headers=expected_headers, json=expected_data, timeout=20 - ) + mock_post.assert_called_once_with(expected_url, headers=expected_headers, json=expected_data, timeout=20) mock_response.raise_for_status.assert_called_once() # Assert that the function returned None @@ -607,21 +563,18 @@ def test_link_item_to_project_request_exception(self, mock_post): token = "my_token" project_id = "my_project_id" item_id = "my_item_id" + ghe = "" expected_url = "https://api.github.com/graphql" expected_headers = {"Authorization": f"Bearer {token}"} - expected_data = { - "query": f'mutation {{addProjectV2ItemById(input: {{projectId: "{project_id}", contentId: "{item_id}"}}) {{item {{id}}}}}}' - } + expected_data = {"query": f'mutation {{addProjectV2ItemById(input: {{projectId: "{project_id}", contentId: "{item_id}"}}) {{item {{id}}}}}}'} mock_post.side_effect = requests.exceptions.RequestException("Request failed") with patch("builtins.print") as mock_print: - result = link_item_to_project(token, project_id, item_id) + result = link_item_to_project(ghe, token, project_id, item_id) - mock_post.assert_called_once_with( - expected_url, headers=expected_headers, json=expected_data, timeout=20 - ) + mock_post.assert_called_once_with(expected_url, headers=expected_headers, json=expected_data, timeout=20) mock_print.assert_called_once_with("Request failed: Request failed") # Assert that the function returned None @@ -710,9 +663,7 @@ def test_check_existing_config_without_existing_config(self): """ mock_repo = MagicMock() mock_response = MagicMock() - mock_repo.file_contents.side_effect = github3.exceptions.NotFoundError( - mock_response - ) + mock_repo.file_contents.side_effect = github3.exceptions.NotFoundError(mock_response) result = check_existing_config(mock_repo, "dependabot.yml") From 30153746d95b1df65553974bd2f017e28eda1a05 Mon Sep 17 00:00:00 2001 From: ricardojdsilva87 Date: Wed, 23 Oct 2024 10:49:21 +0100 Subject: [PATCH 2/8] fix: lint files --- auth.py | 15 ++++- evergreen.py | 56 ++++++++++++++----- test_auth.py | 4 +- test_evergreen.py | 136 ++++++++++++++++++++++++++++++++++------------ 4 files changed, 159 insertions(+), 52 deletions(-) diff --git a/auth.py b/auth.py index 726fb16..a6b0be1 100644 --- a/auth.py +++ b/auth.py @@ -29,21 +29,30 @@ def auth_to_github( gh = github3.github.GitHubEnterprise(url=ghe) else: gh = github3.github.GitHub() - gh.login_as_app_installation(gh_app_private_key_bytes, gh_app_id, gh_app_installation_id) + gh.login_as_app_installation( + gh_app_private_key_bytes, gh_app_id, gh_app_installation_id + ) github_connection = gh elif ghe and token: github_connection = github3.github.GitHubEnterprise(url=ghe, token=token) elif token: github_connection = github3.login(token=token) else: - raise ValueError("GH_TOKEN or the set of [GH_APP_ID, GH_APP_INSTALLATION_ID, GH_APP_PRIVATE_KEY] environment variables are not set") + raise ValueError( + "GH_TOKEN or the set of [GH_APP_ID, GH_APP_INSTALLATION_ID, GH_APP_PRIVATE_KEY] environment variables are not set" + ) if not github_connection: raise ValueError("Unable to authenticate to GitHub") return github_connection # type: ignore -def get_github_app_installation_token(ghe: str, gh_app_id: str, gh_app_private_key_bytes: bytes, gh_app_installation_id: str) -> str | None: +def get_github_app_installation_token( + ghe: str, + gh_app_id: str, + gh_app_private_key_bytes: bytes, + gh_app_installation_id: str, +) -> str | None: """ Get a GitHub App Installation token. API: https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app-installation diff --git a/evergreen.py b/evergreen.py index bdb1b99..422206e 100644 --- a/evergreen.py +++ b/evergreen.py @@ -45,20 +45,28 @@ def main(): # pragma: no cover ) = env.get_env_vars() # Auth to GitHub.com or GHE - github_connection = auth.auth_to_github(token, gh_app_id, gh_app_installation_id, gh_app_private_key, ghe) + github_connection = auth.auth_to_github( + token, gh_app_id, gh_app_installation_id, gh_app_private_key, ghe + ) if not token and gh_app_id and gh_app_installation_id and gh_app_private_key: - token = auth.get_github_app_installation_token(ghe, gh_app_id, gh_app_private_key, gh_app_installation_id) + token = auth.get_github_app_installation_token( + ghe, gh_app_id, gh_app_private_key, gh_app_installation_id + ) # If Project ID is set, lookup the global project ID if project_id: # Check Organization is set as it is required for linking to a project if not organization: - raise ValueError("ORGANIZATION environment variable was not set. Please set it") + raise ValueError( + "ORGANIZATION environment variable was not set. Please set it" + ) project_id = get_global_project_id(ghe, token, organization, project_id) # Get the repositories from the organization, team name, or list of repositories - repos = get_repos_iterator(organization, team_name, repository_list, github_connection) + repos = get_repos_iterator( + organization, team_name, repository_list, github_connection + ) # Iterate through the repositories and open an issue/PR if dependabot is not enabled count_eligible = 0 @@ -88,10 +96,14 @@ def main(): # pragma: no cover break if existing_config and not update_existing: - print(f"Skipping {repo.full_name} (dependabot file already exists and update_existing is False)") + print( + f"Skipping {repo.full_name} (dependabot file already exists and update_existing is False)" + ) continue - if created_after_date and is_repo_created_date_before(repo.created_at, created_after_date): + if created_after_date and is_repo_created_date_before( + repo.created_at, created_after_date + ): print(f"Skipping {repo.full_name} (created after filter)") continue @@ -131,7 +143,9 @@ def main(): # pragma: no cover # Get dependabot security updates enabled if possible if enable_security_updates: - if not is_dependabot_security_updates_enabled(ghe, repo.owner, repo.name, token): + if not is_dependabot_security_updates_enabled( + ghe, repo.owner, repo.name, token + ): enable_dependabot_security_updates(ghe, repo.owner, repo.name, token) if follow_up_type == "issue": @@ -142,7 +156,9 @@ def main(): # pragma: no cover issue = repo.create_issue(title, body_issue) print(f"\tCreated issue {issue.html_url}") if project_id: - issue_id = get_global_issue_id(ghe, token, organization, repo.name, issue.number) + issue_id = get_global_issue_id( + ghe, token, organization, repo.name, issue.number + ) link_item_to_project(ghe, token, project_id, issue_id) print(f"\tLinked issue to project {project_id}") else: @@ -164,7 +180,9 @@ def main(): # pragma: no cover ) print(f"\tCreated pull request {pull.html_url}") if project_id: - pr_id = get_global_pr_id(ghe, token, organization, repo.name, pull.number) + pr_id = get_global_pr_id( + ghe, token, organization, repo.name, pull.number + ) response = link_item_to_project(ghe, token, project_id, pr_id) if response: print(f"\tLinked pull request to project {project_id}") @@ -178,7 +196,9 @@ def main(): # pragma: no cover def is_repo_created_date_before(repo_created_at: str, created_after_date: str): """Check if the repository was created before the created_after_date""" repo_created_at_date = datetime.fromisoformat(repo_created_at).replace(tzinfo=None) - return created_after_date and repo_created_at_date < datetime.strptime(created_after_date, "%Y-%m-%d") + return created_after_date and repo_created_at_date < datetime.strptime( + created_after_date, "%Y-%m-%d" + ) def is_dependabot_security_updates_enabled(ghe, owner, repo, access_token): @@ -255,7 +275,9 @@ def get_repos_iterator(organization, team_name, repository_list, github_connecti else: # Get the repositories from the repository_list for repo in repository_list: - repos.append(github_connection.repository(repo.split("/")[0], repo.split("/")[1])) + repos.append( + github_connection.repository(repo.split("/")[0], repo.split("/")[1]) + ) return repos @@ -314,7 +336,9 @@ def commit_changes( branch=branch_name, ) - pull = repo.create_pull(title=title, body=body, head=branch_name, base=repo.default_branch) + pull = repo.create_pull( + title=title, body=body, head=branch_name, base=repo.default_branch + ) return pull @@ -326,7 +350,9 @@ def get_global_project_id(ghe, token, organization, number): api_endpoint = f"{ghe}/api/v3" if ghe else "https://api.github.com" url = f"{api_endpoint}/graphql" headers = {"Authorization": f"Bearer {token}"} - data = {"query": f'query{{organization(login: "{organization}") {{projectV2(number: {number}){{id}}}}}}'} + data = { + "query": f'query{{organization(login: "{organization}") {{projectV2(number: {number}){{id}}}}}}' + } try: response = requests.post(url, headers=headers, json=data, timeout=20) @@ -418,7 +444,9 @@ def link_item_to_project(ghe, token, project_id, item_id): api_endpoint = f"{ghe}/api/v3" if ghe else "https://api.github.com" url = f"{api_endpoint}/graphql" headers = {"Authorization": f"Bearer {token}"} - data = {"query": f'mutation {{addProjectV2ItemById(input: {{projectId: "{project_id}", contentId: "{item_id}"}}) {{item {{id}}}}}}'} + data = { + "query": f'mutation {{addProjectV2ItemById(input: {{projectId: "{project_id}", contentId: "{item_id}"}}) {{item {{id}}}}}}' + } try: response = requests.post(url, headers=headers, json=data, timeout=20) diff --git a/test_auth.py b/test_auth.py index adad4ef..064539e 100644 --- a/test_auth.py +++ b/test_auth.py @@ -57,7 +57,9 @@ def test_get_github_app_installation_token(self, mock_post): mock_response.json.return_value = {"token": dummy_token} mock_post.return_value = mock_response - result = auth.get_github_app_installation_token(b"ghe", "gh_private_token", "gh_app_id", "gh_installation_id") + result = auth.get_github_app_installation_token( + b"ghe", "gh_private_token", "gh_app_id", "gh_installation_id" + ) self.assertEqual(result, dummy_token) diff --git a/test_evergreen.py b/test_evergreen.py index cb0cae7..4402d96 100644 --- a/test_evergreen.py +++ b/test_evergreen.py @@ -39,7 +39,9 @@ def test_is_dependabot_security_updates_enabled(self): access_token = "my_access_token" ghe = "" - expected_url = f"https://api.github.com/repos/{owner}/{repo}/automated-security-fixes" + expected_url = ( + f"https://api.github.com/repos/{owner}/{repo}/automated-security-fixes" + ) expected_headers = { "Authorization": f"Bearer {access_token}", "Accept": "application/vnd.github.london-preview+json", @@ -50,9 +52,13 @@ def test_is_dependabot_security_updates_enabled(self): mock_get.return_value.status_code = 200 mock_get.return_value.json.return_value = expected_response - result = is_dependabot_security_updates_enabled(ghe, owner, repo, access_token) + result = is_dependabot_security_updates_enabled( + ghe, owner, repo, access_token + ) - mock_get.assert_called_once_with(expected_url, headers=expected_headers, timeout=20) + mock_get.assert_called_once_with( + expected_url, headers=expected_headers, timeout=20 + ) self.assertTrue(result) def test_is_dependabot_security_updates_disabled(self): @@ -69,7 +75,9 @@ def test_is_dependabot_security_updates_disabled(self): access_token = "my_access_token" ghe = "" - expected_url = f"https://api.github.com/repos/{owner}/{repo}/automated-security-fixes" + expected_url = ( + f"https://api.github.com/repos/{owner}/{repo}/automated-security-fixes" + ) expected_headers = { "Authorization": f"Bearer {access_token}", "Accept": "application/vnd.github.london-preview+json", @@ -79,9 +87,13 @@ def test_is_dependabot_security_updates_disabled(self): mock_get.return_value.status_code = 200 mock_get.return_value.json.return_value = {"enabled": False} - result = is_dependabot_security_updates_enabled(ghe, owner, repo, access_token) + result = is_dependabot_security_updates_enabled( + ghe, owner, repo, access_token + ) - mock_get.assert_called_once_with(expected_url, headers=expected_headers, timeout=20) + mock_get.assert_called_once_with( + expected_url, headers=expected_headers, timeout=20 + ) self.assertFalse(result) def test_is_dependabot_security_updates_not_found(self): @@ -98,7 +110,9 @@ def test_is_dependabot_security_updates_not_found(self): access_token = "my_access_token" ghe = "" - expected_url = f"https://api.github.com/repos/{owner}/{repo}/automated-security-fixes" + expected_url = ( + f"https://api.github.com/repos/{owner}/{repo}/automated-security-fixes" + ) expected_headers = { "Authorization": f"Bearer {access_token}", "Accept": "application/vnd.github.london-preview+json", @@ -107,9 +121,13 @@ def test_is_dependabot_security_updates_not_found(self): with patch("requests.get") as mock_get: mock_get.return_value.status_code = 404 - result = is_dependabot_security_updates_enabled(ghe, owner, repo, access_token) + result = is_dependabot_security_updates_enabled( + ghe, owner, repo, access_token + ) - mock_get.assert_called_once_with(expected_url, headers=expected_headers, timeout=20) + mock_get.assert_called_once_with( + expected_url, headers=expected_headers, timeout=20 + ) self.assertFalse(result) def test_enable_dependabot_security_updates(self): @@ -126,7 +144,9 @@ def test_enable_dependabot_security_updates(self): access_token = "my_access_token" ghe = "" - expected_url = f"https://api.github.com/repos/{owner}/{repo}/automated-security-fixes" + expected_url = ( + f"https://api.github.com/repos/{owner}/{repo}/automated-security-fixes" + ) expected_headers = { "Authorization": f"Bearer {access_token}", "Accept": "application/vnd.github.london-preview+json", @@ -138,8 +158,12 @@ def test_enable_dependabot_security_updates(self): with patch("builtins.print") as mock_print: enable_dependabot_security_updates(ghe, owner, repo, access_token) - mock_put.assert_called_once_with(expected_url, headers=expected_headers, timeout=20) - mock_print.assert_called_once_with("\tDependabot security updates enabled successfully.") + mock_put.assert_called_once_with( + expected_url, headers=expected_headers, timeout=20 + ) + mock_print.assert_called_once_with( + "\tDependabot security updates enabled successfully." + ) def test_enable_dependabot_security_updates_failed(self): """ @@ -155,7 +179,9 @@ def test_enable_dependabot_security_updates_failed(self): access_token = "my_access_token" ghe = "" - expected_url = f"https://api.github.com/repos/{owner}/{repo}/automated-security-fixes" + expected_url = ( + f"https://api.github.com/repos/{owner}/{repo}/automated-security-fixes" + ) expected_headers = { "Authorization": f"Bearer {access_token}", "Accept": "application/vnd.github.london-preview+json", @@ -167,8 +193,12 @@ def test_enable_dependabot_security_updates_failed(self): with patch("builtins.print") as mock_print: enable_dependabot_security_updates(ghe, owner, repo, access_token) - mock_put.assert_called_once_with(expected_url, headers=expected_headers, timeout=20) - mock_print.assert_called_once_with("\tFailed to enable Dependabot security updates.") + mock_put.assert_called_once_with( + expected_url, headers=expected_headers, timeout=20 + ) + mock_print.assert_called_once_with( + "\tFailed to enable Dependabot security updates." + ) class TestCommitChanges(unittest.TestCase): @@ -177,7 +207,9 @@ class TestCommitChanges(unittest.TestCase): @patch("uuid.uuid4") def test_commit_changes(self, mock_uuid): """Test the commit_changes function.""" - mock_uuid.return_value = uuid.UUID("12345678123456781234567812345678") # Mock UUID generation + mock_uuid.return_value = uuid.UUID( + "12345678123456781234567812345678" + ) # Mock UUID generation mock_repo = MagicMock() # Mock repo object mock_repo.default_branch = "main" mock_repo.ref.return_value.object.sha = "abc123" # Mock SHA for latest commit @@ -201,7 +233,9 @@ def test_commit_changes(self, mock_uuid): ) # Assert that the methods were called with the correct arguments - mock_repo.create_ref.assert_called_once_with(f"refs/heads/{branch_name}", "abc123") + mock_repo.create_ref.assert_called_once_with( + f"refs/heads/{branch_name}", "abc123" + ) mock_repo.create_file.assert_called_once_with( path=dependabot_file_name, message=commit_message, @@ -292,7 +326,9 @@ def test_get_repos_iterator_with_organization(self, mock_github): mock_organization.repositories.return_value = mock_repositories github_connection.organization.return_value = mock_organization - result = get_repos_iterator(organization, None, repository_list, github_connection) + result = get_repos_iterator( + organization, None, repository_list, github_connection + ) # Assert that the organization method was called with the correct argument github_connection.organization.assert_called_once_with(organization) @@ -314,7 +350,9 @@ def test_get_repos_iterator_with_repository_list(self, mock_github): mock_repository_list = [mock_repository, mock_repository] github_connection.repository.side_effect = mock_repository_list - result = get_repos_iterator(organization, None, repository_list, github_connection) + result = get_repos_iterator( + organization, None, repository_list, github_connection + ) # Assert that the repository method was called with the correct arguments for each repository in the list expected_calls = [ @@ -335,7 +373,9 @@ def test_get_repos_iterator_with_team(self, mock_github): github_connection = mock_github.return_value mock_team_repositories = MagicMock() - github_connection.organization.return_value.team_by_name.return_value.repositories.return_value = mock_team_repositories + github_connection.organization.return_value.team_by_name.return_value.repositories.return_value = ( + mock_team_repositories + ) result = get_repos_iterator( organization, @@ -348,7 +388,9 @@ def test_get_repos_iterator_with_team(self, mock_github): github_connection.organization.assert_called_once_with(organization) # Assert that the team_by_name method was called on the organization object - github_connection.organization.return_value.team_by_name.assert_called_once_with(team_name) + github_connection.organization.return_value.team_by_name.assert_called_once_with( + team_name + ) # Assert that the repositories method was called on the team object github_connection.organization.return_value.team_by_name.return_value.repositories.assert_called_once() @@ -370,15 +412,21 @@ def test_get_global_project_id_success(self, mock_post): expected_url = "https://api.github.com/graphql" expected_headers = {"Authorization": f"Bearer {token}"} - expected_data = {"query": f'query{{organization(login: "{organization}") {{projectV2(number: {number}){{id}}}}}}'} - expected_response = {"data": {"organization": {"projectV2": {"id": "my_project_id"}}}} + expected_data = { + "query": f'query{{organization(login: "{organization}") {{projectV2(number: {number}){{id}}}}}}' + } + expected_response = { + "data": {"organization": {"projectV2": {"id": "my_project_id"}}} + } mock_post.return_value.status_code = 200 mock_post.return_value.json.return_value = expected_response result = get_global_project_id(ghe, token, organization, number) - mock_post.assert_called_once_with(expected_url, headers=expected_headers, json=expected_data, timeout=20) + mock_post.assert_called_once_with( + expected_url, headers=expected_headers, json=expected_data, timeout=20 + ) self.assertEqual(result, "my_project_id") @patch("requests.post") @@ -391,14 +439,18 @@ def test_get_global_project_id_request_failed(self, mock_post): expected_url = "https://api.github.com/graphql" expected_headers = {"Authorization": f"Bearer {token}"} - expected_data = {"query": f'query{{organization(login: "{organization}") {{projectV2(number: {number}){{id}}}}}}'} + expected_data = { + "query": f'query{{organization(login: "{organization}") {{projectV2(number: {number}){{id}}}}}}' + } mock_post.side_effect = requests.exceptions.RequestException("Request failed") with patch("builtins.print") as mock_print: result = get_global_project_id(ghe, token, organization, number) - mock_post.assert_called_once_with(expected_url, headers=expected_headers, json=expected_data, timeout=20) + mock_post.assert_called_once_with( + expected_url, headers=expected_headers, json=expected_data, timeout=20 + ) mock_print.assert_called_once_with("Request failed: Request failed") self.assertIsNone(result) @@ -412,7 +464,9 @@ def test_get_global_project_id_parse_response_failed(self, mock_post): expected_url = "https://api.github.com/graphql" expected_headers = {"Authorization": f"Bearer {token}"} - expected_data = {"query": f'query{{organization(login: "{organization}") {{projectV2(number: {number}){{id}}}}}}'} + expected_data = { + "query": f'query{{organization(login: "{organization}") {{projectV2(number: {number}){{id}}}}}}' + } expected_response = {"data": {"organization": {"projectV2": {}}}} mock_post.return_value.status_code = 200 @@ -421,7 +475,9 @@ def test_get_global_project_id_parse_response_failed(self, mock_post): with patch("builtins.print") as mock_print: result = get_global_project_id(ghe, token, organization, number) - mock_post.assert_called_once_with(expected_url, headers=expected_headers, json=expected_data, timeout=20) + mock_post.assert_called_once_with( + expected_url, headers=expected_headers, json=expected_data, timeout=20 + ) mock_print.assert_called_once_with("Failed to parse response: 'id'") self.assertIsNone(result) @@ -493,7 +549,9 @@ def test_get_global_pr_id_success(self, mock_post): # Mock the response from requests.post mock_response = MagicMock() mock_response.raise_for_status.return_value = None - mock_response.json.return_value = {"data": {"repository": {"pullRequest": {"id": "test_id"}}}} + mock_response.json.return_value = { + "data": {"repository": {"pullRequest": {"id": "test_id"}}} + } mock_post.return_value = mock_response # Call the function with test data @@ -543,7 +601,9 @@ def test_link_item_to_project_success(self, mock_post): expected_url = "https://api.github.com/graphql" expected_headers = {"Authorization": f"Bearer {token}"} - expected_data = {"query": f'mutation {{addProjectV2ItemById(input: {{projectId: "{project_id}", contentId: "{item_id}"}}) {{item {{id}}}}}}'} + expected_data = { + "query": f'mutation {{addProjectV2ItemById(input: {{projectId: "{project_id}", contentId: "{item_id}"}}) {{item {{id}}}}}}' + } mock_response = MagicMock() mock_response.status_code = 200 @@ -551,7 +611,9 @@ def test_link_item_to_project_success(self, mock_post): result = link_item_to_project(ghe, token, project_id, item_id) - mock_post.assert_called_once_with(expected_url, headers=expected_headers, json=expected_data, timeout=20) + mock_post.assert_called_once_with( + expected_url, headers=expected_headers, json=expected_data, timeout=20 + ) mock_response.raise_for_status.assert_called_once() # Assert that the function returned None @@ -567,14 +629,18 @@ def test_link_item_to_project_request_exception(self, mock_post): expected_url = "https://api.github.com/graphql" expected_headers = {"Authorization": f"Bearer {token}"} - expected_data = {"query": f'mutation {{addProjectV2ItemById(input: {{projectId: "{project_id}", contentId: "{item_id}"}}) {{item {{id}}}}}}'} + expected_data = { + "query": f'mutation {{addProjectV2ItemById(input: {{projectId: "{project_id}", contentId: "{item_id}"}}) {{item {{id}}}}}}' + } mock_post.side_effect = requests.exceptions.RequestException("Request failed") with patch("builtins.print") as mock_print: result = link_item_to_project(ghe, token, project_id, item_id) - mock_post.assert_called_once_with(expected_url, headers=expected_headers, json=expected_data, timeout=20) + mock_post.assert_called_once_with( + expected_url, headers=expected_headers, json=expected_data, timeout=20 + ) mock_print.assert_called_once_with("Request failed: Request failed") # Assert that the function returned None @@ -663,7 +729,9 @@ def test_check_existing_config_without_existing_config(self): """ mock_repo = MagicMock() mock_response = MagicMock() - mock_repo.file_contents.side_effect = github3.exceptions.NotFoundError(mock_response) + mock_repo.file_contents.side_effect = github3.exceptions.NotFoundError( + mock_response + ) result = check_existing_config(mock_repo, "dependabot.yml") From b20c04e2eaf28c4d3bc185ab860a91414eba775a Mon Sep 17 00:00:00 2001 From: ricardojdsilva87 Date: Wed, 23 Oct 2024 11:42:39 +0100 Subject: [PATCH 3/8] feat: update readme --- README.md | 131 +++++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 99 insertions(+), 32 deletions(-) diff --git a/README.md b/README.md index 35620a6..d3c4850 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,7 @@ [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/github/evergreen/badge)](https://scorecard.dev/viewer/?uri=github.com/github/evergreen) [![OpenSSF Best Practices](https://www.bestpractices.dev/projects/9523/badge)](https://www.bestpractices.dev/projects/9523) -This is a GitHub Action that given an organization, team, or specified repositories, opens an issue/PR if dependabot is not enabled, or there are more package ecosystems that could be. It also enables [automated security updates](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#managing-dependabot-security-updates-for-your-repositories) for the repository. +This is a GitHub Action that given an organization, team, or specified repositories, opens an issue/PR if dependabot is not enabled, or there are more package ecosystems that could be added. It also enables [automated security updates](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#managing-dependabot-security-updates-for-your-repositories) for the repository. This action was developed by the GitHub OSPO for our own use and developed in a way that we could open source it that it might be useful to you as well! If you want to know more about how we use it, reach out in an issue in this repository. @@ -28,11 +28,39 @@ All feedback regarding our GitHub Actions, as a whole, should be communicated th 1. Create a repository to host this GitHub Action or select an existing repository. 1. Select a best fit workflow file from the [examples below](#example-workflows). 1. Copy that example into your repository (from step 1) and into the proper directory for GitHub Actions: `.github/workflows/` directory with the file extension `.yml` (ie. `.github/workflows/evergreen.yml`) -1. Edit the values (`ORGANIZATION`, `TEAM_NAME`, `REPOSITORY`, `EXEMPT_REPOS`, `TYPE`, `TITLE`, `BODY`) from the sample workflow with your information. If running on a whole organization then no repository is needed. If running the action on just one repository or a list of repositories, then no organization is needed. If running the action on a team, then an organization is required and no repository is needed. The type should be either `issue` or `pull` representing the action that you want taken after discovering a repository that should enable dependabot. -1. Optionally, edit the value (`CREATED_AFTER_DATE`) if you are setting up this action to run regularly and only want newly created repositories to be considered. Otherwise, if you want all specified repositories regardless of when they were created to be considered, then leave blank. -1. Optionally edit the value (`UPDATE_EXISTING`) if you want to update existing dependabot configuration files. If set to `true`, the action will update the existing dependabot configuration file with any package ecosystems that are detected but not configured yet. If set to `false`, the action will only create a new dependabot configuration file if there is not an existing one. The default value is `false`. -1. Also edit the value for `GH_ENTERPRISE_URL` if you are using a GitHub Server and not using github.com. For github.com users, don't put anything in here. -1. Update the value of `GH_TOKEN`. Do this by creating a [GitHub API token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token-classic) with permissions to read the repository/organization and write issues or pull requests depending on what you put in for the `TYPE`. Additionally, you should set the `administration:write` permission on every repository in scope to successfully enable security updates. Then take the value of the API token you just created, and [create a repository secret](https://docs.github.com/en/actions/security-guides/encrypted-secrets) where the name of the secret is `GH_TOKEN` and the value of the secret the API token. Then finally update the workflow file to use that repository secret by changing `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` to `GH_TOKEN: ${{ secrets.GH_TOKEN }}`. The name of the secret can really be anything. It just needs to match between when you create the secret name and when you refer to it in the workflow file. +1. Edit the values below from the sample workflow with your information: + - `ORGANIZATION` + - `TEAM_NAME` + - `REPOSITORY` + - `EXEMPT_REPOS` + - `TYPE` + - `TITLE` + - `BODY` + + If running on a whole **organization** then no repository is needed. + If running the action on just **one repository** or a **list of repositories**, then no organization is needed. + If running the action on a **team**, then an organization is required and no repository is needed. + The type should be either `issue` or `pull` representing the action that you want taken after discovering a repository that should enable dependabot. +1. Optionally, edit the value `CREATED_AFTER_DATE` if you are setting up this action to run regularly and only want newly created repositories to be considered. + Otherwise, if you want all specified repositories regardless of when they were created to be considered, then leave it blank. +1. Optionally edit the value `UPDATE_EXISTING` (default value `false`) if you want to update existing dependabot configuration files. + If set to `true`, the action will update the existing dependabot configuration file with any package ecosystems that are detected but not configured yet. + If set to `false`, the action will only create a new dependabot configuration file if there is not an existing one. +1. Also edit the value for `GH_ENTERPRISE_URL` if you are using a GitHub Server and not using github.com. + For github.com users, leave it empty. +1. Update the value of `GH_TOKEN`. Do this by creating a [GitHub API token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token-classic) with the following permissions: + - If using **classic tokens**: + - `workflow`, this will set also all permissions for `repo` + - under `admin`, `read:org` and `write:org` + - If using **fine grain tokens**: + - `Administration` - Read and Write (Needed to activate the [automated security updates](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#managing-dependabot-security-updates-for-your-repositories) ) + - `Pull Requests` - Read and Write (If `TYPE` input is set to `pull`) + - `Issues` - Read and Write (If `TYPE` input is set to `issue`) + - `Workflows` - Read and Write (Needed to create the `dependabot.yml` file) + + Then take the value of the API token you just created, and [create a repository secret](https://docs.github.com/en/actions/security-guides/encrypted-secrets) where the name of the secret is `GH_TOKEN` and the value of the secret the API token. + Then finally update the workflow file to use that repository secret by changing `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` to `GH_TOKEN: ${{ secrets.GH_TOKEN }}`. + The name of the secret can really be anything, it just needs to match between when you create the secret name and when you refer to it in the workflow file. 1. If you want the resulting issue with the output to appear in a different repository other than the one the workflow file runs in, update the line `token: ${{ secrets.GITHUB_TOKEN }}` with your own GitHub API token stored as a repository secret. This process is the same as described in the step above. More info on creating secrets can be found [here](https://docs.github.com/en/actions/security-guides/encrypted-secrets). 1. Commit the workflow file to the default branch (often `master` or `main`) 1. Wait for the action to trigger based on the `schedule` entry or manually trigger the workflow as shown in the [documentation](https://docs.github.com/en/actions/using-workflows/manually-running-a-workflow). @@ -53,37 +81,44 @@ This action can be configured to authenticate with GitHub App Installation or Pe | `GH_APP_INSTALLATION_ID` | True | `""` | GitHub Application Installation ID. See [documentation](https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/about-authentication-with-a-github-app) for more details. | | `GH_APP_PRIVATE_KEY` | True | `""` | GitHub Application Private Key. See [documentation](https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/about-authentication-with-a-github-app) for more details. | +The needed GitHub app permissions are the following: + +- `Administration` - Read and Write (Needed to activate the [automated security updates](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#managing-dependabot-security-updates-for-your-repositories) ) +- `Pull Requests` - Read and Write (If `TYPE` input is set to `pull`) +- `Issues` - Read and Write (If `TYPE` input is set to `issue`) +- `Workflows` - Read and Write (Needed to create the `dependabot.yml` file) + ##### Personal Access Token (PAT) -| field | required | default | description | -| ---------- | -------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `GH_TOKEN` | True | `""` | The GitHub Token used to scan the repository. Must have read access to all repository you are interested in scanning, `repo:write`, and `workflow` privileges to create a pull request. | +| field | required | default | description | +| ---------- | -------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `GH_TOKEN` | True | `""` | The GitHub Token used to scan the repository. Must have read access to all the repositories you are interested in scanning, `repo:write`, and `workflow` privileges to create a pull request. | #### Other Configuration Options -| field | required | default | description | -| -------------------------- | ----------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| `GH_ENTERPRISE_URL` | False | "" | The `GH_ENTERPRISE_URL` is used to connect to an enterprise server instance of GitHub. github.com users should not enter anything here. | -| `ORGANIZATION` | Required to have `ORGANIZATION` or `REPOSITORY` | | The name of the GitHub organization which you want this action to work from. ie. github.com/github would be `github` | -| `REPOSITORY` | Required to have `ORGANIZATION` or `REPOSITORY` | | The name of the repository and organization which you want this action to work from. ie. `github/evergreen` or a comma separated list of multiple repositories `github/evergreen,super-linter/super-linter` | -| `EXEMPT_REPOS` | False | "" | These repositories will be exempt from this action considering them for dependabot enablement. ex: If my org is set to `github` then I might want to exempt a few of the repos but get the rest by setting `EXEMPT_REPOS` to `github/evergreen,github/contributors` | -| `TYPE` | False | pull | Type refers to the type of action you want taken if this workflow determines that dependabot could be enabled. Valid values are `pull` or `issue`. | -| `TITLE` | False | "Enable Dependabot" | The title of the issue or pull request that will be created if dependabot could be enabled. | -| `BODY` | False | **Pull Request:** "Dependabot could be enabled for this repository. Please enable it by merging this pull request so that we can keep our dependencies up to date and secure." **Issue:** "Please update the repository to include a Dependabot configuration file. This will ensure our dependencies remain updated and secure. Follow the guidelines in [creating Dependabot configuration files](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file) to set it up properly.Here's an example of the code:" | The body of the issue or pull request that will be created if dependabot could be enabled. | -| `COMMIT_MESSAGE` | False | "Create dependabot.yaml" | The commit message for the pull request that will be created if dependabot could be enabled. | -| `CREATED_AFTER_DATE` | False | none | If a value is set, this action will only consider repositories created on or after this date for dependabot enablement. This is useful if you want to only consider newly created repositories. If I set up this action to run weekly and I only want to scan for repos created in the last week that need dependabot enabled, then I would set `CREATED_AFTER_DATE` to 7 days ago. That way only repositories created after 7 days ago will be considered for dependabot enablement. If not set or set to nothing, all repositories will be scanned and a duplicate issue/pull request may occur. Ex: 2023-12-31 for Dec. 31st 2023 | -| `UPDATE_EXISTING` | False | False | If set to true, this action will update the existing dependabot configuration file with any package ecosystems that are detected but not configured yet. If set to false, the action will only create a new dependabot configuration file if there is not an existing one. | -| `PROJECT_ID` | False | "" | If set, this will assign the issue or pull request to the project with the given ID. ( The project ID on GitHub can be located by navigating to the respective project and observing the URL's end.) **The `ORGANIZATION` variable is required** | -| `DRY_RUN` | False | False | If set to true, this action will not create any issues or pull requests. It will only log the repositories that could have dependabot enabled. This is useful for testing. | -| `GROUP_DEPENDENCIES` | False | false | If set to true, dependabot configuration will group dependencies updates based on [dependency type](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups) (production or development, where supported) | -| `FILTER_VISIBILITY` | False | "public,private,internal" | Use this flag to filter repositories in scope by their visibility (`public`, `private`, `internal`). By default all repository are targeted. ex: to ignore public repositories set this value to `private,internal`. | -| `BATCH_SIZE` | False | None | Set this to define the maximum amount of eligible repositories for every run. This is useful if you are targeting large organizations and you don't want to flood repositories with pull requests / issues. ex: if you want to target 20 repositories per time, set this to 20. | -| `ENABLE_SECURITY_UPDATES` | False | true | If set to true, Evergreen will enable [Dependabot security updates](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates) on target repositories. Note that the GitHub token needs to have the `administration:write` permission on every repository in scope to successfully enable security updates. | -| `EXEMPT_ECOSYSTEMS` | False | "" | A list of [package ecosystems](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem) to exempt from the generated dependabot configuration. To ignore ecosystems set this to one or more of `bundler`,`cargo`, `composer`, `pip`, `docker`, `npm`, `gomod`, `mix`, `nuget`, `maven`, `github-actions` and `terraform`. ex: if you don't want Dependabot to update Dockerfiles and Github Actions you can set this to `docker,github-actions`. | -| `REPO_SPECIFIC_EXEMPTIONS` | False | "" | A list of repositories that should be exempt from specific package ecosystems similar to EXEMPT_ECOSYSTEMS but those apply to all repositories. ex: `org1/repo1:docker,github-actions;org1/repo2:pip` would set exempt_ecosystems for `org1/repo1` to be `['docker', 'github-actions']`, and for `org1/repo2` it would be `['pip']`, while for every other repository evaluated, it would be set by the env variable `EXEMPT_ECOSYSTEMS`. NOTE: If you want specific exemptions to be added on top of the already specified global exemptions, you need to add the global exemptions to each repo specific exemption. | -| `SCHEDULE` | False | 'weekly' | Schedule interval by which to check for dependency updates via Dependabot. Allowed values are 'daily', 'weekly', or 'monthly' | -| `SCHEDULE_DAY` | False | '' | Scheduled day by which to check for dependency updates via Dependabot. Allowed values are days of the week full names (i.e., 'monday') | -| `LABELS` | False | "" | A comma separated list of labels that should be added to pull requests opened by dependabot. | +| field | required | default | description | +| -------------------------- | ----------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| `GH_ENTERPRISE_URL` | False | "" | The `GH_ENTERPRISE_URL` is used to connect to an enterprise server instance of GitHub, ex: `https://yourgheserver.com`.
github.com users should not enter anything here. | +| `ORGANIZATION` | Required to have `ORGANIZATION` or `REPOSITORY` | | The name of the GitHub organization which you want this action to work from. ie. github.com/github would be `github` | +| `REPOSITORY` | Required to have `ORGANIZATION` or `REPOSITORY` | | The name of the repository and organization which you want this action to work from. ie. `github/evergreen` or a comma separated list of multiple repositories `github/evergreen,super-linter/super-linter` | +| `EXEMPT_REPOS` | False | "" | These repositories will be exempt from this action considering them for dependabot enablement. ex: If my org is set to `github` then I might want to exempt a few of the repos but get the rest by setting `EXEMPT_REPOS` to `github/evergreen,github/contributors` | +| `TYPE` | False | pull | Type refers to the type of action you want taken if this workflow determines that dependabot could be enabled. Valid values are `pull` or `issue`. | +| `TITLE` | False | "Enable Dependabot" | The title of the issue or pull request that will be created if dependabot could be enabled. | +| `BODY` | False |
  • **Pull Request:** "Dependabot could be enabled for this repository. Please enable it by merging this pull request so that we can keep our dependencies up to date and secure."
  • **Issue:** "Please update the repository to include a Dependabot configuration file. This will ensure our dependencies remain updated and secure. Follow the guidelines in [creating Dependabot configuration files](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file) to set it up properly.Here's an example of the code:"
| The body of the issue or pull request that will be created if dependabot could be enabled. | +| `COMMIT_MESSAGE` | False | "Create dependabot.yaml" | The commit message for the pull request that will be created if dependabot could be enabled. | +| `CREATED_AFTER_DATE` | False | none | If a value is set, this action will only consider repositories created on or after this date for dependabot enablement. This is useful if you want to only consider newly created repositories. If I set up this action to run weekly and I only want to scan for repos created in the last week that need dependabot enabled, then I would set `CREATED_AFTER_DATE` to 7 days ago. That way only repositories created after 7 days ago will be considered for dependabot enablement. If not set or set to nothing, all repositories will be scanned and a duplicate issue/pull request may occur. Ex: 2023-12-31 for Dec. 31st 2023 | +| `UPDATE_EXISTING` | False | False | If set to true, this action will update the existing dependabot configuration file with any package ecosystems that are detected but not configured yet. If set to false, the action will only create a new dependabot configuration file if there is not an existing one. | +| `PROJECT_ID` | False | "" | If set, this will assign the issue or pull request to the project with the given ID. ( The project ID on GitHub can be located by navigating to the respective project and observing the URL's end.) **The `ORGANIZATION` variable is required** | +| `DRY_RUN` | False | False | If set to true, this action will not create any issues or pull requests. It will only log the repositories that could have dependabot enabled. This is useful for testing. | +| `GROUP_DEPENDENCIES` | False | false | If set to true, dependabot configuration will group dependencies updates based on [dependency type](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups) (production or development, where supported) | +| `FILTER_VISIBILITY` | False | "public,private,internal" | Use this flag to filter repositories in scope by their visibility (`public`, `private`, `internal`). By default all repository are targeted. ex: to ignore public repositories set this value to `private,internal`. | +| `BATCH_SIZE` | False | None | Set this to define the maximum amount of eligible repositories for every run. This is useful if you are targeting large organizations and you don't want to flood repositories with pull requests / issues. ex: if you want to target 20 repositories per time, set this to 20. | +| `ENABLE_SECURITY_UPDATES` | False | true | If set to true, Evergreen will enable [Dependabot security updates](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates) on target repositories. Note that the GitHub token needs to have the `administration:write` permission on every repository in scope to successfully enable security updates. | +| `EXEMPT_ECOSYSTEMS` | False | "" | A list of [package ecosystems](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem) to exempt from the generated dependabot configuration. To ignore ecosystems set this to one or more of `bundler`,`cargo`, `composer`, `pip`, `docker`, `npm`, `gomod`, `mix`, `nuget`, `maven`, `github-actions` and `terraform`. ex: if you don't want Dependabot to update Dockerfiles and Github Actions you can set this to `docker,github-actions`. | +| `REPO_SPECIFIC_EXEMPTIONS` | False | "" | A list of repositories that should be exempt from specific package ecosystems similar to EXEMPT_ECOSYSTEMS but those apply to all repositories. ex: `org1/repo1:docker,github-actions;org1/repo2:pip` would set exempt_ecosystems for `org1/repo1` to be `['docker', 'github-actions']`, and for `org1/repo2` it would be `['pip']`, while for every other repository evaluated, it would be set by the env variable `EXEMPT_ECOSYSTEMS`. NOTE: If you want specific exemptions to be added on top of the already specified global exemptions, you need to add the global exemptions to each repo specific exemption. | +| `SCHEDULE` | False | `weekly` | Schedule interval by which to check for dependency updates via Dependabot. Allowed values are `daily`, `weekly`, or `monthly` | +| `SCHEDULE_DAY` | False | '' | Scheduled day by which to check for dependency updates via Dependabot. Allowed values are days of the week full names (i.e., `monday`) | +| `LABELS` | False | "" | A comma separated list of labels that should be added to pull requests opened by dependabot. | ### Example workflows @@ -158,6 +193,38 @@ jobs: CREATED_AFTER_DATE: ${{ env.one_week_ago }} ``` +#### Using GitHub app + +```yaml +name: Evergreen +on: + workflow_dispatch: + schedule: + - cron: "3 2 * * 6" + +permissions: + contents: read + +jobs: + evergreen: + name: "Create dependabot.yml" + runs-on: ubuntu-latest + + steps: + - name: Run evergreen action for tools + uses: github/evergreen@v1 + env: + GH_APP_ID: ${{ secrets.GH_APP_ID }} + GH_APP_INSTALLATION_ID: ${{ secrets.GH_APP_INSTALLATION_ID }} + GH_APP_PRIVATE_KEY: ${{ secrets.GH_APP_PRIVATE_KEY }} + GH_ENTERPRISE_URL: ${{ github.server_url }} + # GH_TOKEN: ${{ steps.app-token.outputs.token }} the token input is not used if the github app inputs are set + ORGANIZATION: your_organization + UPDATE_EXISTING: True + GROUP_DEPENDENCIES: True + +``` + ## Local usage without Docker 1. Make sure you have at least Python3.11 installed From 512ace286d5248c2e2f1c2d6bf66ee460e561e42 Mon Sep 17 00:00:00 2001 From: ricardojdsilva87 Date: Wed, 23 Oct 2024 15:47:36 +0100 Subject: [PATCH 4/8] fix: README lint issues --- README.md | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index d3c4850..7970d59 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,8 @@ All feedback regarding our GitHub Actions, as a whole, should be communicated th 1. Create a repository to host this GitHub Action or select an existing repository. 1. Select a best fit workflow file from the [examples below](#example-workflows). 1. Copy that example into your repository (from step 1) and into the proper directory for GitHub Actions: `.github/workflows/` directory with the file extension `.yml` (ie. `.github/workflows/evergreen.yml`) -1. Edit the values below from the sample workflow with your information: +1. Edit the values below from the sample workflow with your information: + - `ORGANIZATION` - `TEAM_NAME` - `REPOSITORY` @@ -41,6 +42,7 @@ All feedback regarding our GitHub Actions, as a whole, should be communicated th If running the action on just **one repository** or a **list of repositories**, then no organization is needed. If running the action on a **team**, then an organization is required and no repository is needed. The type should be either `issue` or `pull` representing the action that you want taken after discovering a repository that should enable dependabot. + 1. Optionally, edit the value `CREATED_AFTER_DATE` if you are setting up this action to run regularly and only want newly created repositories to be considered. Otherwise, if you want all specified repositories regardless of when they were created to be considered, then leave it blank. 1. Optionally edit the value `UPDATE_EXISTING` (default value `false`) if you want to update existing dependabot configuration files. @@ -49,18 +51,20 @@ All feedback regarding our GitHub Actions, as a whole, should be communicated th 1. Also edit the value for `GH_ENTERPRISE_URL` if you are using a GitHub Server and not using github.com. For github.com users, leave it empty. 1. Update the value of `GH_TOKEN`. Do this by creating a [GitHub API token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token-classic) with the following permissions: + - If using **classic tokens**: - - `workflow`, this will set also all permissions for `repo` - - under `admin`, `read:org` and `write:org` + - `workflow`, this will set also all permissions for `repo` + - under `admin`, `read:org` and `write:org` - If using **fine grain tokens**: - - `Administration` - Read and Write (Needed to activate the [automated security updates](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#managing-dependabot-security-updates-for-your-repositories) ) - - `Pull Requests` - Read and Write (If `TYPE` input is set to `pull`) - - `Issues` - Read and Write (If `TYPE` input is set to `issue`) - - `Workflows` - Read and Write (Needed to create the `dependabot.yml` file) + - `Administration` - Read and Write (Needed to activate the [automated security updates](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#managing-dependabot-security-updates-for-your-repositories) ) + - `Pull Requests` - Read and Write (If `TYPE` input is set to `pull`) + - `Issues` - Read and Write (If `TYPE` input is set to `issue`) + - `Workflows` - Read and Write (Needed to create the `dependabot.yml` file) Then take the value of the API token you just created, and [create a repository secret](https://docs.github.com/en/actions/security-guides/encrypted-secrets) where the name of the secret is `GH_TOKEN` and the value of the secret the API token. Then finally update the workflow file to use that repository secret by changing `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` to `GH_TOKEN: ${{ secrets.GH_TOKEN }}`. The name of the secret can really be anything, it just needs to match between when you create the secret name and when you refer to it in the workflow file. + 1. If you want the resulting issue with the output to appear in a different repository other than the one the workflow file runs in, update the line `token: ${{ secrets.GITHUB_TOKEN }}` with your own GitHub API token stored as a repository secret. This process is the same as described in the step above. More info on creating secrets can be found [here](https://docs.github.com/en/actions/security-guides/encrypted-secrets). 1. Commit the workflow file to the default branch (often `master` or `main`) 1. Wait for the action to trigger based on the `schedule` entry or manually trigger the workflow as shown in the [documentation](https://docs.github.com/en/actions/using-workflows/manually-running-a-workflow). @@ -222,7 +226,6 @@ jobs: ORGANIZATION: your_organization UPDATE_EXISTING: True GROUP_DEPENDENCIES: True - ``` ## Local usage without Docker From 1408143aa6bf6693837f2efc7d11df51c3ea96ea Mon Sep 17 00:00:00 2001 From: ricardojdsilva87 Date: Wed, 23 Oct 2024 16:13:43 +0100 Subject: [PATCH 5/8] fix: add ignore rule to markdown lint --- .github/linters/.markdown-lint.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/linters/.markdown-lint.yml b/.github/linters/.markdown-lint.yml index af70e5f..3339428 100644 --- a/.github/linters/.markdown-lint.yml +++ b/.github/linters/.markdown-lint.yml @@ -5,3 +5,7 @@ MD013: false MD025: false # duplicate headers MD024: false +# MD033/no-inline-html - Inline HTML +MD033: + # Allowed elements + allowed_elements: [br, li, ul] \ No newline at end of file From 9954dc271eba8db7b5b105f814d9e3b9df57c62b Mon Sep 17 00:00:00 2001 From: ricardojdsilva87 Date: Thu, 24 Oct 2024 11:52:39 +0100 Subject: [PATCH 6/8] feat: add env variable for ghe apps only + add tests --- .github/linters/.markdown-lint.yml | 2 +- README.md | 14 ++-- auth.py | 9 +- env.py | 4 + evergreen.py | 8 +- test_auth.py | 34 +++++++- test_env.py | 129 +++++++++++++++++++++++++++++ 7 files changed, 188 insertions(+), 12 deletions(-) diff --git a/.github/linters/.markdown-lint.yml b/.github/linters/.markdown-lint.yml index 3339428..833eaff 100644 --- a/.github/linters/.markdown-lint.yml +++ b/.github/linters/.markdown-lint.yml @@ -8,4 +8,4 @@ MD024: false # MD033/no-inline-html - Inline HTML MD033: # Allowed elements - allowed_elements: [br, li, ul] \ No newline at end of file + allowed_elements: [br, li, ul] diff --git a/README.md b/README.md index 7970d59..03d6407 100644 --- a/README.md +++ b/README.md @@ -79,11 +79,12 @@ This action can be configured to authenticate with GitHub App Installation or Pe ##### GitHub App Installation -| field | required | default | description | -| ------------------------ | -------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `GH_APP_ID` | True | `""` | GitHub Application ID. See [documentation](https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/about-authentication-with-a-github-app) for more details. | -| `GH_APP_INSTALLATION_ID` | True | `""` | GitHub Application Installation ID. See [documentation](https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/about-authentication-with-a-github-app) for more details. | -| `GH_APP_PRIVATE_KEY` | True | `""` | GitHub Application Private Key. See [documentation](https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/about-authentication-with-a-github-app) for more details. | +| field | required | default | description | +| ---------------------------- | -------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `GH_APP_ID` | True | `""` | GitHub Application ID. See [documentation](https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/about-authentication-with-a-github-app) for more details. | +| `GH_APP_INSTALLATION_ID` | True | `""` | GitHub Application Installation ID. See [documentation](https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/about-authentication-with-a-github-app) for more details. | +| `GH_APP_PRIVATE_KEY` | True | `""` | GitHub Application Private Key. See [documentation](https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/about-authentication-with-a-github-app) for more details. | +| `GITHUB_APP_ENTERPRISE_ONLY` | False | false | Set this input to `true` if your app is created in GHE and communicates with GHE. | The needed GitHub app permissions are the following: @@ -221,8 +222,9 @@ jobs: GH_APP_ID: ${{ secrets.GH_APP_ID }} GH_APP_INSTALLATION_ID: ${{ secrets.GH_APP_INSTALLATION_ID }} GH_APP_PRIVATE_KEY: ${{ secrets.GH_APP_PRIVATE_KEY }} + # GITHUB_APP_ENTERPRISE_ONLY: True --> Set to true when created GHE App needs to communicate with GHE api GH_ENTERPRISE_URL: ${{ github.server_url }} - # GH_TOKEN: ${{ steps.app-token.outputs.token }} the token input is not used if the github app inputs are set + # GH_TOKEN: ${{ steps.app-token.outputs.token }} --> the token input is not used if the github app inputs are set ORGANIZATION: your_organization UPDATE_EXISTING: True GROUP_DEPENDENCIES: True diff --git a/auth.py b/auth.py index a6b0be1..2d3a320 100644 --- a/auth.py +++ b/auth.py @@ -1,8 +1,13 @@ """This is the module that contains functions related to authenticating to GitHub with a personal access token.""" +import logging +import logging.config + import github3 import requests +logging.basicConfig(level=logging.DEBUG) + def auth_to_github( token: str, @@ -10,6 +15,7 @@ def auth_to_github( gh_app_installation_id: int | None, gh_app_private_key_bytes: bytes, ghe: str, + gh_app_enterprise_only: bool, ) -> github3.GitHub: """ Connect to GitHub.com or GitHub Enterprise, depending on env variables. @@ -20,12 +26,13 @@ def auth_to_github( gh_app_installation_id (int | None): the GitHub App Installation ID gh_app_private_key_bytes (bytes): the GitHub App Private Key ghe (str): the GitHub Enterprise URL + gh_app_enterprise_only (bool): Set this to true if the GH APP is created on GHE and needs to communicate with GHE api only Returns: github3.GitHub: the GitHub connection object """ if gh_app_id and gh_app_private_key_bytes and gh_app_installation_id: - if ghe: + if ghe and gh_app_enterprise_only: gh = github3.github.GitHubEnterprise(url=ghe) else: gh = github3.github.GitHub() diff --git a/env.py b/env.py index 74548fc..a347c40 100644 --- a/env.py +++ b/env.py @@ -98,6 +98,7 @@ def get_env_vars( int | None, int | None, bytes, + bool, str, str, list[str], @@ -132,6 +133,7 @@ def get_env_vars( gh_app_id (int | None): The GitHub App ID to use for authentication gh_app_installation_id (int | None): The GitHub App Installation ID to use for authentication gh_app_private_key_bytes (bytes): The GitHub App Private Key as bytes to use for authentication + gh_app_enterprise_only (bool): Set this to true if the GH APP is created on GHE and needs to communicate with GHE api only token (str): The GitHub token to use for authentication ghe (str): The GitHub Enterprise URL to use for authentication exempt_repositories_list (list[str]): A list of repositories to exempt from the action @@ -183,6 +185,7 @@ def get_env_vars( gh_app_id = get_int_env_var("GH_APP_ID") gh_app_private_key_bytes = os.environ.get("GH_APP_PRIVATE_KEY", "").encode("utf8") gh_app_installation_id = get_int_env_var("GH_APP_INSTALLATION_ID") + gh_app_enterprise_only = get_bool_env_var("GITHUB_APP_ENTERPRISE_ONLY") if gh_app_id and (not gh_app_private_key_bytes or not gh_app_installation_id): raise ValueError( @@ -340,6 +343,7 @@ def get_env_vars( gh_app_id, gh_app_installation_id, gh_app_private_key_bytes, + gh_app_enterprise_only, token, ghe, exempt_repositories_list, diff --git a/evergreen.py b/evergreen.py index 422206e..7e45724 100644 --- a/evergreen.py +++ b/evergreen.py @@ -21,6 +21,7 @@ def main(): # pragma: no cover gh_app_id, gh_app_installation_id, gh_app_private_key, + gh_app_enterprise_only, token, ghe, exempt_repositories_list, @@ -46,7 +47,12 @@ def main(): # pragma: no cover # Auth to GitHub.com or GHE github_connection = auth.auth_to_github( - token, gh_app_id, gh_app_installation_id, gh_app_private_key, ghe + token, + gh_app_id, + gh_app_installation_id, + gh_app_private_key, + ghe, + gh_app_enterprise_only, ) if not token and gh_app_id and gh_app_installation_id and gh_app_private_key: diff --git a/test_auth.py b/test_auth.py index 064539e..7a595fe 100644 --- a/test_auth.py +++ b/test_auth.py @@ -18,7 +18,7 @@ def test_auth_to_github_with_token(self, mock_login): """ mock_login.return_value = "Authenticated to GitHub.com" - result = auth.auth_to_github("token", "", "", b"", "") + result = auth.auth_to_github("token", "", "", b"", "", False) self.assertEqual(result, "Authenticated to GitHub.com") @@ -28,7 +28,7 @@ def test_auth_to_github_without_token(self): Expect a ValueError to be raised. """ with self.assertRaises(ValueError) as context_manager: - auth.auth_to_github("", "", "", b"", "") + auth.auth_to_github("", "", "", b"", "", False) the_exception = context_manager.exception self.assertEqual( str(the_exception), @@ -41,10 +41,38 @@ def test_auth_to_github_with_ghe(self, mock_ghe): Test the auth_to_github function when the GitHub Enterprise URL is provided. """ mock_ghe.return_value = "Authenticated to GitHub Enterprise" - result = auth.auth_to_github("token", "", "", b"", "https://github.example.com") + result = auth.auth_to_github( + "token", "", "", b"", "https://github.example.com", False + ) self.assertEqual(result, "Authenticated to GitHub Enterprise") + @patch("github3.github.GitHubEnterprise") + def test_auth_to_github_with_ghe_and_ghe_app(self, mock_ghe): + """ + Test the auth_to_github function when the GitHub Enterprise URL is provided and the app was created in GitHub Enterprise URL. + """ + mock = mock_ghe.return_value + mock.login_as_app_installation = MagicMock(return_value=True) + result = auth.auth_to_github( + "", "123", "123", b"123", "https://github.example.com", True + ) + mock.login_as_app_installation.assert_called_once() + self.assertEqual(result, mock) + + @patch("github3.github.GitHub") + def test_auth_to_github_with_app(self, mock_gh): + """ + Test the auth_to_github function when app credentials are provided + """ + mock = mock_gh.return_value + mock.login_as_app_installation = MagicMock(return_value=True) + result = auth.auth_to_github( + "", "123", "123", b"123", "https://github.example.com", False + ) + mock.login_as_app_installation.assert_called_once() + self.assertEqual(result, mock) + @patch("github3.apps.create_jwt_headers", MagicMock(return_value="gh_token")) @patch("requests.post") def test_get_github_app_installation_token(self, mock_post): diff --git a/test_env.py b/test_env.py index 751a00f..a774214 100644 --- a/test_env.py +++ b/test_env.py @@ -22,6 +22,7 @@ def setUp(self): "GH_APP_ID", "GH_APP_INSTALLATION_ID", "GH_APP_PRIVATE_KEY", + "GITHUB_APP_ENTERPRISE_ONLY", "GH_ENTERPRISE_URL", "GH_TOKEN", "GROUP_DEPENDENCIES", @@ -63,6 +64,7 @@ def test_get_env_vars_with_org(self): None, None, b"", + False, "my_token", "", ["repo4", "repo5"], @@ -113,6 +115,7 @@ def test_get_env_vars_with_org_and_repo_specific_exemptions(self): None, None, b"", + False, "my_token", "", ["repo4", "repo5"], @@ -223,6 +226,7 @@ def test_get_env_vars_with_repos(self): None, None, b"", + False, "my_token", "", ["repo4", "repo5"], @@ -278,6 +282,7 @@ def test_get_env_vars_with_team(self): None, None, b"", + False, "my_token", "", ["repo4", "repo5"], @@ -351,6 +356,7 @@ def test_get_env_vars_optional_values(self): None, None, b"", + False, "my_token", "", [], @@ -395,6 +401,7 @@ def test_get_env_vars_with_update_existing(self): None, None, b"", + False, "my_token", "", [], @@ -453,6 +460,7 @@ def test_get_env_vars_auth_with_github_app_installation(self): 12345, 678910, b"hello", + False, "", "", [], @@ -480,6 +488,58 @@ def test_get_env_vars_auth_with_github_app_installation(self): result = get_env_vars(True) self.assertEqual(result, expected_result) + @patch.dict( + os.environ, + { + "ORGANIZATION": "my_organization", + "GH_APP_ID": "12345", + "GH_APP_INSTALLATION_ID": "", + "GH_APP_PRIVATE_KEY": "", + "GH_TOKEN": "", + }, + clear=True, + ) + def test_get_env_vars_auth_with_github_app_installation_missing_inputs(self): + """Test that an error is raised there are missing inputs for the gh app""" + expected_result = ( + "my_organization", + [], + 12345, + None, + b"", + False, + "", + "", + [], + "pull", + "Enable Dependabot", + "Dependabot could be enabled for this repository. Please enable it by merging " + "this pull request so that we can keep our dependencies up to date and " + "secure.", + "", + False, + "Create/Update dependabot.yaml", + None, + False, + ["internal", "private", "public"], + None, # batch_size + True, # enable_security_updates + [], # exempt_ecosystems + False, # update_existing + {}, # repo_specific_exemptions + "weekly", # schedule + "", # schedule_day + None, # team_name + [], # labels + ) + with self.assertRaises(ValueError) as context_manager: + get_env_vars(True) + the_exception = context_manager.exception + self.assertEqual( + str(the_exception), + "GH_APP_ID set and GH_APP_INSTALLATION_ID or GH_APP_PRIVATE_KEY variable not set", + ) + @patch.dict( os.environ, { @@ -519,6 +579,7 @@ def test_get_env_vars_with_repos_no_dry_run(self): None, None, b"", + False, "my_token", "", [], @@ -563,6 +624,7 @@ def test_get_env_vars_with_repos_disabled_security_updates(self): None, None, b"", + False, "my_token", "", [], @@ -608,6 +670,7 @@ def test_get_env_vars_with_repos_filter_visibility_multiple_values(self): None, None, b"", + False, "my_token", "", [], @@ -653,6 +716,7 @@ def test_get_env_vars_with_repos_filter_visibility_single_value(self): None, None, b"", + False, "my_token", "", [], @@ -728,6 +792,7 @@ def test_get_env_vars_with_repos_filter_visibility_no_duplicates(self): None, None, b"", + False, "my_token", "", [], @@ -774,6 +839,7 @@ def test_get_env_vars_with_repos_exempt_ecosystems(self): None, None, b"", + False, "my_token", "", [], @@ -819,6 +885,7 @@ def test_get_env_vars_with_no_batch_size(self): None, None, b"", + False, "my_token", "", [], @@ -865,6 +932,7 @@ def test_get_env_vars_with_batch_size(self): None, None, b"", + False, "my_token", "", [], @@ -1000,6 +1068,7 @@ def test_get_env_vars_with_valid_schedule_and_schedule_day(self): None, None, b"", + False, "my_token", "", [], @@ -1027,6 +1096,64 @@ def test_get_env_vars_with_valid_schedule_and_schedule_day(self): result = get_env_vars(True) self.assertEqual(result, expected_result) + @patch.dict( + os.environ, + { + "ORGANIZATION": "my_organization", + "GH_TOKEN": "my_token", + "SCHEDULE": "daily", + "SCHEDULE_DAY": "tuesday", + }, + clear=True, + ) + def test_get_env_vars_with_schedule_day_error_when_schedule_not_set(self): + """Test schedule error setting schedule day when schedule is not set""" + with self.assertRaises(ValueError) as context_manager: + get_env_vars(True) + the_exception = context_manager.exception + self.assertEqual( + str(the_exception), + "SCHEDULE_DAY environment variable not needed when SCHEDULE is not 'weekly'", + ) + + @patch.dict( + os.environ, + { + "ORGANIZATION": "my_organization", + "GH_TOKEN": "my_token", + "TYPE": "discussion", + }, + clear=True, + ) + def test_get_env_vars_with_incorrect_type(self): + """Test incorrect type error, should be issue or pull""" + with self.assertRaises(ValueError) as context_manager: + get_env_vars(True) + the_exception = context_manager.exception + self.assertEqual( + str(the_exception), + "TYPE environment variable not 'issue' or 'pull'", + ) + + @patch.dict( + os.environ, + { + "ORGANIZATION": "my_organization", + "GH_TOKEN": "my_token", + "TITLE": "This is a really long title to test if the limit is set to a maximum number of characters supported by github", + }, + clear=True, + ) + def test_get_env_vars_with_long_title(self): + """Test incorrect type error, should be issue or pull""" + with self.assertRaises(ValueError) as context_manager: + get_env_vars(True) + the_exception = context_manager.exception + self.assertEqual( + str(the_exception), + "TITLE environment variable is too long", + ) + @patch.dict( os.environ, { @@ -1044,6 +1171,7 @@ def test_get_env_vars_with_a_valid_label(self): None, None, b"", + False, "my_token", "", [], @@ -1088,6 +1216,7 @@ def test_get_env_vars_with_valid_labels_containing_spaces(self): None, None, b"", + False, "my_token", "", [], From 9972b96763715d422ab56ee9354966ecdf2c48db Mon Sep 17 00:00:00 2001 From: ricardojdsilva87 Date: Thu, 24 Oct 2024 12:00:35 +0100 Subject: [PATCH 7/8] fix: remove logging debug --- auth.py | 5 ----- 1 file changed, 5 deletions(-) diff --git a/auth.py b/auth.py index 2d3a320..840d4eb 100644 --- a/auth.py +++ b/auth.py @@ -1,13 +1,8 @@ """This is the module that contains functions related to authenticating to GitHub with a personal access token.""" -import logging -import logging.config - import github3 import requests -logging.basicConfig(level=logging.DEBUG) - def auth_to_github( token: str, From 6c372ac20ab96af0665292d01a171c30b5d8083c Mon Sep 17 00:00:00 2001 From: ricardojdsilva87 Date: Thu, 24 Oct 2024 13:44:53 +0100 Subject: [PATCH 8/8] feat: add GITHUB_APP_ENTERPRISE_ONLY to .env-example + fix lint issues --- .env-example | 1 + test_env.py | 31 ------------------------------- 2 files changed, 1 insertion(+), 31 deletions(-) diff --git a/.env-example b/.env-example index b26865f..879fcc2 100644 --- a/.env-example +++ b/.env-example @@ -21,3 +21,4 @@ UPDATE_EXISTING = "" GH_APP_ID = "" GH_INSTALLATION_ID = "" GH_PRIVATE_KEY = "" +GITHUB_APP_ENTERPRISE_ONLY = "" diff --git a/test_env.py b/test_env.py index a774214..b93adf4 100644 --- a/test_env.py +++ b/test_env.py @@ -501,37 +501,6 @@ def test_get_env_vars_auth_with_github_app_installation(self): ) def test_get_env_vars_auth_with_github_app_installation_missing_inputs(self): """Test that an error is raised there are missing inputs for the gh app""" - expected_result = ( - "my_organization", - [], - 12345, - None, - b"", - False, - "", - "", - [], - "pull", - "Enable Dependabot", - "Dependabot could be enabled for this repository. Please enable it by merging " - "this pull request so that we can keep our dependencies up to date and " - "secure.", - "", - False, - "Create/Update dependabot.yaml", - None, - False, - ["internal", "private", "public"], - None, # batch_size - True, # enable_security_updates - [], # exempt_ecosystems - False, # update_existing - {}, # repo_specific_exemptions - "weekly", # schedule - "", # schedule_day - None, # team_name - [], # labels - ) with self.assertRaises(ValueError) as context_manager: get_env_vars(True) the_exception = context_manager.exception