wip: migrate permissions-report to infra.ci

Signed-off-by: Damien Duportal <damien.duportal@gmail.com>
jenkins-infra · Apr 7, 2022 · 5180cef · 5180cef
1 parent e5ff4ed
commit 5180cef
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 13 deletions.
diff --git a/permissions-report/Dockerfile b/permissions-report/Dockerfile
diff --git a/permissions-report/Jenkinsfile b/permissions-report/Jenkinsfile
@@ -0,0 +1,44 @@
+@Library('pipeline-library@pull/348/head') _
+
+pipeline {
+	triggers {
+    // Execute once per day
+		cron('@daily')
+	}
+	options {
+		// This pipeline takes 6-7 hours max to execute
+		timeout(time: 10, unit: 'HOURS')
+    lock(resource: 'infra-reports-github-permissions', inversePrecedence: true)
+	}
+	agent {
+    kubernetes {
+      yamlFile 'JenkinsAgentPodTemplate.yaml'
+    }
+  }
+	stages {
+    stage('Generate GitHub Permissions Report') {
+      environment {
+        GITHUB_AUTH = credentials('jenkins-infra-reports')
+        /**
+        The error "graphql-<version>/lib/graphql/schema/loader.rb:17:in `fetch': key not found: "data" (KeyError)"
+        means that the connection to GitHub GraphQL API failed (usually bad authentication)
+        **/
+      }
+      steps {
+        dir('permissions-report') {
+          // Requires $GITHUB_AUTH_PSW to hold an IAT (github installation access token) valid for 1 hour, or a PAT
+          // Requires $GITHUB_AUTH_USR to hold the GitHub App ID, or the username (if using a PAT)
+          sh 'ruby ./permissions-report.rb > github-jenkinsci-permissions-report.json'
+          archiveArtifacts 'github-jenkinsci-permissions-report.json'
+        }
+      }
+		}
+    stage('Publish Report') {
+      steps {
+        dir('permissions-report') {
+          publishReports ([ 'github-jenkinsci-permissions-report.json' ])
+        }
+      }
+		}
+	}
+}
diff --git a/permissions-report/permissions-report.rb b/permissions-report/permissions-report.rb
@@ -11,14 +11,14 @@
 require 'base64'
 
 # Expects that the private key in PEM format. Converts the newlines
-if ENV['GITHUB_APP_PRIVATE_KEY_B64'] == '' then
+if ENV['GITHUB_AUTH_PSW'] == '' then
   abort "Error: the environment variable GITHUB_APP_PRIVATE_KEY_B64 is empty."
 else
   PRIVATE_KEY = OpenSSL::PKey::RSA.new(Base64.decode64(ENV['GITHUB_APP_PRIVATE_KEY_B64']).gsub('\n', "\n"))
 end
 
 # The GitHub App's identifier (type integer) set when registering an app.
-APP_IDENTIFIER = ENV['GITHUB_APP_ID']
+APP_IDENTIFIER = ENV['GITHUB_AUTH_USR']
 if APP_IDENTIFIER == '' then
   abort "Error: the environment variable GITHUB_APP_ID is empty."
 end
@@ -57,7 +57,7 @@ def get_auth_token
       # Your GitHub App's identifier number
       iss: APP_IDENTIFIER
   }
-  
+
   # Cryptographically sign the JWT.
   jwt = "Bearer #{JWT.encode(payload, PRIVATE_KEY, 'RS256')}"
 
@@ -78,7 +78,7 @@ def get_auth_token
   else
     abort "Error: no Github App installation for the organization #{GITHUB_ORG_NAME}"
   end
-  
+
   # Retrieve the Installation Access Token of the Github App (ref: https://docs.github.com/en/rest/reference/apps#create-an-installation-access-token-for-an-app)
   response = HTTParty.post("https://api.github.com/app/installations/#{installationId}/access_tokens", :headers => {
     'Authorization' => jwt,