chore(CI): Cut Dafny issues on nightly failures (#648)

josecorella · web-flow · commit 3b3cf4a4a954 · 2024-05-10T15:08:26.000-07:00
Description of changes: Automates cutting an issue to dafny-lang/dafny if the nightly build against the latest Dafny prerelease fails. Reuses the same GH token as the semantic release workflows, since that already has more than enough permissions (only public_repo is needed for this action). This is a copy paste from aws/aws-cryptographic-material-providers-library#306 which successfully cut dafny-lang/dafny an issue with dafny-lang/dafny#5391
diff --git a/.github/workflows/library_net_tests.yml b/.github/workflows/library_net_tests.yml
@@ -246,4 +246,4 @@ jobs:
             ESDK_NET_V400_POLICY="forbid" \
             DAFNY_AWS_ESDK_TEST_VECTOR_MANIFEST_PATH="$NET_401_VECTORS/manifest.json" \
             dotnet test --framework net6.0 --logger "console;verbosity=quiet"
-          fi
+          fi
diff --git a/.github/workflows/nighly_dafny.yml b/.github/workflows/nighly_dafny.yml
@@ -31,3 +31,41 @@ jobs:
     with:
       dafny: 'nightly-latest'
       regenerate-code: true
+  
+  cut-issue-on-failure:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    needs:
+      [
+        dafny-nightly-verification,
+        dafny-nightly-net,
+      ]
+    if: ${{ always() && contains(needs.*.result, 'failure') }}
+    steps:
+      # We need access to the role that is able to get CI Bot Creds
+      - name: Configure AWS Credentials for Release
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          aws-region: us-west-2
+          role-to-assume: arn:aws:iam::587316601012:role/GitHub-CI-CI-Bot-Credential-Access-Role-us-west-2
+          role-session-name: Dafny_Issue_Blocker
+
+      # Use AWS Secrets Manger GHA to retrieve CI Bot Creds
+      - name: Get CI Bot Creds Secret
+        uses: aws-actions/aws-secretsmanager-get-secrets@v2
+        with:
+          secret-ids: Github/aws-crypto-tools-ci-bot
+          parse-json-secrets: true
+
+      - name: Create release blocker on dafny-lang/dafny
+        env:
+          GH_TOKEN: ${{ env.GITHUB_AWS_CRYPTO_TOOLS_CI_BOT_ESDK_RELEASE_TOKEN }}
+        run: |
+          gh issue create \
+            --repo "dafny-lang/dafny" \
+            --title "[PRERELEASE REGRESSION] Dafny prerelease regression from ${{ github.repository }}" \
+            --body "Failure in ${{ github.workflow_ref }}. \
+            See ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+
