check command for GHA setup requirements (#25)

davidcheung · web-flow · commit d6b47915585a · 2021-04-08T16:50:36.000-04:00
custom command to check requirements instead, must exit 0 for apply
to happen, bumped the minimum version due to use of new feature
meaning ran from older zero version it won't pick up the check command
diff --git a/Makefile b/Makefile
@@ -34,7 +34,7 @@ circle_ci_setup:
 	curl -X POST https://circleci.com/api/v1.1/project/github/${GITHUB_ORG}/${GITHUB_REPO}/follow?circle-token=${CIRCLECI_API_KEY}
 
 github_actions_setup:
-	sh scripts/gha-setup.sh
+	sh scripts/gha-setup.sh setup
 
 summary:
 	@echo "zero-deployable-node-backend:"
diff --git a/scripts/check.sh b/scripts/check.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+set -e
+if [[ "${CIVendor}" == "github-actions" ]]; then
+  sh ./scripts/gha-setup.sh check
+elif [[ "${CIVendor}" == "circleci" ]]; then
+  echo "CircleCI checks successful"
+fi
diff --git a/scripts/gha-setup.sh b/scripts/gha-setup.sh
@@ -1,50 +1,71 @@
 #!/bin/bash
+set -e
+
+COMMAND=$1
+
+## Setup variables for checks
+GITHUB_ORG=$(echo ${REPOSITORY} | cut -d "/" -f 2)
+GITHUB_REPO=$(echo ${REPOSITORY} | cut -d "/" -f 3)
+RANDOM_SEED=${randomSeed}
+REGION=${region}
 
 # In order to set project env-vars, we must encrypt secrets
 # Using gh client allows us to set the secret without installing another
 # binary just to encrypt the secrets
-
-# Login GH client
-# GITHUB_ACCESS_TOKEN is injected when zero apply runs
-gh auth login --with-token <<EOF
-$GITHUB_ACCESS_TOKEN
+setup () {
+	# Login GH client
+	# GITHUB_ACCESS_TOKEN is injected when zero apply runs
+	gh auth login --with-token <<EOF
+	$GITHUB_ACCESS_TOKEN
 EOF
 
-gh auth status
-
-AWS_KEY_PAIR=$(aws secretsmanager get-secret-value --region ${REGION} --secret-id=${PROJECT_NAME}-ci-user-aws-keys${RANDOM_SEED})
-AWS_ACCESS_KEY_ID=$(echo ${AWS_KEY_PAIR} | jq -r '.SecretString'| jq -r .access_key_id)
-AWS_SECRET_ACCESS_KEY=$(echo ${AWS_KEY_PAIR} | jq -r '.SecretString'| jq -r .secret_key)
-
-## IMPORTANT: Set secret operates on the nearest .git repo even if you specify a different repository
-pushd $PROJECT_DIR && \
-gh secret set AWS_ACCESS_KEY_ID --repos="$GITHUB_REPO" --body="$AWS_ACCESS_KEY_ID" && \
-gh secret set AWS_SECRET_ACCESS_KEY --repos="$GITHUB_REPO" --body="$AWS_SECRET_ACCESS_KEY" && \
-popd
-
-## Branch Protect for PRs
-## By default we setup Pull-request checks of [lint, unit-test] in `.github/workflows/pull-request.yml`
-## And we will enforce both the checks pass before PR can be merged into default branch
-DEFAULT_BRANCH=master
-curl -XPUT "https://api.github.com/repos/$GITHUB_ORG/$GITHUB_REPO/branches/$DEFAULT_BRANCH/protection" \
---header "Authorization: token $GITHUB_ACCESS_TOKEN" \
---header 'Content-Type: application/json' \
---data '{
-	"required_status_checks": {
-		"strict": false,
-		"contexts": ["unit-test"]
-	},
-	"enforce_admins": false,
-	"required_pull_request_reviews": null,
-	"restrictions": null
-}'
-
-## Rerun github actions workflow, since the first time github action is ran there are no AWS credentials
-## so it will always fail, begining of this script we inject the AWS credentials, therefore now we can rerun the workflow
-MOST_RECENT_RUN_ID=$(curl -XGET --url "https://api.github.com/repos/${GITHUB_ORG}/${GITHUB_REPO}/actions/runs" \
---header "Authorization: token $GITHUB_ACCESS_TOKEN" --header 'Content-Type: application/json' | jq -r ".workflow_runs[0].id")
-## Triggering the rerun
-curl -XPOST --url "https://api.github.com/repos/${GITHUB_ORG}/${GITHUB_REPO}/actions/runs/${MOST_RECENT_RUN_ID}/rerun" \
---header "Authorization: token $GITHUB_ACCESS_TOKEN" --header 'Content-Type: application/json'
-
-echo "Github actions environment variables setup successfully."
+	gh auth status
+
+	AWS_KEY_PAIR=$(aws secretsmanager get-secret-value --region ${REGION} --secret-id=${PROJECT_NAME}-ci-user-aws-keys${RANDOM_SEED})
+	AWS_ACCESS_KEY_ID=$(echo ${AWS_KEY_PAIR} | jq -r '.SecretString'| jq -r .access_key_id)
+	AWS_SECRET_ACCESS_KEY=$(echo ${AWS_KEY_PAIR} | jq -r '.SecretString'| jq -r .secret_key)
+
+	## IMPORTANT: Set secret operates on the nearest .git repo even if you specify a different repository
+	pushd $PROJECT_DIR && \
+	gh secret set AWS_ACCESS_KEY_ID --repos="$GITHUB_REPO" --body="$AWS_ACCESS_KEY_ID" && \
+	gh secret set AWS_SECRET_ACCESS_KEY --repos="$GITHUB_REPO" --body="$AWS_SECRET_ACCESS_KEY" && \
+	popd
+
+	## Branch Protect for PRs
+	## By default we setup Pull-request checks of [lint, unit-test] in `.github/workflows/pull-request.yml`
+	## And we will enforce both the checks pass before PR can be merged into default branch
+	DEFAULT_BRANCH=master
+	curl -XPUT "https://api.github.com/repos/$GITHUB_ORG/$GITHUB_REPO/branches/$DEFAULT_BRANCH/protection" \
+	--header "Authorization: token $GITHUB_ACCESS_TOKEN" \
+	--header 'Content-Type: application/json' \
+	--data '{
+		"required_status_checks": {
+			"strict": false,
+			"contexts": ["unit-test"]
+		},
+		"enforce_admins": false,
+		"required_pull_request_reviews": null,
+		"restrictions": null
+	}'
+
+	## Rerun github actions workflow, since the first time github action is ran there are no AWS credentials
+	## so it will always fail, begining of this script we inject the AWS credentials, therefore now we can rerun the workflow
+	MOST_RECENT_RUN_ID=$(curl -XGET --url "https://api.github.com/repos/${GITHUB_ORG}/${GITHUB_REPO}/actions/runs" \
+	--header "Authorization: token $GITHUB_ACCESS_TOKEN" --header 'Content-Type: application/json' | jq -r ".workflow_runs[0].id")
+	## Triggering the rerun
+	curl -XPOST --url "https://api.github.com/repos/${GITHUB_ORG}/${GITHUB_REPO}/actions/runs/${MOST_RECENT_RUN_ID}/rerun" \
+	--header "Authorization: token $GITHUB_ACCESS_TOKEN" --header 'Content-Type: application/json'
+
+	echo "Github actions environment variables setup successfully."
+}
+
+check () {
+	# Check if required binaries are installed on user's environment
+	sh scripts/required-bins.sh gh
+	# Check github token is able to access this repo
+	curl -s -XGET "https://api.github.com/repos/$GITHUB_ORG/${GITHUB_REPO}" \
+	--header "Authorization: token $GITHUB_ACCESS_TOKEN" --header 'Content-Type: application/json' | jq -e ".name == \"${GITHUB_REPO}\""
+}
+
+echo "Running command $COMMAND"
+$COMMAND
diff --git a/scripts/required-bins.sh b/scripts/required-bins.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+REQUIRED_BINS=$@
+FOUND_BINS=
+MISSING_BINS=
+EXIT_CODE=0
+
+for ((i = 1; i <= $#; i++ )); do
+  if command -v ${!i} > /dev/null; then
+    FOUND_BINS="${FOUND_BINS}${!i} "
+  else
+    EXIT_CODE=1
+    MISSING_BINS="${MISSING_BINS}${!i} "
+  fi
+done
+
+if [[ "$EXIT_CODE" == "0" ]]; then
+  echo "Successfully found binary(s): $FOUND_BINS";exit $EXIT_CODE
+else
+  echo "Missing binary(s): $MISSING_BINS" >&2 ; exit $EXIT_CODE
+fi
diff --git a/zero-module.yml b/zero-module.yml
@@ -1,7 +1,9 @@
 name: zero-deployable-node-backend
 description: 'zero module for a basic backend service running in kubernetes'
 author: 'Commit'
-zeroVersion: '>= 0.1.0'
+zeroVersion: '>= 0.1.1'
+commands:
+  check: sh scripts/check.sh
 
 dependsOn:
 - zero-aws-eks-stack
