Add recommended actions to sourcetool status (#224)

* Tool: Add FindWorkflowPR func

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

* Regenerate fakes

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

* Display existing workflow prs

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

* Add FindPolicyPR function

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

* Add CheckPolicyRepoFork func

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

* Add status suggestions

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

* Add pr/forks integration tests

Signed-off-by: Adolfo Garcia Veytia (puerco) <[email protected]>

---------

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Signed-off-by: Adolfo Garcia Veytia (puerco) <[email protected]>

Author: puerco

sourcetool/internal/cmd/status.go

@@ -96,6 +96,8 @@ sourcetool status myorg/myrepo@mybranch
 
 			cmd.SilenceUsage = true
 
+			actions := []recommendedAction{}
+
 			ctx := context.Background()
 			ghc := ghcontrol.NewGhConnection(opts.owner, opts.repository, opts.branch)
 
@@ -110,11 +112,20 @@ sourcetool status myorg/myrepo@mybranch
 				return err
 			}
 
+			// Get the active repository controls
 			controls, err := srctool.GetRepoControls()
 			if err != nil {
 				return fmt.Errorf("fetching active controls: %w", err)
 			}
 
+			// Check if the user has a fork of the policy repo:
+			policyForkFound, err := srctool.CheckPolicyRepoFork()
+			if err != nil {
+				return fmt.Errorf("checking for a fork of the policy repo: %w", err)
+			}
+
+			// Check if the user has a fork of the repository we want to protect
+
 			// Check if there is a policy:
 			pcy, _, err := policy.NewPolicyEvaluator().GetPolicy(ctx, ghc)
 			if err != nil {
@@ -125,7 +136,7 @@ sourcetool status myorg/myrepo@mybranch
 			toplevel := policy.ComputeEligibleSlsaLevel(controls)
 
 			title := fmt.Sprintf(
-				"SLSA Source Status for %s/%s@%s", opts.owner, opts.repository,
+				"\nSLSA Source Status for %s/%s@%s", opts.owner, opts.repository,
 				ghcontrol.BranchToFullRef(opts.branch),
 			)
 			fmt.Printf("")
@@ -137,14 +148,63 @@ sourcetool status myorg/myrepo@mybranch
 				if slices.Contains(controls.Names(), c) {
 					fmt.Println("✅")
 				} else {
+					//nolint:exhaustive // We don't display all labels here
+					switch c {
+					case slsa.ProvenanceAvailable:
+						prdata, err := srctool.FindWorkflowPR()
+						if err != nil {
+							return err
+						}
+
+						if prdata != nil {
+							fmt.Printf("⏳ (PR %s/%s#%d waiting to merge)\n", prdata.Owner, prdata.Repo, prdata.Number)
+							actions = append(actions, recommendedAction{
+								Text: "Merge provenance workflow pull request",
+							})
+							continue
+						}
+
+						actions = append(actions, recommendedAction{
+							Text:    fmt.Sprintf("Start generating provenance on %s/%s", opts.owner, opts.repository),
+							Command: fmt.Sprintf("sourcetool setup controls --config=CONFIG_PROVENANCE_WORKFLOW %s/%s", opts.owner, opts.repository),
+						})
+					case slsa.ContinuityEnforced:
+						actions = append(actions, recommendedAction{
+							Text:    "Enable branch push/delete protection",
+							Command: fmt.Sprintf("sourcetool setup controls --config=CONFIG_BRANCH_RULES %s/%s", opts.owner, opts.repository),
+						})
+					}
 					fmt.Println("🚫")
 				}
 			}
 
 			fmt.Println("")
 			fmt.Printf("%-35s  ", "Repo policy found:")
 			if pcy == nil {
-				fmt.Println("🚫")
+				prdata, err := srctool.FindPolicyPR()
+				if err != nil {
+					return fmt.Errorf("looking for policy PR: %w", err)
+				}
+
+				if prdata != nil {
+					fmt.Printf("⏳ (PR %s/%s#%d waiting to merge)\n", prdata.Owner, prdata.Repo, prdata.Number)
+					actions = append(actions, recommendedAction{
+						Text: "Wait for policy pull request to merge",
+					})
+				} else {
+					if policyForkFound {
+						actions = append(actions, recommendedAction{
+							Text:    fmt.Sprintf("Create and commit a source policy for %s/%s", opts.owner, opts.repository),
+							Command: fmt.Sprintf("sourcetool setup controls --config=CONFIG_POLICY %s/%s", opts.owner, opts.repository),
+						})
+					} else {
+						actions = append(actions, recommendedAction{
+							Text:    fmt.Sprintf("Create a fork of the SLSA policies repo (%s)", srctool.Options.PolicyRepo),
+							Command: fmt.Sprintf("Open https://github.com/%s/fork", srctool.Options.PolicyRepo),
+						})
+					}
+					fmt.Println("🚫")
+				}
 			} else {
 				fmt.Println("✅")
 			}
@@ -153,9 +213,24 @@ sourcetool status myorg/myrepo@mybranch
 			fmt.Println(w("Current SLSA Source level: " + toplevel))
 			fmt.Println("")
 
+			fmt.Println("Recommended actions:")
+
+			for _, a := range actions {
+				fmt.Printf(" - %s\n", a.Text)
+				if a.Command != "" {
+					fmt.Printf("   > %s\n", a.Command)
+				}
+				fmt.Println()
+			}
+
 			return nil
 		},
 	}
 	opts.AddFlags(statusCmd)
 	parentCmd.AddCommand(statusCmd)
 }
+
+type recommendedAction struct {
+	Text    string
+	Command string
+}

sourcetool/pkg/sourcetool/implementation.go

@@ -16,6 +16,7 @@ import (
 
 	"github.com/carabiner-dev/github"
 	gogit "github.com/go-git/go-git/v5"
+	gogithub "github.com/google/go-github/v69/github"
 	"github.com/sirupsen/logrus"
 	kgithub "sigs.k8s.io/release-sdk/github"
 
@@ -74,6 +75,7 @@ type toolImplementation interface {
 	CheckPolicyFork(*options.Options) error
 	CreatePolicyPR(*options.Options) error
 	CheckForks(*options.Options) error
+	SearchPullRequest(*options.Options, string) (int, error)
 }
 
 type defaultToolImplementation struct{}
@@ -247,6 +249,10 @@ func (impl *defaultToolImplementation) CheckWorkflowFork(opts *options.Options)
 	userForkOrg := opts.UserForkOrg
 	userForkRepo := opts.Repo // For now we only support forks with the same name
 
+	if userForkOrg == "" {
+		return errors.New("unable to check for for, user org not set")
+	}
+
 	if err := kgithub.VerifyFork(
 		fmt.Sprintf("slsa-source-workflow-%d", time.Now().Unix()), userForkOrg, userForkRepo, opts.Owner, opts.Repo,
 	); err != nil {
@@ -336,9 +342,20 @@ func (impl *defaultToolImplementation) CheckPolicyFork(opts *options.Options) er
 	if !ok || policyRepo == "" {
 		return fmt.Errorf("unable to parse policy repository slug")
 	}
+
+	if opts.UserForkOrg == "" {
+		if err := getUserData(opts); err != nil {
+			return err
+		}
+	}
+
 	userForkOrg := opts.UserForkOrg
 	userForkRepo := policyRepo // For now we only support forks with the same name
 
+	if userForkOrg == "" {
+		return errors.New("unable to check for for, user org not set")
+	}
+
 	// Check the user has a fork of the slsa repo
 	if err := kgithub.VerifyFork(
 		fmt.Sprintf("slsa-source-policy-%d", time.Now().Unix()), userForkOrg, userForkRepo, policyOrg, policyRepo,
@@ -439,3 +456,28 @@ func (impl *defaultToolImplementation) CheckForks(opts *options.Options) error {
 	}
 	return errors.Join(errs...)
 }
+
+// SearchPullRequest searches the last pull requests on a repo for one whose
+// title matches the query string
+func (impl *defaultToolImplementation) SearchPullRequest(opts *options.Options, query string) (int, error) {
+	gcx, err := opts.GetGitHubConnection()
+	if err != nil {
+		return 0, err
+	}
+
+	prs, _, err := gcx.Client().PullRequests.List(
+		context.Background(), opts.Owner, opts.Repo, &gogithub.PullRequestListOptions{
+			State: "open",
+		},
+	)
+	if err != nil {
+		return 0, fmt.Errorf("listing pull requests: %w", err)
+	}
+
+	for _, pr := range prs {
+		if strings.Contains(pr.GetTitle(), query) {
+			return pr.GetNumber(), nil
+		}
+	}
+	return 0, nil
+}