Testing External PR (Github App) (#1064)

* Initial testing setup for external prs

* updates to load priv key from base64

* attempt to setup local supabase

* fix

* more supabase testing

* fix

* update ignore

* fix

* Add inline docs

* additional testing for external-prs lib

* add CODEOWNERS

.github/CODEOWNERS

@@ -0,0 +1,3 @@
+# Any changes to .github should trigger require one of the ops team to review
+.github/* @opensource-observer/ops
+ops/* @opensource-observer/ops

.github/scripts/run-supabase-local.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+set -euo pipefail
+
+cd "$1"
+
+pnpm supabase start
+export $(pnpm supabase status -o env | xargs)
+echo "SUPABASE_SERVICE_KEY=$SERVICE_ROLE_KEY" >> $GITHUB_ENV
+echo "SUPABASE_JWT_SECRET=$JWT_SECRET" >> $GITHUB_ENV 
+echo "NEXT_PUBLIC_SUPABASE_URL=$API_URL" >> $GITHUB_ENV
+echo "NEXT_PUBLIC_SUPABASE_ANON_KEY=$ANON_KEY" >> $GITHUB_ENV

.github/workflows/ci-default.yml

@@ -12,16 +12,13 @@ env:
   NEXT_PUBLIC_DOMAIN: ${{ vars.NEXT_PUBLIC_DOMAIN }}
   NEXT_PUBLIC_DB_GRAPHQL_URL: ${{ vars.NEXT_PUBLIC_DB_GRAPHQL_URL }}
   OSO_API_KEY: ${{ secrets.OSO_API_KEY }}
-  NEXT_PUBLIC_SUPABASE_URL: ${{ vars.NEXT_PUBLIC_SUPABASE_URL }}
-  NEXT_PUBLIC_SUPABASE_ANON_KEY: ${{ secrets.NEXT_PUBLIC_SUPABASE_ANON_KEY }}
-  SUPABASE_SERVICE_KEY: ${{ secrets.SUPABASE_SERVICE_KEY }}
-  SUPABASE_JWT_SECRET: ${{ secrets.SUPABASE_JWT_SECRET }}
-  NEXT_PUBLIC_ALGOLIA_APPLICATION_ID: ${{ vars.NEXT_PUBLIC_ALGOLIA_APPLICATION_ID }}}
+  NEXT_PUBLIC_ALGOLIA_APPLICATION_ID: ${{ vars.NEXT_PUBLIC_ALGOLIA_APPLICATION_ID }}
   NEXT_PUBLIC_ALGOLIA_API_KEY: ${{ secrets.NEXT_PUBLIC_ALGOLIA_API_KEY }}
   NEXT_PUBLIC_ALGOLIA_INDEX: ${{ vars.NEXT_PUBLIC_ALGOLIA_INDEX }}
   NEXT_PUBLIC_FEEDBACK_FARM_ID: ${{ vars.NEXT_PUBLIC_FEEDBACK_FARM_ID }}
   # Indexer variables
-  DB_APPLICATION_NAME: oso-ci
+  X_GITHUB_GRAPHQL_API: ${{ vars.X_GITHUB_GRAPHQL_API }}
+  X_GITHUB_TOKEN: ${{ secrets.X_GITHUB_TOKEN }}
   GOOGLE_PROJECT_ID: "opensource-observer"
 
   # should not be set to a legitimate value for testing. This will use up API
@@ -99,6 +96,10 @@ jobs:
         run: |
           bash .github/scripts/create-dbt-profile.sh ${GOOGLE_APPLICATION_CREDENTIALS}
 
+      - name: Run supabase local
+        run: |
+          bash .github/scripts/run-supabase-local.sh apps/frontend 
+
       - name: Build
         run: |
           pnpm build

.gitignore

@@ -59,3 +59,7 @@ dbt_packages/
 
 # Python
 *.pyc
+
+supabase/.temp/
+**/supabase/.temp/
+*/**/supabase/.temp/

apps/frontend/supabase/migrations/20240209235914_hasura_claim.sql

@@ -1,6 +1,10 @@
 --- Creates an auth hook to insert hasura custom claims into JWT tokens
 --- See https://supabase.com/docs/guides/auth/auth-hooks?language=add-admin-role#hook-custom-access-token
 
+-- This command is required for local supabase which we use on our github
+-- actions. The local supabase doesn't automatically enable the plv8 extension.
+create extension if not exists plv8;
+
 create or replace function public.hasura_token_hook(event jsonb)
 returns jsonb
 language plv8

ops/external-prs/.eslintrc.json

@@ -0,0 +1,7 @@
+{
+  "extends": ["../../.eslintrc.js"],
+  "root": false,
+  "parserOptions": {
+    "project": ["./ops/external-prs/tsconfig.json"]
+  }
+}

ops/external-prs/README.md

@@ -0,0 +1,5 @@
+# External PRs
+
+A Github App that allows us to accept external PRs by enabling PR checks by an
+out of band process. We need this because some of the checks require _some_ form
+of authentication.

ops/external-prs/package.json

@@ -0,0 +1,35 @@
+{
+  "name": "@opensource-observer/ops-external-prs",
+  "version": "0.0.1",
+  "description": "External PRs github app for OSO",
+  "author": "Kariba Labs",
+  "license": "Apache-2.0",
+  "private": true,
+  "main": "./dist/src/index.js",
+  "types": "./dist/src/index.d.ts",
+  "type": "module",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/opensource-observer/oso.git"
+  },
+  "engines": {
+    "node": ">=20"
+  },
+  "scripts": {
+    "build": "tsc",
+    "lint": "tsc --noEmit && pnpm lint:eslint && pnpm lint:prettier",
+    "lint:eslint": "eslint --ignore-path ../../.gitignore --max-warnings 0 .",
+    "lint:prettier": "prettier --ignore-path ../../.gitignore --log-level warn --check **/*.{js,jsx,ts,tsx,sol,md,json}"
+  },
+  "keywords": [],
+  "devDependencies": {
+    "@types/node": "^20.11.17",
+    "dotenv": "^16.4.1",
+    "ts-node": "^10.9.1",
+    "typescript": "^5.3.3"
+  },
+  "dependencies": {
+    "octokit": "^3.1.0",
+    "yaml": "^2.3.1"
+  }
+}

ops/external-prs/src/index.ts

@@ -0,0 +1,52 @@
+import { App } from "octokit";
+import dotenv from "dotenv";
+
+dotenv.config();
+
+async function main() {
+  const APP_TO_CHECK = process.env.APP_TO_CHECK;
+  const SHA_TO_CHECK = process.env.SHA_TO_CHECK;
+
+  const buf = Buffer.from(process.env.APP_PRIVATE_KEY!, "base64"); // Ta-da
+
+  const app = new App({
+    appId: process.env.APP_ID!,
+    privateKey: buf.toString("utf-8"),
+  });
+
+  const { data } = await app.octokit.request("/app");
+  console.log(`Authenticated as ${data.name}`);
+
+  for await (const { installation } of app.eachInstallation.iterator()) {
+    for await (const { octokit, repository } of app.eachRepository.iterator({
+      installationId: installation.id,
+    })) {
+      console.log(repository.name);
+      if (repository.name !== APP_TO_CHECK) {
+        continue;
+      }
+      const resp = await octokit.request(
+        "POST /repos/{owner}/{repo}/check-runs",
+        {
+          owner: repository.owner.login,
+          repo: repository.name,
+          data: {
+            name: "test-deployment2",
+            head_sha: SHA_TO_CHECK,
+            status: "completed",
+            conclusion: "success",
+            output: {
+              title: "test-deployment2",
+              summary: "This is some summary",
+            },
+          },
+        },
+      );
+      console.log(resp);
+    }
+  }
+}
+
+main().catch((e) => {
+  console.log(e);
+});

ops/external-prs/tsconfig.json

@@ -0,0 +1,21 @@
+{
+  "compilerOptions": {
+    "outDir": "dist",
+    "target": "ES6",
+    "module": "NodeNext",
+    "moduleResolution": "NodeNext",
+    "declaration": true,
+    "declarationMap": true,
+    "esModuleInterop": true,
+    "emitDecoratorMetadata": true,
+    "experimentalDecorators": true,
+    "noImplicitAny": true,
+    "resolveJsonModule": true,
+    "skipLibCheck": true,
+    "strict": true,
+    "strictNullChecks": true,
+    "strictPropertyInitialization": false,
+  },
+  "exclude": ["node_modules"],
+  "include": ["./src/*.ts", "./src/**/*.ts", "./test"],
+}

package.json

@@ -12,6 +12,7 @@
   "scripts": {
     "build": "turbo run build --concurrency=100%",
     "build:cloudquery": "turbo run build --filter=@opensource-observer/cloudquery-*",
+    "build:ops": "turbo run build --filter=@opensource-observer/ops-*",
     "build:docs": "turbo run build --filter=@opensource-observer/docs",
     "build:frontend": "turbo run build --filter=@opensource-observer/frontend",
     "build:hasura": "turbo run build --filter=@opensource-observer/hasura",