chore(ci): fix ci run for forked repos (#2777)

monicahq · Jun 16, 2019 · 33fab0d · 33fab0d
1 parent e1509a0
commit 33fab0d
Show file tree

Hide file tree

Showing 12 changed files with 76 additions and 24 deletions.
diff --git a/.azure/azure.sig b/.azure/azure.sig
diff --git a/.azure/build-job.yml b/.azure/build-job.yml
@@ -12,23 +12,31 @@ jobs:
 
 #      SYSTEM_PULLREQUEST_PULLREQUESTID=$(test "$BUILD_SOURCEBRANCHNAME" != "master" -a "greenkeeper[bot]" = "`git log --format="%an" -n 1`" || echo '') GK_LOCK_YARN_OPTS="--ignore-engines" $(yarn global bin)/greenkeeper-lockfile-update
   - bash: |
+      source scripts/ci/fixsecrets.sh
       TRAVIS=true TRAVIS_REPO_SLUG=$BUILD_REPOSITORY_NAME TRAVIS_BRANCH=$SYSTEM_PULLREQUEST_SOURCEBRANCH TRAVIS_PULL_REQUEST=false TRAVIS_JOB_NUMBER=1 GK_LOCK_YARN_OPTS="--ignore-engines" $(yarn global bin)/greenkeeper-lockfile-update
     displayName: 'Update yarn lockfile'
+    env:
+      GH_TOKEN: $(GH_TOKEN)
   - bash: yarn inst
     displayName: 'yarn install'
 #      SYSTEM_PULLREQUEST_PULLREQUESTID=$(test "$BUILD_SOURCEBRANCHNAME" != "master" -a "greenkeeperio-bot" = "`git log --format="%an" -n 1`" || echo '') $(yarn global bin)/greenkeeper-lockfile-upload
   - bash: |
+      source scripts/ci/fixsecrets.sh
       TRAVIS=true TRAVIS_REPO_SLUG=$BUILD_REPOSITORY_NAME TRAVIS_BRANCH=$SYSTEM_PULLREQUEST_SOURCEBRANCH TRAVIS_PULL_REQUEST=false TRAVIS_JOB_NUMBER=1 $(yarn global bin)/greenkeeper-lockfile-upload
       cat gk-lockfile-git-push.err || true
       rm -f gk-lockfile-git-push.err || true
     displayName: 'Upload yarn lockfile'
+    env:
+      GH_TOKEN: $(GH_TOKEN)
 
   # Update js and css assets eventually
   - bash: yarn lint
     displayName: 'Check js and vue lint'
-  - bash: scripts/ci/update-assets.sh
+  - bash: |
+      source scripts/ci/fixsecrets.sh
+      scripts/ci/update-assets.sh
     displayName: 'Update assets'
     env:
+      ASSETS_USERNAME: $(ASSETS_USERNAME)
       ASSETS_EMAIL: $(ASSETS_EMAIL)
-      ASSETS_USERNAME: $(ASSETS_EMAIL)
       ASSETS_GITHUB_TOKEN: $(ASSETS_GITHUB_TOKEN)
diff --git a/.azure/docker-push-bintray-step.yml b/.azure/docker-push-bintray-step.yml
@@ -4,6 +4,6 @@ steps:
     make docker_push_bintray
   displayName: Publish docker image
   env:
+    BINTRAY_DOCKER_URL: monicahq-docker-docker.bintray.io
     BINTRAY_USER: $(BINTRAY_USER)
     BINTRAY_APIKEY: $(BINTRAY_APIKEY)
-    BINTRAY_DOCKER_URL: monicahq-docker-docker.bintray.io
diff --git a/.azure/prepare-environment-step.yml b/.azure/prepare-environment-step.yml
@@ -1,14 +1,19 @@
 steps:
+- bash: |
+    scripts/ci/rebase.sh
+  displayName: 'Rebase sources'
+
 - bash: |
     sudo update-alternatives --set php /usr/bin/php$(phpVersion)
     sudo update-alternatives --set phar /usr/bin/phar$(phpVersion)
     sudo update-alternatives --set phpdbg /usr/bin/phpdbg$(phpVersion)
     sudo update-alternatives --set php-cgi /usr/bin/php-cgi$(phpVersion)
     sudo update-alternatives --set phar.phar /usr/bin/phar.phar$(phpVersion)
     php -version
-  displayName: 'Use PHP version $(phpVersion)'
+  displayName: 'Set php version $(phpVersion)'
+
 - bash: |
     mkdir -p results/coverage
     sed 's/DB_TEST_PASSWORD=/DB_TEST_PASSWORD=root/' scripts/tests/.env.mysql > .env
     touch .sentry-release
-  displayName: Prepare environment
+  displayName: 'Prepare environment'
diff --git a/.azure/runsonar-step.yml b/.azure/runsonar-step.yml
@@ -1,10 +1,10 @@
 steps:
 - bash: |
+    source scripts/ci/fixsecrets.sh
     export SONAR_COVERAGE=$(ls -m ./results/coverage*.xml | sed 's/ //g' | sed ':a;N;$!ba;s/\n//g')
     scripts/tests/runsonar.sh
   displayName: 'Run sonar scanner'
   env:
     SONAR_RESULT: '$(System.DefaultWorkingDirectory)/results/results.xml'
-    GITHUB_TOKEN: $(GITHUB_TOKEN)
     SONAR_TOKEN: $(SONAR_TOKEN)
-    SONAR_VERSION: $(SONAR_VERSION)
+    GITHUB_TOKEN: $(GITHUB_TOKEN)
diff --git a/.azure/sign.sh b/.azure/sign.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+SELF_PATH=$(cd -P -- "$(dirname -- "$0")" && /bin/pwd -P)
+
+cat $SELF_PATH/../azure-pipelines.yml $SELF_PATH/*.yml | gpg -sb -o $SELF_PATH/azure.sig -
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
@@ -1,5 +1,5 @@
 # PHP
-# Test and package your PHP project
+# Test and package your PHP project.
 # Add steps that run tests, save build artifacts, deploy, and more:
 # https://docs.microsoft.com/azure/devops/pipelines/languages/php
 
@@ -27,7 +27,7 @@ variables:
 
 stages:
 - stage: build
-  displayName: 'Build and tests'
+  displayName: 'Build'
   jobs:
   - template: .azure/build-job.yml
 
@@ -101,7 +101,7 @@ stages:
     - template: .azure/runsonar-step.yml
 
 - stage: deploy
-  displayName: Deploy
+  displayName: 'Deploy'
   dependsOn: build
   condition: in(variables['Build.Reason'], 'IndividualCI', 'BatchedCI')
   jobs:
@@ -130,7 +130,7 @@ stages:
         BINTRAY_APIKEY: $(BINTRAY_APIKEY)
 
   - job: deploy_docker_master
-    condition: or(eq(variables['Build.SourceBranch'], 'refs/heads/master'), startsWith(variables['Build.SourceBranch'], 'refs/tags/'))
+    condition: eq(variables['Build.SourceBranch'], 'refs/heads/master')
     pool:
       vmImage: 'ubuntu-latest'
     steps:
@@ -155,6 +155,5 @@ stages:
         curl -X POST $MICROBADGER_WEBHOOK
       displayName: 'Publish docker image'
       env:
-        DOCKER_USER: $(DOCKER_USER)
-        DOCKER_LOGIN: $(DOCKER_LOGIN)
         MICROBADGER_WEBHOOK: $(MICROBADGER_WEBHOOK)
+        DOCKER_LOGIN: $(DOCKER_LOGIN)
diff --git a/scripts/ci/fixsecrets.sh b/scripts/ci/fixsecrets.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+if [ "$SONAR_TOKEN" == "\$(SONAR_TOKEN)" ]; then
+    echo -e "\033[0;36mFix SONAR_TOKEN\033[0;37m"
+    export SONAR_TOKEN=
+fi
+if [ "$GITHUB_TOKEN" == "\$(GITHUB_TOKEN)" ]; then
+    echo -e "\033[0;36mFix GITHUB_TOKEN\033[0;37m"
+    export GITHUB_TOKEN=
+fi
+if [ "$GH_TOKEN" == "\$(GH_TOKEN)" ]; then
+    echo -e "\033[0;36mFix GH_TOKEN\033[0;37m"
+    export GH_TOKEN=
+fi
+if [ "$ASSETS_GITHUB_TOKEN" == "\$(ASSETS_GITHUB_TOKEN)" ]; then
+    echo -e "\033[0;36mFix ASSETS_GITHUB_TOKEN\033[0;37m"
+    export ASSETS_GITHUB_TOKEN=
+fi
diff --git a/scripts/ci/rebase.sh b/scripts/ci/rebase.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# Rebase source on top of based branch
+
+set -evuo pipefail
+
+export GIT_COMMIT=$(git rev-parse --verify "HEAD^2" 2>/dev/null || echo $BUILD_SOURCEVERSION)
+echo "##vso[task.setvariable variable=GIT_COMMIT]$GIT_COMMIT"
+
+git reset --hard "$GIT_COMMIT"
+
+if [[ $BUILD_SOURCEBRANCH == refs/tags/* ]]; then
+  git checkout -q "$BUILD_SOURCEBRANCHNAME"
+elif [ -n "$SYSTEM_PULLREQUEST_SOURCEBRANCH" ]; then
+  git checkout -q -B "$SYSTEM_PULLREQUEST_SOURCEBRANCH"
+fi
+
+git reset --hard "$GIT_COMMIT"
diff --git a/scripts/ci/update-assets.sh b/scripts/ci/update-assets.sh
@@ -35,11 +35,11 @@ REPOSITORY_OWNER=monicahq/monica
 set -euo pipefail
 
 # Update assets
-echo -e "\033[1;32m# Build assets ...\033[0:37m"
-echo -e "\033[1;36mphp artisan lang:generate\033[0:37m"
+echo -e "\033[1;32m# Build assets ...\033[0;37m"
+echo -e "\033[1;36mphp artisan lang:generate\033[0;37m"
 php artisan lang:generate
 echo ""
-echo -e "\033[1;36myarn run production\033[0:37m"
+echo -e "\033[1;36myarn run production\033[0;37m"
 yarn run production
 echo ""
 
@@ -61,7 +61,7 @@ git add public/fonts/*
 # Commit
 if [ -z "${ASSETS_USERNAME:-}" ]; then
   #No username
-  echo -e "\033[0;31mMonica asset are not up to date.\033[0:37m"
+  echo -e "\033[0;31mMonica asset are not up to date.\033[0;37m"
   echo "Please update the Monica assets yourself by running:"
   echo " ~ php artisan lang:generate"
   echo " ~ yarn run production"
@@ -73,7 +73,7 @@ git commit -m "chore(assets): Update assets"
 
 # Push
 if [ "$BRANCH" == "master" ] && [ "$PR_NUMBER" == "false" ]; then
-  echo -e "\033[0;31mmaster is not up to date, but we can't update it directly...\033[0:37m"
+  echo -e "\033[0;31mmaster is not up to date, but we can't update it directly...\033[0;37m"
   exit 0
 
 elif [ -n "${ASSETS_GITHUB_TOKEN:-}" ]; then
@@ -84,12 +84,12 @@ elif [ -n "${ASSETS_GITHUB_TOKEN:-}" ]; then
   PULL_REQUEST_HEADBRANCH=${REPOS_VALUES[1]}
 
   if [ -z "${PULL_REQUEST_REPOSITORY:-}" ] || [ "$PULL_REQUEST_REPOSITORY" == "null" ]; then
-    echo -e "\033[0;31mError with github api call\033[0:37m"
+    echo -e "\033[0;31mError with github api call\033[0;37m"
     exit 1
   elif [ "$PULL_REQUEST_REPOSITORY" == "$REPOSITORY_OWNER" ]; then
     PULL_REQUEST_BRANCH=$PULL_REQUEST_HEADBRANCH
   else
-    echo -e "\033[0;31mMonica asset are not up to date.\033[0:37m"
+    echo -e "\033[0;31mMonica asset are not up to date.\033[0;37m"
     echo "We can't commit in $PULL_REQUEST_REPOSITORY to update them directly."
     echo "Please update the Monica assets yourself by running:"
     echo " ~ php artisan lang:generate"

diff --git a/scripts/tests/runsonar.sh b/scripts/tests/runsonar.sh
@@ -26,8 +26,9 @@ elif [ "$TF_BUILD" == "True" ]; then
   BRANCH=${SYSTEM_PULLREQUEST_SOURCEBRANCH:-$BUILD_SOURCEBRANCHNAME}
   PR_NUMBER=${SYSTEM_PULLREQUEST_PULLREQUESTNUMBER:-false}
   BUILD_NUMBER=$BUILD_BUILDNUMBER
-  GIT_COMMIT=$(git rev-parse --verify "HEAD^2" 2>/dev/null || echo $BUILD_SOURCEVERSION)
-  RUNREVPARSE=true
+  if [[ -z $GIT_COMMIT ]]; then
+    GIT_COMMIT=$(git rev-parse --verify "HEAD^2" 2>/dev/null || echo $BUILD_SOURCEVERSION)
+  fi
 elif [[ -n $BUILD_NUMBER ]]; then
   echo "CHANGE_ID=$CHANGE_ID"
   echo "CHANGE_URL=$CHANGE_URL"
@@ -56,7 +57,7 @@ function installSonar {
   # set version of sonar scanner to use :
   sonarversion=${SONAR_VERSION:-}
   if [ -z "${sonarversion:-}" ]; then
-    sonarversion=3.2.0.1227
+    sonarversion=3.3.0.1492
   fi
   echo "== Using sonarscanner $sonarversion"
 
@@ -116,7 +117,7 @@ function gitFetch {
 }
 
 function getSonarlauncher {
-  sonarlauncherversion=0.5.0
+  sonarlauncherversion=0.6.0
   mkdir -p ~/sonarlauncher
   pushd ~/sonarlauncher > /dev/null
   if [ ! -d "$sonarlauncherversion" ]; then

diff --git a/scripts/tests/runsonar.sh.sig b/scripts/tests/runsonar.sh.sig