xref: /openssl/.github/workflows/fips-label.yml (revision 27af422b) 
1# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
2#
3# Licensed under the Apache License 2.0 (the "License").  You may not use
4# this file except in compliance with the License.  You can obtain a copy
5# in the file LICENSE in the source distribution or at
6# https://www.openssl.org/source/license.html
7
8name: FIPS and ABI Changed Label
9on:
10  workflow_run:
11    workflows: ["FIPS Check and ABIDIFF"]
12    types:
13      - completed
14
15permissions:
16  contents: read
17
18jobs:
19  apply-label:
20    permissions:
21      actions: read
22      pull-requests: write
23    runs-on: ubuntu-latest
24    if: ${{ github.event.workflow_run.event == 'pull_request' }}
25    steps:
26      - name: 'Download fipscheck artifact'
27        if: ${{ github.event.workflow_run.conclusion == 'success' }}
28        uses: actions/github-script@v7
29        with:
30          script: |
31            var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
32               owner: context.repo.owner,
33               repo: context.repo.repo,
34               run_id: ${{github.event.workflow_run.id }},
35            });
36            var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
37              return artifact.name == "fips_checksum"
38            })[0];
39            var download = await github.rest.actions.downloadArtifact({
40               owner: context.repo.owner,
41               repo: context.repo.repo,
42               artifact_id: matchArtifact.id,
43               archive_format: 'zip',
44            });
45            var fs = require('fs');
46            fs.writeFileSync('${{github.workspace}}/artifact.zip', Buffer.from(download.data));
47      - run: unzip artifact.zip
48        if: ${{ github.event.workflow_run.conclusion == 'success' }}
49      - name: 'Check artifact and apply'
50        if: ${{ github.event.workflow_run.conclusion == 'success' }}
51        uses: actions/github-script@v7
52        with:
53          github-token: ${{secrets.GITHUB_TOKEN}}
54          script: |
55            var fs = require('fs');
56            var pr_num = Number(fs.readFileSync('./pr_num'));
57            if ( fs.existsSync('./fips_changed') ) {
58              github.rest.issues.addLabels({
59                issue_number: pr_num,
60                owner: context.repo.owner,
61                repo: context.repo.repo,
62                labels: ['severity: fips change']
63              });
64            } else if ( fs.existsSync('./fips_unchanged') ) {
65              var labels = await github.rest.issues.listLabelsOnIssue({
66                issue_number: pr_num,
67                owner: context.repo.owner,
68                repo: context.repo.repo
69              });
70
71              for ( var label in labels.data ) {
72                if (labels.data[label].name == 'severity: fips change') {
73                  github.rest.issues.removeLabel({
74                    issue_number: pr_num,
75                    owner: context.repo.owner,
76                    repo: context.repo.repo,
77                    name: 'severity: fips change'
78                  });
79                }
80              }
81            }
82      - name: 'Cleanup artifact'
83        if: ${{ github.event.workflow_run.conclusion == 'success' }}
84        run: rm artifact.zip pr_num
85
86      - name: 'Download abidiff artifact'
87        if: ${{ github.event.workflow_run.conclusion == 'success' }}
88        uses: actions/github-script@v7
89        with:
90          script: |
91            var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
92               owner: context.repo.owner,
93               repo: context.repo.repo,
94               run_id: ${{github.event.workflow_run.id }},
95            });
96            var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
97              return artifact.name == "abidiff"
98            })[0];
99            var download = await github.rest.actions.downloadArtifact({
100               owner: context.repo.owner,
101               repo: context.repo.repo,
102               artifact_id: matchArtifact.id,
103               archive_format: 'zip',
104            });
105            var fs = require('fs');
106            fs.writeFileSync('${{github.workspace}}/artifact.zip', Buffer.from(download.data));
107      - run: unzip artifact.zip
108        if: ${{ github.event.workflow_run.conclusion == 'success' }}
109      - name: 'Check artifact and apply'
110        if: ${{ github.event.workflow_run.conclusion == 'success' }}
111        uses: actions/github-script@v7
112        with:
113          github-token: ${{secrets.GITHUB_TOKEN}}
114          script: |
115            var fs = require('fs');
116            var pr_num = Number(fs.readFileSync('./pr_num'));
117            if ( fs.existsSync('./abi_changed') ) {
118              github.rest.issues.addLabels({
119                issue_number: pr_num,
120                owner: context.repo.owner,
121                repo: context.repo.repo,
122                labels: ['severity: ABI change']
123              });
124            } else if ( fs.existsSync('./abi_unchanged') ) {
125              var labels = await github.rest.issues.listLabelsOnIssue({
126                issue_number: pr_num,
127                owner: context.repo.owner,
128                repo: context.repo.repo
129              });
130
131              for ( var label in labels.data ) {
132                if (labels.data[label].name == 'severity: ABI change') {
133                  github.rest.issues.removeLabel({
134                    issue_number: pr_num,
135                    owner: context.repo.owner,
136                    repo: context.repo.repo,
137                    name: 'severity: fips change'
138                  });
139                }
140              }
141            }
142