xref: /openssl/.github/workflows/fips-label.yml (revision d1777546)
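# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

# Adds or removes the 'severity: fips change' and 'severity: ABI change'
# labels on a pull request, driven by marker files found in the artifacts
# uploaded by the "FIPS Check and ABIDIFF" workflow.
#
# Trust boundary: the job below holds a token with pull-requests: write,
# while the artifacts it consumes come from a run that was triggered by a
# pull request.  Everything inside those artifacts (file names, pr_num) is
# therefore untrusted input: it is never executed, and values read from it
# are validated before they reach the API.

name: FIPS and ABI Changed Label
on:
  workflow_run:
    workflows: ["FIPS Check and ABIDIFF"]
    types:
      - completed

# Default for every job; apply-label widens it only as far as it needs.
permissions:
  contents: read

jobs:
  apply-label:
    permissions:
      actions: read
      pull-requests: write
    runs-on: ubuntu-latest
    if: ${{ github.event.workflow_run.event == 'pull_request' }}
    steps:
      # NOTE(review): actions/github-script is referenced by the mutable v7
      # tag in every step below; pinning to a full commit SHA would protect
      # this write-capable job against a retargeted tag.
      - name: 'Download fipscheck artifact'
        if: ${{ github.event.workflow_run.conclusion == 'success' }}
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const path = require('path');
            // The run id is taken from the event payload rather than being
            // interpolated into the script text.
            const artifacts = await github.rest.actions.listWorkflowRunArtifacts({
              owner: context.repo.owner,
              repo: context.repo.repo,
              run_id: context.payload.workflow_run.id,
            });
            const matchArtifact = artifacts.data.artifacts.find(
              (artifact) => artifact.name === 'fips_checksum');
            // Fail with a readable message instead of a TypeError below.
            if (!matchArtifact) {
              throw new Error('fips_checksum artifact not found');
            }
            const download = await github.rest.actions.downloadArtifact({
              owner: context.repo.owner,
              repo: context.repo.repo,
              artifact_id: matchArtifact.id,
              archive_format: 'zip',
            });
            fs.writeFileSync(
              path.join(process.env.GITHUB_WORKSPACE, 'artifact.zip'),
              Buffer.from(download.data));
      # The archive content is untrusted; later steps only test for marker
      # files and parse pr_num, nothing extracted is executed.
      - name: 'Unpack fipscheck artifact'
        run: unzip artifact.zip
        if: ${{ github.event.workflow_run.conclusion == 'success' }}
      - name: 'Check artifact and apply'
        if: ${{ github.event.workflow_run.conclusion == 'success' }}
        uses: actions/github-script@v7
        with:
          github-token: ${{secrets.GITHUB_TOKEN}}
          script: |
            const fs = require('fs');
            const fipsLabel = 'severity: fips change';
            // pr_num is supplied by the artifact producer, so accept only a
            // positive integer before using it as an issue number.
            // NOTE(review): a stronger check would confirm that this PR's
            // head commit equals the triggering run's head_sha, so a run
            // cannot name an unrelated pull request.
            const pr_num = Number(fs.readFileSync('./pr_num', 'utf8').trim());
            if (!Number.isSafeInteger(pr_num) || pr_num <= 0) {
              throw new Error('pr_num in artifact is not a valid PR number');
            }
            if (fs.existsSync('./fips_changed')) {
              // Awaited so that an API failure fails the step.
              await github.rest.issues.addLabels({
                issue_number: pr_num,
                owner: context.repo.owner,
                repo: context.repo.repo,
                labels: [fipsLabel]
              });
            } else if (fs.existsSync('./fips_unchanged')) {
              const labels = await github.rest.issues.listLabelsOnIssue({
                issue_number: pr_num,
                owner: context.repo.owner,
                repo: context.repo.repo
              });
              // Remove the label only when it is currently set.
              if (labels.data.some((entry) => entry.name === fipsLabel)) {
                await github.rest.issues.removeLabel({
                  issue_number: pr_num,
                  owner: context.repo.owner,
                  repo: context.repo.repo,
                  name: fipsLabel
                });
              }
            }
      # Guarded like the other steps and tolerant of missing files, so a
      # non-successful triggering run does not fail this job on rm.
      - name: 'Cleanup artifact'
        if: ${{ github.event.workflow_run.conclusion == 'success' }}
        run: rm -f artifact.zip pr_num

      - name: 'Download abidiff artifact'
        if: ${{ github.event.workflow_run.conclusion == 'success' }}
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const path = require('path');
            const artifacts = await github.rest.actions.listWorkflowRunArtifacts({
              owner: context.repo.owner,
              repo: context.repo.repo,
              run_id: context.payload.workflow_run.id,
            });
            const matchArtifact = artifacts.data.artifacts.find(
              (artifact) => artifact.name === 'abidiff');
            if (!matchArtifact) {
              throw new Error('abidiff artifact not found');
            }
            const download = await github.rest.actions.downloadArtifact({
              owner: context.repo.owner,
              repo: context.repo.repo,
              artifact_id: matchArtifact.id,
              archive_format: 'zip',
            });
            fs.writeFileSync(
              path.join(process.env.GITHUB_WORKSPACE, 'artifact.zip'),
              Buffer.from(download.data));
      - name: 'Unpack abidiff artifact'
        run: unzip artifact.zip
        if: ${{ github.event.workflow_run.conclusion == 'success' }}
      - name: 'Check artifact and apply'
        if: ${{ github.event.workflow_run.conclusion == 'success' }}
        uses: actions/github-script@v7
        with:
          github-token: ${{secrets.GITHUB_TOKEN}}
          script: |
            const fs = require('fs');
            const abiLabel = 'severity: ABI change';
            // Same validation as for the fipscheck artifact: pr_num is
            // untrusted and must be a positive integer.
            const pr_num = Number(fs.readFileSync('./pr_num', 'utf8').trim());
            if (!Number.isSafeInteger(pr_num) || pr_num <= 0) {
              throw new Error('pr_num in artifact is not a valid PR number');
            }
            if (fs.existsSync('./abi_changed')) {
              await github.rest.issues.addLabels({
                issue_number: pr_num,
                owner: context.repo.owner,
                repo: context.repo.repo,
                labels: [abiLabel]
              });
            } else if (fs.existsSync('./abi_unchanged')) {
              const labels = await github.rest.issues.listLabelsOnIssue({
                issue_number: pr_num,
                owner: context.repo.owner,
                repo: context.repo.repo
              });
              // Fix: remove the ABI label here. The previous code matched
              // on the ABI label but then removed 'severity: fips change'.
              if (labels.data.some((entry) => entry.name === abiLabel)) {
                await github.rest.issues.removeLabel({
                  issue_number: pr_num,
                  owner: context.repo.owner,
                  repo: context.repo.repo,
                  name: abiLabel
                });
              }
            }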