example-database-security/.github/workflows/1-bb-masking-semantic-type-global.yml at main · bytebase/example-database-security · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
name: Bytebase Masking Policy Update Semantic Type and Global Masking Rule
on:
  pull_request:
    types: [closed]
    branches:
      - main
  workflow_dispatch:

jobs:
  bytebase-masking-semantic-type-global:
    if: github.event.pull_request.merged == true
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
      issues: write
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0

      - name: Login Bytebase
        id: bytebase-login
        uses: bytebase/login-action@0.0.2
        with:
          bytebase-url: ${{ secrets.BYTEBASE_URL }}
          service-key: ${{ secrets.BYTEBASE_SERVICE_KEY }}
          service-secret: ${{ secrets.BYTEBASE_SERVICE_SECRET }}

      - name: Debug Bytebase Login Outputs
        run: |
          echo "Bytebase Login Outputs:"
          echo "${{ toJSON(steps.bytebase-login.outputs) }}"

      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v42
        with:
          files: |
            masking/semantic-type.json
            masking/global-masking-rule.json
          since_last_remote_commit: true
          fetch_depth: 0
          include_all_old_new_renamed_files: true

      - name: Debug changed files
        run: |
          echo "All changed and added files:"
          echo "Modified files: ${{ steps.changed-files.outputs.modified_files }}"
          echo "Added files: ${{ steps.changed-files.outputs.added_files }}"
          echo "All changes: ${{ steps.changed-files.outputs.all_changed_files }}"

      - name: Debug changed files in detail
        run: |
          echo "All changed files:"
          echo "${{ steps.changed-files.outputs.all_changed_files }}"
          echo "Contains semantic-type.json: ${{ contains(steps.changed-files.outputs.all_changed_files, 'semantic-type.json') }}"
          echo "Contains global-masking-rule.json: ${{ contains(steps.changed-files.outputs.all_changed_files, 'global-masking-rule.json') }}"
          echo "Raw output:"
          echo "${{ toJSON(steps.changed-files.outputs) }}"

      - name: Apply semantic type
        id: apply-semantic-type
        if: ${{ steps.changed-files.outputs.any_changed == 'true' && contains(steps.changed-files.outputs.all_changed_files, 'semantic-type.json') }}
        run: |
          CHANGED_FILE="masking/semantic-type.json"
          echo "Processing: $CHANGED_FILE"

          # Check if file exists
          if [ ! -f "$CHANGED_FILE" ]; then
            echo "Error: $CHANGED_FILE does not exist"
            exit 1
          fi

          # Print file content for debugging
          echo "File content:"
          cat "$CHANGED_FILE"

          response=$(curl -s -w "\n%{http_code}" --request PATCH "${{ steps.bytebase-login.outputs.api_url }}/settings/bb.workspace.semantic-types" \
            --header "Authorization: Bearer ${{ steps.bytebase-login.outputs.token }}" \
            --header "Content-Type: application/json" \
            --data @"$CHANGED_FILE")

          # Extract status code and response body
          status_code=$(echo "$response" | tail -n1)
          body=$(echo "$response" | sed '$d')

          # Save outputs for GitHub Actions
          echo "status_code=${status_code}" >> $GITHUB_OUTPUT
          echo "response_body<<EOF" >> $GITHUB_OUTPUT
          echo "${body}" >> $GITHUB_OUTPUT
          echo "EOF" >> $GITHUB_OUTPUT

          echo "Status Code: ${status_code}"
          echo "Response Body: ${body}"

          if [[ $status_code -lt 200 || $status_code -ge 300 ]]; then
            echo "Failed with status code: $status_code"
            echo "Response body: ${body}"
            exit 1
          fi

      - name: Apply global masking rule
        id: apply-global-masking-rule
        if: ${{ steps.changed-files.outputs.any_changed == 'true' && contains(steps.changed-files.outputs.all_changed_files, 'global-masking-rule.json') }}
        run: |
          CHANGED_FILE="masking/global-masking-rule.json"
          echo "Processing: $CHANGED_FILE"

          response=$(curl -s -w "\n%{http_code}" --request PATCH "${{ steps.bytebase-login.outputs.api_url }}/policies/masking_rule?allow_missing=true&update_mask=payload" \
            --header "Authorization: Bearer ${{ steps.bytebase-login.outputs.token }}" \
            --data @"$CHANGED_FILE")

          # Extract status code and response body
          status_code=$(echo "$response" | tail -n1)
          body=$(echo "$response" | sed '$d')

          echo "status_code=${status_code}" >> $GITHUB_OUTPUT
          echo "response_body<<EOF" >> $GITHUB_OUTPUT
          echo "${body}" >> $GITHUB_OUTPUT
          echo "EOF" >> $GITHUB_OUTPUT

          echo "status_code=${status_code}"
          echo "response_body=${body}"

          if [[ $status_code -lt 200 || $status_code -ge 300 ]]; then
            echo "Failed with status code: $status_code"
            exit 1
          fi

      - name: Comment on PR
        uses: actions/github-script@v7
        env:
          CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
        with:
          script: |
            const changedFiles = process.env.CHANGED_FILES || '';
            let commentBody = `### Update Semantic Type and Global Masking Rule Summary\n\n`;

            // Add status of merge
            commentBody += `✅ **PR Status:** Merged\n\n`;

            // Add changed files section
            commentBody += `📝 **Changed Files:**\n\n`;
            if (changedFiles.trim()) {
              commentBody += changedFiles.split(' ').map(f => `- ${f}`).join('\n');
            } else {
              commentBody += `None`;
            }
            commentBody += '\n\n';

            // Add API calls summary
            commentBody += `🔄 **API Calls:**\n\n`;
            let apiCallsFound = false;

            if (changedFiles.includes('semantic-type.json')) {
              const status = ${{ toJSON(steps.apply-semantic-type.outputs) }}.status_code;
              if (status) {
                apiCallsFound = true;
                const success = status >= 200 && status < 300;
                commentBody += `- Semantic Type: ${success ? '✅' : '❌'} ${status}\n`;
              }
            }

            if (changedFiles.includes('global-masking-rule.json')) {
              const status = ${{ toJSON(steps.apply-global-masking-rule.outputs) }}.status_code;
              if (status) {
                apiCallsFound = true;
                const success = status >= 200 && status < 300;
                commentBody += `- Global Masking Rule: ${success ? '✅' : '❌'} ${status}\n`;
              }
            }

            if (!apiCallsFound) {
              commentBody += `None`;
            }

            await github.rest.issues.createComment({
              ...context.repo,
              issue_number: context.issue.number,
              body: commentBody
            });