Merge pull request #1 from hashicorp/pault/actions-yml

Migrate to new yaml actions

Author: cam-stitt

Dockerfile

@@ -0,0 +1,7 @@
+FROM alpine:3 
+
+RUN ["/bin/sh", "-c", "apk add --update --no-cache bash ca-certificates curl git jq openssh"]
+
+COPY ["src", "/src/"]
+
+ENTRYPOINT ["/src/main.sh"]

README.md

@@ -1,30 +1,71 @@
 # Sentinel GitHub Actions
 
-These Sentinel GitHub Actions allow you to run `sentinel test` and `fmt` on your pull requests to help you review and validate Sentinel policy changes.
-
-The recommended workflow for using these actions is in the [Terraform Enterprise Sentinel VCS docs](https://www.terraform.io/docs/enterprise/sentinel/integrate-vcs.html). [tfe-policies-example](https://github.com/hashicorp/tfe-policies-example) includes an example of using these actions in practice.
-
-## Example
-
-```hcl
-workflow "Sentinel" {
-  resolves = ["sentinel-test", "sentinel-fmt"]
-  on = "pull_request"
-}
-
-action "sentinel-test" {
-  uses = "hashicorp/sentinel-github-actions/test@master"
-  secrets = ["GITHUB_TOKEN"]
-  env = {
-    STL_ACTION_WORKING_DIR = "."
-  }
-}
-
-action "sentinel-fmt" {
-  uses = "hashicorp/sentinel-github-actions/fmt@v0.1"
-  secrets = ["GITHUB_TOKEN"]
-  env = {
-    TF_ACTION_WORKING_DIR = "."
-  }
-}
+Sentinel GitHub Actions allow you to execute Sentinel commands within GitHub Actions.
+
+The output of the actions can be viewed from the Actions tab in the main repository view. If the actions are executed on a pull request event, a comment may be posted on the pull request.
+
+Sentinel GitHub Actions are a single GitHub Action that executes different Sentinel subcommands depending on the content of the GitHub Actions YAML file.
+
+# Success Criteria
+
+An exit code of `0` is considered a successful execution.
+
+## Usage
+
+The most common workflow is to run `sentinel fmt`, `sentinel test` on all of the Sentinel files in the root of the repository when a pull request is opened or updated. A comment will be posted to the pull request depending on the output of the Sentinel subcommand being executed. This workflow can be configured by adding the following content to the GitHub Actions workflow YAML file.
+
+```yaml
+name: 'Sentinel GitHub Actions'
+on:
+  - pull_request
+jobs:
+  sentinel:
+    name: 'Sentinel'
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Checkout'
+        uses: actions/checkout@master
+      - name: 'Sentinel Format'
+        uses: hashicorp/sentinel-github-actions@master
+        with:
+          stl_actions_version: 0.14.2
+          stl_actions_subcommand: 'fmt'
+          stl_actions_working_dir: '.'
+          stl_actions_comment: true
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: 'Sentinel Test'
+        uses: hashicorp/sentinel-github-actions@master
+        with:
+          stl_actions_version: 0.14.2
+          stl_actions_subcommand: 'test'
+          stl_actions_working_dir: '.'
+          stl_actions_comment: true
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 ```
+
+This was a simplified example showing the basic features of these Sentinel GitHub Actions.
+
+## Inputs
+
+Inputs configure Sentinel GitHub Actions to perform different actions.
+
+* `stl_actions_subcommand` - (Required) The Sentinel subcommand to execute. Valid values are `fmt` and `test`.
+* `stl_actions_version` - (Required) The Sentinel version to install and execute. If set to `latest`, the latest stable version will be used.
+* `stl_actions_comment` - (Optional) Whether or not to comment on GitHub pull requests. Defaults to `true`.
+* `stl_actions_working_dir` - (Optional) The working directory to change into before executing Sentinel subcommands. Defaults to `.` which means use the root of the GitHub repository.
+
+## Outputs
+
+Outputs are used to pass information to subsequent GitHub Actions steps.
+
+* `stl_actions_output` - The Sentinel outputs.
+
+## Secrets
+
+Secrets are similar to inputs except that they are encrypted and only used by GitHub Actions. It's a convenient way to keep sensitive data out of the GitHub Actions workflow YAML file.
+
+* `GITHUB_TOKEN` - (Optional) The GitHub API token used to post comments to pull requests. Not required if the `stl_actions_comment` input is set to `false`.
+
+**WARNING:** These secrets could be exposed if the action is executed on a malicious Sentinel file. To avoid this, it is recommended not to use these Sentinel GitHub Actions on repositories where untrusted users can submit pull requests.

actions.yml

@@ -0,0 +1,25 @@
+name: "Sentinel GitHub Actions"
+description: "Runs Sentinel commands via GitHub Actions."
+author: "HashiCorp, Inc. Sentinel Team <Sentinel@hashicorp.com>"
+branding:
+  icon: "terminal"
+  color: "blue"
+inputs:
+  stl_actions_subcommand:
+    description: "Sentinel subcommand to execute."
+    required: true
+  stl_actions_version:
+    description: "Sentinel version to install."
+    required: true
+  stl_actions_comment:
+    description: "Whether or not to comment on pull requests."
+    default: true
+  stl_actions_working_dir:
+    description: "Sentinel working directory."
+    default: "."
+outputs:
+  stl_actions_output:
+    description: "The Sentinel outputs."
+runs:
+  using: "docker"
+  image: "./Dockerfile"

fmt/Dockerfile

@@ -0,0 +1,101 @@
+#!/bin/bash
+
+function stripColors {
+  echo "${1}" | sed 's/\x1b\[[0-9;]*m//g'
+}
+
+function hasPrefix {
+  case ${2} in
+    "${1}"*)
+      true
+      ;;
+    *)
+      false
+      ;;
+  esac
+}
+
+function parseInputs {
+  # Required inputs
+  if [ "${INPUT_STL_ACTIONS_VERSION}" != "" ]; then
+    stlVersion=${INPUT_STL_ACTIONS_VERSION}
+  else
+    echo "Input sentinel_version cannot be empty"
+    exit 1
+  fi
+
+  if [ "${INPUT_STL_ACTIONS_SUBCOMMAND}" != "" ]; then
+    stlSubcommand=${INPUT_STL_ACTIONS_SUBCOMMAND}
+  else
+    echo "Input sentinel_subcommand cannot be empty"
+    exit 1
+  fi
+
+  # Optional inputs
+  stlWorkingDir="."
+  if [ "${INPUT_STL_ACTIONS_WORKING_DIR}" != "" ] || [ "${INPUT_STL_ACTIONS_WORKING_DIR}" != "." ]; then
+    stlWorkingDir=${INPUT_STL_ACTIONS_WORKING_DIR}
+  fi
+
+  stlComment=0
+  if [ "${INPUT_STL_ACTIONS_COMMENT}" == "1" ] || [ "${INPUT_STL_ACTIONS_COMMENT}" == "true" ]; then
+    stlComment=1
+  fi
+}
+
+function installSentinel {
+  if [[ "${stlVersion}" == "latest" ]]; then
+    echo "Checking the latest version of Sentinel"
+    stlVersion=$(curl -sL https://releases.hashicorp.com/sentinel/index.json | jq -r '.versions[].version' | grep -v '[-].*' | sort -rV | head -n 1)
+
+    if [[ -z "${stlVersion}" ]]; then
+      echo "Failed to fetch the latest version"
+      exit 1
+    fi
+  fi
+
+  url="https://releases.hashicorp.com/sentinel/${stlVersion}/sentinel_${stlVersion}_linux_amd64.zip"
+
+  echo "Downloading Sentinel v${stlVersion}"
+  curl -s -S -L -o /tmp/sentinel_${stlVersion} ${url}
+  if [ "${?}" -ne 0 ]; then
+    echo "Failed to download Sentinel v${stlVersion}"
+    exit 1
+  fi
+  echo "Successfully downloaded Sentinel v${stlVersion}"
+
+  echo "Unzipping Sentinel v${stlVersion}"
+  unzip -d /usr/local/bin /tmp/sentinel_${stlVersion} &> /dev/null
+  if [ "${?}" -ne 0 ]; then
+    echo "Failed to unzip Sentinel v${stlVersion}"
+    exit 1
+  fi
+  echo "Successfully unzipped Sentinel v${stlVersion}"
+}
+
+function main {
+  # Source the other files to gain access to their functions
+  scriptDir=$(dirname ${0})
+  source ${scriptDir}/sentinel_fmt.sh
+  source ${scriptDir}/sentinel_test.sh
+
+  parseInputs
+  cd ${GITHUB_WORKSPACE}/${stlWorkingDir}
+
+  case "${stlSubcommand}" in
+    fmt)
+      installSentinel
+      sentinelFmt ${*}
+      ;;
+    test)
+      installSentinel
+      sentinelTest ${*}
+      ;;
+    *)
+      echo "Error: Must provide a valid value for sentinel_subcommand"
+      exit 1
+      ;;
+  esac
+}
+
+main "${*}"

fmt/README.md

@@ -0,0 +1,61 @@
+#!/bin/bash
+
+function sentinelFmt {
+  # Gather the output of `sentinel fmt`.
+  echo "fmt: info: checking if Sentinel files in ${stlWorkingDir} are correctly formatted"
+  fmtOutput=$(sentinel fmt -check=true -write=false ${*} 2>&1)
+  fmtExitCode=${?}
+
+  # Exit code of 0 indicates success. Print the output and exit.
+  if [ ${fmtExitCode} -eq 0 ]; then
+    echo "fmt: info: Sentinel files in ${stlWorkingDir} are correctly formatted"
+    echo "${fmtOutput}"
+    echo
+    exit ${fmtExitCode}
+  fi
+
+  # Exit code of 2 indicates a parse error. Print the output and exit.
+  if [ ${fmtExitCode} -eq 2 ]; then
+    echo "fmt: error: failed to parse Sentinel files"
+    echo "${fmtOutput}"
+    echo
+    exit ${fmtExitCode}
+  fi
+
+  # Exit code of !0 and !2 indicates failure.
+  echo "fmt: error: Sentinel files in ${stlWorkingDir} are incorrectly formatted"
+  echo "${fmtOutput}"
+  echo
+  echo "fmt: error: the following files in ${stlWorkingDir} are incorrectly formatted"
+  fmtFileList=$(sentinel fmt -check=true -write=false ${stlWorkingDir})
+  echo "${fmtFileList}"
+  echo
+
+  # Comment on the pull request if necessary.
+  if [ "$GITHUB_EVENT_NAME" == "pull_request" ] && [ "${stlComment}" == "1" ]; then
+    fmtComment=""
+    for file in ${fmtFileList}; do
+      fmtFileDiff=$(sentinel fmt -write=false "${file}" | sed -n '/@@.*/,//{/@@.*/d;p}')
+      fmtComment="${fmtComment}
+<details><summary><code>${stlWorkingDir}/${file}</code></summary>
+\`\`\`diff
+${fmtFileDiff}
+\`\`\`
+</details>"
+
+    done
+
+    fmtCommentWrapper="#### \`sentinel fmt\` Failed
+${fmtComment}
+*Workflow: \`${GITHUB_WORKFLOW}\`, Action: \`${GITHUB_ACTION}\`, Working Directory: \`${stlWorkingDir}\`*"
+
+    fmtCommentWrapper=$(stripColors "${fmtCommentWrapper}")
+    echo "fmt: info: creating JSON"
+    fmtPayload=$(echo "${fmtCommentWrapper}" | jq -R --slurp '{body: .}')
+    fmtCommentsURL=$(cat ${GITHUB_EVENT_PATH} | jq -r .pull_request.comments_url)
+    echo "fmt: info: commenting on the pull request"
+    echo "${fmtPayload}" | curl -s -S -H "Authorization: token ${GITHUB_TOKEN}" --header "Content-Type: application/json" --data @- "${fmtCommentsURL}" > /dev/null
+  fi
+
+  exit ${fmtExitCode}
+}