wip

alphagov · Nov 29, 2023 · 078619c · 078619c
1 parent f4ef196
commit 078619c
Show file tree

Hide file tree

Showing 12 changed files with 102 additions and 18 deletions.
diff --git a/.github/workflows/afternoon_seal.yml b/.github/workflows/afternoon_seal.yml
@@ -7,14 +7,15 @@ on:
 
 env:
   SEAL_ORGANISATION: alphagov
+  GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
   SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
 
 jobs:
   afternoon-seal:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Setup ruby
         uses: ruby/setup-ruby@v1
@@ -25,11 +26,10 @@ jobs:
         id: afternoon_seal
         run: |
           teams=(
-            govuk-accounts
             govuk-developers
             govuk-platform-security-reliability
           )
           
           for team in ${teams[*]} ; do
-            ./bin/seal_runner.rb $team quotes
+            ./bin/seal_runner.rb $team ci
           done
diff --git a/.github/workflows/ci_checks.yml b/.github/workflows/ci_checks.yml
@@ -0,0 +1,35 @@
+name: "CI Checks"
+
+on:
+  workflow_dispatch: {}
+  schedule:
+    - cron:  '00 9 * * 1-5' # Runs at 9:00, Monday through Friday.
+
+env:
+  SEAL_ORGANISATION: alphagov
+  GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+  SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+
+jobs:
+  ci-checks:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          bundler-cache: true
+
+      - name: CI Checks
+        id: ci_checks
+        run: |
+          teams=(
+            govuk-developers
+            govuk-platform-security-reliability
+          )
+          
+          for team in ${teams[*]} ; do
+            ./bin/seal_runner.rb $team ci
+          done
diff --git a/.github/workflows/dependapanda.yml b/.github/workflows/dependapanda.yml
@@ -26,8 +26,6 @@ jobs:
         id: dependapanda
         run: |
           teams=(
-            di-ipv-orange-cri-maintainers
-            govuk-accounts-tech
             govuk-datagovuk
             govuk-developers
             govuk-forms

diff --git a/.github/workflows/morning_seal.yml b/.github/workflows/morning_seal.yml
@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Setup ruby
         uses: ruby/setup-ruby@v1
@@ -26,8 +26,6 @@ jobs:
         id: morning_seal
         run: |
           teams=(
-            di-ipv-orange-cri-maintainers
-            govuk-accounts-tech
             govuk-datagovuk
             govuk-developers
             govuk-forms

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -15,7 +15,7 @@ jobs:
   tests:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
     - uses: ruby/setup-ruby@v1
     - name: Install dependencies and run Rake
       run: |

diff --git a/ignored_ci_repos.yml b/ignored_ci_repos.yml
@@ -0,0 +1,3 @@
+- govuk-rfcs
+- bulk-merger
+- govuk-paas-office-ip-router
diff --git a/lib/github_fetcher.rb b/lib/github_fetcher.rb
@@ -1,4 +1,5 @@
 require "octokit"
+require "yaml"
 require_relative "security_alert_handler"
 
 class GithubFetcher
@@ -15,7 +16,7 @@ def initialize(team, dependabot_prs_only: false)
     @repos = team.repos
     @include_security_alerts = team.security_alerts
     @dependabot_prs_only = dependabot_prs_only
-    @repo_specific_alerts = {}
+    @repo_security_alerts = {}
     @security_alert_handler = dependabot_prs_only && @include_security_alerts ? SecurityAlertHandler.new(github, organisation, repos) : nil
   end
 
@@ -32,11 +33,15 @@ def list_pull_requests
 
   def pull_requests_from_github
     repos.flat_map do |repo|
-      @repo_specific_alerts[repo] = @security_alert_handler.filter_security_alerts(repo) if @security_alert_handler
+      @repo_security_alerts[repo] = @security_alert_handler.filter_security_alerts(repo) if @security_alert_handler
       fetch_pull_requests(repo).reject(&:draft)
     end
   end
 
+  def check_team_repos_ci
+    repos.each_with_object({}) { |repo, sca_sast_enabled| sca_sast_enabled[repo] = has_sas_sast_scans?(repo) }
+  end
+
   def security_alerts_count
     @security_alert_handler&.security_alerts_count
   end
@@ -64,7 +69,7 @@ def fetch_pull_requests(repo)
 
   def present_pull_request(pull_request)
     repo = pull_request.base.repo.name
-    security_label = @dependabot_prs_only && @include_security_alerts ? @security_alert_handler.label_for_branch(pull_request.head.ref, pull_request.title, @repo_specific_alerts[repo]) : nil
+    security_label = @dependabot_prs_only && @include_security_alerts ? @security_alert_handler.label_for_branch(pull_request.head.ref, pull_request.title, @repo_security_alerts[repo]) : nil
 
     {
       title: pull_request.title,
@@ -141,4 +146,20 @@ def marked_ready_for_review_at(pull_request, repo)
     puts "Error fetching marked ready for review time for PR #{pull_request.html_url}: #{e.message}"
     nil
   end
+
+  def ignored_ci_repos
+    YAML.load_file(File.join(File.dirname(__FILE__), "../ignored_ci_repos.yml"))
+  end
+
+  def has_sas_sast_scans?(repo)
+    return true if ignored_ci_repos.include?(repo)
+    ci_file = Base64.decode64(github.contents("alphagov/#{repo}", path: ".github/workflows/ci.yml").content)
+    sca_string = "uses: alphagov/govuk-infrastructure/.github/workflows/dependency-review.yml@main"
+    sast_string = "uses: alphagov/govuk-infrastructure/.github/workflows/codeql-analysis.yml@main"
+
+    ci_file.include?(sca_string) && ci_file.include?(sast_string)
+  rescue StandardError => e
+    puts "Error fetching CI file for repo #{repo}: #{e.message}"
+    false
+  end
 end
diff --git a/lib/message_builder.rb b/lib/message_builder.rb
@@ -7,17 +7,19 @@ class MessageBuilder
 
   attr_accessor :pull_requests, :report, :mood, :poster_mood
 
-  def initialize(team, animal)
+  def initialize(team, mode)
     @team = team
-    @animal = animal
+    @mode = mode
   end
 
   def build
-    case @animal
+    case @mode
     when :panda
       build_dependapanda_message
-    else
+    when :seal
       build_regular_message
+    when :ci
+      build_ci_message
     end
   rescue StandardError => e
     puts "Error building message: #{e.message}"
@@ -57,18 +59,33 @@ def build_regular_message
     end
   end
 
+  def build_ci_message
+    Message.new(ci_message, mood: "robot_face")
+  end
+
+  def ci_message
+    @repos = check_team_repos_ci.reject { |_,v| v }.keys
+    return nil if @repos.empty?
+
+    render "list_ci_issues"
+  end
+
   def pr_date(pr)
     pr[:marked_ready_for_review_at] || pr[:created]
   end
 
   def github_fetcher
-    @github_fetcher ||= GithubFetcher.new(team, dependabot_prs_only: @animal == :panda)
+    @github_fetcher ||= GithubFetcher.new(team, dependabot_prs_only: @mode == :panda)
   end
 
   def pull_requests
     @pull_requests ||= github_fetcher.list_pull_requests
   end
 
+  def check_team_repos_ci
+    @check_team_repos_ci ||= github_fetcher.check_team_repos_ci
+  end
+
   def old_pull_requests
     @old_pull_requests ||= pull_requests.select { |pr| rotten?(pr) }
   end

diff --git a/lib/seal.rb b/lib/seal.rb
@@ -28,6 +28,8 @@ def bark_at(team, mode: nil)
                 Message.new(team.quotes.sample) if team.quotes_days.map(&:downcase).include?(Date.today.strftime("%A").downcase)
               when "dependapanda"
                 MessageBuilder.new(team, :panda).build
+              when "ci"
+                MessageBuilder.new(team, :ci).build
               else
                 MessageBuilder.new(team, :seal).build
               end

diff --git a/lib/slack_poster.rb b/lib/slack_poster.rb
@@ -57,6 +57,8 @@ def assign_poster_settings
       [":#{@season_symbol}seal_of_approval:", "#{@season_name}Seal of Approval"]
     when "angry"
       [":#{@season_symbol}angrier_seal:", "#{@season_name}Angry Seal"]
+    when "robot_face"
+      [":#{@season_symbol}robot_face:", "#{@season_name}Angry CI Robot"]
     when "tea"
       [":manatea:", "Tea Seal"]
     when "charter"
@@ -100,6 +102,6 @@ def set_mood_from_team
   end
 
   def channel
-    @team_channel = "#bot-testing" if ENV["DEVELOPMENT"]
+    @team_channel = "#murilo-testing"
   end
 end
diff --git a/templates/list_ci_issues.compact.text.erb b/templates/list_ci_issues.compact.text.erb
@@ -0,0 +1,4 @@
+The following repos are missing <<%= "https://docs.publishing.service.gov.uk/manual/dependency-review.html" %>|<%= html_encode("SCA") %>> and <<%= "https://docs.publishing.service.gov.uk/manual/codeql.html" %>|<%= html_encode("SAST") %>> scans in their CI pipelines:
+<% @repos.each do |repo| %>
+<<%= "https://github.com/alphagov/#{repo}" %>|<%= html_encode(repo) %>>
+<% end %>
diff --git a/templates/list_ci_issues.text.erb b/templates/list_ci_issues.text.erb
@@ -0,0 +1,4 @@
+The following repos are missing <<%= "https://docs.publishing.service.gov.uk/manual/dependency-review.html" %>|<%= html_encode("SCA") %>> and <<%= "https://docs.publishing.service.gov.uk/manual/codeql.html" %>|<%= html_encode("SAST") %>> scans in their CI pipelines:
+<% @repos.each do |repo| %>
+<<%= "https://github.com/alphagov/#{repo}" %>|<%= html_encode(repo) %>>
+<% end %>