ssc-spc-ccoe-cei · alaincormier-ssc · Apr 21, 2023 · Apr 14, 2023 · Apr 14, 2023 · Apr 14, 2023
diff --git a/pipeline-samples/validate-yaml/.azure-pipelines/validate-yaml.yaml b/pipeline-samples/validate-yaml/.azure-pipelines/validate-yaml.yaml
@@ -21,3 +21,5 @@ jobs:
           echo "Running 'bash tools/scripts/cicd/validate-yaml.sh' ..."
           bash tools/scripts/cicd/validate-yaml.sh
         displayName: 'Validate YAML'
+        env:
+          ENABLE_PUSH_ON_DIFF: true
diff --git a/pipeline-samples/validate-yaml/.github/workflows/validate-yaml.yaml b/pipeline-samples/validate-yaml/.github/workflows/validate-yaml.yaml
@@ -12,6 +12,8 @@ on:
 jobs:
   # This workflow contains a single job called "validate-yaml"
   validate-yaml:
+    permissions:
+      contents: write
 
     runs-on: ubuntu-22.04
 
@@ -27,3 +29,5 @@ jobs:
         run: |
           echo "Running 'bash tools/scripts/cicd/validate-yaml.sh' ..."
           bash tools/scripts/cicd/validate-yaml.sh
+        env:
+          ENABLE_PUSH_ON_DIFF: true
diff --git a/pipeline-samples/validate-yaml/README.md b/pipeline-samples/validate-yaml/README.md
@@ -2,18 +2,24 @@
 
 A sample to validate that YAML configs have been properly hydrated.
 
+If the `ENABLE_PUSH_ON_DIFF` environment variable is set to true, the pipeline will attempt to commit and push to the branch when a change to hydrated files is detected.
+
 ## Requirements
 
 - `tools` sub module.
 - A deployment repo based on gcp-repo-template.
 - If using Azure DevOps:
   - A "Build Validation Policy" (PR trigger).
+  - "Read" permission on repo for user "{project} Build Service ({organization})". This may be enabled by default depending on security settings.
+  - "Contribute" permission on repo for user "{project} Build Service ({organization})" if `ENABLE_PUSH_ON_DIFF` is set to true.
 - If using GitHub:
-  - "contents" read permission on repo for GitHub Actions.  This may be enabled by default depending on security settings.
+  - "contents" read permission on repo for GitHub Actions if `ENABLE_PUSH_ON_DIFF` is set to false.
+  - "contents" write permission on repo for GitHub Actions if `ENABLE_PUSH_ON_DIFF` is set to true.
 
 ## Dependencies
 
 - `tools/scripts/cicd/validate-yaml.sh`
+- `tools/scripts/kpt/hydrate.sh`
 
 ## Usage
 

diff --git a/scripts/cicd/validate-yaml.sh b/scripts/cicd/validate-yaml.sh
@@ -7,6 +7,36 @@
 set -o errexit
 set -o pipefail
 
+# check if a new git commit should be created and pushed when diff in hydrated configs are detected
+if [[ "${ENABLE_PUSH_ON_DIFF}" == "true" ]] ; then
+
+    # set the branch name, it's stored in different env. variables in Azure DevOps and GitHub (and during Pull Requests)
+    # AzDO PR
+    if [[ "${BUILD_REASON}" == "PullRequest" && "${SYSTEM_PULLREQUEST_SOURCEBRANCH}" != "" ]] ; then
+        # the PR source branch is formatted as 'refs/heads/branch-name', the command below removes the starting 'refs/heads/'
+        export BRANCH_NAME_TO_UPDATE="${SYSTEM_PULLREQUEST_SOURCEBRANCH//'refs/heads/'/}"
+    # AzDO default
+    elif [[ "${BUILD_SOURCEBRANCHNAME}" != "" ]] ; then
+        export BRANCH_NAME_TO_UPDATE="${BUILD_SOURCEBRANCHNAME}"
+    # GitHub PR
+    elif [[ "${GITHUB_EVENT_NAME}" == "pull_request" && "${GITHUB_HEAD_REF}" != "" ]] ; then
+        export BRANCH_NAME_TO_UPDATE="${GITHUB_HEAD_REF}"
+    # GitHub default
+    elif [[ "${GITHUB_REF_NAME}" != "" ]] ; then
+        export BRANCH_NAME_TO_UPDATE="${GITHUB_REF_NAME}"
+    else
+        echo "Can't determine the branch name."
+    fi
+
+    # if a branch name was found, set the required git configs for adding a commit, fetch all branches
+    # TODO: future improvement, accept email/name as variables, possibly git creds as well (could be in scripts/common if tagging requires the same)
+    if [[ "${BRANCH_NAME_TO_UPDATE}" != "" ]] ; then
+        git config --global user.email "hydrate-script@example.com"
+        git config --global user.name "hydrate-script"
+        git fetch --recurse-submodules=no
+    fi
+fi
+
 bash tools/scripts/kpt/hydrate.sh