Merge pull request #18 from github/release-updates

Release Updates

.github/workflows/acceptance.yml

@@ -17,7 +17,7 @@ jobs:
       has_change: ${{ steps.diff.outputs.has_change}}
 
     steps:
-      - uses: actions/checkout@7884fcad6b5d53d10323aee724dc68d8b9096a2e # pin@v2
+      - uses: actions/checkout@v3
 
       - id: fetch-base
         if: github.event_name == 'pull_request'
@@ -66,9 +66,9 @@ jobs:
         run: |
           echo "✅ Bypassing acceptance tests - they are not required for this change"
 
-      - name: Check out code
+      - name: checkout
         if: ${{ needs.changes.outputs.has_change == 'true' }}
-        uses: actions/checkout@7884fcad6b5d53d10323aee724dc68d8b9096a2e # pin@v2
+        uses: actions/checkout@v3
 
       # Use Docker layer caching for 'docker build' and 'docker-compose build' commands.
       # https://github.com/satackey/action-docker-layer-caching/releases/tag/v0.0.11

.github/workflows/build.yml

@@ -0,0 +1,41 @@
+name: build
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  workflow_call:
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    name: build
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: checkout
+        uses: actions/checkout@v3
+
+      - uses: ruby/setup-ruby@250fcd6a742febb1123a77a841497ccaa8b9e939 # pin@v1.152.0
+        with:
+          bundler-cache: true
+
+      - name: bootstrap
+        run: script/bootstrap
+
+      - name: build
+        run: |
+          GEM_NAME=$(ls | grep gemspec | cut -d. -f1)
+          echo "Attempting to build gem $GEM_NAME..."
+          gem build $GEM_NAME
+          if [ $? -eq 0 ]; then
+            echo "Gem built successfully!"
+          else
+            echo "Gem build failed!"
+            exit 1
+          fi

.github/workflows/codeql-analysis.yml

@@ -1,4 +1,4 @@
-name: "CodeQL"
+name: CodeQL
 
 on:
   push:
@@ -24,8 +24,8 @@ jobs:
         language: [ 'ruby' ]
 
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@7884fcad6b5d53d10323aee724dc68d8b9096a2e # pin@v2
+      - name: checkout
+        uses: actions/checkout@v3
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL

.github/workflows/lint.yml

@@ -14,12 +14,11 @@ jobs:
       contents: read
 
     steps:
-      - name: Check out code
-        uses: actions/checkout@7884fcad6b5d53d10323aee724dc68d8b9096a2e # pin@v2
+      - name: checkout
+        uses: actions/checkout@v3
 
-      - uses: ruby/setup-ruby@8029ebd6e5bd8f4e0d6f7623ea76a01ec5b1010d # pin@v1.110.0
+      - uses: ruby/setup-ruby@250fcd6a742febb1123a77a841497ccaa8b9e939 # pin@v1.152.0
         with:
-          ruby-version: 3.1.2
           bundler-cache: true
 
       - name: rubocop

.github/workflows/release.yml

@@ -0,0 +1,53 @@
+name: release
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+    paths:
+      - lib/version.rb
+
+permissions:
+  contents: write
+  packages: write
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: checkout
+        uses: actions/checkout@v3
+
+      - uses: ruby/setup-ruby@250fcd6a742febb1123a77a841497ccaa8b9e939 # pin@v1.152.0
+        with:
+          bundler-cache: true
+
+      - name: bootstrap
+        run: script/bootstrap
+
+      - name: lint
+        run: bundle exec rubocop -c .rubocop.yml lib/ spec/
+
+      - name: test
+        run: script/test
+
+      - name: set GEM_NAME from gemspec
+        run: echo "GEM_NAME=$(ls | grep gemspec | cut -d. -f1)" >> $GITHUB_ENV
+
+        # builds the gem and saves the version to GITHUB_ENV
+      - name: build
+        run: echo "GEM_VERSION=$(gem build ${{ env.GEM_NAME }}.gemspec 2>&1 | grep Version | cut -d':' -f 2 | tr -d " \t\n\r")" >> $GITHUB_ENV
+
+      - name: publish to GitHub packages
+        run: |
+          export OWNER=$( echo ${{ github.repository }} | cut -d "/" -f 1 )
+          GEM_HOST_API_KEY=${{ secrets.GITHUB_TOKEN }} gem push --KEY github --host https://rubygems.pkg.github.com/${OWNER} ${{ env.GEM_NAME }}-${{ env.GEM_VERSION }}.gem
+
+      - name: release
+        uses: ncipollo/release-action@a2e71bdd4e7dab70ca26a852f29600c98b33153e # pin@v1.12.0
+        with:
+          artifacts: "${{ env.GEM_NAME }}-${{ env.GEM_VERSION }}.gem"
+          tag: "v${{ env.GEM_VERSION }}"
+          generateReleaseNotes: true

.github/workflows/test.yml

@@ -14,12 +14,11 @@ jobs:
       contents: read
 
     steps:
-      - name: Check out code
-        uses: actions/checkout@7884fcad6b5d53d10323aee724dc68d8b9096a2e # pin@v2
+      - name: checkout
+        uses: actions/checkout@v3
 
-      - uses: ruby/setup-ruby@8029ebd6e5bd8f4e0d6f7623ea76a01ec5b1010d # pin@v1.110.0
+      - uses: ruby/setup-ruby@250fcd6a742febb1123a77a841497ccaa8b9e939 # pin@v1.152.0
         with:
-          ruby-version: 3.1.2
           bundler-cache: true
 
       - name: rspec tests

.rubocop.yml

@@ -3,8 +3,9 @@ inherit_gem:
     - config/default.yml
 
 AllCops:
+  SuggestExtensions: false
   DisplayCopNames: true
-  TargetRubyVersion: 2.7.5
+  TargetRubyVersion: 3.1
   Exclude:
     - 'bin/*'
     - 'spec/acceptance/fixtures/**/*'

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    entitlements-github-plugin (0.2.0)
+    entitlements-github-plugin (0.3.0)
       contracts (= 0.17.0)
       faraday (~> 2.0)
       faraday-retry (~> 2.0)

README.md

@@ -1,6 +1,6 @@
 # entitlements-github-plugin
 
-[![acceptance](https://github.com/github/entitlements-github-plugin/actions/workflows/acceptance.yml/badge.svg)](https://github.com/github/entitlements-github-plugin/actions/workflows/acceptance.yml) [![test](https://github.com/github/entitlements-github-plugin/actions/workflows/test.yml/badge.svg)](https://github.com/github/entitlements-github-plugin/actions/workflows/test.yml) [![lint](https://github.com/github/entitlements-github-plugin/actions/workflows/lint.yml/badge.svg)](https://github.com/github/entitlements-github-plugin/actions/workflows/lint.yml) [![coverage](https://img.shields.io/badge/coverage-100%25-success)](https://img.shields.io/badge/coverage-100%25-success) [![style](https://img.shields.io/badge/code%20style-rubocop--github-blue)](https://github.com/github/rubocop-github)
+[![acceptance](https://github.com/github/entitlements-github-plugin/actions/workflows/acceptance.yml/badge.svg)](https://github.com/github/entitlements-github-plugin/actions/workflows/acceptance.yml) [![test](https://github.com/github/entitlements-github-plugin/actions/workflows/test.yml/badge.svg)](https://github.com/github/entitlements-github-plugin/actions/workflows/test.yml) [![lint](https://github.com/github/entitlements-github-plugin/actions/workflows/lint.yml/badge.svg)](https://github.com/github/entitlements-github-plugin/actions/workflows/lint.yml) [![release](https://github.com/github/entitlements-github-plugin/actions/workflows/release.yml/badge.svg)](https://github.com/github/entitlements-github-plugin/actions/workflows/release.yml) [![coverage](https://img.shields.io/badge/coverage-100%25-success)](https://img.shields.io/badge/coverage-100%25-success) [![style](https://img.shields.io/badge/code%20style-rubocop--github-blue)](https://github.com/github/rubocop-github)
 
 `entitlements-github-plugin` is an [entitlements-app](https://github.com/github/entitlements-app) plugin allowing entitlements configs to be used to manage membership of github.com Organizations and Teams.
 
@@ -82,3 +82,13 @@ For example, if there were a file `github.com/github/teams/new-team.txt` with a
 Entitlements configs can contain metadata which the plugin will use to make further configuration decisions.
 
 `metadata_parent_team_name` - when defined in an entitlements config, the defined team will be made the parent team of this github.com Team.
+
+## Release 🚀
+
+To release a new version of this Gem, do the following:
+
+1. Update the version number in the [`lib/version.rb`](lib/version.rb) file
+2. Run `bundle install` to update the `Gemfile.lock` file with the new version
+3. Commit your changes, push them to GitHub, and open a PR
+
+Once your PR is approved and the changes are merged, a new release will be created automatically by the [`release.yml`](.github/workflows/release.yml) workflow. The latest version of the Gem will be published to the GitHub Package Registry.

entitlements-github-plugin.gemspec

@@ -1,14 +1,16 @@
 # frozen_string_literal: true
 
+require_relative "lib/version"
+
 Gem::Specification.new do |s|
   s.name = "entitlements-github-plugin"
-  s.version = File.read("VERSION").chomp
+  s.version = Entitlements::Version::VERSION
   s.summary = "GitHub dotcom provider for entitlements-app"
-  s.description = ""
+  s.description = "Entitlements plugin to manage GitHub Orgs and Team memberships and access"
   s.authors = ["GitHub, Inc. Security Ops"]
   s.email = "security@github.com"
   s.license = "MIT"
-  s.files = Dir.glob("lib/**/*") + %w[VERSION]
+  s.files = Dir.glob("lib/**/*")
   s.homepage = "https://github.com/github/entitlements-github-plugin"
   s.executables = %w[]
 

lib/entitlements/backend/github_org/controller.rb

@@ -83,7 +83,7 @@ def calculate
           validate_no_dupes!       # calls read() for each group
 
           if changes.any?
-            print_differences(key: group_name, added: [], removed: [], changed: changes, ignored_users: ignored_users)
+            print_differences(key: group_name, added: [], removed: [], changed: changes, ignored_users:)
             @actions.concat(changes)
           else
             logger.debug "UNCHANGED: No GitHub organization changes for #{group_name}"
@@ -398,11 +398,11 @@ def categorized_changes
               if removed.key?(member.downcase)
                 # Already removed from a previous role. Therefore this is a move to a different role.
                 removed.delete(member.downcase)
-                moved[member.downcase] = { member: member, role: role }
+                moved[member.downcase] = { member:, role: }
               else
                 # Not removed from a previous role. Suspect this is an addition to the org (if we later spot a removal
                 # from a role, then the code below will update that to be a move instead).
-                added[member.downcase] = { member: member, role: role }
+                added[member.downcase] = { member:, role: }
               end
             end
 
@@ -414,12 +414,12 @@ def categorized_changes
               else
                 # Not added to a previous role. Suspect this is a removal from the org (if we later spot an addition
                 # to another role, then the code above will update that to be a move instead).
-                removed[member.downcase] = { member: member, role: role }
+                removed[member.downcase] = { member:, role: }
               end
             end
           end
 
-          { added: added, removed: removed, moved: moved }
+          { added:, removed:, moved: }
         end
 
         # Admins or members who are both `invited` and `pending` do not need to be re-invited. We're waiting for them

lib/entitlements/backend/github_org/service.rb

@@ -44,7 +44,7 @@ def sync(implementation, role)
         Contract String, String => C::Bool
         def add_user_to_organization(user, role)
           Entitlements.logger.debug "#{identifier} add_user_to_organization(user=#{user}, org=#{org}, role=#{role})"
-          new_membership = octokit.update_organization_membership(org, user: user, role: role)
+          new_membership = octokit.update_organization_membership(org, user:, role:)
 
           # Happy path
           if new_membership[:role] == role
@@ -70,7 +70,7 @@ def add_user_to_organization(user, role)
         Contract String => C::Bool
         def remove_user_from_organization(user)
           Entitlements.logger.debug "#{identifier} remove_user_from_organization(user=#{user}, org=#{org})"
-          result = octokit.remove_organization_membership(org, user: user)
+          result = octokit.remove_organization_membership(org, user:)
 
           # If we removed the user, remove them from the cache of members, so that any GitHub team
           # operations in this organization will ignore this user.

lib/entitlements/backend/github_team/controller.rb

@@ -61,12 +61,12 @@ def calculate
             end
 
             if diff[:metadata] && diff[:metadata][:create_team]
-              added << Entitlements::Models::Action.new(team_slug, provider.read(group), group, group_name, ignored_users: ignored_users)
+              added << Entitlements::Models::Action.new(team_slug, provider.read(group), group, group_name, ignored_users:)
             else
-              changed << Entitlements::Models::Action.new(team_slug, provider.read(group), group, group_name, ignored_users: ignored_users)
+              changed << Entitlements::Models::Action.new(team_slug, provider.read(group), group, group_name, ignored_users:)
             end
           end
-          print_differences(key: group_name, added: added, removed: [], changed: changed)
+          print_differences(key: group_name, added:, removed: [], changed:)
 
           @actions = added + changed
         end

lib/entitlements/backend/github_team/models/team.rb

@@ -27,7 +27,7 @@ def initialize(team_id:, team_name:, members:, ou:, metadata:)
             @team_id = team_id
             @team_name = team_name.downcase
             @team_dn = ["cn=#{team_name.downcase}", ou].join(",")
-            super(dn: @team_dn, members: Set.new(members.map { |m| m.downcase }), metadata: metadata)
+            super(dn: @team_dn, members: Set.new(members.map { |m| m.downcase }), metadata:)
           end
         end
       end

lib/entitlements/backend/github_team/provider.rb

@@ -127,7 +127,7 @@ def commit(entitlement_group)
           # Create the new team and invalidate the cache
           if github_team.nil?
             team_name = entitlement_group.cn.downcase
-            github.create_team(entitlement_group: entitlement_group)
+            github.create_team(entitlement_group:)
             github.invalidate_predictive_cache(entitlement_group)
             @github_team_cache.delete(team_name)
             github_team = github.read_team(entitlement_group)
@@ -168,7 +168,7 @@ def create_github_team_group(entitlement_group)
             team_name: entitlement_group.cn.downcase,
             members: Set.new,
             ou: github.ou,
-            metadata: metadata
+            metadata:
           )
         end
 

lib/entitlements/backend/github_team/service.rb

@@ -78,7 +78,7 @@ def read_team(entitlement_group)
                 team_id: -1,
                 team_name: team_identifier,
                 members: cached_members,
-                ou: ou,
+                ou:,
                 metadata: team_metadata
               )
 
@@ -108,7 +108,7 @@ def read_team(entitlement_group)
                   team_id: teamdata[:team_id],
                   team_name: team_identifier,
                   members: Set.new(teamdata[:members]),
-                  ou: ou,
+                  ou:,
                   metadata: team_metadata
                 )
               rescue TeamNotFound
@@ -380,7 +380,7 @@ def graphql_team_data(team_slug)
             break
           end
 
-          { members: result, team_id: team_id, parent_team_name: parent_team_name }
+          { members: result, team_id:, parent_team_name: }
         end
 
         # Ensure that the given team ID actually matches up to the team slug on GitHub. This is in place
@@ -425,7 +425,7 @@ def add_user_to_team(user:, team:, role: "member")
           end
           Entitlements.logger.debug "#{identifier} add_user_to_team(user=#{user}, org=#{org}, team_id=#{team.team_id}, role=#{role})"
           validate_team_id_and_slug!(team.team_id, team.team_name)
-          result = octokit.add_team_membership(team.team_id, user, role: role)
+          result = octokit.add_team_membership(team.team_id, user, role:)
           result[:state] == "active" || result[:state] == "pending"
         end