Add verify approval job

670a1375 · Kyle Wiebers · Lin Jen-Shin · cb06d0b1 · 670a1375 · 670a1375
Commit 670a1375 authored Apr 07, 2022 by Kyle Wiebers Committed by Lin Jen-Shin Apr 07, 2022
Showing with 52 additions and 0 deletions

.gitlab/ci/rules.gitlab-ci.yml .gitlab/ci/rules.gitlab-ci.yml +10 -0

.gitlab/ci/setup.gitlab-ci.yml .gitlab/ci/setup.gitlab-ci.yml +9 -0

tooling/bin/find_app_sec_approval tooling/bin/find_app_sec_approval +33 -0

No files found.
--- a/.gitlab/ci/rules.gitlab-ci.yml
+++ b/.gitlab/ci/rules.gitlab-ci.yml
@@ -73,6 +73,9 @@
 .if-merge-request-labels-skip-undercoverage: &if-merge-request-labels-skip-undercoverage
  if: '$CI_MERGE_REQUEST_LABELS =~ /pipeline:skip-undercoverage/'
+.if-merge-request-labels-jh-contribution: &if-merge-request-labels-jh-contribution
+  if: '$CI_MERGE_REQUEST_LABELS =~ /JiHu contribution/'
 .if-security-merge-request: &if-security-merge-request
  if: '$CI_PROJECT_NAMESPACE == "gitlab-org/security" && $CI_MERGE_REQUEST_IID'
@@ -1682,6 +1685,13 @@
    - <<: *if-default-refs
      changes: *code-backstage-patterns
+.setup:rules:jh-contribution:
+  rules:
+    - <<: *if-jh
+      when: never
+    - <<: *if-merge-request-labels-jh-contribution
 .setup:rules:generate-frontend-fixtures-mapping:
  rules:
    - <<: *if-not-ee

--- a/.gitlab/ci/setup.gitlab-ci.yml
+++ b/.gitlab/ci/setup.gitlab-ci.yml
@@ -68,6 +68,15 @@ verify-tests-yml:
    - install_tff_gem
    - scripts/verify-tff-mapping
+verify-approvals:
+  extends:
+    - .setup:rules:jh-contribution
+  needs: []
+  script:
+    - source scripts/utils.sh
+    - install_gitlab_gem
+    - tooling/bin/find_app_sec_approval
 generate-frontend-fixtures-mapping:
  extends:
    - .setup:rules:generate-frontend-fixtures-mapping

--- a/tooling/bin/find_app_sec_approval
+++ b/tooling/bin/find_app_sec_approval
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+require 'gitlab'
+# This script is used to confirm that AppSec has approved upstream JiHu contributions
+#
+# It will error if the approval is missing from the MR when it is run.
+gitlab_token = ENV.fetch('PROJECT_TOKEN_FOR_CI_SCRIPTS_API_USAGE')
+gitlab_endpoint = ENV.fetch('CI_API_V4_URL')
+mr_project_path = ENV['CI_MERGE_REQUEST_PROJECT_PATH']
+mr_iid = ENV['CI_MERGE_REQUEST_IID']
+approval_label = "sec-planning::complete"
+warn "WARNING: CI_MERGE_REQUEST_PROJECT_PATH is missing." if mr_project_path.to_s.empty?
+warn "WARNING: CI_MERGE_REQUEST_IID is missing." if mr_iid.to_s.empty?
+unless mr_project_path && mr_iid
+  warn "ERROR: Exiting as this does not appear to be a merge request pipeline."
+  exit
+end
+Gitlab.configure do |config|
+  config.endpoint       = gitlab_endpoint
+  config.private_token  = gitlab_token
+end
+if Gitlab.merge_request(mr_project_path, mr_iid).labels.include?(approval_label)
+  puts 'INFO: No action required.'
+else
+  abort('ERROR: This merge request has not been approved by application security and is required prior to merge.')
+end