[PP-3687] Add JIRA version creation automation github workflow.#3058
[PP-3687] Add JIRA version creation automation github workflow.#3058dbernstein wants to merge 3 commits intomainfrom
Conversation
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #3058 +/- ##
=======================================
Coverage 93.18% 93.18%
=======================================
Files 489 489
Lines 44943 44943
Branches 6191 6191
=======================================
Hits 41880 41880
Misses 1986 1986
Partials 1077 1077 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
dbernstein
force-pushed
the
feature/PP-3687-automate-jira-version-creation
branch
from
fe381cf to
cc2ae43
Compare
dbernstein
force-pushed
the
feature/PP-3687-automate-jira-version-creation
branch
from
cc2ae43 to
2a2a416
Compare
jonathangreen
left a comment
jonathangreen
left a comment
There was a problem hiding this comment.
Looks good, added a couple comments
| curl -X POST \ | ||
| --url "${{ secrets.JIRA_BASE_URL }}/rest/api/3/version" \ | ||
| --user "${{ secrets.JIRA_USER_EMAIL }}:${{ secrets.JIRA_API_TOKEN }}" \ | ||
| --header 'Accept: application/json' \ | ||
| --header 'Content-Type: application/json' \ | ||
| --data "{ | ||
| \"name\": \"${RELEASE_NAME}\", | ||
| \"description\": \"Release created from GitHub build.\", | ||
| \"project\": \"${JIRA_PROJECT_KEY}\", | ||
| \"released\": false | ||
| }" |
There was a problem hiding this comment.
None of the curl calls check for failure. If the "Create New Jira Release" step fails (e.g., duplicate version name, auth failure), subsequent steps will still run and silently fail or produce confusing results.
Suggestions:
- Add
--failor--fail-with-bodyto all curl commands so non-2xx responses cause the step to fail. - Alternatively, capture the response, check the HTTP status code, and fail explicitly.
| - name: Login to Jira | ||
| uses: atlassian/gajira-login@v3 |
There was a problem hiding this comment.
Is this step needed? It doesn't appear any of the following steps use it and when I go to https://github.com/atlassian/gajira-login it says:
⚠️ This repository is no longer maintained and all Gajira actions have been deprecated.
| - name: Extract Jira Keys and Update Issues | ||
| shell: bash | ||
| run: | | ||
| KEYS=$(echo "${{ github.event.release.body }}" | grep -oE "${JIRA_PROJECT_KEY}-[0-9]+" | sort -u) |
There was a problem hiding this comment.
This step is intended to no-op when release notes contain no PP- keys, but I think run steps execute with bash -e -o pipefail, so grep -oE "${JIRA_PROJECT_KEY}-[0-9]+" returns exit code 1 and aborts before the if [ -z "$KEYS" ] check runs. Worth checking on this anyway.
| \"url\": \"$RELEASE_URL\", | ||
| \"type\": \"release notes\" | ||
| }" | ||
| - name: Extract Jira Keys and Update Issues |
There was a problem hiding this comment.
Line 58 directly interpolates github.event.release.body into a shell command:
KEYS=$(echo "${{ github.event.release.body }}" | grep -oE "PP-[0-9]+" | sort -u)
The release body is user-controlled input. If it contains shell metacharacters (e.g., "; rm -rf /; "), they will be executed. This is a well-known https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections vulnerability.
I don't think the security risk here is high, since we are controlling releases. If an attacker is creating a release we have big problems already, but I do think its worth addressing so that shell characters don't accidentally break this workflow. This is the fix suggested by the docs:
env:
RELEASE_BODY: ${{ github.event.release.body }}
run: |
KEYS=$(echo "$RELEASE_BODY" | grep -oE "PP-[0-9]+" | sort -u)
| # 1. Get the Version ID from Jira based on the name | ||
| VERSION_ID=$(curl --user "${JIRA_USER_EMAIL}:${JIRA_API_TOKEN}" \ | ||
| --url "${JIRA_BASE_URL}/rest/api/3/project/${JIRA_PROJECT_KEY}/versions" \ | ||
| | jq -r ".[] | select(.name == \"$RELEASE_NAME\") | .id") |
There was a problem hiding this comment.
Minor: Instead of creating the version in the "Create New Jira Release" step, and then immediately querying for it. It looks like the rest/api/3/version response contains the ID already. Can we just parse it in that step and pass it to this step? I think that would save us bugs around looking up the release name with JQ.
|
One other thing we might want to do here is turn this into an action like the poetry action: @dwilcox mentioned in the sprint planning today that he would like to have this run in our other repos, so it might be nice to have it as an action rather then copy paste this YAML file everywhere. |
2 participants
Description
This PR adds an AI generated workflow that will create a release page JIRA by grabbing the github release version, extracting all the JIRA ticket IDs from the release's body, associating those tickets with the release in JIRA, and updating the fixVersions property of each ticket with the release.
One caveat. It looks like the script will try to associate any PP-* issue key found in the github release notes, regardless of whether the issue is actually in the release. For example, if the release notes contain a reference to another ticket, the script will include that ticket in the JIRA release. I believe one ticket can be associated with multiple releases so it's not a technical issue per say. But there is the potential for muddying the waters. So we have to be careful to remove any secondary JIRA references in the release notes.
Motivation and Context
https://ebce-lyrasis.atlassian.net/browse/PP-3687
How Has This Been Tested?
This has been tested.
I pushed a tag associated with this PR. Then published an unofficial release with PP-3687 in the body. You can see the results here: https://ebce-lyrasis.atlassian.net/projects/PP/versions/12159/tab/release-report-all-issues
Checklist