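# ~~ Generated by projen. To modify, edit .projenrc.ts and run "yarn projen".
#
# Guards packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml. A PR that
# changes that file must (a) increment CdkBootstrapVersion or carry the
# `pr/exempt-bootstrap-version` label, and (b) carry the `pr/security-reviewed`
# label. The gate is only as strong as the permission needed to apply those
# labels; this workflow does not check who added them.
#
# NOTE(review): this file is regenerated by projen — land changes in
# .projenrc.ts, not here.
name: bootstrap-template-protection
on:
  pull_request:
    types:
      - opened
      - synchronize
      - reopened
      - labeled   # re-evaluate when a gating label is added ...
      - unlabeled # ... or removed
  # Listed so the check is reported in the merge queue. The job itself is
  # skipped there (see `if:` below): github.event.pull_request is not
  # available on merge_group events, so the PR-level run is the real gate.
  merge_group: {}
jobs:
  check-bootstrap-template:
    name: Check Bootstrap Template Changes
    runs-on: ubuntu-latest
    # Least privilege: read the repository, write the status comment. On PRs
    # from forks the token is read-only regardless of this block, which is why
    # the comment step below is guarded with `head.repo.fork != true`.
    permissions:
      contents: read
      pull-requests: write
    # The steps check out and inspect the PR merge ref, i.e. contributor code.
    # Keep this job on `pull_request` (read-only token for fork PRs); the old
    # `|| github.event_name == 'pull_request_target'` clause was unreachable
    # with the triggers above and has been dropped so nobody relies on it.
    if: github.event_name == 'pull_request'
    env:
      # Handed to `run:` steps through the environment instead of expression
      # interpolation, so a branch name is never parsed as shell syntax.
      BASE_REF: ${{ github.event.pull_request.base.ref }}
      TEMPLATE_PATH: packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
    steps:
      - name: Checkout merge commit
        # TODO(review): pin actions to a full commit SHA; a mutable tag lets
        # the action's contents change without a change in this repo.
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: refs/pull/${{ github.event.pull_request.number }}/merge
      - name: Checkout base branch
        run: git fetch origin "$BASE_REF"
      - name: Check if bootstrap template changed
        id: template-changed
        run: |-
          # Diff the base branch tip against the merge commit, restricted to
          # the protected template. `--quiet` exits non-zero when it differs.
          if ! git diff --quiet --name-only "origin/${BASE_REF}..HEAD" -- "$TEMPLATE_PATH"; then
            echo "Bootstrap template modified - protection checks required"
            echo "changed=true" >> "$GITHUB_OUTPUT"
          else
            echo "✅ Bootstrap template not modified - no protection required"
            echo "changed=false" >> "$GITHUB_OUTPUT"
          fi
      - name: Extract current and previous bootstrap versions
        id: version-check
        if: steps.template-changed.outputs.changed == 'true'
        run: |-
          # The template under test comes from the PR, so its contents are
          # untrusted. Only a plain non-negative integer is accepted as a
          # version; anything else fails the job here, before the value can
          # reach $GITHUB_OUTPUT and the expression-interpolated summary
          # script below. This also keeps `-gt` from choking on "null" when
          # the key is missing.
          VERSION_QUERY='.Resources.CdkBootstrapVersion.Properties.Value'

          # Current version from the PR merge commit
          CURRENT_VERSION=$(yq "$VERSION_QUERY" "$TEMPLATE_PATH")
          # Previous version from the base branch
          git show "origin/${BASE_REF}:${TEMPLATE_PATH}" > /tmp/base-template.yaml
          PREVIOUS_VERSION=$(yq "$VERSION_QUERY" /tmp/base-template.yaml)

          for v in "$CURRENT_VERSION" "$PREVIOUS_VERSION"; do
            if ! [[ "$v" =~ ^[0-9]+$ ]]; then
              # %q renders the offending value on a single escaped line, so a
              # crafted value cannot smuggle workflow commands into the log.
              printf '::error::CdkBootstrapVersion.Properties.Value must be a non-negative integer, got %q\n' "$v"
              exit 1
            fi
          done

          echo "current-version=$CURRENT_VERSION" >> "$GITHUB_OUTPUT"
          echo "previous-version=$PREVIOUS_VERSION" >> "$GITHUB_OUTPUT"
          if [ "$CURRENT_VERSION" -gt "$PREVIOUS_VERSION" ]; then
            echo "version-incremented=true" >> "$GITHUB_OUTPUT"
          else
            echo "version-incremented=false" >> "$GITHUB_OUTPUT"
          fi
      - name: Check for security review and exemption labels
        id: label-check
        if: steps.template-changed.outputs.changed == 'true'
        # `contains()` yields a boolean, which arrives here as "true"/"false".
        env:
          HAS_SECURITY_LABEL: ${{ contains(github.event.pull_request.labels.*.name, 'pr/security-reviewed') }}
          HAS_VERSION_EXEMPT_LABEL: ${{ contains(github.event.pull_request.labels.*.name, 'pr/exempt-bootstrap-version') }}
        run: |-
          if [[ "$HAS_SECURITY_LABEL" == "true" ]]; then
            echo "has-security-label=true" >> "$GITHUB_OUTPUT"
          else
            echo "has-security-label=false" >> "$GITHUB_OUTPUT"
          fi
          if [[ "$HAS_VERSION_EXEMPT_LABEL" == "true" ]]; then
            echo "has-version-exempt-label=true" >> "$GITHUB_OUTPUT"
          else
            echo "has-version-exempt-label=false" >> "$GITHUB_OUTPUT"
          fi
      - name: Post job summary
        if: steps.template-changed.outputs.changed == 'true'
        # The expressions below are expanded by Actions before the shell runs;
        # the quoted heredoc keeps the shell from expanding anything further.
        # The only non-constant values spliced in are the two version numbers,
        # which the version-check step has already restricted to [0-9]+.
        run: |-
          cat << 'EOF' >> "$GITHUB_STEP_SUMMARY"
          ## ⚠️ Bootstrap Template Protection
          This PR modifies the bootstrap template (`packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml`), which requires special protections.
          ${{ ((steps.version-check.outputs.version-incremented == 'true' || steps.label-check.outputs.has-version-exempt-label == 'true') && steps.label-check.outputs.has-security-label == 'true') && '**✅ All requirements met! This PR can proceed with normal review process.**' || '**❌ This PR cannot be merged until all requirements are met.**' }}
          ### Requirements
          **Version Increment**
          ${{ (steps.version-check.outputs.version-incremented == 'true' && format('✅ Version incremented from {0} to {1}', steps.version-check.outputs.previous-version, steps.version-check.outputs.current-version)) || (steps.label-check.outputs.has-version-exempt-label == 'true' && format('✅ Version increment exempted (PR has `{0}` label)', 'pr/exempt-bootstrap-version')) || '❌ Version increment required' }}
          ${{ steps.version-check.outputs.version-incremented != 'true' && steps.label-check.outputs.has-version-exempt-label != 'true' && format(' - Current version: `{0}`', steps.version-check.outputs.current-version) || '' }}
          ${{ steps.version-check.outputs.version-incremented != 'true' && steps.label-check.outputs.has-version-exempt-label != 'true' && format(' - Previous version: `{0}`', steps.version-check.outputs.previous-version) || '' }}
          ${{ steps.version-check.outputs.version-incremented != 'true' && steps.label-check.outputs.has-version-exempt-label != 'true' && ' - Please increment the version in `CdkBootstrapVersion`' || '' }}
          ${{ steps.version-check.outputs.version-incremented != 'true' && steps.label-check.outputs.has-version-exempt-label != 'true' && format(' - Or add the `{0}` label if not needed', 'pr/exempt-bootstrap-version') || '' }}
          **Security Review**
          ${{ (steps.label-check.outputs.has-security-label == 'true' && format('✅ Review completed (PR has `{0}` label)', 'pr/security-reviewed')) || '❌ Review required' }}
          ${{ steps.label-check.outputs.has-security-label != 'true' && ' - A maintainer will conduct a security review' || '' }}
          ${{ steps.label-check.outputs.has-security-label != 'true' && format(' - Once reviewed, they will add the `{0}` label', 'pr/security-reviewed') || '' }}
          ### Why these protections exist
          - The bootstrap template contains critical infrastructure
          - Changes can affect IAM roles, policies, and resource access across all CDK deployments
          - Version increments ensure users are notified of updates
          EOF
      - name: Post comment
        # Skipped for fork PRs: their token is read-only, so the comment could
        # not be posted. The job summary above carries the same text.
        if: steps.template-changed.outputs.changed == 'true' && github.event.pull_request.head.repo.fork != true
        # TODO(review): pin to a full commit SHA rather than a mutable tag.
        uses: thollander/actions-comment-pull-request@v3
        with:
          comment-tag: bootstrap-template-protection
          mode: recreate
          message: |
            ## ⚠️ Bootstrap Template Protection
            This PR modifies the bootstrap template (`packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml`), which requires special protections.
            ${{ ((steps.version-check.outputs.version-incremented == 'true' || steps.label-check.outputs.has-version-exempt-label == 'true') && steps.label-check.outputs.has-security-label == 'true') && '**✅ All requirements met! This PR can proceed with normal review process.**' || '**❌ This PR cannot be merged until all requirements are met.**' }}
            ### Requirements
            **Version Increment**
            ${{ (steps.version-check.outputs.version-incremented == 'true' && format('✅ Version incremented from {0} to {1}', steps.version-check.outputs.previous-version, steps.version-check.outputs.current-version)) || (steps.label-check.outputs.has-version-exempt-label == 'true' && format('✅ Version increment exempted (PR has `{0}` label)', 'pr/exempt-bootstrap-version')) || '❌ Version increment required' }}
            ${{ steps.version-check.outputs.version-incremented != 'true' && steps.label-check.outputs.has-version-exempt-label != 'true' && format(' - Current version: `{0}`', steps.version-check.outputs.current-version) || '' }}
            ${{ steps.version-check.outputs.version-incremented != 'true' && steps.label-check.outputs.has-version-exempt-label != 'true' && format(' - Previous version: `{0}`', steps.version-check.outputs.previous-version) || '' }}
            ${{ steps.version-check.outputs.version-incremented != 'true' && steps.label-check.outputs.has-version-exempt-label != 'true' && ' - Please increment the version in `CdkBootstrapVersion`' || '' }}
            ${{ steps.version-check.outputs.version-incremented != 'true' && steps.label-check.outputs.has-version-exempt-label != 'true' && format(' - Or add the `{0}` label if not needed', 'pr/exempt-bootstrap-version') || '' }}
            **Security Review**
            ${{ (steps.label-check.outputs.has-security-label == 'true' && format('✅ Review completed (PR has `{0}` label)', 'pr/security-reviewed')) || '❌ Review required' }}
            ${{ steps.label-check.outputs.has-security-label != 'true' && ' - A maintainer will conduct a security review' || '' }}
            ${{ steps.label-check.outputs.has-security-label != 'true' && format(' - Once reviewed, they will add the `{0}` label', 'pr/security-reviewed') || '' }}
            ### Why these protections exist
            - The bootstrap template contains critical infrastructure
            - Changes can affect IAM roles, policies, and resource access across all CDK deployments
            - Version increments ensure users are notified of updates
      - name: Check requirements
        if: steps.template-changed.outputs.changed == 'true'
        # Fixed "true"/"false" strings (empty if a step was skipped), passed
        # via env like the other steps so no expression lands in the script.
        env:
          VERSION_INCREMENTED: ${{ steps.version-check.outputs.version-incremented }}
          VERSION_EXEMPTED: ${{ steps.label-check.outputs.has-version-exempt-label }}
          SECURITY_REVIEWED: ${{ steps.label-check.outputs.has-security-label }}
        run: |-
          # Version requirement is satisfied by an increment OR an exemption;
          # the security-review label is always required.
          if [[ "$VERSION_INCREMENTED" == "true" || "$VERSION_EXEMPTED" == "true" ]] && [[ "$SECURITY_REVIEWED" == "true" ]]; then
            echo "✅ All requirements met!"
            exit 0
          fi
          # Show what's missing
          echo "❌ Requirements not met:"
          if [[ "$VERSION_INCREMENTED" != "true" && "$VERSION_EXEMPTED" != "true" ]]; then
            echo " - Version must be incremented OR add 'pr/exempt-bootstrap-version' label"
          fi
          if [[ "$SECURITY_REVIEWED" != "true" ]]; then
            echo " - PR must have 'pr/security-reviewed' label"
          fi
          exit 1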