Merge branch 'main' into knewbury01/fix-406

Author: nicolaswill

.github/actions/check-permissions/action.yml

@@ -0,0 +1,49 @@
+name: Check current actor permissions
+description: |
+  Checks whether the current actor has the specified permssions
+inputs:
+  minimum-permission:
+    description: |
+      The minimum required permission. One of: read, write, admin
+    required: true
+outputs:
+  has-permission:
+    description: "Whether the actor had the minimum required permission"
+    value: ${{ steps.check-permission.outputs.has-permission }}
+
+runs:
+  using: composite
+  steps:
+  - uses: actions/github-script@v7
+    id: check-permission
+    env:
+      INPUT_MINIMUM-PERMISSION: ${{ inputs.minimum-permission }}
+    with:
+      script: |
+        // Valid permissions are none, read, write, admin (legacy base permissions)
+        const permissionsRanking = ["none", "read", "write", "admin"];
+
+        // Note: core.getInput doesn't work by default in a composite action - in this case
+        //       it would try to fetch the input to the github-script instead of the action
+        //       itself. Instead, we set the appropriate magic env var with the actions input.
+        //       See: https://github.com/actions/runner/issues/665
+        const minimumPermission = core.getInput('minimum-permission');
+        if (!permissionsRanking.includes(minimumPermission)) {
+          core.setFailed(`Invalid minimum permission: ${minimumPermission}`);
+          return;
+        }
+
+        const { data : { permission : actorPermission } } = await github.rest.repos.getCollaboratorPermissionLevel({
+          owner: context.repo.owner,
+          repo: context.repo.repo,
+          username: context.actor
+        });
+
+        // Confirm whether the actor permission is at least the selected permission
+        const hasPermission = permissionsRanking.indexOf(minimumPermission) <= permissionsRanking.indexOf(actorPermission) ? "1" : "";
+        core.setOutput('has-permission', hasPermission);
+        if (!hasPermission) {
+          core.info(`Current actor (${context.actor}) does not have the minimum required permission '${minimumPermission}' (has '${actorPermission}')`);
+        } else {
+          core.info(`Current actor (${context.actor}) has the minimum required permission '${minimumPermission}' (has '${actorPermission}')`);
+        }

.github/workflows/code-scanning-pack-gen.yml

@@ -103,10 +103,10 @@ jobs:
           codeql query compile --precompile --threads 0 c
 
           cd ..
-          zip -r codeql-coding-standards/code-scanning-cpp-query-pack.zip codeql-coding-standards/c/ codeql-coding-standards/cpp/ codeql-coding-standards/.codeqlmanifest.json codeql-coding-standards/supported_codeql_configs.json codeql-coding-standards/scripts/configuration codeql-coding-standards/scripts/reports codeql-coding-standards/scripts/shared codeql-coding-standards/scripts/guideline_recategorization codeql-coding-standards/scripts/shared codeql-coding-standards/scripts/schemas
+          zip -r codeql-coding-standards/code-scanning-cpp-query-pack.zip codeql-coding-standards/c/ codeql-coding-standards/cpp/ codeql-coding-standards/.codeqlmanifest.json codeql-coding-standards/supported_codeql_configs.json codeql-coding-standards/scripts/configuration codeql-coding-standards/scripts/reports codeql-coding-standards/scripts/shared codeql-coding-standards/scripts/guideline_recategorization codeql-coding-standards/schemas
 
       - name: Upload GHAS Query Pack
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: code-scanning-cpp-query-pack.zip
           path: code-scanning-cpp-query-pack.zip

.github/workflows/codeql_unit_tests.yml

@@ -151,7 +151,7 @@ jobs:
               file.close()
 
       - name: Upload test results
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: ${{ matrix.language }}-test-results-${{ runner.os }}-${{ matrix.codeql_cli }}-${{ matrix.codeql_standard_library_ident }}
           path: |
@@ -160,11 +160,18 @@ jobs:
 
   validate-test-results:
     name: Validate test results
+    if: ${{ always() }}
     needs: run-test-suites
     runs-on: ubuntu-22.04
     steps:
+      - name: Check if run-test-suites job failed to complete, if so fail
+        if: ${{ needs.run-test-suites.result == 'failure' }}
+        uses: actions/github-script@v3
+        with:
+          script: |
+            core.setFailed('Test run job failed')
       - name: Collect test results
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
 
       - name: Validate test results
         run: |

.github/workflows/dispatch-matrix-check.yml

@@ -3,42 +3,45 @@ name: 🤖 Run Matrix Check (On Comment)
 on:
   issue_comment:
     types: [created]
-    branches:
-      - main
-      - "rc/**"
-      - next
-
 
 jobs:
   dispatch-matrix-check:
     runs-on: ubuntu-22.04
     steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
 
-      - name: Test Variables
-        shell: pwsh
-        run: |
-          Write-Host "Running as: ${{github.actor}}"    
-
-          $actor = "${{github.actor}}"
-
-          $acl = @("jsinglet","mbaluda", "lcartey", "rvermeulen", "ravikprasad", "jeongsoolee09", "hohn", "knewbury01", "kraiouchkine") 
-
-          if(-not ($actor -in $acl)){
-            throw "Refusing to run workflow for user not in acl."
-          }
-
+      - name: Check permission
+        id: check-write-permission
+        uses: ./.github/actions/check-permissions
+        with:
+          minimum-permission: "write"
 
-      - name: Dispatch Matrix Testing Job
-        if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-matrix') }}
-        uses: peter-evans/repository-dispatch@v2
+      - name: Generate token
+        id: generate-token
+        uses: actions/create-github-app-token@v1
         with:
-          token: ${{ secrets.RELEASE_ENGINEERING_TOKEN }}
-          repository: github/codeql-coding-standards-release-engineering
-          event-type: matrix-test
-          client-payload: '{"pr": "${{ github.event.issue.number }}"}'
+          app-id: ${{ vars.AUTOMATION_APP_ID }}
+          private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: "codeql-coding-standards-release-engineering"
+
+      - name: Invoke matrix testing job
+        if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-matrix') && steps.check-write-permission.outputs.has-permission }}
+        env:
+          ISSUE_NR: ${{ github.event.issue.number }}
+          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
+        run: |
+          jq -n \
+          --arg issue_nr "$ISSUE_NR" \
+          '{"issue-nr": $issue_nr}' \
+          | \
+          gh workflow run pr-compiler-validation.yml \
+          --json \
+            -R github/codeql-coding-standards-release-engineering
 
       - uses: actions/github-script@v6
-        if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-matrix') }}
+        if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-matrix') && steps.check-write-permission.outputs.has-permission }}
         with:
           script: |
             github.rest.issues.createComment({

.github/workflows/dispatch-matrix-test-on-comment.yml

@@ -3,46 +3,50 @@ name: 🏁 Run Release Performance Check
 on:
   issue_comment:
     types: [created]
-    branches:
-      - main
-      - "rc/**"
-      - next
 
 jobs:
   dispatch-matrix-check:
     runs-on: ubuntu-22.04
     steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
 
-      - name: Test Variables
-        shell: pwsh
-        run: |
-          Write-Host "Running as: ${{github.actor}}"    
-
-          $actor = "${{github.actor}}"
-
-          $acl = @("jsinglet","mbaluda", "lcartey", "rvermeulen", "ravikprasad", "jeongsoolee09", "hohn", "knewbury01", "kraiouchkine") 
-
-          if(-not ($actor -in $acl)){
-            throw "Refusing to run workflow for user not in acl."
-          }
-
-      - name: Dispatch Performance Testing Job
-        if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-performance') }}
-        uses: peter-evans/repository-dispatch@v2
+      - name: Check permission
+        id: check-write-permission
+        uses: ./.github/actions/check-permissions
         with:
-          token: ${{ secrets.RELEASE_ENGINEERING_TOKEN }}
-          repository: github/codeql-coding-standards-release-engineering
-          event-type: performance-test
-          client-payload: '{"pr": "${{ github.event.issue.number  }}"}'
+          minimum-permission: "write"
 
+      - name: Generate token
+        id: generate-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.AUTOMATION_APP_ID }}
+          private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: "codeql-coding-standards-release-engineering"
+
+      - name: Invoke performance test
+        if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-performance') && steps.check-write-permission.outputs.has-permission }}
+        env:
+          ISSUE_NR: ${{ github.event.issue.number }}
+          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
+        run: |
+          jq -n \
+          --arg issue_nr "$ISSUE_NR" \
+          '{"issue-nr": $issue_nr}' \
+          | \
+          gh workflow run pr-performance-testing.yml \
+          --json \
+          -R github/codeql-coding-standards-release-engineering
 
       - uses: actions/github-script@v6
-        if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-performance') }}
+        if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-performance') && steps.check-write-permission.outputs.has-permission }}
         with:
           script: |
             github.rest.issues.createComment({
               issue_number: context.issue.number,
               owner: context.repo.owner,
               repo: context.repo.repo,
               body: '🏁 Beep Boop! Performance testing for this PR has been initiated. Please check back later for results. Note that the query package generation step must complete before testing  will start so it might be a minute. <br><br> :bulb: If you do not hear back from me please check my status! **I will report even if I fail!**'
-            })
+            })

.github/workflows/dispatch-release-performance-check.yml

@@ -103,7 +103,7 @@ jobs:
       - name: Generate token
         if: env.HOTFIX_RELEASE == 'false'
         id: generate-token
-        uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e
+        uses: actions/create-github-app-token@v1
         with:
           app-id: ${{ vars.AUTOMATION_APP_ID }}
           private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}

.github/workflows/finalize-release.yml

@@ -35,7 +35,7 @@ jobs:
           python scripts/documentation/generate_iso26262_docs.py coding-standards-html-docs
 
       - name: Upload HTML documentation
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: coding-standards-docs-${{ github.sha }}
           path: coding-standards-html-docs/

.github/workflows/generate-html-docs.yml

@@ -143,7 +143,7 @@ jobs:
 
       - name: Generate token
         id: generate-token
-        uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e
+        uses: actions/create-github-app-token@v1
         with:
           app-id: ${{ vars.AUTOMATION_APP_ID }}
           private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}

.github/workflows/prepare-release.yml

@@ -143,7 +143,7 @@ jobs:
               }, test_summary_file)
 
       - name: Upload test results
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
         with:
           name: test-results-${{runner.os}}-${{matrix.codeql_cli}}-${{matrix.codeql_standard_library_ident}}
           path: |
@@ -162,7 +162,7 @@ jobs:
           python-version: "3.9"
 
       - name: Collect test results
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v4
 
       - name: Validate test results
         shell: python

.github/workflows/standard_library_upgrade_tests.yml

@@ -43,7 +43,7 @@ jobs:
 
       - name: Generate token
         id: generate-token
-        uses: actions/create-github-app-token@eaddb9eb7e4226c68cf4b39f167c83e5bd132b3e
+        uses: actions/create-github-app-token@v1
         with:
           app-id: ${{ vars.AUTOMATION_APP_ID }}
           private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}