Initial commit

Author: github-classroom[bot]

.github/tests/Gemfile

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+# gem "rails"

.github/tests/Gemfile.lock

@@ -0,0 +1,12 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+
+PLATFORMS
+  arm64-darwin-21
+  x86_64-linux
+
+DEPENDENCIES
+
+BUNDLED WITH
+   2.3.11

.github/tests/src/script.rb

@@ -0,0 +1,83 @@
+require 'net/http'
+require 'uri'
+require 'json'
+class GithubApi
+  @@prefix = 'https://api.github.com/repos'
+
+  def initialize(repo_uri, token)
+    @repo_uri =  repo_uri
+    @token = token
+  end
+  def get(url)
+    uri = URI.parse("#{@@prefix}/#{@repo_uri}#{"/#{url}" if url != ''}")
+    request = Net::HTTP::Get.new(uri)
+    request["Accept"] = "application/vnd.github+json"
+    request["Authorization"] = "Bearer #{@token}"
+    request["X-Github-Api-Version"] = "2022-11-28"
+
+    req_options = {
+      use_ssl: uri.scheme == "https",
+    }
+
+    response = Net::HTTP.start(uri.hostname, uri.port, req_options) do |http|
+      http.request(request)
+    end
+  end
+
+  def branch_protected?(branch_name)
+    branches = JSON.parse(get('branches').body).select{|element| element["name"] == branch_name}
+    return "Branch with #{branch_name} doesn't exist" if branches.empty?
+    branches[0]["protected"]
+  end
+
+  def branch_exist?(branch_name)
+    !JSON.parse(get('branches').body).select{|element| element["name"] == branch_name}.empty?
+  end
+
+  def branches
+    JSON.parse(get('branches').body)
+  end
+
+  def branch(json_obj, branch_name)
+    JSON.parse(get('branches').body).select{|element| element["name"] == branch_name}
+  end
+
+  def default_branch
+    JSON.parse(get('').body)["default_branch"]
+  end
+
+  def file_branch(file_name, branch_name)
+    return nil if get("contents/#{file_name}?ref=#{branch_name}").code != '200'
+    old_uri = @@prefix
+    @@prefix =  'https://raw.githubusercontent.com'
+    result = get("#{branch_name}/#{file_name}").body
+    @@prefix = old_uri
+    result
+  end
+
+  def rules_required_pull_request_reviews(branch_name)
+    response = get("branches/#{branch_name}/protection")
+    return nil  if response.code != '200'
+    JSON.parse(response.body)["required_pull_request_reviews"]
+  end
+
+  def get_branch_ruleset(branch_name)
+    branch_ruleset = nil
+    response = get("rulesets")
+    JSON.parse(response.body).each do |ruleset|
+      id = ruleset['id']
+      details = get("rulesets/#{id}")
+      if JSON.parse(details.body)['conditions']['ref_name']['include'].any? {|elem| elem.include?(branch_name)}
+        branch_ruleset = JSON.parse(details.body)['rules']
+      end
+    end
+      branch_ruleset
+  end
+
+  def deploy_keys
+    response = get("keys")
+    return nil if response.code != '200'
+    JSON.parse(response.body)
+  end
+
+end

.github/tests/test/script_test.rb

@@ -0,0 +1,113 @@
+require 'test/unit'
+require_relative '../src/script'
+
+class ScriptTest < Test::Unit::TestCase
+
+  def setup
+    url = ENV['URL'].nil? ? '' : ENV["URL"]
+    token = ENV['TOKEN'].nil? ? '' : ENV["TOKEN"]
+    @secrets_token = ENV['SECRETS_TOKEN']
+    @obj = GithubApi.new(url, token)
+  end
+
+  def test_health_check
+    assert_not_nil(@obj.instance_variable_get('@repo_uri'), 'Url alive')
+    assert_not_nil(@obj.instance_variable_get('@token'), 'Token alive')
+  end
+  
+  def test_token_present
+    actual = @secrets_token =~ /^ghp_\w{36}$/
+    assert_not_nil(actual, "Secret with name 'PAT' with valid personal access token doesn't exist")
+  end
+
+  def test_deploy_key_present
+    response = @obj.deploy_keys
+    assert_not_nil(response, "Access denied")
+    deploy_key = response.find {|element| element['title'] == 'DEPLOY_KEY'}
+    assert_not_nil(deploy_key, "The deploy key with name 'DEPLOY_KEY' doesn't exist")
+  end
+
+  def test_main_present
+    actual = @obj.branch_exist?('main')
+    assert(actual, 'Branch main is not present')
+  end
+
+  def test_main_protected
+    actual = @obj.branch_protected?('main')
+    assert(actual, 'Branch main is not protected')
+  end
+
+  def test_develop_present
+    actual = @obj.branch_exist?('develop')
+    assert(actual, 'Branch develop is not present')
+  end
+
+  def test_develop_protected
+    actual = @obj.branch_protected?('develop')
+    assert(actual, 'Branch develop is not protected')
+  end
+
+  def test_develop_default
+    actual = @obj.default_branch
+    expected = 'develop'
+    assert_equal(expected, actual, 'Default branch isn\'t  develop')
+  end
+
+  def test_codeowners_contains_user
+    user_name = 'softservedata'
+    content = @obj.file_branch('CODEOWNERS', 'main') || @obj.file_branch('.github/CODEOWNERS', 'main') || @obj.file_branch('docs/CODEOWNERS', 'main')
+    assert_not_nil(content, 'File CODEOWNERS doesn\'t exist on main branch')
+    assert(content.include?(user_name), "User #{user_name} doesn't present in CODEOWNERS")
+  end
+
+  def test_codeowners_not_present_develop
+    content = @obj.file_branch('CODEOWNERS', 'develop')
+    assert_nil(content, 'File CODEOWNERS exist on develop branch')
+  end
+
+  def test_deny_merge_main
+    classic_rules = @obj.rules_required_pull_request_reviews('main')
+    rulesets = @obj.get_branch_ruleset('main')
+    rulesets_rules = rulesets&.find { |rule| rule['type'] == 'pull_request' }
+    assert_not_nil(classic_rules || rulesets_rules, 'We should not allow merge to main branch without PR')
+  end
+
+  def test_deny_merge_develop
+    classic_rules = @obj.rules_required_pull_request_reviews('develop')
+    rulesets = @obj.get_branch_ruleset('develop')
+    rulesets_rules = rulesets&.find { |rule| rule['type'] == 'pull_request' }
+    assert_not_nil(classic_rules || rulesets_rules, 'We should not allow merge to develop branch without PR ')
+  end
+
+  def test_2_approvals_develop
+    classic_required_approving_review_count = @obj.rules_required_pull_request_reviews('develop').nil? || @obj.rules_required_pull_request_reviews('develop')["required_approving_review_count"]
+    pull_request_rulesets_rules = @obj.get_branch_ruleset('develop')
+    rulesets_required_approving_review_count = pull_request_rulesets_rules&.find { |rule| rule['type'] == 'pull_request' }&.[]('parameters')&.[]('required_approving_review_count')
+    expected = 2
+    required_approving_review_count = classic_required_approving_review_count == expected || rulesets_required_approving_review_count == expected
+    assert_true(required_approving_review_count, 'We should have 2 approvals before merge to develop branch')
+  end
+
+  def test_without_approval_main
+    classic_required_approving_review_count = @obj.rules_required_pull_request_reviews('main').nil? || @obj.rules_required_pull_request_reviews('main')["required_approving_review_count"]
+    pull_request_rulesets_rules = @obj.get_branch_ruleset('main')
+    rulesets_required_approving_review_count = pull_request_rulesets_rules&.find { |rule| rule['type'] == 'pull_request' }&.[]('parameters')&.[]('required_approving_review_count')
+    expected = 0
+    required_approving_review_count = classic_required_approving_review_count == expected || rulesets_required_approving_review_count == expected
+    assert_true(required_approving_review_count, 'We shouldn\'t have any approvals before merge to main branch')
+  end
+
+  def test_approve_from_user
+    user_name = 'softservedata'
+    classic_require_code_owner_review = @obj.rules_required_pull_request_reviews('main')["require_code_owner_reviews"]
+    pull_request_rulesets_rules = @obj.get_branch_ruleset('main')
+    rulesets_require_code_owner_review = pull_request_rulesets_rules&.find { |rule| rule['type'] == 'pull_request' }&.[]('parameters')&.[]('require_code_owner_review')
+    assert(classic_require_code_owner_review || rulesets_require_code_owner_review, "We should not allow merge to main branch without approve from #{user_name}")
+  end
+
+  def test_PR_template_present
+    actual = @obj.file_branch('.github/pull_request_template.md', 'main')
+    assert_not_nil(actual, 'Pull request template is absent')
+  end
+
+end

.github/tests/test/test_cases.txt

@@ -0,0 +1,6 @@
+.planned_values.root_module.resources[] | select(.type=="github_branch_default").values.branch;"develop";default branch
+.planned_values.root_module.resources[] | select(.type=="github_repository_collaborator").values.username;"softservedata";collaborator
+.planned_values.root_module.resources[] | select(.type=="github_branch_protection").values | select(.pattern == "develop").required_pull_request_reviews[].required_approving_review_count;2;develop protection
+.planned_values.root_module.resources[] | select(.type=="github_branch_protection").values | select(.pattern == "main").required_pull_request_reviews[].require_code_owner_reviews;true;main protection
+.planned_values.root_module.resources[] | select(.type=="github_actions_secret").values.secret_name;"PAT";actions secret
+.planned_values.root_module.resources[] | select(.type=="github_repository_deploy_key").values.title;"DEPLOY_KEY";deploy key

.github/tests/test/tests.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+old_ifs="$IFS"
+IFS=";"
+exit_code=0
+
+function print() {
+  echo -e "$3 The configuration '$1' is $2"
+}
+
+while read property expected message
+do
+  if [[ $(echo $1 | jq $property) == $expected ]]; then
+    print $message OK '\033[0;32m'
+  else
+    print $message WRONG '\033[0;31m'
+    exit_code=1
+  fi
+done < $2
+
+IFS=$old_ifs
+exit $exit_code

.github/workflows/ruby.yml

@@ -0,0 +1,63 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# GitHub recommends pinning actions to a commit SHA.
+# To get a newer version, you will need to update the SHA.
+# You can also reference a tag or branch, but the action may change without warning.
+
+name: Ruby
+
+env:
+    SECRETS_TOKEN: ${{ secrets.PAT }}
+
+on:
+  push:
+    branches: [ main, develop ]
+  pull_request:
+    branches: [ main, develop ]
+  workflow_dispatch:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    
+    steps:
+      - name: Install my-app token
+        id: my-app
+        uses: getsentry/action-github-app-token@v3
+        with:
+          app_id: ${{ secrets.APP_ID }}
+          private_key: ${{ secrets.APP_PRIVATE_KEY }}
+      - uses: actions/checkout@v5
+      - name: Write code to file
+        run: |
+          cat << EOTFC > main.tf
+          ${{ secrets.TERRAFORM }}
+          EOTFC
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_wrapper: false
+      - name: Terraform Init
+        run: terraform init
+      - name: Test Terraform Config
+        run: |
+          terraform validate
+          terraform plan -no-color -out tfplan
+          PLAN=$(terraform show -json tfplan)
+          bash -e .github/tests/test/tests.sh "$PLAN" .github/tests/test/test_cases.txt
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.2'
+          working-directory: '.github/tests'
+          bundler-cache: true
+      - name: Run tests
+        env:
+          URL: ${{ github.repository }}
+          TOKEN: ${{ steps.my-app.outputs.token }}
+        working-directory: '.github/tests'
+        run: 
+          ruby test/script_test.rb

README.md

@@ -0,0 +1,32 @@
+# Task on Terraform Topic
+
+Write Terraform code that configures the GitHub repository according to the following requirements, execute it and save your Terraform code in a repository secret named `TERRAFORM`.
+
+1. The GitHub repository should assign user `softservedata` as a collaborator.
+
+2. A branch named `develop` should be created as default branch.
+
+3. Protect the `main` and `develop` branches according to these rules:
+- a user cannot merge into both branches without a pull request
+- merging into the `develop` branch is allowed only if there are two approvals
+- merging into the `main` branch is allowed only if the owner has approved the pull request
+- assign the user `softservedata` as the code owner for all the files in the `main` branch
+4. A pull request template (pull_request_template.md) should be added to the `.github` directory to allow users to create an issue in the required format:
+
+## Describe your changes
+
+## Issue ticket number and link
+
+## Checklist before requesting a review
+- [ ] I have performed a self-review of my code
+- [ ] If it is a core feature, I have added thorough tests
+- [ ] Do we need to implement analytics?
+- [ ] Will this be part of a product update? If yes, please write one phrase about this update
+
+5. A deploy key named `DEPLOY_KEY` should be added to the repository.
+
+6. Create a Discord server and enable notifications when a pull request is created.
+
+7. For GitHub actions, perform the following: 
+- create PAT (Personal Access Token) with **Full control of private repositories** and **Full control of orgs and teams, read and write org projects**
+- add the PAT to the repository actions secrets key with the name `PAT` and the value of the created PAT.