# frozen_string_literal: true require "tempfile" require "uri" module GitHub module_function API_URL = "https://api.github.com" CREATE_GIST_SCOPES = ["gist"].freeze CREATE_ISSUE_FORK_OR_PR_SCOPES = ["public_repo"].freeze ALL_SCOPES = (CREATE_GIST_SCOPES + CREATE_ISSUE_FORK_OR_PR_SCOPES).freeze ALL_SCOPES_URL = Formatter.url( "https://github.com/settings/tokens/new?scopes=#{ALL_SCOPES.join(",")}&description=Homebrew", ).freeze PR_ENV_KEY = "HOMEBREW_NEW_FORMULA_PULL_REQUEST_URL" PR_ENV = ENV[PR_ENV_KEY] class Error < RuntimeError attr_reader :github_message end class HTTPNotFoundError < Error def initialize(github_message) @github_message = github_message super end end class RateLimitExceededError < Error def initialize(reset, github_message) @github_message = github_message super <<~EOS GitHub API Error: #{github_message} Try again in #{pretty_ratelimit_reset(reset)}, or create a personal access token: #{ALL_SCOPES_URL} #{Utils::Shell.set_variable_in_profile("HOMEBREW_GITHUB_API_TOKEN", "your_token_here")} EOS end def pretty_ratelimit_reset(reset) pretty_duration(Time.at(reset) - Time.now) end end class AuthenticationFailedError < Error def initialize(github_message) @github_message = github_message message = +"GitHub #{github_message}:" message << if Homebrew::EnvConfig.github_api_token <<~EOS HOMEBREW_GITHUB_API_TOKEN may be invalid or expired; check: #{Formatter.url("https://github.com/settings/tokens")} EOS else <<~EOS The GitHub credentials in the macOS keychain may be invalid. Clear them with: printf "protocol=https\\nhost=github.com\\n" | git credential-osxkeychain erase Or create a personal access token: #{ALL_SCOPES_URL} #{Utils::Shell.set_variable_in_profile("HOMEBREW_GITHUB_API_TOKEN", "your_token_here")} EOS end super message.freeze end end class ValidationFailedError < Error def initialize(github_message, errors) @github_message = if errors.empty? github_message else "#{github_message}: #{errors}" end super(@github_message) end end def env_username_password return unless Homebrew::EnvConfig.github_api_username return unless Homebrew::EnvConfig.github_api_password [Homebrew::EnvConfig.github_api_password, Homebrew::EnvConfig.github_api_username] end def keychain_username_password github_credentials = Utils.popen(["git", "credential-osxkeychain", "get"], "w+") do |pipe| pipe.write "protocol=https\nhost=github.com\n" pipe.close_write pipe.read end github_username = github_credentials[/username=(.+)/, 1] github_password = github_credentials[/password=(.+)/, 1] return unless github_username # Don't use passwords from the keychain unless they look like # GitHub Personal Access Tokens: # https://github.com/Homebrew/brew/issues/6862#issuecomment-572610344 return unless /^[a-f0-9]{40}$/i.match?(github_password) [github_password, github_username] rescue Errno::EPIPE # The above invocation via `Utils.popen` can fail, causing the pipe to be # prematurely closed (before we can write to it) and thus resulting in a # broken pipe error. The root cause is usually a missing or malfunctioning # `git-credential-osxkeychain` helper. nil end def api_credentials @api_credentials ||= begin Homebrew::EnvConfig.github_api_token || env_username_password || keychain_username_password end end def api_credentials_type if Homebrew::EnvConfig.github_api_token :env_token elsif env_username_password :env_username_password elsif keychain_username_password :keychain_username_password else :none end end def api_credentials_error_message(response_headers, needed_scopes) return if response_headers.empty? @api_credentials_error_message ||= begin unauthorized = (response_headers["http/1.1"] == "401 Unauthorized") scopes = response_headers["x-accepted-oauth-scopes"].to_s.split(", ") if unauthorized && scopes.blank? needed_human_scopes = needed_scopes.join(", ") credentials_scopes = response_headers["x-oauth-scopes"] return if needed_human_scopes.blank? && credentials_scopes.blank? needed_human_scopes = "none" if needed_human_scopes.blank? credentials_scopes = "none" if credentials_scopes.blank? case GitHub.api_credentials_type when :keychain_username_password onoe <<~EOS Your macOS keychain GitHub credentials do not have sufficient scope! Scopes they need: #{needed_human_scopes} Scopes they have: #{credentials_scopes} Create a personal access token: #{ALL_SCOPES_URL} #{Utils::Shell.set_variable_in_profile("HOMEBREW_GITHUB_API_TOKEN", "your_token_here")} EOS when :env_token onoe <<~EOS Your HOMEBREW_GITHUB_API_TOKEN does not have sufficient scope! Scopes it needs: #{needed_human_scopes} Scopes it has: #{credentials_scopes} Create a new personal access token: #{ALL_SCOPES_URL} #{Utils::Shell.set_variable_in_profile("HOMEBREW_GITHUB_API_TOKEN", "your_token_here")} EOS end end true end end def open_api(url, data: nil, request_method: nil, scopes: [].freeze, parse_json: true) # This is a no-op if the user is opting out of using the GitHub API. return block_given? ? yield({}) : {} if Homebrew::EnvConfig.no_github_api? args = ["--header", "Accept: application/vnd.github.v3+json", "--write-out", "\n%\{http_code}"] args += ["--header", "Accept: application/vnd.github.antiope-preview+json"] token, username = api_credentials case api_credentials_type when :env_username_password, :keychain_username_password args += ["--user", "#{username}:#{token}"] when :env_token args += ["--header", "Authorization: token #{token}"] end data_tmpfile = nil if data begin data = JSON.generate data data_tmpfile = Tempfile.new("github_api_post", HOMEBREW_TEMP) rescue JSON::ParserError => e raise Error, "Failed to parse JSON request:\n#{e.message}\n#{data}", e.backtrace end end headers_tmpfile = Tempfile.new("github_api_headers", HOMEBREW_TEMP) begin if data data_tmpfile.write data data_tmpfile.close args += ["--data", "@#{data_tmpfile.path}"] args += ["--request", request_method.to_s] if request_method end args += ["--dump-header", headers_tmpfile.path] output, errors, status = curl_output("--location", url.to_s, *args, secrets: [token]) output, _, http_code = output.rpartition("\n") output, _, http_code = output.rpartition("\n") if http_code == "000" headers = headers_tmpfile.read ensure if data_tmpfile data_tmpfile.close data_tmpfile.unlink end headers_tmpfile.close headers_tmpfile.unlink end begin raise_api_error(output, errors, http_code, headers, scopes) if !http_code.start_with?("2") || !status.success? return if http_code == "204" # No Content output = JSON.parse output if parse_json if block_given? yield output else output end rescue JSON::ParserError => e raise Error, "Failed to parse JSON response\n#{e.message}", e.backtrace end end def raise_api_error(output, errors, http_code, headers, scopes) json = begin JSON.parse(output) rescue nil end message = json&.[]("message") || "curl failed! #{errors}" meta = {} headers.lines.each do |l| key, _, value = l.delete(":").partition(" ") key = key.downcase.strip next if key.empty? meta[key] = value.strip end if meta.fetch("x-ratelimit-remaining", 1).to_i <= 0 reset = meta.fetch("x-ratelimit-reset").to_i raise RateLimitExceededError.new(reset, message) end GitHub.api_credentials_error_message(meta, scopes) case http_code when "401", "403" raise AuthenticationFailedError, message when "404" raise HTTPNotFoundError, message when "422" errors = json&.[]("errors") || [] raise ValidationFailedError.new(message, errors) else raise Error, message end end def check_runs(repo: nil, commit: nil, pr: nil) if pr repo = pr.fetch("base").fetch("repo").fetch("full_name") commit = pr.fetch("head").fetch("sha") end open_api(url_to("repos", repo, "commits", commit, "check-runs")) end def create_check_run(repo:, data:) open_api(url_to("repos", repo, "check-runs"), data: data) end def search_issues(query, **qualifiers) search("issues", query, **qualifiers) end def repository(user, repo) open_api(url_to("repos", user, repo)) end def search_code(**qualifiers) search("code", **qualifiers) end def issues_for_formula(name, options = {}) tap = options[:tap] || CoreTap.instance tap_full_name = options[:tap_full_name] || tap.full_name search_issues(name, state: "open", repo: tap_full_name, in: "title") end def user @user ||= open_api("#{API_URL}/user") end def permission(repo, user) open_api("#{API_URL}/repos/#{repo}/collaborators/#{user}/permission") end def write_access?(repo, user = nil) user ||= self.user["login"] ["admin", "write"].include?(permission(repo, user)["permission"]) end def pull_requests(repo, **options) url = "#{API_URL}/repos/#{repo}/pulls?#{URI.encode_www_form(options)}" open_api(url) end def merge_pull_request(repo, number:, sha:, merge_method:, commit_message: nil) url = "#{API_URL}/repos/#{repo}/pulls/#{number}/merge" data = { sha: sha, merge_method: merge_method } data[:commit_message] = commit_message if commit_message open_api(url, data: data, request_method: :PUT, scopes: CREATE_ISSUE_FORK_OR_PR_SCOPES) end def print_pull_requests_matching(query) open_or_closed_prs = search_issues(query, type: "pr", user: "Homebrew") open_prs = open_or_closed_prs.select { |i| i["state"] == "open" } prs = if !open_prs.empty? puts "Open pull requests:" open_prs else puts "Closed pull requests:" unless open_or_closed_prs.empty? open_or_closed_prs.take(20) end prs.each { |i| puts "#{i["title"]} (#{i["html_url"]})" } end def create_fork(repo) url = "#{API_URL}/repos/#{repo}/forks" data = {} scopes = CREATE_ISSUE_FORK_OR_PR_SCOPES open_api(url, data: data, scopes: scopes) end def check_fork_exists(repo) _, reponame = repo.split("/") case api_credentials_type when :env_username_password, :keychain_username_password _, username = api_credentials when :env_token username = open_api(url_to("user")) { |json| json["login"] } end json = open_api(url_to("repos", username, reponame)) return false if json["message"] == "Not Found" true end def create_pull_request(repo, title, head, base, body) url = "#{API_URL}/repos/#{repo}/pulls" data = { title: title, head: head, base: base, body: body } scopes = CREATE_ISSUE_FORK_OR_PR_SCOPES open_api(url, data: data, scopes: scopes) end def private_repo?(full_name) uri = url_to "repos", full_name open_api(uri) { |json| json["private"] } end def query_string(*main_params, **qualifiers) params = main_params params += qualifiers.flat_map do |key, value| Array(value).map { |v| "#{key}:#{v}" } end "q=#{URI.encode_www_form_component(params.join(" "))}&per_page=100" end def url_to(*subroutes) URI.parse([API_URL, *subroutes].join("/")) end def search(entity, *queries, **qualifiers) uri = url_to "search", entity uri.query = query_string(*queries, **qualifiers) open_api(uri) { |json| json.fetch("items", []) } end def create_issue_comment(body) return false unless PR_ENV _, user, repo, pr = *PR_ENV.match(HOMEBREW_PULL_OR_COMMIT_URL_REGEX) if !user || !repo || !pr opoo <<-EOS.undent #{PR_ENV_KEY} set but regex matched: user: #{user.inspect}, repo: #{repo.inspect}, pr: #{pr.inspect} EOS return false end url = "#{API_URL}/repos/#{user}/#{repo}/issues/#{pr}/comments" data = { "body" => body } if issue_comment_exists?(user, repo, pr, body) ohai "Skipping: identical comment exists on #{PR_ENV}" return true end scopes = CREATE_ISSUE_FORK_OR_PR_SCOPES open_api(url, data: data, scopes: scopes) end def issue_comment_exists?(user, repo, pr, body) url = "#{API_URL}/repos/#{user}/#{repo}/issues/#{pr}/comments" comments = open_api(url) return unless comments comments.any? { |comment| comment["body"].eql?(body) } end def dispatch_event(user, repo, event, **payload) url = "#{API_URL}/repos/#{user}/#{repo}/dispatches" open_api(url, data: { event_type: event, client_payload: payload }, request_method: :POST, scopes: CREATE_ISSUE_FORK_OR_PR_SCOPES) end def get_artifact_url(user, repo, pr, workflow_id: "tests.yml", artifact_name: "bottles") scopes = CREATE_ISSUE_FORK_OR_PR_SCOPES base_url = "#{API_URL}/repos/#{user}/#{repo}" pr_payload = open_api("#{base_url}/pulls/#{pr}", scopes: scopes) pr_sha = pr_payload["head"]["sha"] pr_branch = URI.encode_www_form_component(pr_payload["head"]["ref"]) workflow = open_api("#{base_url}/actions/workflows/#{workflow_id}/runs?branch=#{pr_branch}", scopes: scopes) workflow_run = workflow["workflow_runs"].select do |run| run["head_sha"] == pr_sha end if workflow_run.empty? raise Error, <<~EOS No matching workflow run found for these criteria! Commit SHA: #{pr_sha} Branch ref: #{pr_branch} Pull request: #{pr} Workflow: #{workflow_id} EOS end status = workflow_run.first["status"].sub("_", " ") if status != "completed" raise Error, <<~EOS The newest workflow run for ##{pr} is still #{status}! #{Formatter.url workflow_run.first["html_url"]} EOS end artifacts = open_api(workflow_run.first["artifacts_url"], scopes: scopes) artifact = artifacts["artifacts"].select do |art| art["name"] == artifact_name end if artifact.empty? raise Error, <<~EOS No artifact with the name `#{artifact_name}` was found! #{Formatter.url workflow_run.first["html_url"]} EOS end artifact.first["archive_download_url"] end def sponsors_by_tier(user) url = "https://api.github.com/graphql" data = { query: <<~EOS, { organization(login: "#{user}") { sponsorsListing { tiers(first: 100) { nodes { monthlyPriceInDollars adminInfo { sponsorships(first: 100) { totalCount nodes { sponsor { login } } } } } } } } } EOS } open_api(url, scopes: ["admin:org", "user"], data: data, request_method: "POST") end def api_errors [GitHub::AuthenticationFailedError, GitHub::HTTPNotFoundError, GitHub::RateLimitExceededError, GitHub::Error, JSON::ParserError].freeze end end