This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Bytebase Masking Policy Update 3 | |
| on: | |
| pull_request: | |
| types: [closed] | |
| branches: | |
| - main | |
| workflow_dispatch: | |
| jobs: | |
| bytebase-masking-3: | |
| if: github.event.pull_request.merged == true | |
| runs-on: ubuntu-latest | |
| permissions: | |
| pull-requests: write | |
| issues: write | |
| contents: read | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| fetch-depth: 0 | |
| - name: Login Bytebase | |
| id: bytebase-login | |
| uses: bytebase/[email protected] | |
| with: | |
| bytebase-url: ${{ secrets.BYTEBASE_URL }} | |
| service-key: ${{ secrets.BYTEBASE_SERVICE_KEY }} | |
| service-secret: ${{ secrets.BYTEBASE_SERVICE_SECRET }} | |
| - name: Get changed files | |
| id: changed-files | |
| uses: tj-actions/changed-files@v42 | |
| with: | |
| files: | | |
| masking/data-classification.json | |
| masking/global-masking-rule.json | |
| since_last_remote_commit: true | |
| fetch_depth: 0 | |
| include_all_old_new_renamed_files: true | |
| - name: Debug changed files | |
| run: | | |
| echo "All changed and added files:" | |
| echo "Modified files: ${{ steps.changed-files.outputs.modified_files }}" | |
| echo "Added files: ${{ steps.changed-files.outputs.added_files }}" | |
| echo "All changes: ${{ steps.changed-files.outputs.all_changed_files }}" | |
| - name: Debug changed files in detail | |
| run: | | |
| echo "All changed files:" | |
| echo "${{ steps.changed-files.outputs.all_changed_files }}" | |
| echo "Contains data-classification.json: ${{ contains(steps.changed-files.outputs.all_changed_files, 'data-classification.json') }}" | |
| echo "Contains global-masking-rule.json: ${{ contains(steps.changed-files.outputs.all_changed_files, 'global-masking-rule.json') }}" | |
| echo "Raw output:" | |
| echo "${{ toJSON(steps.changed-files.outputs) }}" | |
| - name: Apply data classification | |
| id: apply-data-classification | |
| if: ${{ steps.changed-files.outputs.any_changed == 'true' && contains(steps.changed-files.outputs.all_changed_files, 'data-classification.json') }} | |
| run: | | |
| CHANGED_FILE="masking/data-classification.json" | |
| echo "Processing: $CHANGED_FILE" | |
| response=$(curl -s -w "\n%{http_code}" --request PATCH "${{ steps.bytebase-login.outputs.api_url }}/settings/bb.workspace.data-classification" \ | |
| --header "Authorization: Bearer ${{ steps.bytebase-login.outputs.token }}" \ | |
| --header "Content-Type: application/json" \ | |
| --data @"$CHANGED_FILE") | |
| # Extract status code and response body | |
| status_code=$(echo "$response" | tail -n1) | |
| body=$(echo "$response" | sed '$d') | |
| echo "status_code=${status_code}" >> $GITHUB_OUTPUT | |
| echo "response_body<<EOF" >> $GITHUB_OUTPUT | |
| echo "${body}" >> $GITHUB_OUTPUT | |
| echo "EOF" >> $GITHUB_OUTPUT | |
| if [[ $status_code -lt 200 || $status_code -ge 300 ]]; then | |
| echo "Failed with status code: $status_code" | |
| exit 1 | |
| fi | |
| - name: Apply global masking rule | |
| id: apply-global-masking-rule | |
| if: ${{ steps.changed-files.outputs.any_changed == 'true' && contains(steps.changed-files.outputs.all_changed_files, 'global-masking-rule.json') }} | |
| run: | | |
| # Process all global-masking-rule.json files | |
| echo "${{ steps.changed-files.outputs.all_changed_files }}" | tr ' ' '\n' | grep "global-masking-rule.json" | while read -r CHANGED_FILE; do | |
| echo "Processing: $CHANGED_FILE" | |
| response=$(curl -s -w "\n%{http_code}" --request PATCH "${{ steps.bytebase-login.outputs.api_url }}/policies/masking_rule?allow_missing=true&update_mask=payload" \ | |
| --header "Authorization: Bearer ${{ steps.bytebase-login.outputs.token }}" \ | |
| --header "Content-Type: application/json" \ | |
| --data @"$CHANGED_FILE") | |
| # Extract status code and response body | |
| status_code=$(echo "$response" | tail -n1) | |
| body=$(echo "$response" | sed '$d') | |
| echo "Status code: $status_code" | |
| echo "Response body: $body" | |
| # Append to outputs (with unique identifiers) | |
| if [[ $status_code -ge 200 && $status_code -lt 300 ]]; then | |
| echo "${body}" >> $GITHUB_OUTPUT | |
| else | |
| echo "Failed with status code: $status_code" | |
| echo "Response body: ${body}" | |
| if [[ $status_code -eq 403 ]]; then | |
| echo "Access denied. Please check your permissions and API token." | |
| fi | |
| exit 1 | |
| fi | |
| done | |
| - name: Comment on PR | |
| uses: actions/github-script@v7 | |
| env: | |
| CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }} | |
| with: | |
| script: | | |
| const changedFiles = process.env.CHANGED_FILES || ''; | |
| let commentBody = `### Masking Policy Update 3 Summary\n\n`; | |
| // Add status of merge | |
| commentBody += `✅ **PR Status:** Merged\n\n`; | |
| // Add changed files section | |
| commentBody += `📝 **Changed Files:**\n\n`; | |
| if (changedFiles.trim()) { | |
| commentBody += changedFiles.split(' ').map(f => `- ${f}`).join('\n'); | |
| } else { | |
| commentBody += `None`; | |
| } | |
| commentBody += '\n\n'; | |
| // Add API calls summary | |
| commentBody += `🔄 **API Calls:**\n\n`; | |
| let apiCallsFound = false; | |
| if (changedFiles.includes('masking-algorithm.json')) { | |
| const status = ${{ toJSON(steps.apply-masking-algorithm.outputs) }}.status_code; | |
| if (status) { | |
| apiCallsFound = true; | |
| const success = status >= 200 && status < 300; | |
| commentBody += `- Column Masking: ${success ? '✅' : '❌'} ${status}\n`; | |
| } | |
| } | |
| if (changedFiles.includes('semantic-type.json')) { | |
| const exceptionStatuses = Object.keys(${{ toJSON(steps.apply-semantic-type.outputs) }} || {}) | |
| .filter(key => key.startsWith('status_code_')) | |
| .map(key => ({ | |
| name: key.replace('status_code_', ''), | |
| status: ${{ toJSON(steps.apply-semantic-type.outputs) }}[key] | |
| })); | |
| exceptionStatuses.forEach(({name, status}) => { | |
| apiCallsFound = true; | |
| const success = status >= 200 && status < 300; | |
| commentBody += `- Masking Exception (${name}): ${success ? '✅' : '❌'} ${status}\n`; | |
| }); | |
| } | |
| if (!apiCallsFound) { | |
| commentBody += `None`; | |
| } | |
| await github.rest.issues.createComment({ | |
| ...context.repo, | |
| issue_number: context.issue.number, | |
| body: commentBody | |
| }); |