internal/task: add a workflow for publishing private x/ patches

This adds a workflow to relui which takes a patch from the private
internal gerrit instance for one of the golang.org/x/ repos and sends it
to the public gerrit, waits for it to be submitted, tags the repo, and
emails an announcement message to the various lists.

Requires a minor change to the HTML workflow template to allow for
non-slice textareas.

Updates golang/go#65756

Change-Id: Ica1ec5982545ddd7fff1e71bd33eb3281572017d
Reviewed-on: https://go-review.googlesource.com/c/build/+/559295
LUCI-TryBot-Result: Go LUCI <[email protected]>
Auto-Submit: Roland Shoemaker <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>

Author: rolandshoemaker

cmd/relui/main.go

@@ -307,6 +307,18 @@ func main() {
 	}
 	dh.RegisterDefinition("Sync go-private master branch with public", privateSyncTask.NewDefinition())
 
+	privateXPatchTask := &task.PrivXPatch{
+		PublicGerrit:  gerritClient,
+		PrivateGerrit: privateGerritClient,
+		PublicRepoURL: func(repo string) string {
+			return "https://go.googlesource.com/" + repo
+		},
+		ApproveAction:      relui.ApproveActionDep(dbPool),
+		SendMail:           mailFunc,
+		AnnounceMailHeader: annMail,
+	}
+	dh.RegisterDefinition("Publish a private patch to a x/ repo", privateXPatchTask.NewDefinition(tagTasks))
+
 	var base *url.URL
 	if *baseURL != "" {
 		base, err = url.Parse(*baseURL)

internal/relui/static/styles.css

@@ -229,6 +229,11 @@ h6 {
 .NewWorkflow-parameter--string input {
   flex-grow: 1;
 }
+.NewWorkflow-parameter--string textarea {
+  font-family: inherit;
+  height: 4rem;
+  width: 100%;
+}
 .NewWorkflow-parameter--slice textarea {
   font-family: inherit;
   height: 4rem;

internal/relui/templates/new_workflow.html

@@ -83,16 +83,6 @@ <h2>New Go Release</h2>
                 {{end}}
               </select>
             </div>
-          {{else if or (eq $p.Type.String "string") (eq $p.Type.String "task.Date")}}
-            <div class="NewWorkflow-parameter NewWorkflow-parameter--{{$p.Type.String}}">
-              <label for="workflow.params.{{$p.Name}}" title="{{$p.Doc}}">{{$p.Name}}</label>
-              <input
-                id="workflow.params.{{$p.Name}}"
-                name="workflow.params.{{$p.Name}}"
-                {{- with $p.HTMLInputType}}type="{{.}}"{{end}}
-                {{- if $p.RequireNonZero}}required{{end}}
-                placeholder="{{$p.Example}}" />
-            </div>
           {{else if eq $p.Type.String "[]string"}}
             <div class="NewWorkflow-parameter NewWorkflow-parameter--slice">
               <div class="NewWorkflow-parameterRow">
@@ -109,7 +99,25 @@ <h2>New Go Release</h2>
                 </button>
               </div>
             </div>
-            {{else if eq $p.Type.String "bool"}}
+          {{else if eq $p.HTMLElement "textarea"}}
+            <div class="NewWorkflow-parameter NewWorkflow-parameter--{{$p.Type.String}}">
+              <label for="workflow.params.{{$p.Name}}" title="{{$p.Doc}}">{{$p.Name}}</label>
+              <textarea
+                id="workflow.params.{{$p.Name}}"
+                name="workflow.params.{{$p.Name}}"
+                placeholder="{{$p.Example}}"></textarea>
+            </div>
+          {{else if or (eq $p.Type.String "string") (eq $p.Type.String "task.Date")}}
+            <div class="NewWorkflow-parameter NewWorkflow-parameter--{{$p.Type.String}}">
+              <label for="workflow.params.{{$p.Name}}" title="{{$p.Doc}}">{{$p.Name}}</label>
+              <input
+                id="workflow.params.{{$p.Name}}"
+                name="workflow.params.{{$p.Name}}"
+                {{- with $p.HTMLInputType}}type="{{.}}"{{end}}
+                {{- if $p.RequireNonZero}}required{{end}}
+                placeholder="{{$p.Example}}" />
+            </div>
+          {{else if eq $p.Type.String "bool"}}
             <div class="NewWorkflow-parameter NewWorkflow-parameter--bool">
               <label for="workflow.params.{{$p.Name}}" title="{{$p.Doc}}">{{$p.Name}}</label>
               <input

internal/task/fakes.go

@@ -118,10 +118,15 @@ func NewFakeRepo(t *testing.T, name string) *FakeRepo {
 		t.Skip("test requires git")
 	}
 
+	tmpDir := t.TempDir()
+	repoDir := filepath.Join(tmpDir, name)
+	if err := os.Mkdir(repoDir, 0700); err != nil {
+		t.Fatalf("failed to create repository directory: %s", err)
+	}
 	r := &FakeRepo{
 		t:    t,
 		name: name,
-		dir:  &GitDir{&Git{}, t.TempDir()},
+		dir:  &GitDir{&Git{}, repoDir},
 	}
 	t.Cleanup(func() { r.dir.Close() })
 	r.runGit("init")
@@ -330,6 +335,10 @@ func (*FakeGerrit) SetHashtags(_ context.Context, changeID string, _ gerrit.Hash
 	return fmt.Errorf("pretend that SetHashtags failed")
 }
 
+func (*FakeGerrit) GetChange(_ context.Context, _ string, _ ...gerrit.QueryChangesOpt) (*gerrit.ChangeInfo, error) {
+	return nil, nil
+}
+
 // NewFakeSignService returns a fake signing service that can sign PKGs, MSIs,
 // and generate GPG signatures. MSIs are "signed" by adding a suffix to them.
 // PKGs must actually be tarballs with a prefix of "I'm a PKG!\n". Any files

internal/task/gerrit.go

@@ -49,6 +49,8 @@ type GerritClient interface {
 	QueryChanges(ctx context.Context, query string) ([]*gerrit.ChangeInfo, error)
 	// SetHashtags modifies the hashtags for a CL.
 	SetHashtags(ctx context.Context, changeID string, hashtags gerrit.HashtagsInput) error
+	// GetChange gets information about a specific change.
+	GetChange(ctx context.Context, changeID string, opts ...gerrit.QueryChangesOpt) (*gerrit.ChangeInfo, error)
 }
 
 type RealGerritClient struct {
@@ -226,6 +228,10 @@ func (c *RealGerritClient) QueryChanges(ctx context.Context, query string) ([]*g
 	return c.Client.QueryChanges(ctx, query)
 }
 
+func (c *RealGerritClient) GetChange(ctx context.Context, changeID string, opts ...gerrit.QueryChangesOpt) (*gerrit.ChangeInfo, error) {
+	return c.Client.GetChange(ctx, changeID, opts...)
+}
+
 func (c *RealGerritClient) SetHashtags(ctx context.Context, changeID string, hashtags gerrit.HashtagsInput) error {
 	_, err := c.Client.SetHashtags(ctx, changeID, hashtags)
 	return err

internal/task/privx.go

@@ -0,0 +1,195 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package task
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"net/mail"
+	"regexp"
+	"slices"
+	"text/template"
+	"time"
+
+	"golang.org/x/build/gerrit"
+	wf "golang.org/x/build/internal/workflow"
+)
+
+type PrivXPatch struct {
+	PublicGerrit  GerritClient
+	PrivateGerrit GerritClient
+	// PublicRepoURL returns a git clone URL for repo
+	PublicRepoURL func(repo string) string
+
+	ApproveAction      func(*wf.TaskContext) error
+	SendMail           func(MailHeader, MailContent) error
+	AnnounceMailHeader MailHeader
+}
+
+func (x *PrivXPatch) NewDefinition(tagx *TagXReposTasks) *wf.Definition {
+	wd := wf.New()
+	// TODO: this should be simpler, CL number + patchset?
+	clNumber := wf.Param(wd, wf.ParamDef[string]{Name: "go-internal CL number", Example: "536316"})
+	reviewers := wf.Param(wd, reviewersParam)
+	repoName := wf.Param(wd, wf.ParamDef[string]{Name: "Repository name", Example: "net"})
+	// TODO: probably always want to skip, might make sense to not include this
+	skipPostSubmit := wf.Param(wd, wf.ParamDef[bool]{Name: "Skip post submit result (optional)", ParamType: wf.Bool})
+	cve := wf.Param(wd, wf.ParamDef[string]{Name: "CVE"})
+	githubIssue := wf.Param(wd, wf.ParamDef[string]{Name: "GitHub issue", Doc: "The GitHub issue number of the report.", Example: "#12345"})
+	relNote := wf.Param(wd, wf.ParamDef[string]{Name: "Release note", ParamType: wf.LongString})
+	acknowledgement := wf.Param(wd, wf.ParamDef[string]{Name: "Acknowledgement"})
+
+	repos := wf.Task0(wd, "Load all repositories", tagx.SelectRepos)
+
+	repos = wf.Task4(wd, "Publish change", func(ctx *wf.TaskContext, clNumber string, reviewers []string, repos []TagRepo, repoName string) ([]TagRepo, error) {
+		if !slices.ContainsFunc(repos, func(r TagRepo) bool { return r.Name == repoName }) {
+			return nil, fmt.Errorf("no repository %q", repoName)
+		}
+
+		changeInfo, err := x.PrivateGerrit.GetChange(ctx, clNumber, gerrit.QueryChangesOpt{Fields: []string{"CURRENT_REVISION"}})
+		if err != nil {
+			return nil, err
+		}
+		if changeInfo.Project != repoName {
+			return nil, fmt.Errorf("CL is for unexpected project, got: %s, want %s", changeInfo.Project, repoName)
+		}
+		if changeInfo.Status != gerrit.ChangeStatusMerged {
+			return nil, fmt.Errorf("CL %s not merged, status is %s", clNumber, changeInfo.Status)
+		}
+		rev, ok := changeInfo.Revisions[changeInfo.CurrentRevision]
+		if !ok {
+			return nil, errors.New("current revision not found")
+		}
+		fetch, ok := rev.Fetch["http"]
+		if !ok {
+			return nil, errors.New("fetch info not found")
+		}
+		origin, ref := fetch.URL, fetch.Ref
+
+		// We directly use Git here, rather than the Gerrit API, as there are
+		// limitations to the types of patches which you can create using said
+		// API. In particular patches which contain any binary content are hard
+		// to replicate from one instance to another using the API alone. Rather
+		// than adding workarounds for those edge cases, we just use Git
+		// directly, which makes the process extremely simple.
+		git := &Git{}
+
+		repo, err := git.Clone(ctx, x.PublicRepoURL(repoName))
+		if err != nil {
+			return nil, err
+		}
+		ctx.Printf("cloned repo into %s", repo.dir)
+
+		ctx.Printf("fetching %s from %s", ref, origin)
+		if _, err := repo.RunCommand(ctx.Context, "fetch", origin, ref); err != nil {
+			return nil, err
+		}
+		ctx.Printf("fetched")
+		if _, err := repo.RunCommand(ctx.Context, "cherry-pick", "FETCH_HEAD"); err != nil {
+			return nil, err
+		}
+		ctx.Printf("cherry-picked")
+		refspec := "HEAD:refs/for/master%l=Auto-Submit,l=Commit-Queue+1"
+		for _, reviewer := range reviewers {
+			refspec += ",r=" + reviewer
+		}
+
+		// Beyond this point we don't want to retry any of the following steps.
+		ctx.DisableRetries()
+
+		ctx.Printf("pusing to %s", x.PublicRepoURL(repoName))
+		// We are unable to use repo.RunCommand here, because of strange i/o
+		// changes that git made. The messages sent by the remote are printed by
+		// git to stderr, and no matter what combination of options you pass it
+		// (--verbose, --porcelain, etc), you cannot reasonably convince it to
+		// print those messages to stdout. Because of this we need to use the
+		// underlying repo.git.runGitStreamed method, so that we can inspect
+		// stderr in order to extract the new CL number that gerrit sends us.
+		var stdout, stderr bytes.Buffer
+		err = repo.git.runGitStreamed(ctx.Context, &stdout, &stderr, repo.dir, "push", x.PublicRepoURL(repoName), refspec)
+		if err != nil {
+			return nil, err
+		}
+
+		// Extract the CL number from the output using a quick and dirty regex.
+		re, err := regexp.Compile(fmt.Sprintf(`https:\/\/go-review.googlesource.com\/c\/%s\/\+\/(\d+)`, regexp.QuoteMeta(repoName)))
+		if err != nil {
+			return nil, err
+		}
+		matches := re.FindSubmatch(stderr.Bytes())
+		if len(matches) != 2 {
+			return nil, errors.New("unable to find CL number")
+		}
+		changeID := string(matches[1])
+
+		ctx.Printf("Awaiting review/submit of %v", changeID)
+		_, err = AwaitCondition(ctx, 10*time.Second, func() (string, bool, error) {
+			return x.PublicGerrit.Submitted(ctx, changeID, "")
+		})
+		if err != nil {
+			return nil, err
+		}
+		return repos, nil
+	}, clNumber, reviewers, repos, repoName)
+
+	tagged := wf.Expand4(wd, "Create single-repo plan", tagx.BuildSingleRepoPlan, repos, repoName, skipPostSubmit, reviewers)
+
+	okayToAnnoucne := wf.Action0(wd, "Wait to Announce", x.ApproveAction, wf.After(tagged))
+
+	wf.Task5(wd, "Mail announcement", func(ctx *wf.TaskContext, tagged TagRepo, cve string, githubIssue string, relNote string, acknowledgement string) (string, error) {
+		var buf bytes.Buffer
+		if err := privXPatchAnnouncementTmpl.Execute(&buf, map[string]string{
+			"Module":          tagged.ModPath,
+			"Version":         tagged.NewerVersion,
+			"RelNote":         relNote,
+			"Acknowledgement": acknowledgement,
+			"CVE":             cve,
+			"GithubIssue":     githubIssue,
+		}); err != nil {
+			return "", err
+		}
+		m, err := mail.ReadMessage(&buf)
+		if err != nil {
+			return "", err
+		}
+		html, text, err := renderMarkdown(m.Body)
+		if err != nil {
+			return "", err
+		}
+
+		mc := MailContent{m.Header.Get("Subject"), html, text}
+
+		ctx.Printf("announcement subject: %s\n\n", mc.Subject)
+		ctx.Printf("announcement body HTML:\n%s\n", mc.BodyHTML)
+		ctx.Printf("announcement body text:\n%s", mc.BodyText)
+
+		ctx.DisableRetries()
+		err = x.SendMail(x.AnnounceMailHeader, mc)
+		if err != nil {
+			return "", err
+		}
+
+		return "", nil
+	}, tagged, cve, githubIssue, relNote, acknowledgement, wf.After(okayToAnnoucne))
+
+	wf.Output(wd, "done", tagged)
+	return wd
+}
+
+var privXPatchAnnouncementTmpl = template.Must(template.New("").Parse(`Subject: [security] Vulnerability in {{.Module}}
+
+Hello gophers,
+
+We have tagged version {{.Version}} of {{.Module}} in order to address a security issue.
+
+{{.RelNote}}
+
+Thanks to {{.Acknowledgement}} for reporting this issue.
+
+This is {{.CVE}} and Go issue {{.GithubIssue}}.
+
+Cheers,
+Go Security team`))