Merge pull request #7243 from jonchang/artifact-scopes

pr-pull: update for GPG, various permission fixes

Library/Homebrew/bintray.rb

@@ -24,9 +24,11 @@ class Bintray
       end
     end
 
+    raise UsageError, "Must set a Bintray organisation!" unless @bintray_org
+
     ENV["HOMEBREW_FORCE_HOMEBREW_ON_LINUX"] = "1" if @bintray_org == "homebrew" && !OS.mac?
 
-    ENV.clear_sensitive_environment! if clear
+    ENV.delete "HOMEBREW_BINTRAY_KEY" if clear
   end
 
   def open_api(url, *extra_curl_args, auth: true)
@@ -98,6 +100,7 @@ class Bintray
         filename = tag_hash["filename"]
         sha256 = tag_hash["sha256"]
 
+        odebug "Checking remote file #{@bintray_org}/#{bintray_repo}/#{filename}"
         if file_published? repo: bintray_repo, remote_file: filename
           raise Error, <<~EOS
             #{filename} is already published.
@@ -110,10 +113,12 @@ class Bintray
         end
 
         if !formula_packaged[formula_name] && !package_exists?(repo: bintray_repo, package: bintray_package)
+          odebug "Creating package #{@bintray_org}/#{bintray_repo}/#{package}"
           create_package repo: bintray_repo, package: bintray_package
           formula_packaged[formula_name] = true
         end
 
+        odebug "Uploading #{@bintray_org}/#{bintray_repo}/#{bintray_package}/#{version}/#{tag_hash["local_filename"]}"
         upload(tag_hash["local_filename"],
                repo:        bintray_repo,
                package:     bintray_package,
@@ -121,7 +126,10 @@ class Bintray
                remote_file: filename,
                sha256:      sha256)
       end
-      publish repo: bintray_repo, package: bintray_package, version: version if publish_package
+      if publish_package
+        odebug "Publishing #{@bintray_org}/#{bintray_repo}/#{bintray_package}/#{version}"
+        publish repo: bintray_repo, package: bintray_package, version: version
+      end
     end
   end
 end

Library/Homebrew/dev-cmd/pr-pull.rb

@@ -46,6 +46,27 @@ module Homebrew
     end
   end
 
+  def setup_git_environment!
+    # Passthrough Git environment variables
+    ENV["GIT_COMMITTER_NAME"] = ENV["HOMEBREW_GIT_NAME"] if ENV["HOMEBREW_GIT_NAME"]
+    ENV["GIT_COMMITTER_EMAIL"] = ENV["HOMEBREW_GIT_EMAIL"] if ENV["HOMEBREW_GIT_EMAIL"]
+
+    # Depending on user configuration, git may try to invoke gpg.
+    return unless Utils.popen_read("git config --get --bool commit.gpgsign").chomp == "true"
+
+    begin
+      gnupg = Formula["gnupg"]
+    rescue FormulaUnavailableError
+      nil
+    else
+      if gnupg.installed?
+        path = PATH.new(ENV.fetch("PATH"))
+        path.prepend(gnupg.installed_prefix/"bin")
+        ENV["PATH"] = path
+      end
+    end
+  end
+
   def signoff!(pr, path: ".", dry_run: false)
     message = Utils.popen_read "git", "-C", path, "log", "-1", "--pretty=%B"
     close_message = "Closes ##{pr}."
@@ -98,18 +119,20 @@ module Homebrew
 
     bintray_user = ENV["HOMEBREW_BINTRAY_USER"]
     bintray_key = ENV["HOMEBREW_BINTRAY_KEY"]
-    ENV.clear_sensitive_environment!
+    bintray_org = args.bintray_org || "homebrew"
 
     if bintray_user.blank? || bintray_key.blank?
       odie "Missing HOMEBREW_BINTRAY_USER or HOMEBREW_BINTRAY_KEY variables!" if !args.dry_run? && !args.no_upload?
     else
-      bintray = Bintray.new(user: bintray_user, key: bintray_key, org: args.bintray_org)
+      bintray = Bintray.new(user: bintray_user, key: bintray_key, org: bintray_org)
     end
 
     workflow = args.workflow || "tests.yml"
     artifact = args.artifact || "bottles"
     tap = Tap.fetch(args.tap || "homebrew/core")
 
+    setup_git_environment!
+
     args.named.each do |arg|
       arg = "#{tap.default_remote}/pull/#{arg}" if arg.to_i.positive?
       url_match = arg.match HOMEBREW_PULL_OR_COMMIT_URL_REGEX

Library/Homebrew/utils/github.rb

@@ -440,12 +440,13 @@ module GitHub
   end
 
   def fetch_artifact(user, repo, pr, dir, workflow_id: "tests.yml", artifact_name: "bottles")
+    scopes = CREATE_ISSUE_FORK_OR_PR_SCOPES
     base_url = "#{API_URL}/repos/#{user}/#{repo}"
-    pr_payload = open_api("#{base_url}/pulls/#{pr}")
+    pr_payload = open_api("#{base_url}/pulls/#{pr}", scopes: scopes)
     pr_sha = pr_payload["head"]["sha"]
     pr_branch = pr_payload["head"]["ref"]
 
-    workflow = open_api("#{base_url}/actions/workflows/#{workflow_id}/runs?branch=#{pr_branch}")
+    workflow = open_api("#{base_url}/actions/workflows/#{workflow_id}/runs?branch=#{pr_branch}", scopes: scopes)
     workflow_run = workflow["workflow_runs"].select do |run|
       run["head_sha"] == pr_sha
     end
@@ -468,7 +469,7 @@ module GitHub
       EOS
     end
 
-    artifacts = open_api(workflow_run.first["artifacts_url"])
+    artifacts = open_api(workflow_run.first["artifacts_url"], scopes: scopes)
 
     artifact = artifacts["artifacts"].select do |art|
       art["name"] == artifact_name
@@ -489,6 +490,8 @@ module GitHub
       curl_args = { user: "#{username}:#{token}" }
     when :env_token
       curl_args = { header: "Authorization: token #{token}" }
+    when :none
+      raise Error, "Credentials must be set to access the Artifacts API"
     end
 
     # Download the artifact as a zip file and unpack it into `dir`. This is