Triggering CI based on approval for PR

Problem statement:

Currently, for every pull request, there will be CircleCI and Sonarcloud check for all the repositories.For CircleCI build, we are passing few secrets (encrypted) like sonar token and npm token. This secret can be viewed by updating the CircleCI steps(using echo/cat command).

Solution:

Approval based CI trigger for a pull request:

By adding this approval based trigger reviewer can make sure that there is no such configuration changes that expose the secrets and approve the CI build.

Using manual job approval in CircleCI:

In CircleCI itself we can set manual approval for a job. Workflows can be configured to wait for manual approval of a job before continuing to the next job. Anyone who has to push access to the repository can click the Approval button to continue the workflow.

To achieve this we have to update the CircleCI config file. Below is the sample config file.

version: 2.1
jobs:
  hold:
    docker:
      - image: circleci/node:12
    steps:
      - run: printf "A hold job to wait for a manual approval"
  build:
    working_directory: ~/project
    docker:
      - image: circleci/node:12 
    steps:
      - checkout
      - run: npm install
   
      - run:
          name: Publish to NPM
          command: |
            if [ -z $CIRCLE_PR_NUMBER ]; then 
              npm set //registry.npmjs.org/:_authToken=$NPM_TOKEN
              npm publish ~/project 
            else
              echo "Nothing to publish!" 
            fi
      - run:
          name: comment jira id
          command: |
             ticket=$(curl -XGET https://api.github.com/repos/$CIRCLE_PROJECT_USERNAME/$CIRCLE_PROJECT_REPONAME/pulls/$CIRCLE_PR_NUMBER | jq .title -r | awk -F ' ' '{print $2}' | sed 's/\#//g' | sed 's/\://'g)
             curl \
              -X POST \
              -u $OAUTH_TOKEN:x-oauth-basic \
              -d '{"body": "The Respective JIRA ticket URL for the PR is - https://project-sunbird.atlassian.net/browse/'"$ticket"/'."}' \
                     https://api.github.com/repos/$CIRCLE_PROJECT_USERNAME/$CIRCLE_PROJECT_REPONAME/issues/$CIRCLE_PR_NUMBER/comments
workflows:
  version: 2
  build-workflow:
    jobs:
      - hold:
          type: approval
      - build:
          requires:
            - hold

Commenting back the Jira URL in the pull request.

As part of the last step in the CircleCI build, we can comment by constructing the respective Jira ticket URL so that anyone can just click on the URL and see the respective Jira ticket. This can be achieved by using conventional commit message format.

Commenting on the pull request to approve the CI.

Triggering the CircleCI build just be commenting on the pull request with specified commands/words.