From 029c655adca03bdcac79da80aa9f0136a0bd1515 Mon Sep 17 00:00:00 2001
From: Gary Verhaegen <gary.verhaegen@digitalasset.com>
Date: Thu, 10 Dec 2020 10:08:28 +0100
Subject: [PATCH] blackduck: open PR on NOTICES file change (#8215)

CHANGELOG_BEGIN
CHANGELOG_END
---
 azure-pipelines.yml      | 26 +++++---------------------
 ci/bash-lib.yml          | 23 +++++++++++++++++++++++
 ci/cron/daily-compat.yml | 23 ++++++++++++++++++++---
 3 files changed, 48 insertions(+), 24 deletions(-)

diff --git a/azure-pipelines.yml b/azure-pipelines.yml
index 19bafc97b0..957cc74239 100644
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@@ -578,32 +578,16 @@ jobs:
             fi
         done
 
-        AUTH="$(get_gh_auth_header)"
-
         trap "git checkout $(branch_sha)" EXIT
         git checkout origin/master
-        BRANCH=update-compat-versions-for-$(release_tag)
-        # if this is a rerun, branch might already exist
-        git branch -D $BRANCH || true
-        git checkout -b $BRANCH
         cp .bazelrc compatibility/
         compatibility/update-versions.sh
-        # Note that maven_install.json might be unchanged but
-        # git add is happy about that.
         git add compatibility/versions.bzl compatibility/maven_install.json
-        git -c user.name="Azure Pipelines DAML Build" \
-            -c user.email="support@digitalasset.com" \
-            commit \
-            -m "$(printf "update compat versions for $(release_tag)\n\nCHANGELOG_BEGIN\nCHANGELOG_END\n")"
-        git push origin $BRANCH:$BRANCH
-        curl -H "Content-Type: application/json" \
-             -H "$AUTH" \
-             --silent \
-             --fail \
-             --include \
-             --location \
-             -d "{\"title\": \"update compat versions for $(release_tag)\", \"head\": \"$BRANCH\", \"base\": \"master\"}" \
-             https://api.github.com/repos/digital-asset/daml/pulls
+
+        BRANCH=update-compat-versions-for-$(release_tag)-$(Build.BuildId)
+        TITLE="update compat versions for $(release_tag)"
+        open_pr "$BRANCH" "$TITLE"
+
         setvar "branch" "$BRANCH"
       name: out
 
diff --git a/ci/bash-lib.yml b/ci/bash-lib.yml
index d662cc32f7..c8ea7baa2b 100644
--- a/ci/bash-lib.yml
+++ b/ci/bash-lib.yml
@@ -22,6 +22,29 @@ steps:
             echo "Authorization: basic $(git config remote.origin.url | grep -o '://.*:.*@' | cut -c4- | rev | cut -c2- | rev | tr -d '\n' | base64 -w0)"
         fi
     }
+    open_pr() {
+      local branch title
+      branch="$1"
+      title="$2"
+      git branch -D $branch || true
+      git checkout -b $branch
+      git -c user.name="Azure Pipelines DAML Build" \
+          -c user.email="support@digitalasset.com" \
+          commit \
+          -m "$(printf "$title\n\nCHANGELOG_BEGIN\nCHANGELOG_END\n")"
+      git push origin $branch:$branch
+      jq -n --arg title "$title" \
+            --arg branch "$branch" \
+            '{"title": $title, "head": $branch, "base": "master"}' \
+        | curl -H "Content-Type: application/json" \
+               -H "$(get_gh_auth_header)" \
+               --fail \
+               --silent \
+               --include \
+               --location \
+               -d @- \
+               https://api.github.com/repos/digital-asset/daml/pulls
+    }
     user_slack_handle() {
         local email sha
         sha=$1
diff --git a/ci/cron/daily-compat.yml b/ci/cron/daily-compat.yml
index f3f354aac6..b99c49955a 100644
--- a/ci/cron/daily-compat.yml
+++ b/ci/cron/daily-compat.yml
@@ -204,6 +204,7 @@ jobs:
       demands: assignment -equals default
     steps:
       - checkout: self
+        persistCredentials: true
       - bash: ci/dev-env-install.sh
         displayName: 'Build/Install the Developer Environment'
       - bash: ci/configure-bazel.sh
@@ -211,15 +212,15 @@ jobs:
         env:
           IS_FORK: $(System.PullRequest.IsFork)
           # to upload to the bazel cache
-          GOOGLE_APPLICATION_CREDENTIALS_CONTENT: $(GOOGLE_APPLICATION_CREDENTIALS_CONTENT)        
+          GOOGLE_APPLICATION_CREDENTIALS_CONTENT: $(GOOGLE_APPLICATION_CREDENTIALS_CONTENT)
       - bash: |
           set -euo pipefail
           eval "$(dev-env/bin/dade assist)"
           export LC_ALL=en_US.UTF-8
-          
+
           bazel build //...
           # Make sure that Bazel query works
-          bazel query 'deps(//...)'
+          bazel query 'deps(//...)' >/dev/null
         displayName: 'Build'
       - bash: |
           set -euo pipefail
@@ -258,4 +259,20 @@ jobs:
         displayName: 'Blackduck Scan'
         env:
           BLACKDUCK_HUBDETECT_TOKEN: $(BLACKDUCK_HUBDETECT_TOKEN)
+      - template: ../bash-lib.yml
+        parameters:
+          var_name: bash_lib
+      - bash: |
+          set -euo pipefail
+          eval "$(./dev-env/bin/dade-assist)"
+          source $(bash_lib)
+
+          tr -d '\015' <*_Black_Duck_Notices_Report.txt | grep -v digital-asset_daml >NOTICES
+          if git diff --exit-code -- NOTICES; then
+              echo "NOTICES file already up-to-date."
+          else
+              git add NOTICES
+              open_pr "notices-update-$(Build.BuildId)" "update NOTICES file"
+          fi
+        displayName: notices
       - template: ../daily_tell_slack.yml