ci: debug the "Safe for CI" workflow (#999)
triceo authored Jul 30, 2024
1 parent de9b02d commit dc3e067
Showing 5 changed files with 106 additions and 73 deletions.
36 changes: 26 additions & 10 deletions .github/workflows/downstream_benchmarks.yml
Expand Up @@ -2,14 +2,13 @@ name: Downstream - Integration Tests

on:
# Enables the workflow to run on PRs from forks.
# CI will only run once the PR is labeled as "Safe for CI", in order to prevent stealing of secrets.
# CI will only run for trusted users, to prevent stealing of secrets.
pull_request_target:
branches: [main] # Benchmarks aren't branched, so they will only ever work against current main.
types:
- opened
- reopened
- synchronize
- labeled
paths-ignore:
- 'LICENSE*'
- '.gitignore'
Expand All @@ -18,17 +17,34 @@ on:
- '*.txt'

jobs:
safe_for_ci:
name: "Ensure that PR is safe for CI"
# Check if the user is a member of the organization; if so, allow the PR to sail through.
known_user:
runs-on: ubuntu-latest
outputs:
is_member_of_org: ${{ steps.auth_check.outputs.authorized }}
steps:
- name: Fail if not safe
if: ${{ !contains( github.event.pull_request.labels.*.name, 'Safe for CI') }}
shell: bash
run:
exit 1
- id: auth_check
uses: morfien101/actions-authorized-user@v3
with:
username: ${{ github.actor }}
org: "TimefoldAI"
whitelist: "timefold-release,dependabot[bot]" # We trust dependabot to not steal secrets.
github_token: ${{ secrets.JRELEASER_GITHUB_TOKEN }} # Release account is a Solver Gatekeeper.
# If the user is not a member, require a member to approve the PR.
approval_required:
needs: known_user
environment:
${{
github.event_name == 'pull_request_target' &&
github.event.pull_request.head.repo.full_name != github.repository &&
!needs.known_user.outputs.is_member_of_org &&
'external' || 'internal'
}}
runs-on: ubuntu-latest
steps:
- run: true
build:
needs: safe_for_ci
needs: approval_required
runs-on: ubuntu-latest
concurrency:
group: pr-${{ github.event_name }}-${{ github.head_ref }}
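Review bot: The `!needs.known_user.outputs.is_member_of_org` test in the `approval_required` environment expression is likely to misfire: job outputs are always strings, and in GitHub expressions any non-empty string, including `'false'`, is truthy, so if the action emits a textual `false` for a non-member the negation is always false, the fork PR lands in the `internal` environment and `build` runs with secrets without the intended approval (I cannot see what `actions-authorized-user` emits, so confirm its output format). A string comparison is unambiguous either way: `needs.known_user.outputs.is_member_of_org != 'true' &&`. The same expression appears in downstream_enterprise.yml, downstream_python_enterprise.yml and sonarcloud.yml. Separately, `morfien101/actions-authorized-user@v3` receives `JRELEASER_GITHUB_TOKEN` while pinned to a mutable tag; pinning to a full commit SHA (tag kept in a trailing comment) limits what a repointed tag could do with that token. The gate also only holds if the `external` environment has required reviewers configured, which the workflow itself cannot enforce.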
36 changes: 26 additions & 10 deletions .github/workflows/downstream_enterprise.yml
Expand Up @@ -2,14 +2,13 @@ name: Downstream - Timefold Solver Enterprise Edition

on:
# Enables the workflow to run on PRs from forks.
# CI will only run once the PR is labeled as "Safe for CI", in order to prevent stealing of secrets.
# CI will only run for trusted users, to prevent stealing of secrets.
pull_request_target:
branches: [main, '*.x']
types:
- opened
- reopened
- synchronize
- labeled
paths-ignore:
- 'LICENSE*'
- '.gitignore'
Expand All @@ -18,17 +17,34 @@ on:
- '*.txt'

jobs:
safe_for_ci:
name: "Ensure that PR is safe for CI"
# Check if the user is a member of the organization; if so, allow the PR to sail through.
known_user:
runs-on: ubuntu-latest
outputs:
is_member_of_org: ${{ steps.auth_check.outputs.authorized }}
steps:
- name: Fail if not safe
if: ${{ !contains( github.event.pull_request.labels.*.name, 'Safe for CI') }}
shell: bash
run:
exit 1
- id: auth_check
uses: morfien101/actions-authorized-user@v3
with:
username: ${{ github.actor }}
org: "TimefoldAI"
whitelist: "timefold-release,dependabot[bot]" # We trust dependabot to not steal secrets.
github_token: ${{ secrets.JRELEASER_GITHUB_TOKEN }} # Release account is a Solver Gatekeeper.
# If the user is not a member, require a member to approve the PR.
approval_required:
needs: known_user
environment:
${{
github.event_name == 'pull_request_target' &&
github.event.pull_request.head.repo.full_name != github.repository &&
!needs.known_user.outputs.is_member_of_org &&
'external' || 'internal'
}}
runs-on: ubuntu-latest
steps:
- run: true
build:
needs: safe_for_ci
needs: approval_required
runs-on: ubuntu-latest
concurrency:
group: downstream-enterprise-${{ github.event_name }}-${{ github.head_ref }}
36 changes: 26 additions & 10 deletions .github/workflows/downstream_python_enterprise.yml
Expand Up @@ -3,14 +3,13 @@ name: Downstream - Timefold Solver Enterprise for Python

on:
# Enables the workflow to run on PRs from forks.
# CI will only run once the PR is labeled as "Safe for CI", in order to prevent stealing of secrets.
# CI will only run for trusted users, to prevent stealing of secrets.
pull_request_target:
branches: [ main, '*.x' ]
types:
- opened
- reopened
- synchronize
- labeled
paths-ignore:
- 'LICENSE*'
- '.gitignore'
Expand All @@ -23,17 +22,34 @@ defaults:
shell: bash

jobs:
safe_for_ci:
name: "Ensure that PR is safe for CI"
# Check if the user is a member of the organization; if so, allow the PR to sail through.
known_user:
runs-on: ubuntu-latest
outputs:
is_member_of_org: ${{ steps.auth_check.outputs.authorized }}
steps:
- name: Fail if not safe
if: ${{ !contains( github.event.pull_request.labels.*.name, 'Safe for CI') }}
shell: bash
run:
exit 1
- id: auth_check
uses: morfien101/actions-authorized-user@v3
with:
username: ${{ github.actor }}
org: "TimefoldAI"
whitelist: "timefold-release,dependabot[bot]" # We trust dependabot to not steal secrets.
github_token: ${{ secrets.JRELEASER_GITHUB_TOKEN }} # Release account is a Solver Gatekeeper.
# If the user is not a member, require a member to approve the PR.
approval_required:
needs: known_user
environment:
${{
github.event_name == 'pull_request_target' &&
github.event.pull_request.head.repo.full_name != github.repository &&
!needs.known_user.outputs.is_member_of_org &&
'external' || 'internal'
}}
runs-on: ubuntu-latest
steps:
- run: true
build:
needs: safe_for_ci
needs: approval_required
concurrency:
group: downstream-enterprise-python-${{ github.event_name }}-${{ github.head_ref }}
cancel-in-progress: true
34 changes: 0 additions & 34 deletions .github/workflows/safe_for_ci.yml

This file was deleted.

37 changes: 28 additions & 9 deletions .github/workflows/sonarcloud.yml
Expand Up @@ -3,24 +3,43 @@ on:
push:
branches:
- main
pull_request_target: # This workflow will be triggered by the opening, reopening, or updating of a PR, and the first run will not require approval.
# Enables the workflow to run on PRs from forks.
# CI will only run for trusted users, to prevent stealing of secrets.
pull_request_target:
types:
- opened
- reopened
- synchronize
- labeled
jobs:
safe_for_ci:
name: "Ensure that PR is safe for CI"
# Check if the user is a member of the organization; if so, allow the PR to sail through.
known_user:
runs-on: ubuntu-latest
outputs:
is_member_of_org: ${{ steps.auth_check.outputs.authorized }}
steps:
- name: Fail if not safe
if: ${{ !contains( github.event.pull_request.labels.*.name, 'Safe for CI') }}
shell: bash
run:
exit 1
- id: auth_check
uses: morfien101/actions-authorized-user@v3
with:
username: ${{ github.actor }}
org: "TimefoldAI"
whitelist: "timefold-release,dependabot[bot]" # We trust dependabot to not steal secrets.
github_token: ${{ secrets.JRELEASER_GITHUB_TOKEN }} # Release account is a Solver Gatekeeper.
# If the user is not a member, require a member to approve the PR.
approval_required:
needs: known_user
environment:
${{
github.event_name == 'pull_request_target' &&
github.event.pull_request.head.repo.full_name != github.repository &&
!needs.known_user.outputs.is_member_of_org &&
'external' || 'internal'
}}
runs-on: ubuntu-latest
steps:
- run: true
build:
needs: safe_for_ci
needs: approval_required
name: Build and analyze
runs-on: ubuntu-latest
steps:
