From 9c3f38e10f87239f5c2fdc74166d90e7f9db5168 Mon Sep 17 00:00:00 2001
From: Alexander Bayandin
Date: Tue, 12 Sep 2023 16:53:13 +0100
Subject: [PATCH] Document how to run CI for external contributors (#5279)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## Problem

We don't have this instruction written anywhere but in internal Slack

## Summary of changes

- Add `How to run a CI pipeline on Pull Requests from external contributors` section to `CONTRIBUTING.md`

---------

Co-authored-by: Arpad Müller
---
 CONTRIBUTING.md | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index c5b3ff7459..5de7842f1a 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -27,3 +27,28 @@ your patch's fault. Help to fix the root cause if something else has broken the CI, before pushing. *Happy Hacking!* + +# How to run a CI pipeline on Pull Requests from external contributors +_An instruction for maintainers_ + +## TL;DR: +- Review the PR +- If and only if it looks **safe** (i.e. it doesn't contain any malicious code which could expose secrets or harm the CI), then: + - Press the "Approve and run" button in GitHub UI + - Add the `approved-for-ci-run` label to the PR + +Repeat all steps after any change to the PR. +- When the changes are ready to get merged — merge the original PR (not the internal one) + +## Longer version: + +GitHub Actions triggered by the `pull_request` event don't share repository secrets with the forks (for security reasons). +So, passing the CI pipeline on Pull Requests from external contributors is impossible. + +We're using the following approach to make it work: +- After the review, assign the `approved-for-ci-run` label to the PR if changes look safe +- A GitHub Action will create an internal branch and a new PR with the same changes (for example, for a PR `#1234`, it'll be a branch `ci-run/pr-1234`) +- Because the PR is created from the internal branch, it is able to access repository secrets (that's why it's crucial to make sure that the PR doesn't contain any malicious code that could expose our secrets or intentionally harm the CI) +- The label gets removed automatically, so to run CI again with new changes, the label should be added again (after the review) + +For details see [`approved-for-ci-run.yml`](.github/workflows/approved-for-ci-run.yml)
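Review bot: In the TL;DR list, the line `Repeat all steps after any change to the PR.` sits between two bullets without a bullet marker, so it breaks the list and renders as a stray paragraph before the `When the changes are ready to get merged` item; make it a bullet or move it after the last item. The `## TL;DR:` and `## Longer version:` headings would read better without the trailing colons. In the longer version, the steps do not say which commit the action mirrors into the `ci-run/pr-1234` branch when the label is applied, nor how the "Approve and run" button from the TL;DR relates to the label-driven workflow; a sentence on each would make it clear to maintainers why every new push to the PR needs a fresh review before the label is re-added, since the mirrored PR runs with repository secrets.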