From edccef45142023879b154a6c6d4227ec6c99b586 Mon Sep 17 00:00:00 2001
From: Alexander Bayandin
Date: Sat, 15 Jul 2023 11:58:15 +0100
Subject: [PATCH] Make CI more friendly for external contributors (#4663)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
## Problem CI doesn't work for external contributors (for PRs from forks), see #2222 for more information. I'm proposing the following: - External PR is created - PR is reviewed so that it doesn't contain any malicious code - Label `approved-for-ci-run` is added to that PR (by the reviewer) - A new workflow picks up this label and creates an internal branch from that PR (the branch name is `ci-run/pr-*`) - CI is run on the branch, but the results are also propagated to the PRs check - We can merge a PR itself if it's green; if not — repeat. ## Summary of changes - Create `approved-for-ci-run.yml` workflow which handles `approved-for-ci-run` label - Trigger `build_and_test.yml` and `neon_extra_builds.yml` workflows on `ci-run/pr-*` branches
---
.github/workflows/approved-for-ci-run.yml | 55 +++++++++++++++++++++++
.github/workflows/build_and_test.yml | 1 +
.github/workflows/neon_extra_builds.yml | 3 +-
3 files changed, 58 insertions(+), 1 deletion(-)
create mode 100644 .github/workflows/approved-for-ci-run.yml
diff --git a/.github/workflows/approved-for-ci-run.yml b/.github/workflows/approved-for-ci-run.yml
new file mode 100644
index 0000000000..ac9e908c09
--- /dev/null
+++ b/.github/workflows/approved-for-ci-run.yml
@@ -0,0 +1,55 @@
+name: Handle `approved-for-ci-run` label
+# This workflow helps to run CI pipeline for PRs made by external contributors (from forks).
+
+on:
+ pull_request:
+ types:
+ # Default types that triggers a workflow ([1]):
+ # - [1] https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request
+ - opened
+ - synchronize
+ - reopened
+ # Types that we wand to handle in addition to keep labels tidy:
+ - closed
+ # Actual magic happens here:
+ - labeled
+
+env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ PR_NUMBER: ${{ github.event.pull_request.number }}
+
+jobs:
+ remove-label:
+ # Remove `approved-for-ci-run` label if the workflow is triggered by changes in a PR.
+ # The PR should be reviewed and labelled manually again.
+
+ runs-on: [ ubuntu-latest ]
+
+ if: |
+ contains(fromJSON('["opened", "synchronize", "reopened", "closed"]'), github.event.action) &&
+ contains(github.event.pull_request.labels.*.name, 'approved-for-ci-run')
+
+ steps:
+ - run: gh pr --repo "${GITHUB_REPOSITORY}" edit "${PR_NUMBER}" --remove-label "approved-for-ci-run"
+
+ create-branch:
+ # Create a local branch for an `approved-for-ci-run` labelled PR to run CI pipeline in it.
+
+ runs-on: [ ubuntu-latest ]
+
+ if: |
+ github.event.action == 'labeled' &&
+ contains(github.event.pull_request.labels.*.name, 'approved-for-ci-run')
+
+ steps:
+ - run: gh pr --repo "${GITHUB_REPOSITORY}" edit "${PR_NUMBER}" --remove-label "approved-for-ci-run"
+
+ - uses: actions/checkout@v3
+ with:
+ ref: main
+
+ - run: gh pr checkout "${PR_NUMBER}"
+
+ - run: git checkout -b "ci-run/pr-${PR_NUMBER}"
+
+ - run: git push --force origin "ci-run/pr-${PR_NUMBER}"
diff --git a/.github/workflows/build_and_test.yml b/.github/workflows/build_and_test.yml
index fb19d54aaa..f024db9d94 100644
--- a/.github/workflows/build_and_test.yml
+++ b/.github/workflows/build_and_test.yml
@@ -5,6 +5,7 @@ on: branches: - main - release + - ci-run/pr-* pull_request: defaults:
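Review bot: In `create-branch`, `gh pr checkout "${PR_NUMBER}"` fetches whatever the PR head is when the job runs, not the commit the reviewer read before adding the label, so a push that lands between review and checkout ends up on `ci-run/pr-*` unreviewed; the `remove-label` job reacts to `synchronize` in a separate run and cannot stop a `create-branch` run that has already started. Pinning to the head recorded in the `labeled` event narrows that window: add `PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}` under `env:` and a step `- run: test "$(git rev-parse HEAD)" = "${PR_HEAD_SHA}"` right after the checkout, so the job fails closed if the head moved. The workflow also declares no `permissions:` block; naming the scopes the `gh pr edit` and `git push` steps need (likely `contents: write` and `pull-requests: write`) keeps the token at least privilege. It is worth confirming as well that the `pull_request` trigger gives fork PRs a token that can write at all, since GitHub normally issues a read-only `GITHUB_TOKEN` for those runs.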
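Review bot: The new `ci-run/pr-*` entry under `push.branches` makes this workflow run fork-authored code as a push in the base repository, with whatever secrets and token permissions push runs receive, and the workflow definition used is the one on the pushed branch, so a PR that edits files under `.github/workflows/` changes what runs. A comment beside the pattern would make that trust boundary explicit, for example `# ci-run/pr-* holds fork code pushed by approved-for-ci-run.yml after manual review`, and the label should only be applied by people who also review workflow changes. It is also worth verifying that the trigger fires at all: pushes made with the default `GITHUB_TOKEN` do not start new workflow runs, so the branch push in `approved-for-ci-run.yml` may need a different credential (`secrets.<PLACEHOLDER_TOKEN>`). The same points apply to the matching hunk in `.github/workflows/neon_extra_builds.yml`; the `on:` block continues outside both hunks.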
diff --git a/.github/workflows/neon_extra_builds.yml b/.github/workflows/neon_extra_builds.yml
index 1196881541..a21ddb0414 100644
--- a/.github/workflows/neon_extra_builds.yml
+++ b/.github/workflows/neon_extra_builds.yml
@@ -3,7 +3,8 @@ name: Check neon with extra platform builds on: push: branches: - - main + - main + - ci-run/pr-* pull_request: defaults: