name: Pre-merge checks on: pull_request: paths: - .github/workflows/_check-codestyle-python.yml - .github/workflows/_check-codestyle-rust.yml - .github/workflows/build-build-tools-image.yml - .github/workflows/pre-merge-checks.yml merge_group: defaults: run: shell: bash -euxo pipefail {0} # No permission for GITHUB_TOKEN by default; the **minimal required** set of permissions should be granted in each job. permissions: {} jobs: meta: runs-on: ubuntu-22.04 permissions: contents: read outputs: python-changed: ${{ steps.python-src.outputs.any_changed }} rust-changed: ${{ steps.rust-src.outputs.any_changed }} branch: ${{ steps.group-metadata.outputs.branch }} pr-number: ${{ steps.group-metadata.outputs.pr-number }} steps: - name: Harden the runner (Audit all outbound calls) uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 with: egress-policy: audit - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5 id: python-src with: files: | .github/workflows/_check-codestyle-python.yml .github/workflows/build-build-tools-image.yml .github/workflows/pre-merge-checks.yml **/**.py poetry.lock pyproject.toml - uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5 id: rust-src with: files: | .github/workflows/_check-codestyle-rust.yml .github/workflows/build-build-tools-image.yml .github/workflows/pre-merge-checks.yml **/**.rs **/Cargo.toml Cargo.toml Cargo.lock - name: PRINT ALL CHANGED FILES FOR DEBUG PURPOSES env: PYTHON_CHANGED_FILES: ${{ steps.python-src.outputs.all_changed_files }} RUST_CHANGED_FILES: ${{ steps.rust-src.outputs.all_changed_files }} run: | echo "${PYTHON_CHANGED_FILES}" echo "${RUST_CHANGED_FILES}" - name: Merge group metadata if: ${{ github.event_name == 'merge_group' }} id: group-metadata env: MERGE_QUEUE_REF: ${{ github.event.merge_group.head_ref }} run: | echo $MERGE_QUEUE_REF | jq -Rr 'capture("refs/heads/gh-readonly-queue/(?.*)/pr-(?[0-9]+)-[0-9a-f]{40}") | ["branch=" + .branch, "pr-number=" + .pr_number] | .[]' | tee -a "${GITHUB_OUTPUT}" build-build-tools-image: if: | false || needs.meta.outputs.python-changed == 'true' || needs.meta.outputs.rust-changed == 'true' needs: [ meta ] permissions: contents: read packages: write uses: ./.github/workflows/build-build-tools-image.yml with: # Build only one combination to save time archs: '["x64"]' debians: '["bookworm"]' secrets: inherit check-codestyle-python: if: needs.meta.outputs.python-changed == 'true' needs: [ meta, build-build-tools-image ] permissions: contents: read packages: read uses: ./.github/workflows/_check-codestyle-python.yml with: # `-bookworm-x64` suffix should match the combination in `build-build-tools-image` build-tools-image: ${{ needs.build-build-tools-image.outputs.image }}-bookworm-x64 secrets: inherit check-codestyle-rust: if: needs.meta.outputs.rust-changed == 'true' needs: [ meta, build-build-tools-image ] permissions: contents: read packages: read uses: ./.github/workflows/_check-codestyle-rust.yml with: # `-bookworm-x64` suffix should match the combination in `build-build-tools-image` build-tools-image: ${{ needs.build-build-tools-image.outputs.image }}-bookworm-x64 archs: '["x64"]' secrets: inherit # To get items from the merge queue merged into main we need to satisfy "Status checks that are required". # Currently we require 2 jobs (checks with exact name): # - conclusion # - neon-cloud-e2e conclusion: # Do not run job on Pull Requests as it interferes with the `conclusion` job from the `build_and_test` workflow if: always() && github.event_name == 'merge_group' permissions: statuses: write # for `github.repos.createCommitStatus(...)` contents: write needs: - meta - check-codestyle-python - check-codestyle-rust runs-on: ubuntu-22.04 steps: - name: Harden the runner (Audit all outbound calls) uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 with: egress-policy: audit - name: Create fake `neon-cloud-e2e` check uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: # Retry script for 5XX server errors: https://github.com/actions/github-script#retries retries: 5 script: | const { repo, owner } = context.repo; const targetUrl = `${context.serverUrl}/${owner}/${repo}/actions/runs/${context.runId}`; await github.rest.repos.createCommitStatus({ owner: owner, repo: repo, sha: context.sha, context: `neon-cloud-e2e`, state: `success`, target_url: targetUrl, description: `fake check for merge queue`, }); - name: Fail the job if any of the dependencies do not succeed or skipped run: exit 1 if: | false || (github.event_name == 'merge_group' && needs.meta.outputs.branch != 'main') || (needs.check-codestyle-python.result == 'skipped' && needs.meta.outputs.python-changed == 'true') || (needs.check-codestyle-rust.result == 'skipped' && needs.meta.outputs.rust-changed == 'true') || contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') - name: Add fast-forward label to PR to trigger fast-forward merge if: >- ${{ always() && github.event_name == 'merge_group' && contains(fromJSON('["release", "release-proxy", "release-compute"]'), needs.meta.outputs.branch) }} env: GH_TOKEN: ${{ secrets.CI_ACCESS_TOKEN }} run: >- gh pr edit ${{ needs.meta.outputs.pr-number }} --repo "${GITHUB_REPOSITORY}" --add-label "fast-forward"