Add security clearance for TGS test workflow on PRs #1650

Closed
wants to merge 2 commits into from
68 changes: 65 additions & 3 deletions .github/workflows/test-tgs.yml
Expand Up @@ -5,6 +5,9 @@ on:
branches: [ master ]
pull_request:
branches: [ master ]
pull_request_target:
types: [ opened, reopened, labeled, synchronize ]
branches: [ master ]

concurrency:
group: "tgs-${{ github.head_ref || github.run_id }}-${{ github.event_name }}"
Expand All @@ -17,7 +20,56 @@ env:
TGS_TEST_GITHUB_TOKEN: ${{ secrets.TGS_TEST_GITHUB_TOKEN }}

jobs:
build:
security-checkpoint:
name: Check CI Clearance
runs-on: ubuntu-latest
permissions:
pull-requests: write
if: github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.id != github.event.pull_request.base.repo.id && github.event.pull_request.state == 'open'
steps:
- name: Comment on new Fork PR
if: github.event.action == 'opened' && !contains(github.event.pull_request.labels.*.name, 'CI Cleared')
uses: thollander/actions-comment-pull-request@1d3973dc4b8e1399c0620d3f2b1aa5e795465308
with:
message: Thank you for contributing to ${{ github.event.pull_request.base.repo.name }}! The workflow '${{ github.workflow }}' requires repository secrets amd will not run without approval. Maintainers can add the `CI Cleared` label to allow the CI suite to run. Please note that any changes to the workflow file will not be reflected in the CI run.

- name: "Remove Stale 'CI Cleared' Label"
if: github.event.action == 'synchronize' || github.event.action == 'reopened'
uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0
with:
labels: CI Cleared

- name: "Add 'CI Approval Required' Label"
if: (github.event.action == 'synchronize' || github.event.action == 'reopened') || ((github.event.action == 'opened' || github.event.action == 'labeled') && !contains(github.event.pull_request.labels.*.name, 'CI Cleared'))
uses: actions-ecosystem/action-add-labels@bd52874380e3909a1ac983768df6976535ece7f8
with:
labels: CI Approval Required
github_token: ${{ github.token }}

- name: "Remove 'CI Approval Required' Label"
if: (github.event.action == 'synchronize' || github.event.action == 'reopened') || ((github.event.action == 'opened' || github.event.action == 'labeled') && !contains(github.event.pull_request.labels.*.name, 'CI Cleared'))
uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0
with:
labels: CI Approval Required

- name: Fail Clearance Check if PR has Unlabeled new Commits from Fork
if: (github.event.action == 'synchronize' || github.event.action == 'reopened') || ((github.event.action == 'opened' || github.event.action == 'labeled') && !contains(github.event.pull_request.labels.*.name, 'CI Cleared'))
run: exit 1

start-ci-run-gate:
name: CI Start Gate
needs: security-checkpoint
runs-on: ubuntu-latest
if: (!(cancelled() || failure()) && (needs.security-checkpoint.result == 'success' || (needs.security-checkpoint.result == 'skipped' && (github.event_name == 'push' || github.event_name == 'schedule' || (github.event.pull_request.head.repo.id == github.event.pull_request.base.repo.id && github.event_name != 'pull_request_target')))))
steps:
- name: Artificial Delay to Allow GitHub to get PR Mergability Status
if: github.event_name == 'pull_request_target' || github.event_name == 'pull_request'
run: sleep 10

tgs-test:
name: TGS Test
needs: start-ci-run-gate
if: (!(cancelled() || failure()) && needs.start-ci-run-gate.result == 'success')
strategy:
fail-fast: false
matrix:
Expand All @@ -41,15 +93,25 @@ jobs:
${{ env.TGS_DOTNET_VERSION }}.0.x
${{ env.OD_DOTNET_VERSION }}.0.x

- name: Checkout OpenDream
- name: Checkout OpenDream (Branch)
uses: actions/checkout@v4
if: github.event_name == 'push' || github.event_name == 'schedule'
with:
fetch-depth: 0
fetch-tags: true
submodules: true

- name: Checkout OpenDream (PR Merge)
uses: actions/checkout@v4
if: github.event_name != 'push' && github.event_name != 'schedule'
with:
ref: ${{ github.event.pull_request.merge_commit_sha }}
fetch-depth: 0
fetch-tags: true
submodules: true

- name: Pull engine updates
uses: space-wizards/submodule-dependency@v0.1.5
uses: space-wizards/submodule-dependency@c236e9954c5e8e0034d7d0ba16fbba23494ba557

- name: Update Engine Submodules
run: |
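Review bot: The `labeled` path of the clearance check (the `if:` conditions on the add-label, remove-label and `exit 1` steps) passes whenever `CI Cleared` is already present on the PR, so adding any unrelated label in the window between a fork push and the `synchronize` run that strips the label would give the new, unreviewed head a secret-bearing `tgs-test` run; tightening the labeled branch to the label that was actually applied, `(github.event.action == 'labeled' && github.event.label.name != 'CI Cleared')`, makes only the clearing action itself start CI. The `sleep 10` in `start-ci-run-gate` cannot help the later checkout, because `github.event.pull_request.merge_commit_sha` is frozen in the event payload at trigger time; if it is empty there, `actions/checkout` silently falls back to the default ref, so the PR-merge checkout step should first guard with `if: github.event.pull_request.merge_commit_sha == ''` / `run: exit 1` (or re-read the merge SHA via the API) rather than rely on the delay. `TGS_TEST_GITHUB_TOKEN` is set in the workflow-level `env:`, which exposes it to the `security-checkpoint` and gate jobs that do not need it; scoping that `env:` to the `tgs-test` job keeps the token out of the jobs that run under `pull_request_target` before clearance. The comment message also has a typo, `requires repository secrets amd will not run` should read `and`. The `env:` and `on:` blocks begin above the visible hunks, so I cannot confirm whether a top-level `permissions:` restricting the default token is already set.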