From a851910808445d2d366b3b0a816cf972d6820356 Mon Sep 17 00:00:00 2001
From: Firelight Flagboy
Date: Mon, 25 Nov 2024 09:13:19 +0100
Subject: [PATCH] Fix CI failing dependabot PR because no access to secrets
---
 .github/workflows/package-client.yml | 23 ++++++++++++++++-------
 .github/workflows/publish.yml | 2 ++
 .github/workflows/releaser.yml | 3 ++-
 3 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/package-client.yml b/.github/workflows/package-client.yml
index 769d968a218..b55b8e5805d 100644
--- a/.github/workflows/package-client.yml
+++ b/.github/workflows/package-client.yml
@@ -135,7 +135,7 @@ jobs:
 needs: version
 runs-on: ubuntu-22.04
 # Always run the job if `version` job is skipped otherwise only if `version` job was successful.
- if: ${{ inputs.version_patch_run_id != '' && always() || success() }}
+ if: inputs.version_patch_run_id != '' && always() || success()
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # pin v4.2.2
 with:
@@ -176,7 +176,9 @@ jobs:
 working-directory: client/electron
 # We need to patch the vite.config.js because we cannot pass the secret to the snap build (either via build-args or env).
+ # Build we only do that is the event is not a PR from dependabot (because it does not have access to secrets, thus failing the build).
 - name: Patch vite config for snap build
+ if: !(github.event_name == 'pull_request' && github.actor == 'dependabot[bot]')
 run: >-
 sed -i -e s'/if (process.env.PARSEC_APP_SENTRY_AUTH_TOKEN)/if (true)/'
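Review bot: The rewritten job-level `if:` keeps `always()`, which also makes this job run after the workflow has been cancelled, while the comment above it only asks for the job to run when `version` was skipped. If running after a cancellation is not intended, `!cancelled()` matches the comment more precisely: `if: inputs.version_patch_run_id != '' && !cancelled() || success()`. Dropping the `${{ }}` wrapper is otherwise behaviour-neutral here, since GitHub evaluates `if:` values as expressions. The job's header and the rest of its steps lie outside the hunk.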
@@ -184,12 +186,16 @@ jobs:
 vite.config.ts
 working-directory: client
- - name: Patch snapcraft file for sentry auth token and vite mode
+ # We only patch snapcraft.yaml is the event is not a PR from dependabot (because it does not have access to secrets, thus failing the build).
+ - name: Patch snapcraft file for sentry auth token
+ if: !(github.event_name == 'pull_request' && github.actor == 'dependabot[bot]')
 run: >-
- sed -i
- -e s';SENTRY_AUTH_TOKEN: __TOKEN__;SENTRY_AUTH_TOKEN: "${{ secrets.SENTRY_AUTH_TOKEN }}";'
- -e s'/VITE_MODE: development/VITE_MODE: ${{ steps.version.outputs.type }}/'
- snap/snapcraft.yaml
+ sed -i -e s';SENTRY_AUTH_TOKEN: __TOKEN__;SENTRY_AUTH_TOKEN: "${{ secrets.SENTRY_AUTH_TOKEN }}";' snap/snapcraft.yaml
+ working-directory: client/electron
+
+ - name: Patch snapcraft file for vite mode
+ run: >-
+ sed -i -e s'/VITE_MODE: development/VITE_MODE: ${{ steps.version.outputs.type }}/' snap/snapcraft.yaml
 working-directory: client/electron
 - name: Build snap
@@ -344,9 +350,10 @@ jobs:
 working-directory: client
 timeout-minutes: 1
+ # Do not prepare codesign if the PR is from dependabot (it does not have access to secrets).
 - name: Prepare codesign
 shell: bash -o pipefail -eux {0}
- if: matrix.platform == 'macos'
+ if: matrix.platform == 'macos' && !(github.event_name == 'pull_request' && github.actor == 'dependabot[bot]')
 run: |
 printenv MACOS_CERT | base64 --decode > certificate.p12
@@ -387,7 +394,9 @@ jobs:
 working-directory: client/electron
 timeout-minutes: 10
+ # Do not upload sourcemaps if it's a PR from dependabot because it does not have access to secrets.
 - name: Upload client electron sourcemaps
+ if: !(github.event_name == 'pull_request' && github.actor == 'dependabot[bot]')
 run: npm run sentry:sourcemaps
 env:
 SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index d3c4b4c2cf8..4866532d769 100644
--- a/.github/workflows/publish.yml
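Review bot: The `if:` added to the sentry-token step begins with a bare `!`, which YAML reads as a tag indicator; GitHub's workflow syntax reference says a condition that starts with `!` must be wrapped in `${{ }}` (or quoted), so this line is likely to break workflow parsing rather than skip the step — wrap it as `if: ${{ !(github.event_name == 'pull_request' && github.actor == 'dependabot[bot]') }}`. The new comment also reads `is the event is not a PR`; it should say `if the event is not a PR`. The step still splices `${{ secrets.SENTRY_AUTH_TOKEN }}` directly into the `sed` command text, where a token containing `'` or `;` would change the command; passing it via `env: SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}` and referencing the shell variable inside a double-quoted sed expression keeps the secret out of the script itself (it still lands in snapcraft.yaml on disk either way). Note the guard only recognises Dependabot; `pull_request` runs from forks get no secrets either, so if fork PRs can reach this workflow the same failure remains for them.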
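Review bot: The Dependabot condition placed on the sourcemap-upload step is the same literal expression copied onto several steps of this workflow, so any change to how secret-less runs are detected has to be repeated in every copy. A single job-level `env:` entry such as `NO_SECRETS: ${{ github.event_name == 'pull_request' && github.actor == 'dependabot[bot]' }}` with `if: env.NO_SECRETS != 'true'` on each guarded step gives one definition and also avoids starting an `if:` value with a bare `!`, which YAML treats as a tag indicator. The `env` context is usable in step-level `if:` but not in job-level `if:`, so this covers the steps in this file only. The enclosing job's header lies outside the hunk.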
+++ b/.github/workflows/publish.yml
@@ -50,6 +50,8 @@ env:
 jobs:
 publish:
 runs-on: ubuntu-24.04
+ # We don't want to run this workflow on dependabot PRs because it will not be able to read the secrets
+ if: !(github.event_name == 'pull_request' && github.actor == 'dependabot[bot]')
 permissions:
 contents: read
 id-token: write
diff --git a/.github/workflows/releaser.yml b/.github/workflows/releaser.yml
index 873baf59b33..87dee4d5f94 100644
--- a/.github/workflows/releaser.yml
+++ b/.github/workflows/releaser.yml
@@ -54,7 +54,8 @@ jobs:
 package-parsec-client:
 needs: version
- if: needs.version.result == 'success' && always()
+ # Do not run this job if the event is a pull request from dependabot.
+ if: needs.version.result == 'success' && !(github.event_name == 'pull_request' && github.actor == 'dependabot[bot]') && always()
 uses: ./.github/workflows/package-client.yml
 with:
 version: ${{ needs.version.outputs.full }}
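Review bot: The job-level `if:` added to `publish` starts with a bare `!`, which YAML takes as a tag indicator; GitHub's syntax reference requires such a condition to be wrapped in `${{ }}` or quoted, so as written the workflow is likely to be rejected at parse time rather than skipped for Dependabot. Write `if: ${{ !(github.event_name == 'pull_request' && github.actor == 'dependabot[bot]') }}`. The workflow's `on:` triggers are outside the hunk, so I cannot tell whether `pull_request` is among them; if it is not, this guard never fires and the comment should say why it is kept.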
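Review bot: Skipping `package-parsec-client` entirely for Dependabot PRs means dependency bumps get no packaging build at all, while the reusable workflow named on the `uses:` line (package-client.yml) separately guards only its secret-dependent steps; the two mechanisms overlap, and with the caller-side skip in place the callee's per-step guards only matter for other callers I cannot see. Either keep this job running without secrets by leaving the condition as `if: needs.version.result == 'success' && always()`, or extend the new comment to explain why the whole job is skipped here rather than just its secret-using steps. The `!` is not the first character of this value, so the YAML tag pitfall does not apply, but `always()` still runs the job after a cancellation; `!cancelled()` is the usual replacement if that is unwanted.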