ci: add org member check #5434
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "gha: macOS & Windows" | ||
# Build on pull requests and pushes to `main`. The PR builds will be | ||
# non-blocking for now, but that is configured elsewhere. | ||
on: | ||
# Start these builds on pushes (think "after the merge") too. Normally there | ||
# are no `ci-gha**` branches in our repository. The contributors to the repo | ||
# can create such branches when testing or troubleshooting builds. In such | ||
# branches we can disable builds (to speed up the testing) or add new ones, | ||
# without impacting the rest of the team. | ||
push: | ||
branches: [ 'v[2-9]**', 'ci-gha**' ] | ||
# Start the build in the context of the target branch. This is considered | ||
# "safe", as the workflow files are already committed. These types of builds | ||
# have access to the secrets in the build, which we need to use the remote | ||
# caches (Bazel and sccache). | ||
pull_request_target: | ||
types: | ||
- opened | ||
- synchronize | ||
- reopened | ||
schedule: | ||
- cron: '0 5 * * 1,2,3,4,5' | ||
workflow_dispatch: | ||
# Cancel in-progress runs of the workflow if somebody adds a new commit to the | ||
# PR or branch. That reduces billing, but it creates more noise about cancelled | ||
# jobs | ||
concurrency: | ||
group: ${{ github.workflow }}-${{ github.event.pull_request.head.label || github.head_ref || github.ref }} | ||
cancel-in-progress: true | ||
jobs: | ||
# Require that the PR author be a member of the same organization as this | ||
# repository in order to continue execution. | ||
author-association-member: | ||
name: Require Org Membership | ||
steps: | ||
- name: Check Membership | ||
if: ${{ github.event.pull_request.author_association != 'MEMBER' }} | ||
run: | | ||
echo "Event not triggered by organization member." | ||
exit 1 | ||
pre-flight: | ||
# For external contributors, run the build in the `external` environment. | ||
# This requires manual approval from a contributor. It also saves the | ||
# `ref` of the pull request, so downstream jobs know what to checkout. | ||
environment: >- | ||
${{ | ||
(github.event_name != 'pull_request_target' && 'internal') || | ||
(github.event.pull_request.head.repo.full_name == github.repository && 'internal') || | ||
(contains(fromJSON(vars.TRUSTED_FORKS), github.actor) && 'internal') || | ||
'external' | ||
}} | ||
name: Require Approval for External PRs | ||
needs: [author-association-member] | ||
runs-on: ubuntu-latest | ||
outputs: | ||
checkout-sha: ${{ steps.save-pull-request.outputs.sha }} | ||
steps: | ||
- name: Save Pull Request | ||
id: save-pull-request | ||
run: > | ||
echo "sha=${{ github.event.pull_request.head.sha || github.ref }}" >> $GITHUB_OUTPUT | ||
# Run other jobs once the `pre-flight` job passes. When the `pre-flight` | ||
# job requires approval, these blocks all the other jobs. The jobs are defined | ||
# in separate files to keep the size of this file under control. Note how | ||
# the additional jobs inherit any secrets needed to use the remote caches and | ||
# receive what version to checkout as an input. | ||
external-account-integration: | ||
name: External Account Integration | ||
needs: [pre-flight] | ||
uses: ./.github/workflows/external-account-integration.yml | ||
with: | ||
checkout-ref: ${{ needs.pre-flight.outputs.checkout-sha }} | ||
secrets: inherit | ||
macos-bazel: | ||
# Build the full matrix only on push events to the default branch, or | ||
# when PR gets the has a `gha:full-build` label, or when it had the | ||
# label already and it gets a new commit. | ||
if: |- | ||
${{ | ||
github.event_name == 'schedule' || | ||
github.event_name == 'push' || | ||
github.event_name == 'workflow_dispatch' || | ||
contains(github.event.pull_request.labels.*.name, 'gha:full-build') | ||
}} | ||
name: macOS-Bazel | ||
needs: [pre-flight] | ||
uses: ./.github/workflows/macos-bazel.yml | ||
with: | ||
checkout-ref: ${{ needs.pre-flight.outputs.checkout-sha }} | ||
secrets: inherit | ||
windows-bazel: | ||
# Build the full matrix only on push events to the default branch, or | ||
# when PR gets the has a `gha:full-build` label, or when it had the | ||
# label already and it gets a new commit. | ||
if: |- | ||
${{ | ||
github.event_name == 'schedule' || | ||
github.event_name == 'push' || | ||
github.event_name == 'workflow_dispatch' || | ||
contains(github.event.pull_request.labels.*.name, 'gha:full-build') | ||
}} | ||
name: Windows-Bazel | ||
needs: [pre-flight] | ||
uses: ./.github/workflows/windows-bazel.yml | ||
with: | ||
checkout-ref: ${{ needs.pre-flight.outputs.checkout-sha }} | ||
secrets: inherit | ||
macos-cmake: | ||
name: macOS-CMake | ||
needs: [pre-flight] | ||
uses: ./.github/workflows/macos-cmake.yml | ||
with: | ||
checkout-ref: ${{ needs.pre-flight.outputs.checkout-sha }} | ||
# Build the full matrix only on push events to the default branch, or | ||
# when PR gets the has a `gha:full-build` label, or when it had the | ||
# label already and it gets a new commit. | ||
full-matrix: |- | ||
${{ | ||
github.event_name == 'schedule' || | ||
github.event_name == 'push' || | ||
github.event_name == 'workflow_dispatch' || | ||
contains(github.event.pull_request.labels.*.name, 'gha:full-build') | ||
}} | ||
secrets: inherit | ||
windows-cmake: | ||
name: Windows-CMake | ||
needs: [pre-flight] | ||
uses: ./.github/workflows/windows-cmake.yml | ||
with: | ||
checkout-ref: ${{ needs.pre-flight.outputs.checkout-sha }} | ||
# Build the full matrix only on push events to the default branch, or | ||
# when PR gets the has a `gha:full-build` label, or when it had the | ||
# label already and it gets a new commit. | ||
full-matrix: |- | ||
${{ | ||
github.event_name == 'schedule' || | ||
github.event_name == 'push' || | ||
github.event_name == 'workflow_dispatch' || | ||
contains(github.event.pull_request.labels.*.name, 'gha:full-build') | ||
}} | ||
secrets: inherit | ||
notify: | ||
name: Notify-Google-Chat | ||
# Wait until all the other jobs have completed. | ||
needs: | ||
- external-account-integration | ||
- macos-bazel | ||
- macos-cmake | ||
- windows-bazel | ||
- windows-cmake | ||
# Run even if the other jobs failed or were skipped. | ||
if: always() | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Notify Google Chat | ||
shell: bash | ||
run: | | ||
event_name="${{ github.event_name }}" | ||
case "${event_name}" in | ||
schedule) | ||
;; | ||
push) | ||
;; | ||
workflow_dispatch) | ||
;; | ||
*) | ||
exit 0 | ||
;; | ||
esac | ||
failure="${{ contains(needs.*.result, 'failure') }}" | ||
cancelled="${{ contains(needs.*.result, 'cancelled') }}" | ||
status="" | ||
# Report whether any of the jobs failed or were cancelled. | ||
if [[ "${cancelled}" == "true" ]]; then status="cancelled"; fi | ||
if [[ "${failure}" == "true" ]]; then status="failure"; fi | ||
# Exit early if there is nothing interesting to report. | ||
if [[ -z "${status}" ]]; then exit 0; fi | ||
printf '{"text": "GHA Build %s %s/%s/actions/runs/%s"}' \ | ||
"${status}" "${{ github.server_url }}" "${{ github.repository }}" "${{ github.run_id }}" | | ||
curl -fsX POST -o /dev/null -d@- -H "Content-Type: application/json; charset=UTF-8" '${{ secrets.CLOUD_CPP_BUILD_ALERTS_WEBHOOK }}' |