ci: add org member check #14531
ci: add org member check #14531
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #14531 +/- ##
=======================================
Coverage 93.59% 93.59%
=======================================
Files 2316 2316
Lines 207132 207132
=======================================
+ Hits 193864 193867 +3
+ Misses 13268 13265 -3 ☔ View full report in Codecov by Sentry. |
.github/workflows/test-runner.yml
Outdated
| if: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.author_association != 'MEMBER' }} | ||
| run: | | ||
| echo "Event not triggered by organization member." | ||
| exit 1 |
There was a problem hiding this comment.
Doesn't this make the PR fail hard? How would we run the CI builds for any such PR after it failed?
.github/workflows/test-runner.yml
Outdated
| @@ -43,6 +55,7 @@ jobs: | |||
| 'external' | |||
| }} | |||
| name: Require Approval for External PRs | |||
| needs: [author-association-member] | |||
There was a problem hiding this comment.
I think you also need to remove the code from line 54? Or is that for a future PR?
There was a problem hiding this comment.
Reviewable status: 0 of 2 files reviewed, 2 unresolved discussions (waiting on @coryan)
.github/workflows/test-runner.yml line 44 at r1 (raw file):
Previously, coryan (Carlos O'Ryan) wrote…
Doesn't this make the PR fail hard? How would we run the CI builds for any such PR after it failed?
Added alternate untrusted workflow.
.github/workflows/test-runner.yml line 58 at r1 (raw file):
Previously, coryan (Carlos O'Ryan) wrote…
I think you also need to remove the code from line 54? Or is that for a future PR?
Done.
| external-account-integration: | ||
| name: External Account Integration | ||
| if: ${{ github.event.pull_request.author_association != 'MEMBER' }} | ||
| needs: [pre-flight] | ||
| uses: ./.github/workflows/external-account-integration.yml | ||
| with: | ||
| checkout-ref: ${{ needs.pre-flight.outputs.checkout-sha }} |
There was a problem hiding this comment.
I do not think it makes any sense to run this test on a pull request.
| external-account-integration: | |
| name: External Account Integration | |
| if: ${{ github.event.pull_request.author_association != 'MEMBER' }} | |
| needs: [pre-flight] | |
| uses: ./.github/workflows/external-account-integration.yml | |
| with: | |
| checkout-ref: ${{ needs.pre-flight.outputs.checkout-sha }} |
| *) | ||
| exit 0 | ||
| ;; |
There was a problem hiding this comment.
This will do nothing on a pull request, and will only run on pull requests.
| notify: | ||
| name: Notify-Google-Chat | ||
| # Wait until all the other jobs have completed. | ||
| needs: | ||
| - external-account-integration | ||
| - macos-bazel | ||
| - macos-cmake | ||
| - windows-bazel | ||
| - windows-cmake | ||
| # Run even if the other jobs failed or were skipped. | ||
| if: always() | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Notify Google Chat | ||
| shell: bash | ||
| run: | | ||
| event_name="${{ github.event_name }}" | ||
| case "${event_name}" in | ||
| schedule) | ||
| ;; | ||
| push) | ||
| ;; | ||
| workflow_dispatch) | ||
| ;; | ||
| *) | ||
| exit 0 | ||
| ;; | ||
| esac | ||
| failure="${{ contains(needs.*.result, 'failure') }}" | ||
| cancelled="${{ contains(needs.*.result, 'cancelled') }}" | ||
| status="" | ||
| # Report whether any of the jobs failed or were cancelled. | ||
| if [[ "${cancelled}" == "true" ]]; then status="cancelled"; fi | ||
| if [[ "${failure}" == "true" ]]; then status="failure"; fi | ||
| # Exit early if there is nothing interesting to report. | ||
| if [[ -z "${status}" ]]; then exit 0; fi | ||
| printf '{"text": "GHA Build %s %s/%s/actions/runs/%s"}' \ | ||
| "${status}" "${{ github.server_url }}" "${{ github.repository }}" "${{ github.run_id }}" | | ||
| curl -fsX POST -o /dev/null -d@- -H "Content-Type: application/json; charset=UTF-8" '${{ secrets.CLOUD_CPP_BUILD_ALERTS_WEBHOOK }}' |
There was a problem hiding this comment.
| notify: | |
| name: Notify-Google-Chat | |
| # Wait until all the other jobs have completed. | |
| needs: | |
| - external-account-integration | |
| - macos-bazel | |
| - macos-cmake | |
| - windows-bazel | |
| - windows-cmake | |
| # Run even if the other jobs failed or were skipped. | |
| if: always() | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Notify Google Chat | |
| shell: bash | |
| run: | | |
| event_name="${{ github.event_name }}" | |
| case "${event_name}" in | |
| schedule) | |
| ;; | |
| push) | |
| ;; | |
| workflow_dispatch) | |
| ;; | |
| *) | |
| exit 0 | |
| ;; | |
| esac | |
| failure="${{ contains(needs.*.result, 'failure') }}" | |
| cancelled="${{ contains(needs.*.result, 'cancelled') }}" | |
| status="" | |
| # Report whether any of the jobs failed or were cancelled. | |
| if [[ "${cancelled}" == "true" ]]; then status="cancelled"; fi | |
| if [[ "${failure}" == "true" ]]; then status="failure"; fi | |
| # Exit early if there is nothing interesting to report. | |
| if [[ -z "${status}" ]]; then exit 0; fi | |
| printf '{"text": "GHA Build %s %s/%s/actions/runs/%s"}' \ | |
| "${status}" "${{ github.server_url }}" "${{ github.repository }}" "${{ github.run_id }}" | | |
| curl -fsX POST -o /dev/null -d@- -H "Content-Type: application/json; charset=UTF-8" '${{ secrets.CLOUD_CPP_BUILD_ALERTS_WEBHOOK }}' |
| uses: ./.github/workflows/macos-bazel.yml | ||
| with: | ||
| checkout-ref: ${{ needs.pre-flight.outputs.checkout-sha }} | ||
| windows-bazel: |
There was a problem hiding this comment.
Consider adding just one of these until you have finished testing, and then adding them back.
.github/workflows/test-runner.yml
Outdated
| if: >- | ||
| ${{ | ||
| github.event_name == 'pull_request_target' && | ||
| github.event.pull_request.author_association != 'MEMBER' | ||
| }} |
There was a problem hiding this comment.
Why not move this if: section to the pre-flight job?
There was a problem hiding this comment.
Reviewable status: 0 of 2 files reviewed, 7 unresolved discussions (waiting on @coryan)
.github/workflows/test-runner.yml line 44 at r3 (raw file):
Previously, coryan (Carlos O'Ryan) wrote…
Why not move this
if:section to thepre-flightjob?
Done.
.github/workflows/test-runner-untrusted.yml line 52 at r3 (raw file):
Previously, coryan (Carlos O'Ryan) wrote…
I do not think it makes any sense to run this test on a pull request.
Removed
.github/workflows/test-runner-untrusted.yml line 69 at r3 (raw file):
Previously, coryan (Carlos O'Ryan) wrote…
Consider adding just one of these until you have finished testing, and then adding them back.
Done.
.github/workflows/test-runner-untrusted.yml line 143 at r3 (raw file):
Previously, coryan (Carlos O'Ryan) wrote…
This will do nothing on a pull request, and will only run on pull requests.
Removed notify job
.github/workflows/test-runner-untrusted.yml line 155 at r3 (raw file):
Previously, coryan (Carlos O'Ryan) wrote…
Done.
This change is