googleapis · scotthart · Jul 22, 2024 · Jul 19, 2024 · Jul 22, 2024 · Jul 22, 2024
@@ -0,0 +1,155 @@
+name: "gha: macOS & Windows Untrusted"
+
+# Build on pull requests and pushes to `main`. The PR builds will be
+# non-blocking for now, but that is configured elsewhere.
+on:
+  # Start the build in the context of the target branch. This is considered
+  # "safe", as the workflow files are already committed. These types of builds
+  # have access to the secrets in the build, which we need to use the remote
+  # caches (Bazel and sccache).
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+  workflow_dispatch:
+
+# Cancel in-progress runs of the workflow if somebody adds a new commit to the
+# PR or branch. That reduces billing, but it creates more noise about cancelled
+# jobs
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.head.label || github.head_ref || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  pre-flight:
+    # For external contributors, run the build in the `external` environment.
+    # This requires manual approval from a contributor. It also saves the
+    # `ref` of the pull request, so downstream jobs know what to checkout.
+    environment: 'external'
+    name: Require Approval for External PRs
+    if: ${{ github.event.pull_request.author_association != 'MEMBER' }}
+    runs-on: ubuntu-latest
+    outputs:
+      checkout-sha: ${{ steps.save-pull-request.outputs.sha }}
+    steps:
+      - name: Save Pull Request
+        id: save-pull-request
+        run: >
+          echo "sha=${{ github.event.pull_request.head.sha || github.ref }}" >> $GITHUB_OUTPUT
+
+  # Run other jobs once the `pre-flight` job passes. When the `pre-flight`
+  # job requires approval, these blocks all the other jobs. The jobs are defined
+  # in separate files to keep the size of this file under control. Note how
+  # the additional jobs inherit any secrets needed to use the remote caches and
+  # receive what version to checkout as an input.
+  external-account-integration:
+    name: External Account Integration
+    if: ${{ github.event.pull_request.author_association != 'MEMBER' }}
+    needs: [pre-flight]
+    uses: ./.github/workflows/external-account-integration.yml
+    with:
+      checkout-ref: ${{ needs.pre-flight.outputs.checkout-sha }}
-  external-account-integration:
-    name: External Account Integration
-    if: ${{ github.event.pull_request.author_association != 'MEMBER' }}
-    needs: [pre-flight]
-    uses: ./.github/workflows/external-account-integration.yml
-    with:
-      checkout-ref: ${{ needs.pre-flight.outputs.checkout-sha }}
-  external-account-integration:
-    name: External Account Integration
-    if: ${{ github.event.pull_request.author_association != 'MEMBER' }}
-    needs: [pre-flight]
-    uses: ./.github/workflows/external-account-integration.yml
-    with:
-      checkout-ref: ${{ needs.pre-flight.outputs.checkout-sha }}
+  macos-bazel:
+    # Build the full matrix only on push events to the default branch, or
+    # when PR gets the has a `gha:full-build` label, or when it had the
+    # label already and it gets a new commit.
+    if: |-
+      ${{
+        github.event.pull_request.author_association != 'MEMBER' &&
+        (github.event_name == 'push' ||
+        github.event_name == 'workflow_dispatch' ||
+        contains(github.event.pull_request.labels.*.name, 'gha:full-build'))
+      }}
+    name: macOS-Bazel
+    needs: [pre-flight]
+    uses: ./.github/workflows/macos-bazel.yml
+    with:
+      checkout-ref: ${{ needs.pre-flight.outputs.checkout-sha }}
+  windows-bazel:
+    # Build the full matrix only on push events to the default branch, or
+    # when PR gets the has a `gha:full-build` label, or when it had the
+    # label already and it gets a new commit.
+    if: |-
+      ${{
+        github.event.pull_request.author_association != 'MEMBER' &&
+        (github.event_name == 'push' ||
+        github.event_name == 'workflow_dispatch' ||
+        contains(github.event.pull_request.labels.*.name, 'gha:full-build'))
+      }}
+    name: Windows-Bazel
+    needs: [pre-flight]
+    uses: ./.github/workflows/windows-bazel.yml
+    with:
+      checkout-ref: ${{ needs.pre-flight.outputs.checkout-sha }}
+  macos-cmake:
+    name: macOS-CMake
+    needs: [pre-flight]
+    uses: ./.github/workflows/macos-cmake.yml
+    with:
+      checkout-ref: ${{ needs.pre-flight.outputs.checkout-sha }}
+      # Build the full matrix only on push events to the default branch, or
+      # when PR gets the has a `gha:full-build` label, or when it had the
+      # label already and it gets a new commit.
+      full-matrix: |-
+        ${{
+          github.event.pull_request.author_association != 'MEMBER' &&
+          (github.event_name == 'push' ||
+          github.event_name == 'workflow_dispatch' ||
+          contains(github.event.pull_request.labels.*.name, 'gha:full-build'))
+        }}
+  windows-cmake:
+    name: Windows-CMake
+    needs: [pre-flight]
+    uses: ./.github/workflows/windows-cmake.yml
+    with:
+      checkout-ref: ${{ needs.pre-flight.outputs.checkout-sha }}
+      # Build the full matrix only on push events to the default branch, or
+      # when PR gets the has a `gha:full-build` label, or when it had the
+      # label already and it gets a new commit.
+      full-matrix: |-
+        ${{
+          github.event.pull_request.author_association != 'MEMBER' &&
+          (github.event_name == 'push' ||
+          github.event_name == 'workflow_dispatch' ||
+          contains(github.event.pull_request.labels.*.name, 'gha:full-build'))
+        }}
+  notify:
+    name: Notify-Google-Chat
+    # Wait until all the other jobs have completed.
+    needs:
+      - external-account-integration
+      - macos-bazel
+      - macos-cmake
+      - windows-bazel
+      - windows-cmake
+    # Run even if the other jobs failed or were skipped.
+    if: always()
+    runs-on: ubuntu-latest
+    steps:
+      - name: Notify Google Chat
+        shell: bash
+        run: |
+          event_name="${{ github.event_name }}"
+          case "${event_name}" in
+            schedule)
+              ;;
+            push)
+              ;;
+            workflow_dispatch)
+              ;;
+            *)
+              exit 0
+              ;;
+          esac
+          failure="${{ contains(needs.*.result, 'failure') }}"
+          cancelled="${{ contains(needs.*.result, 'cancelled') }}"
+          status=""
+          # Report whether any of the jobs failed or were cancelled.
+          if [[ "${cancelled}" == "true" ]]; then status="cancelled"; fi
+          if [[ "${failure}" == "true" ]]; then status="failure"; fi
+          # Exit early if there is nothing interesting to report.
+          if [[ -z "${status}" ]]; then exit 0; fi
+          printf '{"text": "GHA Build %s %s/%s/actions/runs/%s"}' \
+            "${status}" "${{ github.server_url }}" "${{ github.repository }}" "${{ github.run_id }}" |
+          curl -fsX POST -o /dev/null -d@- -H "Content-Type: application/json; charset=UTF-8" '${{ secrets.CLOUD_CPP_BUILD_ALERTS_WEBHOOK }}'
-  notify:
-    name: Notify-Google-Chat
-    # Wait until all the other jobs have completed.
-    needs:
-      - external-account-integration
-      - macos-bazel
-      - macos-cmake
-      - windows-bazel
-      - windows-cmake
-    # Run even if the other jobs failed or were skipped.
-    if: always()
-    runs-on: ubuntu-latest
-    steps:
-      - name: Notify Google Chat
-        shell: bash
-        run: |
-          event_name="${{ github.event_name }}"
-          case "${event_name}" in
-            schedule)
-              ;;
-            push)
-              ;;
-            workflow_dispatch)
-              ;;
-            *)
-              exit 0
-              ;;
-          esac
-          failure="${{ contains(needs.*.result, 'failure') }}"
-          cancelled="${{ contains(needs.*.result, 'cancelled') }}"
-          status=""
-          # Report whether any of the jobs failed or were cancelled.
-          if [[ "${cancelled}" == "true" ]]; then status="cancelled"; fi
-          if [[ "${failure}" == "true" ]]; then status="failure"; fi
-          # Exit early if there is nothing interesting to report.
-          if [[ -z "${status}" ]]; then exit 0; fi
-          printf '{"text": "GHA Build %s %s/%s/actions/runs/%s"}' \
-            "${status}" "${{ github.server_url }}" "${{ github.repository }}" "${{ github.run_id }}" |
-          curl -fsX POST -o /dev/null -d@- -H "Content-Type: application/json; charset=UTF-8" '${{ secrets.CLOUD_CPP_BUILD_ALERTS_WEBHOOK }}'
-  notify:
-    name: Notify-Google-Chat
-    # Wait until all the other jobs have completed.
-    needs:
-      - external-account-integration
-      - macos-bazel
-      - macos-cmake
-      - windows-bazel
-      - windows-cmake
-    # Run even if the other jobs failed or were skipped.
-    if: always()
-    runs-on: ubuntu-latest
-    steps:
-      - name: Notify Google Chat
-        shell: bash
-        run: |
-          event_name="${{ github.event_name }}"
-          case "${event_name}" in
-            schedule)
-              ;;
-            push)
-              ;;
-            workflow_dispatch)
-              ;;
-            *)
-              exit 0
-              ;;
-          esac
-          failure="${{ contains(needs.*.result, 'failure') }}"
-          cancelled="${{ contains(needs.*.result, 'cancelled') }}"
-          status=""
-          # Report whether any of the jobs failed or were cancelled.
-          if [[ "${cancelled}" == "true" ]]; then status="cancelled"; fi
-          if [[ "${failure}" == "true" ]]; then status="failure"; fi
-          # Exit early if there is nothing interesting to report.
-          if [[ -z "${status}" ]]; then exit 0; fi
-          printf '{"text": "GHA Build %s %s/%s/actions/runs/%s"}' \
-            "${status}" "${{ github.server_url }}" "${{ github.repository }}" "${{ github.run_id }}" |
-          curl -fsX POST -o /dev/null -d@- -H "Content-Type: application/json; charset=UTF-8" '${{ secrets.CLOUD_CPP_BUILD_ALERTS_WEBHOOK }}'
@@ -21,7 +21,6 @@ on:
     - reopened
   schedule:
     - cron: '0 5 * * 1,2,3,4,5'
-  workflow_dispatch:
 
 # Cancel in-progress runs of the workflow if somebody adds a new commit to the
 # PR or branch. That reduces billing, but it creates more noise about cancelled
@@ -31,18 +30,31 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
+  # Require that the PR author be a member of the same organization as this
+  # repository in order to continue execution.
+  author-association-member:
+    name: Require Org Membership
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check Membership
+        if: >-
+          ${{
+              github.event_name == 'pull_request_target' &&
+              github.event.pull_request.author_association != 'MEMBER'
+          }}
+        run: |
+          echo "Event not triggered by organization member."
+          exit 0
+
   pre-flight:
-    # For external contributors, run the build in the `external` environment.
-    # This requires manual approval from a contributor. It also saves the
-    # `ref` of the pull request, so downstream jobs know what to checkout.
+    # Save the `ref` of the pull request, so downstream jobs know what to checkout.
     environment: >-
       ${{
           (github.event_name != 'pull_request_target' && 'internal') ||
-          (github.event.pull_request.head.repo.full_name == github.repository && 'internal') ||
-          (contains(fromJSON(vars.TRUSTED_FORKS), github.actor) && 'internal') ||
-          'external'
+          (github.event.pull_request.head.repo.full_name == github.repository && 'internal')
       }}
-    name: Require Approval for External PRs
+    name: Save PR ref
+    needs: [author-association-member]
     runs-on: ubuntu-latest
     outputs:
       checkout-sha: ${{ steps.save-pull-request.outputs.sha }}
@@ -72,7 +84,6 @@ jobs:
       ${{
         github.event_name == 'schedule' ||
         github.event_name == 'push' ||
-        github.event_name == 'workflow_dispatch' ||
         contains(github.event.pull_request.labels.*.name, 'gha:full-build')
       }}
     name: macOS-Bazel
@@ -89,7 +100,6 @@ jobs:
       ${{
         github.event_name == 'schedule' ||
         github.event_name == 'push' ||
-        github.event_name == 'workflow_dispatch' ||
         contains(github.event.pull_request.labels.*.name, 'gha:full-build')
       }}
     name: Windows-Bazel
@@ -111,7 +121,6 @@ jobs:
         ${{
           github.event_name == 'schedule' ||
           github.event_name == 'push' ||
-          github.event_name == 'workflow_dispatch' ||
           contains(github.event.pull_request.labels.*.name, 'gha:full-build')
         }}
     secrets: inherit
@@ -128,7 +137,6 @@ jobs:
         ${{
           github.event_name == 'schedule' ||
           github.event_name == 'push' ||
-          github.event_name == 'workflow_dispatch' ||
           contains(github.event.pull_request.labels.*.name, 'gha:full-build')
         }}
     secrets: inherit
@@ -154,8 +162,6 @@ jobs:
               ;;
             push)
               ;;
-            workflow_dispatch)
-              ;;
             *)
               exit 0
               ;;