From 08084709a7a2d9b0fd91643e539a315158b00ce8 Mon Sep 17 00:00:00 2001
From: Laura Beatris <48022589+LauraBeatris@users.noreply.github.com>
Date: Mon, 2 Dec 2024 14:43:30 -0300
Subject: [PATCH] Remove unused workflow input
---
 .changeset/nine-grapes-promise.md | 2 ++
 .github/workflows/ci.yml | 38 +++++++++++--------------------
 2 files changed, 15 insertions(+), 25 deletions(-)
 create mode 100644 .changeset/nine-grapes-promise.md
diff --git a/.changeset/nine-grapes-promise.md b/.changeset/nine-grapes-promise.md
new file mode 100644
index 00000000000..a845151cc84
--- /dev/null
+++ b/.changeset/nine-grapes-promise.md
@@ -0,0 +1,2 @@
+---
+---
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 910af8f0c2f..187ed679205 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,13 +2,8 @@ name: CI on: workflow_dispatch: - inputs: - run_integration_tests: - description: 'Run integration tests' - type: boolean - default: false merge_group: - pull_request: + pull_request_target: branches: - main - release/v4
@@ -18,7 +13,17 @@ concurrency: cancel-in-progress: true jobs: + approve: + name: Require approval for external contribution + runs-on: ubuntu-latest + environment: + name: approve_external_contribution + steps: + - name: Confirm external contribution + run: if [[ "${{ github.event.pull_request.head.repo.fork }}" == "true" ]]; then echo "For security reasons, all pull requests from external forks need to be approved first before running any automated CI." && exit 1; else echo 'Skipping' && exit 0; fi + formatting-linting: + needs: [approve] name: Formatting, linting & changeset checks runs-on: 'blacksmith-8vcpu-ubuntu-2204' timeout-minutes: ${{ vars.TIMEOUT_MINUTES_NORMAL && fromJSON(vars.TIMEOUT_MINUTES_NORMAL) || 10 }}
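Review bot: Switching the trigger from `pull_request` to `pull_request_target` in the first ci.yml hunk means fork pull requests now run this workflow in the base repository's context, with its secrets and token, and nothing in the hunk narrows that token. If the file has no `permissions:` block outside the lines shown, add a top-level `permissions:` with `contents: read` and grant more only on the jobs that need it. From this change on, the `approve` job added in the next hunk is the only control between fork contributions and those secrets, so any job added later without `needs: [approve]` would run ungated; a comment next to the trigger saying so would help the next maintainer.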
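Review bot: In the new `approve` job the run step exits 1 whenever `github.event.pull_request.head.repo.fork` is true, so approving the `approve_external_contribution` environment cannot unblock a fork pull request: the job still fails after approval and every job that `needs: [approve]` is skipped. The environment is also attached unconditionally, so if it has required reviewers (not visible here) internal pull requests, `merge_group` and `workflow_dispatch` runs would wait on the same approval. If approval is meant to release CI for forks, the step should not fail once the gate has been passed. Separately, the fork flag is better passed through `env:` (for example `IS_FORK: ${{ github.event.pull_request.head.repo.fork }}`) and tested as `"$IS_FORK"` than interpolated into the script text.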
@@ -85,6 +90,7 @@ jobs: retention-days: 5 unit-tests: + needs: [approve] name: Unit Tests runs-on: 'blacksmith-8vcpu-ubuntu-2204' timeout-minutes: ${{ vars.TIMEOUT_MINUTES_NORMAL && fromJSON(vars.TIMEOUT_MINUTES_NORMAL) || 10 }}
@@ -136,6 +142,7 @@ jobs: retention-days: 5 integration-tests: + needs: [approve] name: Integration Tests runs-on: 'blacksmith-8vcpu-ubuntu-2204' timeout-minutes: ${{ vars.TIMEOUT_MINUTES_LONG && fromJSON(vars.TIMEOUT_MINUTES_LONG) || 15 }}
@@ -157,30 +164,11 @@ jobs: next-version: '15' steps: - # Skip integration tests from fork PRs to prevent secret exfiltration - - name: Get User Permission - id: checkAccess - uses: actions-cool/check-user-permission@v2 - with: - require: write - username: ${{ github.triggering_actor }} - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Check User Permission - if: steps.checkAccess.outputs.require-result == 'false' - run: | - echo "${{ github.triggering_actor }} does not have permissions on this repo." - echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}" - echo "Job originally triggered by ${{ github.actor }}" - exit 1 - - name: Checkout Repo uses: actions/checkout@v4 with: fetch-depth: 0 show-progress: false - # We must first verify the user permissions before checking out PR code - ref: ${{ github.event.pull_request.head.sha }} - name: Setup id: config
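Review bot: After the last hunk the `Checkout Repo` step has no `ref`, and under `pull_request_target` actions/checkout defaults to the base branch commit, so the integration tests no longer run against the pull request's own changes and can pass whatever the PR contains. If the PR head is meant to be tested, `ref: ${{ github.event.pull_request.head.sha }}` has to come back, and then the `approve` job is the only thing standing between fork code and this job's secrets; the removed write-permission check on `github.triggering_actor` was a second, per-run control. Whichever is intended, a comment on the checkout step stating which commit is checked out and why would prevent a later edit from re-adding the `ref` without the gate. The step list continues past the end of the hunk.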