Skip to content

Commit

Permalink
Require environment rule to run CI steps
Browse files Browse the repository at this point in the history
  • Loading branch information
LauraBeatris committed Dec 2, 2024
1 parent bf8e185 commit 42e6729
Showing 1 changed file with 20 additions and 25 deletions.
45 changes: 20 additions & 25 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,19 @@ concurrency:
cancel-in-progress: true

jobs:
approve:
runs-on: ubuntu-latest

steps:
- name: Approve external contribution
run: echo For security reasons, all pull requests need to be approved first before running any automated CI.
if: ${{ github.event.pull_request.head.repo.fork }}

formatting-linting:
needs: [approve]
environment:
name: Run CI for external contribution

name: Formatting, linting & changeset checks
runs-on: 'blacksmith-8vcpu-ubuntu-2204'
timeout-minutes: ${{ vars.TIMEOUT_MINUTES_NORMAL && fromJSON(vars.TIMEOUT_MINUTES_NORMAL) || 10 }}
Expand Down Expand Up @@ -80,6 +92,10 @@ jobs:
retention-days: 5

unit-tests:
needs: [approve]
environment:
name: Run CI for external contribution

name: Unit Tests
runs-on: 'blacksmith-8vcpu-ubuntu-2204'
timeout-minutes: ${{ vars.TIMEOUT_MINUTES_NORMAL && fromJSON(vars.TIMEOUT_MINUTES_NORMAL) || 10 }}
Expand Down Expand Up @@ -131,6 +147,10 @@ jobs:
retention-days: 5

integration-tests:
needs: [approve]
environment:
name: Run CI for external contribution

name: Integration Tests
runs-on: 'blacksmith-8vcpu-ubuntu-2204'
timeout-minutes: ${{ vars.TIMEOUT_MINUTES_LONG && fromJSON(vars.TIMEOUT_MINUTES_LONG) || 15 }}
Expand All @@ -152,31 +172,6 @@ jobs:
next-version: '15'

steps:
# Skip integration tests from fork PRs to prevent secret exfiltration
- name: Get User Permission
id: checkAccess
uses: actions-cool/check-user-permission@v2
with:
require: write
username: ${{ github.triggering_actor }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Check User Permission
if: steps.checkAccess.outputs.require-result == 'false'
run: |
echo "${{ github.triggering_actor }} does not have permissions on this repo."
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
echo "Job originally triggered by ${{ github.actor }}"
exit 1
- name: Checkout Repo
uses: actions/checkout@v4
with:
fetch-depth: 0
show-progress: false
# We must first verify the user permissions before checking out PR code
ref: ${{ github.event.pull_request.head.sha }}

- name: Setup
id: config
uses: ./.github/actions/init-blacksmith
Expand Down

0 comments on commit 42e6729

Please sign in to comment.