diff --git a/.changeset/nine-grapes-promise.md b/.changeset/nine-grapes-promise.md new file mode 100644 index 0000000000..a845151cc8 --- /dev/null +++ b/.changeset/nine-grapes-promise.md @@ -0,0 +1,2 @@ +--- +--- diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 910af8f0c2..a2e04b775e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -2,11 +2,6 @@ name: CI on: workflow_dispatch: - inputs: - run_integration_tests: - description: 'Run integration tests' - type: boolean - default: false merge_group: pull_request: branches: @@ -18,7 +13,16 @@ concurrency: cancel-in-progress: true jobs: + approve: + runs-on: ubuntu-latest + environment: + name: approve_external_contributions + steps: + - name: Approve external contribution + run: if [[ "${{ github.event.pull_request.head.repo.fork }}" == "true" ]]; then echo "For security reasons, all pull requests from external forks need to be approved first before running any automated CI." && exit 1; else echo 'Skipping' && exit 0; fi + formatting-linting: + needs: [approve] name: Formatting, linting & changeset checks runs-on: 'blacksmith-8vcpu-ubuntu-2204' timeout-minutes: ${{ vars.TIMEOUT_MINUTES_NORMAL && fromJSON(vars.TIMEOUT_MINUTES_NORMAL) || 10 }} @@ -85,6 +89,7 @@ jobs: retention-days: 5 unit-tests: + needs: [approve] name: Unit Tests runs-on: 'blacksmith-8vcpu-ubuntu-2204' timeout-minutes: ${{ vars.TIMEOUT_MINUTES_NORMAL && fromJSON(vars.TIMEOUT_MINUTES_NORMAL) || 10 }} @@ -136,6 +141,7 @@ jobs: retention-days: 5 integration-tests: + needs: [approve] name: Integration Tests runs-on: 'blacksmith-8vcpu-ubuntu-2204' timeout-minutes: ${{ vars.TIMEOUT_MINUTES_LONG && fromJSON(vars.TIMEOUT_MINUTES_LONG) || 15 }} 
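Review bot: The fork test in the new `approve` job runs inside a step, i.e. only after the job has already been admitted through the `approve_external_contributions` environment, so if that environment has required reviewers every run (internal PRs, `merge_group`, `workflow_dispatch`) waits for a reviewer, while a fork PR still `exit 1`s after approval and `formatting-linting`, `unit-tests` and `integration-tests` are all skipped via `needs: [approve]`; unless an approved fork run is meant to be handled some way not visible here, the approval is moot. The decision belongs in a job-level `if:` so only fork PRs reach the gate and the reviewer's approval is itself the control, with the dependent jobs tolerating a skipped gate. The environment is a no-op unless required reviewers are configured in repository settings, which the workflow file cannot express, so that deserves a comment next to `environment:`. Since `pull_request` runs from forks receive no repository secrets, what this gate presumably protects is execution of untrusted code on the `blacksmith-*` runners the dependent jobs use; confirm that is the intended threat model. `github.event.pull_request.head.repo.fork` expands to an empty string on `merge_group` and `workflow_dispatch`, which correctly takes the `Skipping` branch today and is preserved below.

```yaml
  approve:
    runs-on: ubuntu-latest
    # Only fork PRs are routed through the environment gate. The
    # approve_external_contributions environment must have required reviewers
    # configured in repository settings, otherwise this job enforces nothing.
    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
    environment:
      name: approve_external_contributions
    steps:
      - name: Approve external contribution
        run: echo "External contribution approved for CI via the environment gate."

  formatting-linting:
    needs: [approve]
    # approve is skipped for non-fork runs; only a rejected/failed gate blocks.
    if: ${{ !cancelled() && needs.approve.result != 'failure' }}
    # … unchanged: name, runs-on, timeout-minutes … (same `if:` on unit-tests and integration-tests)
```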
@@ -157,31 +163,6 @@ jobs: next-version: '15' steps: - # Skip integration tests from fork PRs to prevent secret exfiltration - - name: Get User Permission - id: checkAccess - uses: actions-cool/check-user-permission@v2 - with: - require: write - username: ${{ github.triggering_actor }} - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Check User Permission - if: steps.checkAccess.outputs.require-result == 'false' - run: | - echo "${{ github.triggering_actor }} does not have permissions on this repo." - echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}" - echo "Job originally triggered by ${{ github.actor }}" - exit 1 - - - name: Checkout Repo - uses: actions/checkout@v4 - with: - fetch-depth: 0 - show-progress: false - # We must first verify the user permissions before checking out PR code - ref: ${{ github.event.pull_request.head.sha }} - - name: Setup id: config uses: ./.github/actions/init-blacksmith
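Review bot: With the `Checkout Repo` step deleted, the first step of `integration-tests` on the new side is the local action `uses: ./.github/actions/init-blacksmith`, and a repository-relative `uses:` path needs the repository to have been checked out earlier in the same job; unless `init-blacksmith` is resolved some other way I cannot see from here, the job will fail to locate the action. Restore a checkout ahead of `Setup`, e.g. `- uses: actions/checkout@v4` (keeping `fetch-depth: 0` if the tests depend on history), and decide deliberately whether it should target `github.event.pull_request.head.sha` as before or the default merge ref. The deleted comment explaining that permissions were verified before checking out PR code is worth carrying over as a one-liner on the job, since that ordering now rests solely on `needs: [approve]`; the `integration-tests` job definition starts above this hunk.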