Skip to content

Commit

Permalink
Do not use environment protection rule, rely on workflow run
Browse files Browse the repository at this point in the history
  • Loading branch information
LauraBeatris committed Dec 3, 2024
1 parent ee328e0 commit f8f0d1f
Showing 1 changed file with 26 additions and 14 deletions.
40 changes: 26 additions & 14 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ on:
workflow_dispatch:
merge_group:
pull_request_target:
types: [opened, synchronize]
branches:
- main
- release/v4
Expand All @@ -13,22 +14,33 @@ concurrency:
cancel-in-progress: true

jobs:
check-approval:
name: Check approval for external contribution
# We must first check whether it is a external contribution, before processing to checkout the code and running jobs with access to secrets
check-permissions:
runs-on: 'blacksmith-8vcpu-ubuntu-2204'
steps:
- name: Verify if it's external contribution
run: if [[ "${{ github.event.pull_request.head.repo.fork }}" == "true" ]]; then echo "For security reasons, all pull requests from external forks need to be approved first before running any automated CI." && exit 1; else echo 'Skipping' && exit 0; fi

trigger-approval:
name: 'Trigger approval for external contribution'
runs-on: 'blacksmith-8vcpu-ubuntu-2204'
environment:
name: approve_external_contribution
if: ${{ github.event.pull_request.head.repo.fork }}
- name: Get User Permission
id: checkAccess
uses: actions-cool/check-user-permission@v2
with:
require: write
username: ${{ github.triggering_actor }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Check User Permission
if: steps.checkAccess.outputs.require-result == 'false'
run: |
echo "${{ github.triggering_actor }} does not have permissions on this repo."
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
echo "Job originally triggered by ${{ github.actor }}"
exit 1
# This is dangerous without the first access check
- name: Checkout code
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}

formatting-linting:
needs: [check-approval]
needs: [check-permissions]
name: Formatting, linting & changeset checks
runs-on: 'blacksmith-8vcpu-ubuntu-2204'
timeout-minutes: ${{ vars.TIMEOUT_MINUTES_NORMAL && fromJSON(vars.TIMEOUT_MINUTES_NORMAL) || 10 }}
Expand Down Expand Up @@ -95,7 +107,7 @@ jobs:
retention-days: 5

unit-tests:
needs: [check-approval]
needs: [check-permissions]
name: Unit Tests
runs-on: 'blacksmith-8vcpu-ubuntu-2204'
timeout-minutes: ${{ vars.TIMEOUT_MINUTES_NORMAL && fromJSON(vars.TIMEOUT_MINUTES_NORMAL) || 10 }}
Expand Down Expand Up @@ -147,7 +159,7 @@ jobs:
retention-days: 5

integration-tests:
needs: [check-approval]
needs: [check-permissions]
name: Integration Tests
runs-on: 'blacksmith-8vcpu-ubuntu-2204'
timeout-minutes: ${{ vars.TIMEOUT_MINUTES_LONG && fromJSON(vars.TIMEOUT_MINUTES_LONG) || 15 }}
Expand Down

0 comments on commit f8f0d1f

Please sign in to comment.