From cf29b5f188c83f02ea3d1f8cb9a064dfebaca3eb Mon Sep 17 00:00:00 2001
From: shortstacked
Date: Tue, 20 May 2025 09:57:11 +0100
Subject: [PATCH] fix: Fix jobs for secrets inherit (#15532)
---
 .github/workflows/test-workflows-nightly.yml | 35 ++----
 .../workflows/test-workflows-pr-approved.yml | 19 ++-
 .../workflows/test-workflows-pr-comment.yml | 112 ++++++++++++------
 3 files changed, 88 insertions(+), 78 deletions(-)
diff --git a/.github/workflows/test-workflows-nightly.yml b/.github/workflows/test-workflows-nightly.yml
index 8350920ea5..28d6e6d391 100644
--- a/.github/workflows/test-workflows-nightly.yml
+++ b/.github/workflows/test-workflows-nightly.yml
@@ -11,35 +11,16 @@ on: type: string default: 'master' + permissions: contents: read jobs: - run_tests: + run_workflow_tests: name: Run Workflow Tests - runs-on: blacksmith-2vcpu-ubuntu-2204 - timeout-minutes: 10 - - steps: - - name: Determine Git Ref for Testing - id: determine_ref - shell: bash - run: | - if [[ "${{ github.event_name }}" == "schedule" ]]; then - echo "EFFECTIVE_GIT_REF=master" >> $GITHUB_OUTPUT - echo "Scheduled run: Using 'master' branch." - elif [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then - echo "EFFECTIVE_GIT_REF=${{ github.event.inputs.git_ref_to_test }}" >> $GITHUB_OUTPUT - echo "Manual dispatch: Using ref '${{ github.event.inputs.git_ref_to_test }}'." - else - echo "EFFECTIVE_GIT_REF=master" >> $GITHUB_OUTPUT - echo "Warning: Unknown event type '${{ github.event_name }}', defaulting to 'master'." - fi - - - name: Call Reusable Test Workflow - uses: ./.github/workflows/run-test-workflows.yml - with: - git_ref: ${{ steps.determine_ref.outputs.EFFECTIVE_GIT_REF }} - send_webhook_report: false - pr_number: '' - secrets: inherit \ No newline at end of file + uses: ./.github/workflows/test-workflows-callable.yml + with: + git_ref: ${{ github.event_name == 'schedule' && 'master' || github.event.inputs.git_ref_to_test }} + send_webhook_report: false + pr_number: '' + secrets: inherit \ No newline at end of file diff --git a/.github/workflows/test-workflows-pr-approved.yml b/.github/workflows/test-workflows-pr-approved.yml index 1b0a71527a..1121ab4473 100644 --- a/.github/workflows/test-workflows-pr-approved.yml +++ b/.github/workflows/test-workflows-pr-approved.yml 
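Review bot: The new `git_ref` expression under `with:` drops the logging and the explicit fallback that the removed `determine_ref` step had, so any trigger other than `schedule` now silently passes whatever `github.event.inputs.git_ref_to_test` holds, which is empty outside `workflow_dispatch`; if the `on:` block, which starts outside the hunk, lists only those two triggers this is unreachable, but it deserves a comment such as `# schedule → master; workflow_dispatch → the ref chosen at dispatch (input default is 'master')`. The `&&`/`||` idiom only works here because `'master'` is a non-empty string; noting that in the same comment keeps a later editor from substituting an empty default and getting the dispatch input on scheduled runs.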
@@ -9,17 +9,12 @@ permissions: pull-requests: read jobs: - run_tests_after_approval: + run_workflow_tests_after_approval: name: Run Tests on Approved PR if: github.event.review.state == 'approved' - runs-on: blacksmith-2vcpu-ubuntu-2204 - timeout-minutes: 10 - - steps: - - name: Call Reusable Test Workflow on Approved PR - uses: ./.github/workflows/test-workflows-callable.yml - with: - git_ref: ${{ github.event.pull_request.head.sha }} - send_webhook_report: true - pr_number: ${{ github.event.pull_request.number }} - secrets: inherit \ No newline at end of file + uses: ./.github/workflows/test-workflows-callable.yml + with: + git_ref: ${{ github.event.pull_request.head.sha }} + send_webhook_report: true + pr_number: ${{ github.event.pull_request.number }} + secrets: inherit \ No newline at end of file diff --git a/.github/workflows/test-workflows-pr-comment.yml b/.github/workflows/test-workflows-pr-comment.yml index cf9fec9c32..d1b2615765 100644 --- a/.github/workflows/test-workflows-pr-comment.yml +++ b/.github/workflows/test-workflows-pr-comment.yml 
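Review bot: The `if:` on `run_workflow_tests_after_approval` gates only on `github.event.review.state == 'approved'`, not on who approved; on a public repository any account can submit an approving review, so this condition alone does not establish that a maintainer vetted `head.sha` before it is handed to the callable workflow together with `secrets: inherit`. Tightening it to `if: github.event.review.state == 'approved' && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association)` limits the trigger to reviewers with a repository affiliation. Whether secrets are actually exposed for fork-originated `pull_request_review` runs depends on GitHub's fork handling for that event, which the hunk cannot show; the `on:` block and the rest of the job header are outside the hunk.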
@@ -9,70 +9,104 @@ permissions: contents: read jobs: - trigger_tests_on_comment: - name: Handle /test-workflows command + handle_comment_command: + name: Handle /test-workflows Command if: github.event.issue.pull_request && startsWith(github.event.comment.body, '/test-workflows') runs-on: ubuntu-latest + outputs: + permission_granted: ${{ steps.pr_check_and_details.outputs.permission_granted }} + git_ref: ${{ steps.pr_check_and_details.outputs.head_sha }} + pr_number: ${{ steps.pr_check_and_details.outputs.pr_number_string }} steps: - - name: Check User Permission and Get PR Details - id: pr_check + - name: Validate User, Get PR Details, and React + id: pr_check_and_details uses: actions/github-script@v7 with: github-token: ${{ secrets.GITHUB_TOKEN }} - result-encoding: json script: | const commenter = context.actor; - const issue = context.issue; - let hasPermission = false; - let prDetails = null; + const issueOwner = context.repo.owner; + const issueRepo = context.repo.repo; + const commentId = context.payload.comment.id; + const prNumber = context.issue.number; // In issue_comment on a PR, issue.number is the PR number + // Function to add a reaction to the comment + async function addReaction(content) { + try { + await github.rest.reactions.createForIssueComment({ + owner: issueOwner, + repo: issueRepo, + comment_id: commentId, + content: content + }); + } catch (reactionError) { + // Log if reaction fails but don't fail the script for this + console.log(`Failed to add reaction '${content}': ${reactionError.message}`); + } + } + + // Initialize outputs to a non-triggering state + core.setOutput('permission_granted', 'false'); + core.setOutput('head_sha', ''); + core.setOutput('pr_number_string', ''); + + // 1. 
Check user permissions try { const { data: permissions } = await github.rest.repos.getCollaboratorPermissionLevel({ - owner: issue.owner, - repo: issue.repo, + owner: issueOwner, + repo: issueRepo, username: commenter }); const allowedPermissions = ['admin', 'write', 'maintain']; - if (allowedPermissions.includes(permissions.permission)) { - console.log(`User @${commenter} has '${permissions.permission}' permission.`); - hasPermission = true; - } else { - core.setFailed(`User @${commenter} does not have sufficient permissions (admin/write/maintain) to trigger workflows.`); + if (!allowedPermissions.includes(permissions.permission)) { + console.log(`User @${commenter} has '${permissions.permission}' permission. Needs 'admin', 'write', or 'maintain'.`); + await addReaction('-1'); // User does not have permission + return; // Exit script, tests will not be triggered } + console.log(`User @${commenter} has '${permissions.permission}' permission.`); } catch (error) { - core.setFailed(`Could not verify permissions for @${commenter}: ${error.message}`); + console.log(`Could not verify permissions for @${commenter}: ${error.message}`); + await addReaction('confused'); // Error checking permissions + return; // Exit script } - if (!hasPermission) { - return { permission_granted: false }; - } - - const prNumber = issue.number; + // 2. 
Fetch PR details (if permission check passed) + let headSha; try { const { data: pr } = await github.rest.pulls.get({ - owner: context.repo.owner, - repo: context.repo.repo, + owner: issueOwner, + repo: issueRepo, pull_number: prNumber, }); - prDetails = { - head_sha: pr.head.sha, - pr_number_string: prNumber.toString() - }; - console.log(`Workspaceed PR details: SHA - ${prDetails.head_sha}, PR Number - ${prDetails.pr_number_string}`); + headSha = pr.head.sha; + console.log(`Workspaced PR details: SHA - ${headSha}, PR Number - ${prNumber}`); + + // Set outputs for the next job + core.setOutput('permission_granted', 'true'); + core.setOutput('head_sha', headSha); + core.setOutput('pr_number_string', prNumber.toString()); + await addReaction('+1'); // Command accepted, tests will be triggered + } catch (error) { - core.setFailed(`Failed to fetch PR details for PR #${prNumber}: ${error.message}`); - return { permission_granted: true, pr_fetch_error: true }; + console.log(`Failed to fetch PR details for PR #${prNumber}: ${error.message}`); + core.setOutput('permission_granted', 'false'); // Ensure this is false if PR fetch fails + await addReaction('confused'); // Error fetching PR details } - return { permission_granted: true, ...prDetails }; + trigger_reusable_tests: + name: Trigger Reusable Test Workflow + needs: handle_comment_command - - name: Call Reusable Test Workflow - if: steps.pr_check.outcome == 'success' && fromJson(steps.pr_check.outputs.result).permission_granted == true && fromJson(steps.pr_check.outputs.result).head_sha - uses: ./.github/workflows/test-workflows-callable.yml - with: - git_ref: ${{ fromJson(steps.pr_check.outputs.result).head_sha }} - send_webhook_report: true - pr_number: ${{ fromJson(steps.pr_check.outputs.result).pr_number_string }} - secrets: inherit \ No newline at end of file + if: > + always() && + needs.handle_comment_command.result != 'skipped' && + needs.handle_comment_command.outputs.permission_granted == 'true' && + 
needs.handle_comment_command.outputs.git_ref != '' + uses: ./.github/workflows/test-workflows-callable.yml + with: + git_ref: ${{ needs.handle_comment_command.outputs.git_ref }} + send_webhook_report: true + pr_number: ${{ needs.handle_comment_command.outputs.pr_number }} + secrets: inherit
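Review bot: The new `addReaction` helper in the `handle_comment_command` script calls `reactions.createForIssueComment` with `secrets.GITHUB_TOKEN`, but the only permission visible in the hunk's context is `contents: read`; unless the part of the `permissions:` block outside the hunk grants `issues: write` (or `pull-requests: write`), each reaction request is rejected and the catch merely logs it, so the `+1`/`-1`/`confused` feedback this commit adds would never appear on the comment. Adding `issues: write` to the job's `permissions:` (or a comment stating the reaction is best-effort and why) resolves that. The downstream `trigger_reusable_tests` job uses `always()` in its `if:`; `!cancelled()` expresses the same intent without running after a cancellation, though the `permission_granted == 'true'` guard makes the practical difference small. The log line `Workspaced PR details: ...` (previously `Workspaceed`) presumably was meant to read `Fetched PR details: ...`.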