nextstrain · joverlee521 · Oct 19, 2023 · Oct 19, 2023 · Oct 20, 2023
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -17,20 +17,52 @@ jobs:
 
   test-pathogen-repo-ci:
     uses: ./.github/workflows/pathogen-repo-ci.yaml
+    permissions:
+      contents: read
+      packages: read
+      id-token: write
     with:
       repo: nextstrain/zika
     secrets: inherit
 
   test-pathogen-repo-ci-no-example-data:
     uses: ./.github/workflows/pathogen-repo-ci.yaml
+    permissions:
+      contents: read
+      packages: read
+      id-token: write
     with:
       repo: nextstrain/zika-tutorial
 
+  test-pathogen-repo-ci-with-build-dir:
+    uses: ./.github/workflows/pathogen-repo-ci.yaml
+    permissions:
+      contents: read
+      packages: read
+      id-token: write
+    with:
+      repo: nextstrain/monkeypox
+      run: |
+        mkdir -p phylogenetic/data;
+        cp -r -v phylogenetic/example_data/* phylogenetic/data/;
+        nextstrain build phylogenetic
+      artifact-name: mpox-phylogenetic
+      artifact-paths: |
+        phylogenetic/auspice/
+        phylogenetic/results/
+        phylogenetic/benchmarks/
+        phylogenetic/logs/
+        phylogenetic/.snakemake/log/
+
   test-pathogen-repo-ci-failure:
     uses: ./.github/workflows/pathogen-repo-ci.yaml
+    permissions:
+      contents: read
+      packages: read
+      id-token: write
     with:
       repo: nextstrain/zika-tutorial
-      build-args: __BOGUS_BUILD_TARGET__
+      run: nextstrain build . __BOGUS_BUILD_TARGET__
       continue-on-error: true
 
   test-docs-ci-conda:
@@ -49,6 +81,8 @@ jobs:
 
   test-pathogen-repo-build:
     permissions:
+      contents: read
+      packages: read
       id-token: write
     strategy:
       matrix:

diff --git a/.github/workflows/pathogen-repo-build.yaml b/.github/workflows/pathogen-repo-build.yaml
@@ -133,6 +133,25 @@ on:
         type: string
         required: false
 
+      continue-on-error:
+        description: >-
+          Pass thru for <https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idcontinue-on-error>.
+        type: boolean
+        default: false
+        required: false
+
+      copy-example-data:
+        description: >-
+          Copy top level `example_data` if available in the pathogen repo to `data`
+          This will only work if your run command use the top level directory
+          since it only copies the data to the top level.
+
+          Added to keep the pathogen-repo-ci backwards compatible, but we expect
+          workflows to prepare their own example data within subdirectories.
+        type: boolean
+        default: false
+        required: false
+
 env:
   NEXTSTRAIN_GITHUB_DIR: .git/nextstrain/.github
 
@@ -151,7 +170,42 @@ jobs:
   run-build:
     needs: workflow-context
     runs-on: ubuntu-latest
+    continue-on-error: ${{ inputs.continue-on-error }}
+    permissions:
+      contents: read
+      packages: read
     steps:
+      # Log in, if possible, to docker.io (Docker Hub), since authenticated
+      # requests get higher rate limits (e.g. for image pulls).  Our org-level
+      # secret DOCKER_TOKEN_PUBLIC_READ_ONLY is available to all our public
+      # repos on GitHub but only available here to this reusable workflow when
+      # called with "secrets: inherit".  On Docker Hub, the token is granted
+      # "public read-only" access.
+      #
+      # The secrets context is not allowed in "if:" conditions, so we must
+      # launder it thru env.
+      - if: env.token-available == 'true'
+        env:
+          token-available: ${{ secrets.DOCKER_TOKEN_PUBLIC_READ_ONLY != '' }}
+        name: Log in to docker.io
+        uses: docker/login-action@v2
+        with:
+          registry: docker.io
+          username: nextstrainbot
+          password: ${{ secrets.DOCKER_TOKEN_PUBLIC_READ_ONLY }}
+        continue-on-error: true
+
+      # Log in, if possible, to ghcr.io which we use for staging images in
+      # nextstrain/docker-base.  The automatic GITHUB_TOKEN is restricted to
+      # read-only access by the "permissions:" block above.
+      - name: Log in to ghcr.io
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+        continue-on-error: true
+
       - name: Checkout build repository
         uses: actions/checkout@v3
         with:
@@ -199,6 +253,16 @@ jobs:
           | "$NEXTSTRAIN_GITHUB_DIR"/bin/json-to-envvars
           | tee -a "$GITHUB_ENV"
 
+      - if: inputs.copy-example-data
+        name: Copy example data
+        run: |
+          if [[ -d example_data ]]; then
+            mkdir -p data/
+            cp -r -v example_data/* data/
+          else
+            echo No example data to copy.
+          fi
+
       - name: Run build via ${{ inputs.runtime }}
         env:
           NEXTSTRAIN_BUILD_COMMAND: ${{ inputs.run }}