Allow PRs from forks to access CODECOV_TOKEN
#1192
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Main | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| push: | |
| branches: | |
| - main | |
| # Though GitHub's documentation mostly says you only need this for reusable | |
| # workflows (i.e. workflows that call other workflows), it seems that GitHub | |
| # does not pass secrets to `pull_request` events that come from forks (which | |
| # it seems Dependabot's PRs do?) unless they are explicitly passed through, | |
| # because they do not want a forker's PR to be able to exfiltrate secret data | |
| # from the forked repo. This behavior is not really documented with respect to | |
| # Dependabot but some hints are here: | |
| # - https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#using-secrets-in-a-workflow | |
| # - https://github.com/pypa/gh-action-pypi-publish/discussions/49 | |
| workflow_call: | |
| secrets: | |
| CODECOV_TOKEN: | |
| required: true | |
| jobs: | |
| ci: | |
| name: CI | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| # Due to https://github.com/actions/runner/issues/849, we have to use | |
| # quotes for '3.0' -- without quotes, CI sees '3' and runs the latest. | |
| ruby: [2.7, '3.0', 3.1, 3.2, 3.3, jruby, truffleruby-head] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| # Conditionally configure bundler via environment variables as advised | |
| # * https://github.com/ruby/setup-ruby#bundle-config | |
| - name: Set bundler environment variables | |
| run: | | |
| echo "BUNDLE_WITH=checks:docs" >> $GITHUB_ENV | |
| if: matrix.ruby == 3.3 | |
| - name: Set bundler environment variables | |
| run: | | |
| echo "BUNDLE_WITH=dokaz" >> $GITHUB_ENV | |
| if: matrix.ruby == 3.2 | |
| # Use 'bundler-cache: true' instead of actions/cache as advised: | |
| # * https://github.com/actions/cache/blob/main/examples.md#ruby---bundler | |
| - uses: ruby/setup-ruby@v1 | |
| with: | |
| ruby-version: ${{ matrix.ruby }} | |
| bundler-cache: true | |
| - run: bundle exec rspec | |
| - uses: codecov/codecov-action@v4 | |
| with: | |
| files: ./coverage/coverage.xml | |
| fail_ci_if_error: true # optional (default = false) | |
| token: ${{ secrets.CODECOV_TOKEN }} | |
| verbose: true # optional (default = false) | |
| if: matrix.ruby == 3.3 | |
| - run: bundle exec rubocop | |
| if: matrix.ruby == 3.3 | |
| - run: bundle exec yard doctest | |
| if: matrix.ruby == 3.3 | |
| - run: bundle exec dokaz | |
| if: matrix.ruby == 3.2 # Does not yet work on Ruby 3.3+: https://github.com/zverok/dokaz/issues/3 | |
| - name: Run benchmarks on Ruby 2.7 or 3.3 | |
| run: | | |
| BUNDLE_GEMFILE=benchmarks/Gemfile bundle install --jobs 4 --retry 3 | |
| BUNDLE_GEMFILE=benchmarks/Gemfile bundle exec ruby benchmarks/benchmarks.rb | |
| if: matrix.ruby == '2.7' || matrix.ruby == '3.3' |