Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Grant write permissions only when a maintainer triggered a CI #1612

Merged
merged 3 commits into from
May 25, 2023
+42 −12
Merged

Grant write permissions only when a maintainer triggered a CI #1612

Changes from 2 commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
165b7c6
Abort if the person who triggered the CI is not a maintainer
hibariya Mar 11, 2023
adf3e05
Use the topic branch if its pull request exists
hibariya Mar 12, 2023
7723987
Update ci.yml
hibariya May 25, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
56 changes: 44 additions & 12 deletions .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,30 +2,52 @@ name: CI
on:
push:
branches:
- '**'
- '!dependabot/**'
pull_request:
# NOTE: does not work for some reasons
# branches:
# - 'dependabot/**'
- 'main'
pull_request_target:

env:
STRIPE_PUBLISHABLE_KEY: ${{ secrets.TEST_STRIPE_PUBLISHABLE_KEY }}
STRIPE_SECRET_KEY: ${{ secrets.TEST_STRIPE_SECRET_KEY }}
COMPOSE_FILE: docker-compose.yml:docker-compose.playwright.yml
MAINTAINERS: |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we automate getting this list?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I create the issue to take over it.
#1773

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

e

cecilphillip-stripe
charliegerard-stripe
cjavilla-stripe
dependabot[bot]
erinkavanaugh-stripe
hideokamoto-stripe
kevinpeters-stripe
paulasjes-stripe
thorsten-stripe

concurrency:
group: ci-${{ github.ref }}
group: ci-${{ github.event.pull_request.head.ref || github.ref }}
cancel-in-progress: true

jobs:
require-permission:
runs-on: ubuntu-latest
steps:
- name: 'check if the triggering actor is one of the maintainers'
run: |
while read item; do
if [[ "$item" == "${{ github.triggering_actor }}" ]]; then
exit # safe to run tests with write permission
fi
done <<< "$MAINTAINERS"

echo 'CI have to be re-run by one of the $MAINTAINERS' >> $GITHUB_STEP_SUMMARY
exit 1

changed_files:
runs-on: ubuntu-latest
needs: require-permission
outputs:
files: ${{ steps.diff.outputs.files }}
steps:
- uses: actions/checkout@v3
with:
ref: ${{ github.event.after || github.event.pull_request.head.sha }}
fetch-depth: 0

- name: 'Collect changed files'
Expand Down Expand Up @@ -89,13 +111,15 @@ jobs:
run: |
prefix="${{ matrix.target.sample }}/server/${{ matrix.runtime.server_type }}"

if [[ "${{ github.ref }}" = "refs/heads/main" ]] || \
if [[ "${{ github.event.pull_request.head.ref || github.ref }}" = "refs/heads/main" ]] || \
[[ $(echo "${{ needs.changed_files.outputs.files }}" | grep -E "^${prefix}") ]]
then echo 'running=true' >> $GITHUB_OUTPUT
fi

- uses: actions/checkout@v3
if: ${{ steps.if_running.outputs.running }}
with:
ref: ${{ github.event.after || github.event.pull_request.head.sha }}

- uses: actions/checkout@v3
if: ${{ steps.if_running.outputs.running }}
Expand Down Expand Up @@ -170,13 +194,15 @@ jobs:
run: |
prefix="${{ matrix.target.sample }}/client/${{ matrix.implementation.client_type }}"

if [[ "${{ github.ref }}" = "refs/heads/main" ]] || \
if [[ "${{ github.event.pull_request.head.ref || github.ref }}" = "refs/heads/main" ]] || \
[[ $(echo "${{ needs.changed_files.outputs.files }}" | grep -E "^${prefix}") ]]
then echo 'running=true' >> $GITHUB_OUTPUT
fi

- uses: actions/checkout@v3
if: ${{ steps.if_running.outputs.running }}
with:
ref: ${{ github.event.after || github.event.pull_request.head.sha }}

- uses: actions/checkout@v3
if: ${{ steps.if_running.outputs.running }}
Expand Down Expand Up @@ -247,13 +273,15 @@ jobs:
run: |
prefix="${{ matrix.target.sample }}/client/${{ matrix.implementation.client_type }}"

if [[ "${{ github.ref }}" = "refs/heads/main" ]] || \
if [[ "${{ github.event.pull_request.head.ref || github.ref }}" = "refs/heads/main" ]] || \
[[ $(echo "${{ needs.changed_files.outputs.files }}" | grep -E "^${prefix}") ]]
then echo 'running=true' >> $GITHUB_OUTPUT
fi

- uses: actions/checkout@v3
if: ${{ steps.if_running.outputs.running }}
with:
ref: ${{ github.event.after || github.event.pull_request.head.sha }}

- uses: actions/checkout@v3
if: ${{ steps.if_running.outputs.running }}
Expand Down Expand Up @@ -310,13 +338,15 @@ jobs:
run: |
prefix="custom-payment-flow/client/android-kotlin"

if [[ "${{ github.ref }}" = "refs/heads/main" ]] || \
if [[ "${{ github.event.pull_request.head.ref || github.ref }}" = "refs/heads/main" ]] || \
[[ $(echo "${{ needs.changed_files.outputs.files }}" | grep -E "^${prefix}") ]]
then echo 'running=true' >> $GITHUB_OUTPUT
fi

- uses: actions/checkout@v3
if: ${{ steps.if_running.outputs.running }}
with:
ref: ${{ github.event.after || github.event.pull_request.head.sha }}

- name: Build
if: ${{ steps.if_running.outputs.running }}
Expand All @@ -332,13 +362,15 @@ jobs:
run: |
prefix="custom-payment-flow/client/ios-swiftui"

if [[ "${{ github.ref }}" = "refs/heads/main" ]] || \
if [[ "${{ github.event.pull_request.head.ref || github.ref }}" = "refs/heads/main" ]] || \
[[ $(echo "${{ needs.changed_files.outputs.files }}" | grep -E "^${prefix}") ]]
then echo 'running=true' >> $GITHUB_OUTPUT
fi

- uses: actions/checkout@v3
if: ${{ steps.if_running.outputs.running }}
with:
ref: ${{ github.event.after || github.event.pull_request.head.sha }}

- name: Build
if: ${{ steps.if_running.outputs.running }}
Expand Down