From 69447c82036c40649df9410531282b12c6c49079 Mon Sep 17 00:00:00 2001
From: Zwifi
Date: Thu, 25 Mar 2021 15:43:12 +0100
Subject: [PATCH] Run dependabot CI without GitHub secrets (#1204)

Due to https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/, Dependabot PRs don't have access to GH secrets. In particular, that means they can't run e2e tests, and can't deploy a preview app on NPM. So far, we have manually re-run the dependabot PRs to get access to the secrets. This commit makes it so that Dependabot PRs run without e2e tests or NPM preview, so that a human user does not need to be involved. To achieve that, any step of the workflow that requires a GH secret only gets executed if it isn't triggered by dependabot.
---
 .github/workflows/cd-preview.yml | 11 ++++++-----
 .github/workflows/cd-teardown.yml | 5 ++++-
 .github/workflows/ci.yml | 8 ++++++--
 .github/workflows/e2e-browser.yml | 4 ++++
 4 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/cd-preview.yml b/.github/workflows/cd-preview.yml
index 16f2c40653..e99637ab1f 100644
--- a/.github/workflows/cd-preview.yml
+++ b/.github/workflows/cd-preview.yml
@@ -1,16 +1,17 @@
 name: CD-preview

-on:
- push:
- branches-ignore:
- - dependabot/*
+on: [push, workflow_dispatch]
 env:
 CI: true

 jobs:
 dev-release-npm:
 name: "NPM release under a dev tag"
- runs-on: ubuntu-18.04
+ runs-on: ubuntu-20.04
+ # Dependabot cannot access secrets, so it doesn't have a token to publish to NPM.
+ # Since all the other jobs of this workflow depend on this one, skipping it should
+ # skip the entire workflow.
+ if: ${{ github.actor != 'dependabot' }}
 outputs:
 version-nr: ${{ steps.determine-npm-version.outputs.version-nr }}
 steps:
diff --git a/.github/workflows/cd-teardown.yml b/.github/workflows/cd-teardown.yml
index 47a92fa7b0..3cc8beb992 100644
--- a/.github/workflows/cd-teardown.yml
+++ b/.github/workflows/cd-teardown.yml
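Review bot: The added `if:` compares `github.actor` with `'dependabot'`, but runs triggered by Dependabot execute under the login `dependabot[bot]`, so this condition appears to be always true and the dev-release-npm job would still run on Dependabot pushes and then fail for lack of its publish secret. That matters more in this file than elsewhere because the same hunk drops the old `branches-ignore: dependabot/*` filter, which previously kept Dependabot branches out of this workflow entirely; an ineffective gate is therefore a regression from the pre-commit behaviour. The fix is `if: ${{ github.actor != 'dependabot[bot]' }}`, and the same comparison needs the same change in cd-teardown.yml, ci.yml and e2e-browser.yml. The comment's claim that skipping this job skips the whole workflow only holds if the dependent jobs do not use `always()` in their own `if:`; those jobs are outside the hunk, so worth confirming.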
@@ -7,7 +7,10 @@ env:
 jobs:
 unpublish-npm:
 runs-on: ubuntu-20.04
- if: github.event.ref_type == 'branch'
+ # Dependabot cannot access secrets, so it doesn't have a token to publish to NPM.
+ # Since all the other jobs of this workflow depend on this one, skipping it should
+ # skip the entire workflow.
+ if: ${{github.event.ref_type == 'branch' && github.actor != 'dependabot'}}
 steps:
 - name: Prepare for unpublication from npm
 uses: actions/setup-node@v2.1.5
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9ccabe7412..e5841a7644 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,6 +1,6 @@
 name: CI

-on: [push]
+on: [push, workflow_dispatch]
 env:
 CI: true

@@ -29,7 +29,11 @@ jobs:
 - run: npm run bootstrap -- --ci
 - run: npm run build
 - run: npm run test
- - run: npm run e2e-test
+ - # Dependabot cannot access secrets, so it doesn't have a token to authenticate to ESS.
+ # Since all the other jobs of this workflow depend on this one, skipping it should
+ # skip the entire workflow.
+ if: ${{ github.actor != 'dependabot' }}
+ run: npm run e2e-test
 env:
 E2E_TEST_REFRESH_TOKEN: ${{ secrets.E2E_TEST_REFRESH_TOKEN }}
 E2E_TEST_CLIENT_ID: ${{ secrets.E2E_TEST_CLIENT_ID }}
diff --git a/.github/workflows/e2e-browser.yml b/.github/workflows/e2e-browser.yml
index 5dcb1fca9c..4b889ec0f1 100644
--- a/.github/workflows/e2e-browser.yml
+++ b/.github/workflows/e2e-browser.yml
@@ -20,6 +20,10 @@ jobs:
 path: e2e/browser/node_modules
 key: ${{ runner.os }}-node${{ runner.node-version }}-build-${{ env.cache-name }}-${{ hashFiles('**/package-lock.json') }}
 - name: Run tests
+ # Dependabot cannot access secrets, so it doesn't have a token to authenticate to ESS.
+ # Since all the other jobs of this workflow depend on this one, skipping it should
+ # skip the entire workflow.
+ if: ${{ github.actor != 'dependabot' }}
 run: |
 cd e2e/browser;
 npm ci;
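Review bot: The new expression `${{github.event.ref_type == 'branch' && github.actor != 'dependabot'}}` omits the spaces inside `${{ }}` that the other three workflows in this patch use; `if: ${{ github.event.ref_type == 'branch' && github.actor != 'dependabot' }}` keeps the style consistent (the actor literal itself is discussed at cd-preview.yml). Skipping the unpublish job is only safe if nothing was published for the deleted branch: the `ref_type` check suggests a `delete` trigger, and if a human ever pushes to a Dependabot branch (so the preview does publish) and Dependabot later deletes that branch, the dev-tagged package would presumably be left on NPM with nobody to tear it down. The trigger and the rest of the job are outside the hunk, so this is an inference to confirm before relying on the actor as the only condition.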
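Review bot: The three-line comment above the new step-level `if:` was copied from the job-level gate and is wrong at this level: a skipped step does not skip the job or the workflow, so the remaining steps of this job still run and the "skip the entire workflow" sentence misdescribes the behaviour. Replace its last two lines with a step-level statement such as `# so only this e2e step is skipped on Dependabot pushes; the rest of the job still runs.`; the same copied comment sits above the `if:` added in e2e-browser.yml. As a style point, putting the comment after the `-` and starting the mapping on the next line (`- # Dependabot …` followed by `if:`) is valid YAML but unusual; moving the comment above the item and writing `- if: ${{ github.actor != 'dependabot' }}` with `run: npm run e2e-test` beneath reads like the rest of the steps list. Leaving `env:` mapping the `secrets.*` values on a skipped step is harmless, since per the commit message those secrets are not available to Dependabot runs anyway.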