From 427b6ffc27189fac6c20bc806f88e2b7fe53dd62 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Budai?= Date: Tue, 3 Dec 2024 15:22:53 +0100 Subject: [PATCH] github: bring the gitlab configuration from osbuild/osbuild This commit brings the newer version of gitlab CI gating from osbuild /osbuild. Instead of relying on pull_request_target, we are relying on the fact that the pull_request trigger is not run for external contributors without an explicit approval. Thus, we don't anymore need to check the permission ourselves. --- .github/workflows/trigger-gitlab.yml | 78 ++++++++++++++-------------- 1 file changed, 39 insertions(+), 39 deletions(-) diff --git a/.github/workflows/trigger-gitlab.yml b/.github/workflows/trigger-gitlab.yml index 28ce8ad..7a650cd 100644 --- a/.github/workflows/trigger-gitlab.yml +++ b/.github/workflows/trigger-gitlab.yml @@ -1,51 +1,54 @@ -# inspired by rhinstaller/anaconda - name: Trigger GitLab CI + on: - pull_request_target: - push: - branches: - - main + workflow_run: + workflows: ["Tests"] + types: [completed] jobs: - pr-info: - runs-on: ubuntu-latest - steps: - - name: Query author repository permissions - uses: octokit/request-action@v2.x - id: user_permission - with: - route: GET /repos/${{ github.repository }}/collaborators/${{ github.event.sender.login }}/permission - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - # restrict running of tests to users with admin or write permission for the repository - # see https://docs.github.com/en/free-pro-team@latest/rest/reference/repos#get-repository-permissions-for-a-user - # store output if user is allowed in allowed_user job output so it has to be checked in downstream job - - name: Check if user does have correct permissions - if: contains('admin write', fromJson(steps.user_permission.outputs.data).permission) - id: check_user_perm - run: | - echo "User '${{ github.event.sender.login }}' has permission '${{ fromJson(steps.user_permission.outputs.data).permission }}' allowed values: 'admin', 'write'" - echo "::set-output name=allowed_user::true" - - outputs: - allowed_user: ${{ steps.check_user_perm.outputs.allowed_user }} - trigger-gitlab: - needs: pr-info - if: needs.pr-info.outputs.allowed_user == 'true' + if: ${{ github.event.workflow_run.conclusion == 'success' }} runs-on: ubuntu-latest env: IMAGEBUILDER_BOT_GITLAB_SSH_KEY: ${{ secrets.IMAGEBUILDER_BOT_GITLAB_SSH_KEY }} steps: + - name: Report status + uses: haya14busa/action-workflow_run-status@v1 + + - name: Install Dependencies + run: | + sudo apt install -y jq + - name: Clone repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: - # otherwise we are testing target branch instead of the PR branch (see pull_request_target trigger) - ref: ${{ github.event.pull_request.head.sha }} + ref: ${{ github.event.workflow_run.head_sha }} fetch-depth: 0 + - uses: octokit/request-action@v2.x + id: fetch_pulls + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + route: GET /repos/${{ github.repository }}/pulls + + - name: Checkout branch + env: + BRANCH: ${{ github.event.workflow_run.head_branch }} + run: | + PR_DATA=$(mktemp) + # use uuid as a file terminator to avoid conflicts with data content + cat > "$PR_DATA" <<'a21b3e7f-d5eb-44a3-8be0-c2412851d2e6' + ${{ steps.fetch_pulls.outputs.data }} + a21b3e7f-d5eb-44a3-8be0-c2412851d2e6 + + PR=$(jq -rc '.[] | select(.head.sha | contains("${{ github.event.workflow_run.head_sha }}")) | select(.state | contains("open"))' "$PR_DATA" | jq -r .number) + if [ ! -z "$PR" ]; then + git checkout -b PR-$PR + else + git checkout "${BRANCH}" + fi + - name: Push to gitlab run: | mkdir -p ~/.ssh @@ -54,8 +57,5 @@ jobs: touch ~/.ssh/known_hosts ssh-keyscan -t rsa gitlab.com >> ~/.ssh/known_hosts git remote add ci git@gitlab.com:redhat/services/products/image-builder/ci/koji-osbuild.git - if [ ${{ github.event.pull_request.number }} ]; then - git checkout -b PR-${{ github.event.pull_request.number }} - fi - git push -f ci + git push -f --tags ci