From 8a1025a0d4a7489bbf3e083b95282b4f44476eb3 Mon Sep 17 00:00:00 2001 From: Ben Hearsum Date: Wed, 14 Apr 2021 16:08:11 -0400 Subject: [PATCH] RFC: Trigger Tests Based on PR Comments --- README.md | 1 + ...0168-Trigger-Tests-Based-on-PR-Comments.md | 31 +++++++++++++++++++ 2 files changed, 32 insertions(+) create mode 100644 rfcs/0168-Trigger-Tests-Based-on-PR-Comments.md diff --git a/README.md b/README.md index 2c439a6..55fe903 100644 --- a/README.md +++ b/README.md @@ -61,3 +61,4 @@ See [mechanics](mechanics.md) for more detail. | RFC#163 | [ProjectId](rfcs/0163-project-id.md) | | RFC#165 | [Anonymous scopes](rfcs/0165-Anonymous-scopes.md) | | RFC#166 | [Sign Public S3 URLs](rfcs/0166-Sign-public-S3-urls.md) | +| RFC#168 | [Allow comments to trigger tasks for non-collaborators](rfcs/0168-Run-Tests-on-PR-Comments.md) | diff --git a/rfcs/0168-Trigger-Tests-Based-on-PR-Comments.md b/rfcs/0168-Trigger-Tests-Based-on-PR-Comments.md new file mode 100644 index 0000000..2bb4d9f --- /dev/null +++ b/rfcs/0168-Trigger-Tests-Based-on-PR-Comments.md 
@@ -0,0 +1,31 @@ +# RFC 168 - Allow comments to trigger tasks for non-collaborators +* Comments: [#168](https://github.com/taskcluster/taskcluster-rfcs/pull/168) +* Proposed by: @bhearsum + +# Summary + +Allow collaborators to a Github repository to request that Tasks be run on Pull Requests that ran no tasks due to a restrictive `pullRequests` policy. + +## Motivation + +Increasingly, Taskcluster is being used for projects hosted on Github. In many of these projects, Tasks that are run during Pull Requests rely on secrets or other sensitive information. In these cases we usually use a `pullRequests` policy of `collaborators` to ensure that untrusted people cannot gain access to such things. Because of this, it means we have no reasonable way of verifying Pull Requests submitted by non-collaborators. Workarounds have been found (eg: a separate Github Actions flow for such PRs) but this is both burdensome and typically does not provide robust enough testing. + +# Details + +`.taskcluster.yml` will be modified to support a new `allowApprovals` policy, which will support `collaborators` as a value. When set, collaborators to the repository may add a comment containing the string "taskcluster go" to a Pull Request that hasn't run tests because of its `pullRequests` policy. When this is done, Taskcluster will run any Tasks that it would've ran when the Pull Request was opened, had the author been authorized to start Tasks. + +Taskcluster-Github will be modified to watch for [`issue_comment`](https://docs.github.com/en/developers/webhooks-and-events/webhook-events-and-payloads#issue_comment) events. When one is received, and the `allowApprovals` policy is set, it will check to see if "taskcluster go" is in the `comment`, and that the `sender` is a valid collaborator. If both of these conditions are true, Taskcluster-Github will create the appropriate Tasks. 
+ +This has been previously discussed in https://github.com/taskcluster/taskcluster-rfcs/issues/95 and https://github.com/taskcluster/taskcluster/issues/40. + +# Implementation + + + +* +* <...> +* Implemented in Taskcluster version ...
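Review bot: In the README.md hunk, the new table row links to `rfcs/0168-Run-Tests-on-PR-Comments.md`, but the file this patch creates is `rfcs/0168-Trigger-Tests-Based-on-PR-Comments.md`, so the index entry will point at a path that does not exist. Change the link target to the created filename, or rename the new file to match the link.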
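Review bot: In the Details section of rfcs/0168-Trigger-Tests-Based-on-PR-Comments.md, the approval is not bound to a specific commit. The text says Taskcluster will run the Tasks it would have run when the Pull Request was opened, but it does not say which head commit those Tasks run against, or whether commits pushed after the "taskcluster go" comment need a fresh approval. Because the Motivation states that these Tasks rely on secrets, the RFC should say that an approval covers only the head commit that existed when the collaborator commented, and that later pushes from a non-collaborator require a new comment. The matching rule (the string "is in the `comment`") should also be tightened: specify whether quoted replies and edited comments count, and whether the comment must be on a Pull Request whose Tasks were actually withheld by the `pullRequests` policy. The Implementation section is still empty placeholder bullets and should be filled in or dropped before merge.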