From 1f56d5fe7ea77dff362eec3baf72ff42c43f1ec4 Mon Sep 17 00:00:00 2001 From: George Joseph Date: Thu, 13 Feb 2025 13:22:31 -0700 Subject: [PATCH] .github: Refactor to use pull_request_target trigger. After careful review, we believe we can now use the "pull_request_target" workflow trigger instead of "pull_request" which required a separate privliged workflow to add labels and comments to PRs when they are submitted or updated. This allows us to greatly streamline our workflows and remove unneeded ones. * The OnPRChanged workflow was... * Renamed to OnPRCheck * Changed to trigger on pull_request_target and the "recheckpr" label. * Changed to simply call reusable workflows in asterisk-ci-actions. * Changed to use better concurrency groups. * The OnPRCPCheck and OnPRMergeApproved workflows were also... * Changed to simply call reusable workflows in asterisk-ci-actions. * Changed to use better concurrency groups. * The NightlyTest and CreateDocs were also tweaked --- .github/workflows/CreateDocs.yml | 2 -- .github/workflows/NightlyTests.yml | 2 -- .github/workflows/OnPRCPCheck.yml | 14 +++++------ .github/workflows/OnPRChanged.yml | 31 ------------------------- .github/workflows/OnPRChangedPriv.yml | 27 --------------------- .github/workflows/OnPRCheck.yml | 14 +++++++++++ .github/workflows/OnPRMergeApproved.yml | 14 +++++------ .github/workflows/OnPRRecheck.yml | 16 ------------- .github/workflows/WeeklyTests.yml | 2 -- 9 files changed, 26 insertions(+), 96 deletions(-) delete mode 100644 .github/workflows/OnPRChanged.yml delete mode 100644 .github/workflows/OnPRChangedPriv.yml create mode 100644 .github/workflows/OnPRCheck.yml delete mode 100644 .github/workflows/OnPRRecheck.yml diff --git a/.github/workflows/CreateDocs.yml b/.github/workflows/CreateDocs.yml index af90b2a5d6..ab9b7a413e 100644 --- a/.github/workflows/CreateDocs.yml +++ b/.github/workflows/CreateDocs.yml 
@@ -21,6 +21,4 @@ jobs: with: asterisk_repo: ${{ github.repository }} base_branch: ${{ matrix.branch }} - secrets: - TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/NightlyTests.yml b/.github/workflows/NightlyTests.yml index f4cf32754c..78d9c2456a 100644 --- a/.github/workflows/NightlyTests.yml +++ b/.github/workflows/NightlyTests.yml @@ -23,5 +23,3 @@ jobs: branches: ${{ inputs.branches || vars.NIGHTLYTEST_BRANCHES }} group_list: ${{ inputs.group_list || vars.NIGHTLYTEST_LIST }} realtime: false - secrets: - TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/OnPRCPCheck.yml b/.github/workflows/OnPRCPCheck.yml index aeb43c1d46..8c8ad7273e 100644 --- a/.github/workflows/OnPRCPCheck.yml +++ b/.github/workflows/OnPRCPCheck.yml @@ -1,16 +1,14 @@ name: PRCPCheck -run-name: "PR ${{ github.event.number }} ${{ github.workflow }} by ${{ github.actor }}" +run-name: "PR ${{ github.event.number }} CPCheck by ${{ github.actor }}" on: pull_request_target: types: [ labeled ] jobs: PRCPCheck: - if: ${{ github.event.label.name == vars.CHERRY_PICK_TEST_LABEL }} -# concurrency: -# group: cpcheck-${{ github.event.number }} -# cancel-in-progress: true name: "run-cpcheck" - uses: asterisk/asterisk-ci-actions/.github/workflows/AsteriskPRCPCheck.yml@main - secrets: - TOKEN: ${{ secrets.GITHUB_TOKEN }} + if: ${{ github.event.label.name == vars.CHERRY_PICK_TEST_LABEL }} + concurrency: + group: cpcheck-${{ github.base_ref }}-${{ github.ref_name }} + cancel-in-progress: true + uses: asterisk/asterisk-ci-actions/.github/workflows/AsteriskPRCPCheck.yml@main-pr-target diff --git a/.github/workflows/OnPRChanged.yml b/.github/workflows/OnPRChanged.yml deleted file mode 100644 index b425427505..0000000000 --- a/.github/workflows/OnPRChanged.yml +++ /dev/null 
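Review bot: The new `concurrency.group` in OnPRCPCheck.yml is built from `github.base_ref` and `github.ref_name`, but under `pull_request_target` GitHub documents `github.ref` as the PR's base branch, so both parts should resolve to the base branch name and every PR against that branch would share one group. With `cancel-in-progress: true`, a run for one PR would then cancel the in-flight run of an unrelated PR. The commented-out lines this hunk removes keyed on the PR number, and `group: cpcheck-${{ github.event.number }}` would keep runs isolated per PR. The same pattern appears in the OnPRCheck.yml (`check-…`) and OnPRMergeApproved.yml (`merge-…`) hunks; it matters most in OnPRCheck.yml, which fires on `opened` and `synchronize`, so any contributor's push could interrupt another PR's checks.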
@@ -1,31 +0,0 @@ -# -# Workflows, like this one, that are triggered by PRs submitted -# from forked repositories are severly limited in what they can do -# for security reasons. For instance, they can't add or remove -# labels or comments even on the PR that triggered them. Since -# we need to both of those things, GitHub recommends creating a -# separate workflow that does those tasks that's triggered when -# this PR workflow starts or finishes. Since that workflow isn't -# being run in the context of a forked repo, it has all the -# privileges needed to add and remove labels and comments. The -# accompanying OnPRStateChangedPriv workflow does just that. - -name: PRChanged -# WARNING! The run name MUST start with "PR ". -# The accompanying privleged workflow parses this to find -# the PR number. It's the only reliable way it can get it. -run-name: "PR ${{ github.event.number }} Changed by ${{ github.actor }}" -on: - pull_request: - types: [opened, reopened, synchronize] - -concurrency: - group: check-${{ github.event.number }} - cancel-in-progress: true - -jobs: - PRChanged: - name: "run-check" - uses: asterisk/asterisk-ci-actions/.github/workflows/AsteriskPRChanged.yml@main - secrets: - TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/OnPRChangedPriv.yml b/.github/workflows/OnPRChangedPriv.yml deleted file mode 100644 index 318beada2c..0000000000 --- a/.github/workflows/OnPRChangedPriv.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -# -# Workflows triggered by PRs submitted from forked repositories -# (all of ours) are severly limited in what they can do. -# For instance, they can't add or remove labels or comments even -# on the PR that triggered them. Since we need to both of those, -# GitHub recommends creating a separate workflow (this one) that -# does those tasks that's triggered when the PR submit workflow -# starts or finishes. Since this workflow isn't being run in the -# context of a forked repo, it has all the privileges needed to -# add and remove labels and comments. Hence the "Priv" at the end -# of this workflow name. -# -name: PRChangedPriv -run-name: "PRChangedPriv ${{ github.event.workflow_run.name }} ${{ github.event.action }}(${{ github.event.workflow_run.conclusion }})" -on: - workflow_run: - workflows: [PRChanged] - types: - - requested - - completed - -jobs: - PRChangedPriv: - name: "run-checkpriv" - uses: asterisk/asterisk-ci-actions/.github/workflows/AsteriskPRChangedPriv.yml@main - secrets: - TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/OnPRCheck.yml b/.github/workflows/OnPRCheck.yml new file mode 100644 index 0000000000..e4d30f9d7b --- /dev/null +++ b/.github/workflows/OnPRCheck.yml @@ -0,0 +1,14 @@ +name: PRCheck +run-name: "PR ${{ github.event.number }} Check(${{github.event.action}}) by ${{ github.actor }}" +on: + pull_request_target: + types: [ opened, reopened, synchronize, labeled ] + +jobs: + PRCheck: + name: "run-check" + if: ${{ (github.event.action != 'labeled') || (github.event.action == 'labeled' && github.event.label.name == vars.RECHECKPR_LABEL) }} + concurrency: + group: check-${{ github.base_ref }}-${{ github.ref_name }} + cancel-in-progress: true + uses: asterisk/asterisk-ci-actions/.github/workflows/AsteriskPRCheck.yml@main-pr-target diff --git a/.github/workflows/OnPRMergeApproved.yml b/.github/workflows/OnPRMergeApproved.yml index 381effd690..a4b0a3a7e0 100644 --- a/.github/workflows/OnPRMergeApproved.yml 
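Review bot: OnPRCheck.yml now runs on `pull_request_target` for `opened`, `reopened` and `synchronize` with no label gate, so a PR from a fork starts a job in the base repository's context, yet the file neither restricts the token nor documents what keeps that safe. The safety of the change rests entirely on `AsteriskPRCheck.yml@main-pr-target`, which is not visible here and is referenced by a mutable branch name. If a job there checks out and builds or runs the PR head while holding the token, untrusted code would run with whatever the repository's default `GITHUB_TOKEN` permissions are. I would add a job-level `permissions:` block limited to what the called workflow needs (presumably `contents: read` and `pull-requests: write` for labels and comments, to be confirmed) and pin the `uses:` reference to a commit SHA. I would also restore a header comment such as `# Runs in the base-repo context: the called workflow must never execute PR-head code in a job that holds a write token.`, since the deleted OnPRChanged.yml explained its privilege model and the new file does not.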
+++ b/.github/workflows/OnPRMergeApproved.yml @@ -1,16 +1,14 @@ name: PRMerge -run-name: "PR ${{ github.event.number }} ${{ github.workflow }} by ${{ github.actor }}" +run-name: "PR ${{ github.event.number }} Merge by ${{ github.actor }}" on: pull_request_target: - types: [labeled] + types: [ labeled ] jobs: PRMerge: - if: contains(fromJSON(vars.MERGE_APPROVED_LABELS), github.event.label.name) -# concurrency: -# group: merge-${{ github.event.number }} -# cancel-in-progress: true name: "run-merge" + if: contains(fromJSON(vars.MERGE_APPROVED_LABELS), github.event.label.name) + concurrency: + group: merge-${{ github.base_ref }}-${{ github.ref_name }} + cancel-in-progress: true uses: asterisk/asterisk-ci-actions/.github/workflows/AsteriskPRMerge.yml@main - secrets: - TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/OnPRRecheck.yml b/.github/workflows/OnPRRecheck.yml deleted file mode 100644 index d48ab59ee3..0000000000 --- a/.github/workflows/OnPRRecheck.yml +++ /dev/null @@ -1,16 +0,0 @@ -name: PRReCheck -run-name: "PR ${{ github.event.number }} ${{ github.workflow }} by ${{ github.actor }}" -on: - pull_request_target: - types: [ labeled ] - -jobs: - PRReCheck: - if: ${{ github.event.label.name == vars.RECHECKPR_LABEL }} -# concurrency: -# group: recheck-${{ github.event.number }} -# cancel-in-progress: true - name: "run-recheck" - uses: asterisk/asterisk-ci-actions/.github/workflows/AsteriskPRReCheck.yml@main - secrets: - TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/WeeklyTests.yml b/.github/workflows/WeeklyTests.yml index 85c4df633f..5abe8a7570 100644 --- a/.github/workflows/WeeklyTests.yml +++ b/.github/workflows/WeeklyTests.yml @@ -23,5 +23,3 @@ jobs: branches: ${{ inputs.branches || vars.NIGHTLYTEST_BRANCHES }} group_list: ${{ inputs.group_list || vars.NIGHTLYTEST_LIST }} realtime: true - secrets: - TOKEN: ${{ secrets.GITHUB_TOKEN }}
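Review bot: In OnPRMergeApproved.yml the `uses:` line still points at `AsteriskPRMerge.yml@main` while the other two PR workflows moved to `@main-pr-target`, and the same hunk drops the `secrets: TOKEN` pass-through. If the `main` copy of AsteriskPRMerge.yml still declares `TOKEN` as a required secret, the call would fail at startup, so either the ref or the secrets removal looks unintended; this should be confirmed against asterisk-ci-actions. Because this job performs merges on a label event, I would also pin the reference to a commit SHA rather than a branch and give the job an explicit `permissions:` block, so the token scope does not depend on repository defaults.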