.github: Refactor to use pull_request_target trigger.

After careful review, we believe we can now use the "pull_request_target" workflow trigger instead of "pull_request" which required a separate privliged workflow to add labels and comments to PRs when they are submitted or updated. This allows us to greatly streamline our workflows and remove unneeded ones. * The OnPRChanged workflow was... * Renamed to OnPRCheck * Changed to trigger on pull_request_target and the "recheckpr" label. * Changed to simply call reusable workflows in asterisk-ci-actions. * Changed to use better concurrency groups. * The OnPRCPCheck and OnPRMergeApproved workflows were also... * Changed to simply call reusable workflows in asterisk-ci-actions. * Changed to use better concurrency groups. * The NightlyTest and CreateDocs were also tweaked
2 months ago · e65bf88bcf
parent 8f0613f010
commit e65bf88bcf
9 changed files with 26 additions and 96 deletions
--- a/.github/workflows/CreateDocs.yml
+++ b/.github/workflows/CreateDocs.yml
@ -21,6 +21,4 @@ jobs:
    with:
      asterisk_repo:     ${{ github.repository }}
      base_branch:       ${{ matrix.branch }}
-    secrets:
-      TOKEN: ${{ secrets.GITHUB_TOKEN }}

--- a/.github/workflows/NightlyTests.yml
+++ b/.github/workflows/NightlyTests.yml
@ -23,5 +23,3 @@ jobs:
      branches:   ${{ inputs.branches || vars.NIGHTLYTEST_BRANCHES }}
      group_list: ${{ inputs.group_list || vars.NIGHTLYTEST_LIST }}
      realtime:   false
-    secrets:
-      TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/OnPRCPCheck.yml
+++ b/.github/workflows/OnPRCPCheck.yml
@ -1,16 +1,14 @@
 name: PRCPCheck
-run-name: "PR ${{ github.event.number }} ${{ github.workflow }} by ${{ github.actor }}"
+run-name: "PR ${{ github.event.number }} CPCheck by ${{ github.actor }}"
 on:
  pull_request_target:
    types: [ labeled ]

 jobs:
  PRCPCheck:
-    if: ${{ github.event.label.name == vars.CHERRY_PICK_TEST_LABEL }}
-#    concurrency:
-#      group: cpcheck-${{ github.event.number }}
-#      cancel-in-progress: true
    name: "run-cpcheck"
-    uses: asterisk/asterisk-ci-actions/.github/workflows/AsteriskPRCPCheck.yml@main
-    secrets:
-      TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    if: ${{ github.event.label.name == vars.CHERRY_PICK_TEST_LABEL }}
+    concurrency:
+      group: cpcheck-${{ github.base_ref }}-${{ github.ref_name }}
+      cancel-in-progress: true
+    uses: asterisk/asterisk-ci-actions/.github/workflows/AsteriskPRCPCheck.yml@main-pr-target
--- a/.github/workflows/OnPRChanged.yml
+++ b/.github/workflows/OnPRChanged.yml
@ -1,31 +0,0 @@
-#
-# Workflows, like this one, that are triggered by PRs submitted
-# from forked repositories are severly limited in what they can do
-# for security reasons. For instance, they can't add or remove
-# labels or comments even on the PR that triggered them.  Since
-# we need to both of those things, GitHub recommends creating a
-# separate workflow that does those tasks that's triggered when
-# this PR workflow starts or finishes. Since that workflow isn't
-# being run in the context of a forked repo, it has all the
-# privileges needed to add and remove labels and comments.  The
-# accompanying OnPRStateChangedPriv workflow does just that.
-
-name: PRChanged
-# WARNING!  The run name MUST start with "PR <pr_number>".
-# The accompanying privleged workflow parses this to find
-# the PR number.  It's the only reliable way it can get it.
-run-name: "PR ${{ github.event.number }} Changed by ${{ github.actor }}"
-on:
-  pull_request:
-    types: [opened, reopened, synchronize]
-
-concurrency:
-  group: check-${{ github.event.number }}
-  cancel-in-progress: true
-
-jobs:
-  PRChanged:
-    name: "run-check"
-    uses: asterisk/asterisk-ci-actions/.github/workflows/AsteriskPRChanged.yml@main
-    secrets:
-      TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/OnPRChangedPriv.yml
+++ b/.github/workflows/OnPRChangedPriv.yml
@ -1,27 +0,0 @@
-#
-# Workflows triggered by PRs submitted from forked repositories
-# (all of ours) are severly limited in what they can do.
-# For instance, they can't add or remove labels or comments even
-# on the PR that triggered them.  Since we need to both of those,
-# GitHub recommends creating a separate workflow (this one) that
-# does those tasks that's triggered when the PR submit workflow
-# starts or finishes.  Since this workflow isn't being run in the
-# context of a forked repo, it has all the privileges needed to
-# add and remove labels and comments. Hence the "Priv" at the end
-# of this workflow name.
-#
-name: PRChangedPriv
-run-name: "PRChangedPriv ${{ github.event.workflow_run.name }} ${{ github.event.action }}(${{ github.event.workflow_run.conclusion }})"
-on:
-  workflow_run:
-    workflows: [PRChanged]
-    types:
-      - requested
-      - completed
-
-jobs:
-  PRChangedPriv:
-    name: "run-checkpriv"
-    uses: asterisk/asterisk-ci-actions/.github/workflows/AsteriskPRChangedPriv.yml@main
-    secrets:
-      TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/OnPRCheck.yml
+++ b/.github/workflows/OnPRCheck.yml
@ -0,0 +1,14 @@
+name: PRCheck
+run-name: "PR ${{ github.event.number }} Check(${{github.event.action}}) by ${{ github.actor }}"
+on:
+  pull_request_target:
+    types: [ opened, reopened, synchronize, labeled ]
+
+jobs:
+  PRCheck:
+    name: "run-check"
+    if: ${{ (github.event.action != 'labeled') || (github.event.action == 'labeled' && github.event.label.name == vars.RECHECKPR_LABEL) }}
+    concurrency:
+      group: check-${{ github.base_ref }}-${{ github.ref_name }}
+      cancel-in-progress: true
+    uses: asterisk/asterisk-ci-actions/.github/workflows/AsteriskPRCheck.yml@main-pr-target
--- a/.github/workflows/OnPRMergeApproved.yml
+++ b/.github/workflows/OnPRMergeApproved.yml
@ -1,16 +1,14 @@
 name: PRMerge
-run-name: "PR ${{ github.event.number }} ${{ github.workflow }} by ${{ github.actor }}"
+run-name: "PR ${{ github.event.number }} Merge by ${{ github.actor }}"
 on:
  pull_request_target:
-    types: [labeled]
+    types: [ labeled ]

 jobs:
  PRMerge:
-    if: contains(fromJSON(vars.MERGE_APPROVED_LABELS), github.event.label.name)
-#    concurrency:
-#      group: merge-${{ github.event.number }}
-#      cancel-in-progress: true
    name: "run-merge"
+    if: contains(fromJSON(vars.MERGE_APPROVED_LABELS), github.event.label.name)
+    concurrency:
+      group: merge-${{ github.base_ref }}-${{ github.ref_name }}
+      cancel-in-progress: true
    uses: asterisk/asterisk-ci-actions/.github/workflows/AsteriskPRMerge.yml@main
-    secrets:
-      TOKEN:                   ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/OnPRRecheck.yml
+++ b/.github/workflows/OnPRRecheck.yml
@ -1,16 +0,0 @@
-name: PRReCheck
-run-name: "PR ${{ github.event.number }} ${{ github.workflow }} by ${{ github.actor }}"
-on:
-  pull_request_target:
-    types: [ labeled ]
-
-jobs:
-  PRReCheck:
-    if: ${{ github.event.label.name == vars.RECHECKPR_LABEL }}
-#    concurrency:
-#      group: recheck-${{ github.event.number }}
-#      cancel-in-progress: true
-    name: "run-recheck"
-    uses: asterisk/asterisk-ci-actions/.github/workflows/AsteriskPRReCheck.yml@main
-    secrets:
-      TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/WeeklyTests.yml
+++ b/.github/workflows/WeeklyTests.yml
@ -23,5 +23,3 @@ jobs:
      branches:   ${{ inputs.branches || vars.NIGHTLYTEST_BRANCHES }}
      group_list: ${{ inputs.group_list || vars.NIGHTLYTEST_LIST }}
      realtime:   true
-    secrets:
-      TOKEN: ${{ secrets.GITHUB_TOKEN }}