branch_dispatch_pull_request.yml
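# Branch Dispatch (pull request variant).
#
# Runs on pull_request_target, i.e. in the context of the base repository and
# with access to its secrets, for every pull request including those from forks.
# The job mints a GitHub App token, checks membership of the sending account,
# looks up the matching owner/ref in the sibling repositories, and then calls
# the branch_dispatch action for lint_and_test.yml and run_workflows.yml in
# workflow-inference-compiler.
name: Branch Dispatch

on:
  pull_request_target:

# Scope of the built-in GITHUB_TOKEN only. The App token generated below is a
# separate credential; its permissions are set on the GitHub App, not here.
permissions:
  actions: read
  contents: read
  pull-requests: read

jobs:
  branch_dispatch:
    runs-on: ubuntu-latest

    steps:
      # See token.md
      - name: Generate a token
        if: always()
        id: generate_token
        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
        with:
          app_id: ${{ secrets.APP_ID }}
          private_key: ${{ secrets.APP_PRIVATE_KEY }}

      # !!!!!! CRITICAL: PLEASE READ !!!!!!
      # https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#controlling-changes-from-forks-to-workflows-in-public-repositories
      # "Note: Workflows triggered by pull_request_target events are run in the context of the base
      # branch. Since the base branch is considered trusted, workflows triggered by these events will always run,
      # REGARDLESS OF APPROVAL SETTINGS."
      # Therefore, membership must be checked to authorize PRs to run workflows.
      #
      # Note: 1. To use this repository's private actions, the repository must be checked out.
      #       2. A PR from an external account can alter the custom actions, and the altered
      #          actions would be executed if the head of the PR were checked out at the
      #          workspace root. Therefore the workspace root always holds the base branch of
      #          the PR, so that every ./.github/my_actions/* step below runs trusted code.
      #
      # NOTE(review): actions/checkout is referenced by the mutable tag v3, while the
      # token action above is pinned to a full commit SHA. Consider pinning checkout
      # to a commit SHA as well.
      - name: Checkout base commit sha (Pull Request only)
        uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.base.sha }}  # Check out the base to use trustworthy actions

      # NOTE(review): account_name is the owner of the PR head repository, not the
      # PR author (github.event.pull_request.user.login). The two can differ when
      # someone other than the owner can push to that repository. Confirm that
      # check_membership fails the job for unauthorized accounts and that checking
      # the repository owner is the intended authorization decision.
      - name: Check Membership
        uses: ./.github/my_actions/check_membership/  # Must start with ./
        with:
          account_name: ${{ github.event.pull_request.head.repo.owner.login }}
          access_token: ${{ steps.generate_token.outputs.token }}

      - name: Create environment variables
        env:
          COMMIT_MESSAGE: ''
        run: |
          echo "commit_message=$COMMIT_MESSAGE" >> "$GITHUB_ENV"

      # Unbelievably, for pull requests only, there is apparently no way to get
      # the commit message directly via the github API.
      # See https://github.com/orgs/community/discussions/28474
      #
      # The PR head is untrusted content. It is checked out into its own
      # directory so that it cannot replace the base-branch copy of
      # ./.github/my_actions, which the steps below run with the App token.
      # persist-credentials: false keeps the job token out of that directory's
      # git config. Consequence: a PR that edits .github/my_actions only takes
      # effect in this workflow after it is merged.
      # NOTE(review): assumes the local actions do not read files from the head
      # working tree - confirm against the action sources.
      - name: Checkout head commit sha (Pull Request only)
        uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          path: pr_head
          persist-credentials: false

      # %s is the subject line only. The value is written to GITHUB_ENV and later
      # passed to branch_dispatch as commit_message; it is chosen by the PR
      # author and must be treated as untrusted text by whatever consumes it.
      - name: Get commit message (Pull Request only)
        run: |
          echo "commit_message=$(git -C pr_head show -s --format=%s)" >> "$GITHUB_ENV"

      - name: Check existence of wic
        uses: ./.github/my_actions/check_existence/  # Must start with ./
        id: ce_wic
        with:
          repository: workflow-inference-compiler
          sender_repo_owner: ${{ github.event.pull_request.head.repo.owner.login }}
          sender_repo_ref: ${{ github.event.pull_request.head.ref }}
          default_owner: PolusAI
          default_branch: master
          access_token: ${{ steps.generate_token.outputs.token }}

      # Same lookup as above, but against this repository's owner rather than
      # the sender's; its ref output becomes dispatch_ref below.
      - name: Check existence of dispatch ref in wic
        uses: ./.github/my_actions/check_existence/  # Must start with ./
        id: ce_wic_dispatch
        with:
          repository: workflow-inference-compiler
          sender_repo_owner: ${{ github.repository_owner }}
          sender_repo_ref: ${{ github.event.pull_request.head.ref }}
          default_owner: PolusAI
          default_branch: master
          access_token: ${{ steps.generate_token.outputs.token }}

      - name: Check existence of mm-workflows
        uses: ./.github/my_actions/check_existence/  # Must start with ./
        id: ce_mm-workflows
        with:
          repository: mm-workflows
          sender_repo_owner: ${{ github.event.pull_request.head.repo.owner.login }}
          sender_repo_ref: ${{ github.event.pull_request.head.ref }}
          default_owner: PolusAI
          default_branch: main
          access_token: ${{ steps.generate_token.outputs.token }}

      # For other repositories, the entire step below should be copied and edited to make new steps.
      - name: Check existence of image-workflows
        uses: ./.github/my_actions/check_existence/  # Must start with ./
        id: ce_image-workflows
        with:
          repository: image-workflows
          sender_repo_owner: ${{ github.event.pull_request.head.repo.owner.login }}
          sender_repo_ref: ${{ github.event.pull_request.head.ref }}
          default_owner: PolusAI
          default_branch: main
          access_token: ${{ steps.generate_token.outputs.token }}

      # The owner/ref values passed below are outputs of the check_existence
      # steps; sender_repo, sender_repo_owner and commit_message come straight
      # from the pull request and are controlled by its author.
      - name: Branch dispatch lint_and_test.yml
        uses: ./.github/my_actions/branch_dispatch/  # Must start with ./
        id: bd_lint_and_test
        with:
          repository: workflow-inference-compiler
          workflow_yml: lint_and_test.yml
          sender_repo: ${{ github.event.pull_request.head.repo.owner.login }}/${{ github.event.pull_request.head.repo.name }}
          sender_repo_owner: ${{ github.event.pull_request.head.repo.owner.login }}
          dispatch_ref: ${{ steps.ce_wic_dispatch.outputs.ref }}
          wic_owner: ${{ steps.ce_wic.outputs.owner }}
          wic_ref: ${{ steps.ce_wic.outputs.ref }}
          event_type: ${{ github.event_name }}
          commit_message: ${{ env.commit_message }}
          mm_workflows_owner: ${{ steps.ce_mm-workflows.outputs.owner }}
          mm_workflows_ref: ${{ steps.ce_mm-workflows.outputs.ref }}
          image_workflows_owner: ${{ steps.ce_image-workflows.outputs.owner }}
          image_workflows_ref: ${{ steps.ce_image-workflows.outputs.ref }}
          access_token: ${{ steps.generate_token.outputs.token }}

      - name: Branch dispatch run_workflows.yml
        uses: ./.github/my_actions/branch_dispatch/  # Must start with ./
        id: bd_run_workflows
        with:
          repository: workflow-inference-compiler
          workflow_yml: run_workflows.yml
          sender_repo: ${{ github.event.pull_request.head.repo.owner.login }}/${{ github.event.pull_request.head.repo.name }}
          sender_repo_owner: ${{ github.event.pull_request.head.repo.owner.login }}
          dispatch_ref: ${{ steps.ce_wic_dispatch.outputs.ref }}
          wic_owner: ${{ steps.ce_wic.outputs.owner }}
          wic_ref: ${{ steps.ce_wic.outputs.ref }}
          event_type: ${{ github.event_name }}
          commit_message: ${{ env.commit_message }}
          mm_workflows_owner: ${{ steps.ce_mm-workflows.outputs.owner }}
          mm_workflows_ref: ${{ steps.ce_mm-workflows.outputs.ref }}
          image_workflows_owner: ${{ steps.ce_image-workflows.outputs.owner }}
          image_workflows_ref: ${{ steps.ce_image-workflows.outputs.ref }}
          access_token: ${{ steps.generate_token.outputs.token }}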