CI for external forks (#131)

2023-10-02 15:32:01 +01:00 · 2023-10-02 15:32:01 +01:00 · 317fbe9f11
commit 317fbe9f11
parent 5996f85921
5 changed files with 52 additions and 7 deletions
--- a/.github/workflows/ensure-capi-images.yaml
+++ b/.github/workflows/ensure-capi-images.yaml
@ -1,6 +1,11 @@
 name: Ensure CAPI images
 on:
  workflow_call:
+    inputs:
+      ref-under-test:
+        type: string
+        description: The Git ref under test.
+        required: true
    outputs:
      kube-1-26-image:
        value: ${{ jobs.produce_outputs.outputs.kube-1-26-image }}
@ -23,6 +28,8 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@v3
+        with:
+          ref: ${{ inputs.ref-under-test }}

      - name: Fetch image details
        id: images
@ -50,6 +57,8 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@v3
+        with:
+          ref: ${{ inputs.ref-under-test }}
        if: ${{ !matrix.skip }}

      - name: Write cloud credential
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@ -1,6 +1,11 @@
 name: Helm Lint
 on:
  workflow_call:
+    inputs:
+      ref-under-test:
+        type: string
+        description: The Git ref under test.
+        required: true

 jobs:
  lint:
@ -9,6 +14,7 @@ jobs:
      - name: Checkout
        uses: actions/checkout@v3
        with:
+          ref: ${{ inputs.ref-under-test }}
          fetch-depth: 0

      - name: Set up Helm
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@ -11,11 +11,15 @@ concurrency:
 jobs:
  lint:
    uses: ./.github/workflows/lint.yaml
+    with:
+      ref-under-test: ${{ github.sha }}

  ensure_capi_images:
    needs: [lint]
    uses: ./.github/workflows/ensure-capi-images.yaml
    secrets: inherit
+    with:
+      ref-under-test: ${{ github.sha }}

  test:
    needs: [ensure_capi_images]
@ -24,5 +28,7 @@ jobs:
    with:
      # Pass the images as JSON
      images: ${{ toJSON(needs.ensure_capi_images.outputs) }}
+      # We want to test the current sha
+      ref-under-test: ${{ github.sha }}
      # Only run the sanity check on main
      tests-full: false
--- a/.github/workflows/pr.yaml
+++ b/.github/workflows/pr.yaml
@ -1,6 +1,6 @@
 name: test pr
 on:
-  pull_request:
+  pull_request_target:
    types:
      - opened
      - synchronize
@ -14,16 +14,31 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  # Run the lint on every PR, even from external repos
-  lint:
-    uses: ./.github/workflows/lint.yaml
+  # Reusable workflows cannot be used with environments
+  # https://docs.github.com/en/actions/using-workflows/reusing-workflows#supported-keywords-for-jobs-that-call-a-reusable-workflow
+  # So we must use a different mechanism for approvals
+  wait_for_approval:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Wait for approval
+        uses: stackhpc/github-actions/workflow-approve@master
+        with:
+          approvers: mkjpryor
+          # Explicit approval is only required for PRs from external forks
+          approval-required: ${{ github.event.pull_request.head.repo.full_name != 'stackhpc/capi-helm-charts' && 'yes' || 'no' }}
+
+  lint:
+    needs: [wait_for_approval]
+    uses: ./.github/workflows/lint.yaml
+    with:
+      ref-under-test: ${{ github.event.pull_request.head.sha }}

-  # Only run tests on the main repo
  ensure_capi_images:
    needs: [lint]
    uses: ./.github/workflows/ensure-capi-images.yaml
    secrets: inherit
-    if: github.repository == 'stackhpc/capi-helm-charts'
+    with:
+      ref-under-test: ${{ github.event.pull_request.head.sha }}

  test:
    needs: [ensure_capi_images]
@ -32,7 +47,8 @@ jobs:
    with:
      # Pass the images as JSON
      images: ${{ toJSON(needs.ensure_capi_images.outputs) }}
+      # We want to test the code in the PR
+      ref-under-test: ${{ github.event.pull_request.head.sha }}
      # If the PR is in draft, just run a sanity check
      # If the PR is in review, run the full test suite
      tests-full: ${{ !github.event.pull_request.draft }}
-    if: github.repository == 'stackhpc/capi-helm-charts'
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@ -5,6 +5,9 @@ on:
      images:
        type: string
        description: JSON-encoded dictionary of images and versions
+      ref-under-test:
+        type: string
+        description: The Git ref under test.
        required: true
      tests-full:
        type: boolean
@ -22,6 +25,8 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@v3
+        with:
+          ref: ${{ inputs.ref-under-test }}

      - name: Create kind cluster
        uses: helm/kind-action@v1.8.0
@ -92,6 +97,8 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@v3
+        with:
+          ref: ${{ inputs.ref-under-test }}

      - name: Create kind cluster
        uses: helm/kind-action@v1.8.0
@ -170,6 +177,7 @@ jobs:
      - name: Checkout current
        uses: actions/checkout@v3
        with:
+          ref: ${{ inputs.ref-under-test }}
          path: current

      - name: Get latest tag