From 680b18422dbb3c3a8f7bbb2a5a5868ecf13bc864 Mon Sep 17 00:00:00 2001 From: Nic Grayson <793886+nicgrayson@users.noreply.github.com> Date: Tue, 28 Jan 2025 11:15:34 -0600 Subject: [PATCH] [MAINTENANCE] Allow forked PRs to run CI (#10894) --- .github/workflows/ci.yml | 180 ++++++++++++++++++++++++++++++++------- 1 file changed, 150 insertions(+), 30 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1930c3d9df70..dbf48b3665d2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -11,7 +11,7 @@ env: on: merge_group: - pull_request: + pull_request_target: types: - opened - reopened @@ -38,27 +38,75 @@ concurrency: cancel-in-progress: true jobs: - ci-does-not-run-on-draft-pull-requests: + check-actor-permissions: + permissions: + pull-requests: write runs-on: ubuntu-latest - if: github.event.pull_request.draft == true steps: - - run: echo "CI jobs won't run because this is a draft pull request." + - name: Check User Permission + id: check-user-permission + uses: actions-cool/check-user-permission@v2 + with: + require: write + username: ${{ github.triggering_actor }} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Notify on Lack of Permission + if: steps.check-user-permission.outputs.require-result == 'false' + id: slack-user-permission + uses: slackapi/slack-github-action@v1.27.0 + with: + payload: | + { + "MESSAGE": "${{github.actor}} opened a PR from a fork. Please carefully review the code and retry failed jobs.", + "GHA_LINK": "${{github.server_url}}/${{github.repository}}/actions/runs/${{github.run_id}}" + } + env: + SLACK_WEBHOOK_URL: ${{ secrets.SLACK_PERMISSION_CHECK_WEBHOOK_URL }} + + - name: Notify on Bot Commiting + if: steps.check-user-permission.outputs.check-result == 'false' + id: slack-bot-user + uses: slackapi/slack-github-action@v1.27.0 + with: + payload: | + { + "MESSAGE": "${{github.actor}} modified a branch but can't run CI. Please carefully review the code and retry failed jobs.", + "GHA_LINK": "${{github.server_url}}/${{github.repository}}/actions/runs/${{github.run_id}}" + } + env: + SLACK_WEBHOOK_URL: ${{ secrets.SLACK_PERMISSION_CHECK_WEBHOOK_URL }} + + - name: Add comment to add helpful context for contributors + if: steps.check-user-permission.outputs.require-result == 'false' && steps.check-user-permission.outputs.check-result == 'false' + uses: thollander/actions-comment-pull-request@v2.5.0 + with: + comment_tag: execution + message: | + Thanks for the PR @${{github.actor}} :wave: + + Our GitHub actions pipelines require a user with write permissions to retry the failed jobs. We've sent a message to a maintainer to review your PR. Please be patient and we'll get back to you as soon as possible. + + - name: Fail if No Write Permission + if: steps.check-user-permission.outputs.require-result == 'false' && steps.check-user-permission.outputs.check-result == 'false' + run: exit 1 - ci-is-on-main-repo: + ci-does-not-run-on-draft-pull-requests: runs-on: ubuntu-latest - # job only runs on main repo where we have access to credentials, or as part of the release - if: | - github.event.pull_request.head.repo.full_name == github.repository || - (github.event_name == 'push' && contains(github.ref, 'refs/tags/')) || - github.event_name == 'merge_group' + if: github.event.pull_request.draft == true steps: - - run: echo "This CI step only runs on the main repo, where we have access to credentials." + - run: echo "CI jobs won't run because this is a draft pull request." static-analysis: + needs: [check-actor-permissions] runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + - name: Set up Python uses: actions/setup-python@v5 with: @@ -82,7 +130,7 @@ jobs: run: ./scripts/check_linter_ignores.sh docs-snippets: - needs: [unit-tests, doc-checks, ci-is-on-main-repo] + needs: [unit-tests, doc-checks, check-actor-permissions] # run on non-draft PRs with docs changes if: | (github.event.pull_request.draft == false && github.base_ref == 'develop') || @@ -129,6 +177,9 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + - name: Set up Python uses: actions/setup-python@v5 with: @@ -137,6 +188,7 @@ jobs: run: | yarn install python ci/checks/validate_docs_snippets.py + - name: Authenticate with GCP uses: google-github-actions/auth@v2 with: @@ -170,6 +222,7 @@ jobs: cache: "pip" cache-dependency-path: | reqs/requirements-dev-test.txt + - name: Install dependencies run: | pip install $(grep -E '^(invoke)' reqs/requirements-dev-contrib.txt) @@ -201,6 +254,7 @@ jobs: flags: ${{ matrix.doc-step }} unit-tests: + needs: [check-actor-permissions] env: GX_PYTHON_EXPERIMENTAL: true # allow for python 3.13+ strategy: @@ -213,6 +267,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v5 @@ -246,7 +302,7 @@ jobs: flags: ${{ matrix.python-version }} doc-checks: - needs: [static-analysis] + needs: [static-analysis, check-actor-permissions] if: github.event.pull_request.draft == false permissions: id-token: write @@ -255,6 +311,9 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + - name: Set up Python uses: actions/setup-python@v5 with: @@ -262,26 +321,32 @@ jobs: cache: "pip" cache-dependency-path: | reqs/requirements-dev-test.txt + - name: Install dependencies run: pip install -r reqs/requirements-dev-test.txt - name: check_repo_root_size run: sh ./ci/checks/check_repo_root_size.sh + - name: Docstring linter run: invoke docstrings + - name: line_number_snippet_checker run: python ci/checks/check_no_line_number_snippets.py + - name: name_tag_snippet_checker run: python ci/checks/check_only_name_tag_snippets.py + - name: integration_test_gets_run_checker run: python ci/checks/check_integration_test_gets_run.py + - name: name_tag_snippet_referenced_checker run: python ci/checks/check_name_tag_snippets_referenced.py - name: public_api_report run: invoke public-api docs-build: - needs: [doc-checks] + needs: [doc-checks, check-actor-permissions] # run on non-draft PRs if: | (github.event.pull_request.draft == false && github.base_ref == 'develop') || @@ -291,14 +356,19 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + - name: Set up Python uses: actions/setup-python@v5 with: python-version: "3.9" cache: "pip" cache-dependency-path: reqs/requirements-dev-test.txt + - name: Install dependencies run: pip install -r reqs/requirements-dev-test.txt + - name: Build docs env: NODE_OPTIONS: --max_old_space_size=4096 @@ -314,10 +384,14 @@ jobs: args: "--exclude='http.*' --include='^https://(.+\\.)?greatexpectations\\.io/' 'docs/docusaurus/build/**/*.html'" docs-tests: + needs: [check-actor-permissions] runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + - name: Run tests env: NODE_OPTIONS: --max_old_space_size=4096 @@ -325,7 +399,7 @@ jobs: run: cd docs/docusaurus && yarn install && yarn test cloud-tests: - needs: [unit-tests, static-analysis, ci-is-on-main-repo] + needs: [unit-tests, static-analysis, check-actor-permissions] if: github.event.pull_request.draft == false permissions: id-token: write @@ -357,6 +431,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} - name: Set up Python uses: actions/setup-python@v5 @@ -412,7 +488,7 @@ jobs: flags: cloud integration-tests: - needs: [unit-tests, static-analysis, ci-is-on-main-repo] + needs: [unit-tests, static-analysis, check-actor-permissions] if: github.event.pull_request.draft == false permissions: id-token: write @@ -425,6 +501,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} - name: Set up Python uses: actions/setup-python@v5 @@ -460,7 +538,7 @@ jobs: flags: integration marker-tests: - needs: [unit-tests, static-analysis] + needs: [unit-tests, static-analysis, check-actor-permissions] if: github.event.pull_request.draft == false env: GX_PYTHON_EXPERIMENTAL: true # allow for python 3.13+ @@ -523,6 +601,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v5 @@ -575,115 +655,147 @@ jobs: flags: "${{ matrix.python-version }} ${{ matrix.markers }}" py39-min-versions: - needs: [unit-tests, static-analysis] + needs: [unit-tests, static-analysis, check-actor-permissions] if: github.event.pull_request.draft == false runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + - name: Set up Python uses: actions/setup-python@v5 with: python-version: "3.9" cache: "pip" cache-dependency-path: reqs/requirements-dev-test.txt + - name: Install dependencies run: pip install . -c ci/constraints-test/py39-min-install.txt -r reqs/requirements-dev-test.txt + - name: Run the tests run: invoke ci-tests -m unit --xdist --slowest=10 --timeout=2.0 py310-min-versions: - needs: [unit-tests, static-analysis] + needs: [unit-tests, static-analysis, check-actor-permissions] if: github.event.pull_request.draft == false runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + - name: Set up Python uses: actions/setup-python@v5 with: python-version: "3.10" cache: "pip" cache-dependency-path: reqs/requirements-dev-test.txt + - name: Install dependencies run: pip install . -c ci/constraints-test/py310-min-install.txt -r reqs/requirements-dev-test.txt + - name: Run the tests run: invoke ci-tests -m unit --xdist --slowest=10 --timeout=2.0 py311-min-versions: - needs: [unit-tests, static-analysis] + needs: [unit-tests, static-analysis, check-actor-permissions] if: github.event.pull_request.draft == false runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + - name: Set up Python uses: actions/setup-python@v5 with: python-version: "3.11" cache: "pip" cache-dependency-path: reqs/requirements-dev-test.txt + - name: Install dependencies run: pip install . -c ci/constraints-test/py311-min-install.txt -r reqs/requirements-dev-test.txt + - name: Run the tests run: invoke ci-tests -m unit --xdist --slowest=10 --timeout=2.0 py312-min-versions: - needs: [unit-tests, static-analysis] + needs: [unit-tests, static-analysis, check-actor-permissions] + env: + GX_PYTHON_EXPERIMENTAL: true # allow for python 3.12+ if: github.event.pull_request.draft == false runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@v5 with: python-version: "3.12" cache: "pip" cache-dependency-path: reqs/requirements-dev-test.txt + - name: Install dependencies run: pip install . -c ci/constraints-test/py312-min-install.txt -r reqs/requirements-dev-test.txt + - name: Run the tests run: invoke ci-tests -m unit --xdist --slowest=10 --timeout=2.0 pydantic-v1: - needs: [unit-tests, static-analysis] + needs: [unit-tests, static-analysis, check-actor-permissions] if: github.event.pull_request.draft == false runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + - name: Set up Python uses: actions/setup-python@v5 with: python-version: "3.9" cache: "pip" cache-dependency-path: reqs/requirements-dev-test.txt + - name: Install dependencies run: pip install . -c ci/constraints-test/pydantic-v1-install.txt -r reqs/requirements-dev-test.txt + - name: Run the tests run: invoke ci-tests -m unit --xdist --slowest=10 --timeout=2.0 airflow-min-versions: - needs: [unit-tests, static-analysis] + needs: [unit-tests, static-analysis, check-actor-permissions] runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + - name: Set up Python uses: actions/setup-python@v5 with: python-version: "3.9" cache: "pip" cache-dependency-path: requirements.txt + - name: Install dependencies run: pip install . -c ci/constraints-test/airflow-min-install.txt + - name: Run the test # ensure the great_expectations can be imported and a context created run: sh ci/checks/check_min_airflow_dependency_compatibility.sh import_gx: - needs: [static-analysis] + needs: [static-analysis, check-actor-permissions] if: github.event.pull_request.draft == false runs-on: ubuntu-latest env: @@ -697,21 +809,26 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v5 with: python-version: ${{ matrix.python-version }} cache: "pip" cache-dependency-path: requirements.txt + - name: Install Great Expectations with core deps only run: pip install . + - name: Import Great Expectations run: python -c "import great_expectations as gx; print('Successfully imported GX Version:', gx.__version__)" build-n-publish: needs: [ - ci-is-on-main-repo, + check-actor-permissions, doc-checks, static-analysis, docs-snippets, @@ -736,22 +853,25 @@ jobs: permissions: id-token: write steps: - - uses: actions/checkout@master + - uses: actions/checkout@v4 - name: Set up Python 3.9 uses: actions/setup-python@v5 with: python-version: "3.9" - name: Update pip run: python -m pip install --upgrade pip + - name: Install Twine and Wheel, and prepare packaging run: | pip install twine wheel git config --global user.email "team@greatexpectations.io" git config --global user.name "Great Expectations" + - name: Build distribution run: | python setup.py sdist python setup.py bdist_wheel + - name: Publish distribution to PyPI uses: pypa/gh-action-pypi-publish@release/v1 with: @@ -760,7 +880,7 @@ jobs: notify_on_failure: needs: [ - ci-is-on-main-repo, + check-actor-permissions, doc-checks, static-analysis, docs-snippets, @@ -793,7 +913,7 @@ jobs: SLACK_WEBHOOK_URL: ${{ secrets.SLACK_CI_WEBHOOK_URL }} notify_on_release: - needs: [build-n-publish] + needs: [build-n-publish, check-actor-permissions] runs-on: ubuntu-latest steps: - name: Announce Release