Documentation push trigger #2
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
# Trigger hosting of the doc on circle-ci | |
# We get the url for the artifacts for circle-ci from https://nightly.link/ | |
# | |
# This must be run in a separate workflow because for security reasons | |
# the secrets for login to circle-ci cannot be accessed by PRs opened from a fork. | |
# | |
# So this workflow waits for the doc building workflow to finish successfully | |
# before grabbing its output and pushing it to circle-CI. | |
# | |
# See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ | |
# | |
# the CIRCLE_CI_TOKEN must be a personal token and not a project token | |
# https://support.circleci.com/hc/en-us/articles/360060360811-CircleCI-API-v2-Returns-404-Not-Found | |
# | |
name: Documentation push trigger | |
on: | |
workflow_run: | |
# Run the workflow after the separate "DocumentationBuilder" workflow completes | |
workflows: [DocumentationBuilder] | |
types: | |
- completed | |
jobs: | |
push: | |
runs-on: ubuntu-latest | |
# Run the job only if the "DocumentationBuilder" workflow succeeded | |
# Prevents this workflow from running on a fork. | |
# To test this workflow on a fork remove the `github.repository == nilearn/nilearn` condition | |
if: > | |
github.event.workflow_run.conclusion == 'success' && | |
github.event.workflow_run.event == 'pull_request' && | |
github.repository == 'nilearn/nilearn' | |
steps: | |
- name: Trigger hosting job on circle ci | |
run: |4 | |
COMMIT_SHA=${{ github.event.workflow_run.head_sha }} | |
REPO_NAME=${{ github.event.workflow_run.head_repository.full_name }} | |
PULL_REQUEST_NUMBER=$(curl \ | |
-H "Accept: application/vnd.github.v3+json" \ | |
-H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ | |
https://api.github.com/repos/$REPO_NAME/commits/$COMMIT_SHA/pulls 2>/dev/null \ | |
| jq '.[0].number') | |
if [[ "$PULL_REQUEST_NUMBER" == "null" ]]; then | |
# The pull request is on the main (default) branch of the fork. | |
# The above API call is unable to get the PR number associated with the commit: | |
# https://docs.github.com/en/rest/commits/commits#list-pull-requests-associated-with-a-commit | |
# We fallback to the search API here. | |
# The search API is not used every time because it has a lower rate limit. | |
PULL_REQUEST_NUMBER=$(curl \ | |
-H "Accept: application/vnd.github+json" \ | |
-H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ | |
"https://api.github.com/search/issues?q=$COMMIT_SHA+repo:${{ github.repository }}" 2>/dev/null \ | |
| jq '.items[0].number') | |
fi | |
BRANCH=pull/$PULL_REQUEST_NUMBER/head | |
GITHUB_RUN_URL="https://nightly.link/${{ github.repository }}/actions/runs/${{ github.event.workflow_run.id }}" | |
curl --request POST \ | |
--url https://circleci.com/api/v2/project/gh/${{ github.repository }}/pipeline \ | |
--header "Circle-Token: ${{ secrets.CIRCLE_CI_TOKEN }}" \ | |
--header "content-type: application/json" \ | |
--header "x-attribution-actor-id: github_actions" \ | |
--header "x-attribution-login: github_actions" \ | |
--data \{\"branch\":\"$BRANCH\",\"parameters\":\{\"GITHUB_RUN_URL\":\"$GITHUB_RUN_URL\"\}\} |