Skip to content

Documentation push trigger #7

Documentation push trigger

Documentation push trigger #7

---
# Trigger hosting of the doc on circle-ci
# We get the url for the artifacts for circle-ci from https://nightly.link/
#
# This must be run in a separate workflow because for security reasons
# the secrets for login to circle-ci cannot be accessed by PRs opened from a fork.
#
# So this workflow waits for the doc building workflow to finish successfully
# before grabbing its output and pushing it to circle-CI.
#
# See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
#
# the CIRCLE_CI_TOKEN must be a personal token and not a project token
# https://support.circleci.com/hc/en-us/articles/360060360811-CircleCI-API-v2-Returns-404-Not-Found
#
name: Documentation push trigger
on:
workflow_run:
# Run the workflow after the separate "DocumentationBuilder" workflow completes
workflows: [DocumentationBuilder]
types:
- completed
jobs:
push:
runs-on: ubuntu-latest
# Run the job only if the "DocumentationBuilder" workflow succeeded
# Prevents this workflow from running on a fork.
# To test this workflow on a fork remove the `github.repository == nilearn/nilearn` condition
if: >
github.event.workflow_run.conclusion == 'success' &&
github.event.workflow_run.event == 'pull_request' &&
github.repository == 'nilearn/nilearn'
steps:
- name: Trigger hosting job on circle ci
run: |4
COMMIT_SHA=${{ github.event.workflow_run.head_sha }}
REPO_NAME=${{ github.event.workflow_run.head_repository.full_name }}
PULL_REQUEST_NUMBER=$(curl \
-H "Accept: application/vnd.github.v3+json" \
-H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
https://api.github.com/repos/$REPO_NAME/commits/$COMMIT_SHA/pulls 2>/dev/null \
| jq '.[0].number')
if [[ "$PULL_REQUEST_NUMBER" == "null" ]]; then
# The pull request is on the main (default) branch of the fork.
# The above API call is unable to get the PR number associated with the commit:
# https://docs.github.com/en/rest/commits/commits#list-pull-requests-associated-with-a-commit
# We fallback to the search API here.
# The search API is not used every time because it has a lower rate limit.
PULL_REQUEST_NUMBER=$(curl \
-H "Accept: application/vnd.github+json" \
-H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
"https://api.github.com/search/issues?q=$COMMIT_SHA+repo:${{ github.repository }}" 2>/dev/null \
| jq '.items[0].number')
fi
BRANCH=pull/$PULL_REQUEST_NUMBER/head
GITHUB_RUN_URL="https://nightly.link/${{ github.repository }}/actions/runs/${{ github.event.workflow_run.id }}"
curl --request POST \
--url https://circleci.com/api/v2/project/gh/${{ github.repository }}/pipeline \
--header "Circle-Token: ${{ secrets.CIRCLE_CI_TOKEN }}" \
--header "content-type: application/json" \
--header "x-attribution-actor-id: github_actions" \
--header "x-attribution-login: github_actions" \
--data \{\"branch\":\"$BRANCH\",\"parameters\":\{\"GITHUB_RUN_URL\":\"$GITHUB_RUN_URL\"\}\}