Split the workflow into two workflows
With this, the Fuzzy CI workflow does not do anything that requires
permissions. Permissions are not granted when the workflow is triggered
by a PR from a fork.
pitag-ha committed Dec 19, 2023
1 parent 1de66af commit b0efcf9
Showing 1 changed file with 64 additions and 24 deletions.
88 changes: 64 additions & 24 deletions .github/workflows/fuzzy-ci.yml
Expand Up @@ -319,6 +319,7 @@ jobs:
echo "hash='$hash'" | tee -a $GITHUB_OUTPUT
- name: Return
id: return
env:
github_api_labels_url: ${{ github.event.pull_request.base.repo.url }}/issues/${{ github.event.pull_request.number }}/labels
run: |
Expand All @@ -344,7 +345,7 @@ jobs:
There's a head of the new diffs printed above. The whole diffs can be downloaded from $CURRENT_ACTION_URL.\n\
Previous sha256: ${{ steps.approved_diff_info.outputs.hash }}\n\
Current sha256: $current_diff_hash"
status=$(curl -sL -w "%{http_code}" -o output.txt -X DELETE -H "Authorization: Bearer $TOKEN" "$GH_API_LABELS/$LABEL_NAME")
echo "delete_label=true" >> $GITHUB_OUTPUT
fi
else
if $current_diff_exists; then
Expand All @@ -357,6 +358,24 @@ jobs:
fi
fi
- name: Write instruction to delete PR label
# When this workflow is triggered by a PR from a fork, it doesn't have
# the permissions to delete PR labels. Instead, we forward the
# instruction to delete the label to fuzzy-ci-privileged.yml.
if: ${{ steps.return.outputs.delete_label == 'true' }}
run: |
mkdir -p ./forward
jq -n \
--arg instruction "delete_label" \
--arg endpoint "$GH_API_LABELS" \
'{instruction: $instruction, endpoint: $endpoint}' > ./forward/instruction.json
- name: Upload instruction to delete label
if: ${{ steps.return.outputs.delete_label == 'true' }}
uses: actions/upload-artifact@v3
with:
name: forwarded_instructions
path: forward/


approve:
Expand All @@ -378,20 +397,37 @@ jobs:
echo "id=$id" | tee -a $GITHUB_OUTPUT
workflow_run=$(echo "$diff_artifact" | jq ".workflow_run | .id")
echo "workflow_run=$workflow_run" | tee -a $GITHUB_OUTPUT
- name: Check if diff exists
env:
id: ${{ steps.diff_metadata.outputs.id }}
run: |
# FIXME (?)
if [ -z $id ]; then
printf "You seem to have tried to approve a diff that doesn't exist yet.\nWait for the diff to have been generated and then try again."
status=$(curl -sL -w "%{http_code}" -o output.txt -X DELETE -H "Authorization: Bearer $TOKEN" "$GH_API_LABELS/$LABEL_NAME")
exit 1
echo "exists=false" | tee -a $GITHUB_OUTPUT
else
echo "Diff has been approved."
echo "exists=true" | tee -a $GITHUB_OUTPUT
fi
- name: Write instruction to delete PR label
# When this workflow is triggered by a PR from a fork, it doesn't have
# the permissions to delete PR labels. Instead, we forward the
# instruction to delete the label to fuzzy-ci-privileged.yml.
if: ${{ steps.diff_metadata.outputs.exists == 'false' }}
run: |
mkdir -p ./forward
jq -n \
--arg instruction "delete_label" \
--arg endpoint "$GH_API_LABELS" \
'{instruction: $instruction, endpoint: $endpoint}' > ./forward/instruction.json
- name: Upload instruction to delete label
if: ${{ steps.diff_metadata.outputs.exists == 'false' }}
uses: actions/upload-artifact@v3
with:
name: forwarded_instructions
path: forward/

- name: Fail due to diff not existing yet
if: ${{ steps.diff_metadata.outputs.exists == 'false' }}
run: |
printf "You seem to have tried to approve a diff that doesn't exist yet.\nWait for the diff to have been generated and then try again."
exit 1
- name: Download diff
env:
id: ${{ steps.diff_metadata.outputs.id }}
Expand All @@ -409,20 +445,24 @@ jobs:
hash=$(sha256sum "$FULL_DIFF_FILE" | awk '{print $1}')
echo "hash=$hash" | tee -a $GITHUB_OUTPUT
- name: Write HTTP body to file
- name: Write instruction to comment on PR
# When this workflow is triggered by a PR from a fork, it doesn't have
# the permissions to comment on PRs. Instead, we forward the
# instruction to comment on the PR to fuzzy-ci-privileged.yml.
env:
approved_diffs_workflow_run: ${{ steps.diff_metadata.outputs.workflow_run }}
approved_diffs_hash: ${{ steps.diff_hash.outputs.hash }}
run: |
msg=$( cat <<EOF
This PR changes the response of some of the `ocamlmerlin` queries, that were run and analyzed by the [Merlin Fuzzy CI](https://github.com/ocaml/merlin/wiki/Merlin-Fuzzy-CI). The change is not considered a regression, the analyzis of this PR has been approved in its following state:
- URL to download the generated data sets and their diffs between PR base branch and merge branch (at the moment of approval): $ACTIONS_RUNS_ENDPOINT/$approved_diffs_workflow_run
- 256-sha of full reponses diff: $approved_diffs_hash
EOF
)
jq -n --arg msg "$msg" '{ body: $msg }' | tee -a body.json
- name: Write comment on PR
run: |
curl -LsX POST -H "Authorization: Bearer $TOKEN" -d @body.json "$GH_API_COMMENTS"
echo $?
mkdir -p ./forward
jq -n \
--arg instruction "comment" \
--arg endpoint "$GH_API_COMMENTS" \
--arg artifacts_url "$ACTIONS_RUNS_ENDPOINT/$approved_diffs_workflow_run" \
--arg hash "$approved_diffs_hash" \
'{instruction: $instruction, endpoint: $endpoint, artifacts_url: $artifacts_url, hash: $hash}' > ./forward/instruction.json
- name: Upload instruction to comment on PR
uses: actions/upload-artifact@v3
with:
name: forwarded_instructions
path: forward/
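Review bot: The `instruction.json` written by the three "Write instruction …" steps carries the API `endpoint` alongside the instruction, and the step comments say this workflow runs for PRs from forks, so whatever consumes the `forwarded_instructions` artifact (fuzzy-ci-privileged.yml, not shown here) has to treat every field as untrusted. If that workflow sends its token to the forwarded `endpoint` as-is, a tampered artifact could redirect an authenticated DELETE or POST. It would be safer to drop `endpoint` from the artifact and have the privileged side build the labels/comments URL from its own trigger event, accept only `delete_label` and `comment` for `instruction`, and check `hash` against `^[0-9a-f]{64}$` before placing it in a comment. Separately, the new `if:` conditions read `steps.diff_metadata.outputs.exists`, but `exists` is written by the "Check if diff exists" step, which shows no step-level `id:` here (the `id:` under `env:` is an environment variable); if `diff_metadata` is the earlier step, the label-deletion and "Fail due to diff not existing yet" steps would never run. Giving the check step its own `id:` and referencing it in those three conditions would restore the fail-closed behaviour.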
