2d83fc4 to f70800a
```yaml
on:
  push:
    branches:
```
We need to fix this to run on PRs if we are on our repo and the actor has push rights/is a member of the team, otherwise we should revert the BrowserStack change for now
If anyone has any ideas how to achieve this please let me know :)
Pinging @julien-deramond in case you have any suggestions about the above. Basically, because the secrets are not available on forks, we need to allow PR runs only for people with push rights. Or only for the main repository's branches.
I never managed to solve this so any help is greatly appreciated :)
You may want to put v4-dev, too.
> Pinging @julien-deramond in case you have any suggestions about the above.

Sent you a DM to have more details because I'm not sure I understand the need exactly.
But it seems that `if: github.repository == 'twbs/bootstrap'` already does the job.
When using a fork (people who don't have push rights):
- if the target is for example julien-deramond/bootstrap:main, the BrowserStack job is skipped in my forked Bootstrap repo
- if the target is twbs/bootstrap:main, I don't see the BrowserStack job run in my PRs on the Bootstrap repo

Note: it would be possible to bypass that by modifying the workflow in a PR, but it is not common and still the secrets are not available.
Maybe something like that would fit the need:

```yaml
on:
  push:
    branches:
      - main # runs only when code is pushed on the main branch
      - v4-dev # runs only when code is pushed on the v4-dev branch
  pull_request:
    branches:
      - main # run it when a PR has the main branch as a target (a PR with main-xmr-pa11y-ci as a target won't trigger it)
      - v4-dev # run it when a PR has the v4-dev branch as a direct target (a PR with main-xmr-pa11y-ci as a target won't trigger it)
  workflow_dispatch: # run it manually

jobs:
  browserstack:
    if: github.repository == 'twbs/bootstrap' # the job is skipped when trying to run it from a fork
```

If we want to be sure about all of that we could create a fake repo with some main and v4-dev branches and do some tests.
Thanks for the info! Indeed, I forgot I had the repo check.
So, I think the only thing left is to specify the pull_request branches, right?
Yes I think. And target v4-dev as well if you find it relevant.
I think v4-dev is enough if it's present in the v4-dev branch. We only need v4-dev for the CodeQL workflow's schedule event, I think (and it might be redundant there too).
Maybe https://github.com/actions-cool/check-user-permission could help with this now?
f70800a to 94fd48d
Is this good to go @XhmikosR?
I'm not sure I love this change hence why I'm hesitant. I removed this from 5.2.0 and we might find a better solution with using https://github.com/fkirc/skip-duplicate-actions
a948ee3 to 681aba3
I did a try on cspell, but I think we will agree, it is not the optimal result
Since now we have workflow_dispatch, we can trigger a workflow manually in case we don't have an open PR. Also, remove the custom `ci skip` code; it's supported natively for some time now: https://github.blog/changelog/2021-02-08-github-actions-skip-pull-request-and-push-workflows-with-skip-ci/
louismaximepiton left a comment
Hi, I don't know the actual priority of this PR, but here are my concerns + IMO, the merge of this PR would resolve the duped CI side effect when the Bootstrap core team pushes on the repo (and might avoid the same issue on forked repos)
```yaml
on:
  push:
    branches-ignore:
      - "dependabot/**"
```
We tried something to remove dependabot from the CI (still actionable by adding a tag on a dependabot branch). Added `if: "!(github.actor == 'dependabot[bot]')"` at each job level. Could be an alternative here if you don't want the action mentioned above. (https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions)
Let's give this a go and see how everyone feels about it in practice. My main concern is that I'd have to manually trigger actions for branches I don't have open PRs, but we'll see how it goes.
OK, so this is causing BrowserStack to fire also on 3rd-party people PRs... I'm going to revert the whole PR for now, and we tweak it later.
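The behaviour reported in the last comment follows from how `pull_request` runs are scoped: the workflow executes in the base repository, so `github.repository` is `twbs/bootstrap` even when the PR head lives in a fork, while repository secrets are withheld from that run. The workflow below is an added example, not Bootstrap's own file, showing a job condition that also compares the PR head repository with the base; the secret names and the npm script are placeholders.

```yaml
# Added example, not the workflow from twbs/bootstrap.
# Secret names and the npm script below are placeholders.
name: BrowserStack

on:
  push:
    branches:
      - main
      - v4-dev
  pull_request:
    branches:
      - main
      - v4-dev
  workflow_dispatch:

permissions:
  contents: read

jobs:
  browserstack:
    # Clause 1 skips runs that happen inside a fork's own copy of the repo.
    # It does NOT skip fork PRs opened against twbs/bootstrap, because for
    # pull_request events github.repository is the base repository.
    # Clause 2 lets push and workflow_dispatch through and admits a PR only
    # when its head branch lives in the base repository (no fork PRs).
    # Clause 3 skips Dependabot, whose runs get no Actions secrets either.
    if: >-
      github.repository == 'twbs/bootstrap' &&
      (github.event_name != 'pull_request' ||
      github.event.pull_request.head.repo.full_name == github.repository) &&
      github.actor != 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Run cloud browser tests
        run: npm run example-cloud-test # placeholder script name
        env:
          EXAMPLE_BS_USERNAME: ${{ secrets.EXAMPLE_BS_USERNAME }}
          EXAMPLE_BS_ACCESS_KEY: ${{ secrets.EXAMPLE_BS_ACCESS_KEY }}
```

With this condition a fork PR shows the job as skipped instead of failing on empty credentials, and a maintainer can still run it for such a branch through `workflow_dispatch`.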
Since now we have `workflow_dispatch`, we can trigger a workflow manually in case we don't have an open PR.

TODO: