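# PR validation workflow. `test-orchestrator` gates the run on the triggering
# user's repository permission and selects the libraries to test; the unit and
# UI suites then run through reusable workflows that receive repository secrets.
name: Pull Request
on:
  # pull_request_target is required to grant secrets/write-permission to fork PRs.
  # It runs in the base repository's context, so building PR code is only
  # acceptable behind the member check in the `test-orchestrator` job (see the
  # "Check Write Permission" + "Validate Write Permission" steps). The other
  # jobs have no check of their own: they are gated through
  # `needs: [test-orchestrator]`, so that dependency must never be removed.
  # Reference: team GitHub Actions Tribal Knowledge doc.
  pull_request_target: # zizmor: ignore[dangerous-triggers]
    branches: [dev, master]
    paths-ignore:
      - '**/*.md'
      - 'LICENSE'
      - '.gitignore'
      - 'CODEOWNERS'
# Workflow-wide default for GITHUB_TOKEN is read-only; each job below widens
# it explicitly to what it needs.
permissions:
  contents: read
jobs:
  test-orchestrator:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    env:
      # Points into the checked-out workspace, i.e. at the PR's own Gemfile
      # once the "Checkout" step below has run.
      BUNDLE_GEMFILE: ${{ github.workspace }}/.github/DangerFiles/Gemfile
    outputs:
      # Produced by a step that executes code from the PR checkout; downstream
      # consumers should treat the value as untrusted data.
      libs: ${{ steps.test-orchestrator.outputs.libs }}
    steps:
      # --- Permission gate: must stay ahead of every step that touches PR code ---
      # github.triggering_actor is the account that started this run (or
      # re-run), which can differ from the PR author. A write/admin user who
      # re-runs the workflow is therefore vouching for the PR's head commit.
      - name: Check Write Permission
        uses: octokit/request-action@dad4362715b7fb2ddedf9772c8670824af564f0d # v2.4.0
        id: check_permissions
        with:
          route: GET /repos/${{ github.repository }}/collaborators/${{ github.triggering_actor }}/permission
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # The response is handed over through an environment variable rather
      # than expanded inside the script text. It is written to the job log in
      # plain text.
      - name: Debug Permission Response
        env:
          PERMISSION_DATA: ${{ steps.check_permissions.outputs.data }}
        run: |
          echo "Permission raw response: ${PERMISSION_DATA}"
      # Fails closed: any value other than "write" or "admin" (including an
      # empty one) exits 1, which fails this job and skips the dependent jobs.
      - name: Validate Write Permission
        env:
          PERMISSION: ${{ fromJson(steps.check_permissions.outputs.data).permission }}
          TRIGGERING_ACTOR: ${{ github.triggering_actor }}
        run: |
          echo "User ${TRIGGERING_ACTOR} has permission: ${PERMISSION}"
          if [ "${PERMISSION}" != "write" ] && [ "${PERMISSION}" != "admin" ]; then
            echo "User ${TRIGGERING_ACTOR} does not have sufficient permission (write or admin) to proceed. Someone from the team needs to rerun this workflow AFTER it has been deemed safe."
            exit 1
          fi
      # --- Everything from here on operates on PR-controlled files ---
      - name: Checkout
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
        with:
          # Keeps the token out of the checked-out repository's git config.
          persist-credentials: false
          # We need a sufficient depth or Danger will occasionally run into issues checking which files were modified.
          fetch-depth: 100
          # This is dangerous without the member check: it checks out the PR's
          # head commit. The ref is the SHA recorded in the event, not a branch
          # name, so that exact commit is the one to review before a re-run.
          ref: ${{ github.event.pull_request.head.sha }}
      # With BUNDLE_GEMFILE set as above, dependency installation is driven by
      # the Gemfile from the PR checkout.
      # NOTE(review): bundler-cache saves a cache from this run; confirm that a
      # cache populated from a PR checkout cannot be restored by trusted runs.
      - uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0
        with:
          ruby-version: '3.2'
          bundler-cache: true
      # Executes the Dangerfile from the PR checkout with a token that carries
      # this job's `pull-requests: write` permission.
      - name: Determine Tests to Run
        id: test-orchestrator
        env:
          DANGER_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: bundle exec danger --dangerfile=.github/DangerFiles/TestOrchestrator.rb --danger_id="TestOrchestrator"
  # Runs only after test-orchestrator (and its permission gate) succeeded.
  # NOTE(review): the reusable workflow is not shown here; confirm how it uses
  # `inputs.lib` (the matrix value comes from the `libs` output above) and
  # which ref it checks out, since it receives the secrets listed below.
  unit-tests-pr:
    permissions:
      contents: read
      pull-requests: write
    needs: [test-orchestrator]
    strategy:
      fail-fast: false
      matrix:
        lib: ${{ fromJson(needs.test-orchestrator.outputs.libs) }}
    uses: ./.github/workflows/reusable-lib-workflow.yaml
    with:
      lib: ${{ matrix.lib }}
      is_pr: true
    secrets:
      TEST_CREDENTIALS: ${{ secrets.TEST_CREDENTIALS }}
      GCLOUD_SERVICE_KEY: ${{ secrets.GCLOUD_SERVICE_KEY }}
      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
  # Gated the same way, through `needs: [test-orchestrator]`.
  # NOTE(review): the reusable workflow is not shown here; confirm which ref
  # it checks out, since it receives the secrets listed below.
  ui-tests-pr:
    permissions:
      contents: read
      pull-requests: write
    needs: [test-orchestrator]
    uses: ./.github/workflows/reusable-ui-workflow.yaml
    with:
      is_pr: true
    secrets:
      MSDK_ANDROID_REMOTE_ACCESS_CALLBACK_URL: ${{ secrets.MSDK_ANDROID_REMOTE_ACCESS_CALLBACK_URL }}
      MSDK_ANDROID_REMOTE_ACCESS_CONSUMER_KEY: ${{ secrets.MSDK_ANDROID_REMOTE_ACCESS_CONSUMER_KEY }}
      UI_TEST_CONFIG: ${{ secrets.UI_TEST_CONFIG }}
      GCLOUD_SERVICE_KEY: ${{ secrets.GCLOUD_SERVICE_KEY }}
      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}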