From 8924220af016a0ff377f5c9d15bbde176c6cc152 Mon Sep 17 00:00:00 2001 From: Jacob Heider Date: Thu, 5 Jan 2023 18:31:35 -0500 Subject: [PATCH] better ci/cd for 3rd-party contributions --- .github/workflows/build.yml | 3 ++- .github/workflows/cd.yml | 18 ++++++++++++++++-- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 2bf4f04e..1182191f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -155,7 +155,8 @@ jobs: stage: needs: [test] - if: startsWith(github.ref, 'refs/pull/') && startsWith(github.repository, 'teaxyz/pantry.') + # this only works for PRs from our team to our repo (security! :( ) + if: startsWith(github.ref, 'refs/pull/') && startsWith(github.repository, 'teaxyz/pantry.') && secrets.AWS_S3_CACHE != '' runs-on: ubuntu-latest strategy: matrix: diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 5b6851a7..871819f2 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -15,7 +15,21 @@ jobs: jq -sc . | curl https://app.tea.xyz/api/receiveWatcherProjects --fail -X PUT \ -H "content-type: application/json" -H "authorization: bearer ${{ secrets.TEA_API_TOKEN }}" -d @- - bottle: - #FIXME: will fail (harmlessly) on non-merge/non-new-version runs + bottle-pr: + #FIXME: will fail (harmlessly) on non-merge/non-new-version runs, and won't work on 3rd-party PRs + if: secrets.AWS_S3_CACHE != '' uses: ./.github/workflows/bottle.yml secrets: inherit + bottle-standalone: + runs-on: ubuntu-latest + if: secrets.AWS_S3_CACHE == '' + steps: + - uses: actions/checkout@v3 + - uses: technote-space/get-diff-action@v6 + id: diff + with: + PATTERNS: projects/**/package.yml + - run: gh workflow run new-version.yml -R teaxyz/pantry.core -f "projects=$PROJECTS" + env: + GITHUB_TOKEN: ${{ secrets.TEMP_JACOBS_GITHUB_PAT }} + PROJECTS: ${{ steps.diff.outputs.diff | 'zlib.net' }}
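Review bot: The `secrets` context is not available in a job-level `if:`, so the added `secrets.AWS_S3_CACHE != ''` on the `stage` job is expected to make the workflow fail validation rather than skip the job for fork PRs; GitHub documents that secrets cannot be referenced directly in `if:` conditionals. For this pull-request job the trust boundary can be stated explicitly instead of being inferred from a missing secret: `if: startsWith(github.ref, 'refs/pull/') && startsWith(github.repository, 'teaxyz/pantry.') && github.event.pull_request.head.repo.full_name == github.repository`. The same construct is used on `bottle-pr` and `bottle-standalone` in `.github/workflows/cd.yml`; there, a small preceding job that exposes whether the secret is set as a job output, read through `needs`, would serve. The `stage` job continues past the end of this hunk.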
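Review bot: `bottle-standalone` hands a personal access token (`TEMP_JACOBS_GITHUB_PAT`) to a job that also runs `technote-space/get-diff-action@v6`, a third-party action referenced by a mutable tag, so whatever that tag points to at run time executes on the same runner as the step that receives the token. Pinning the action to a full commit SHA, `uses: technote-space/get-diff-action@<full-commit-sha>  # v6`, and replacing the PAT with a fine-grained or GitHub App token limited to dispatching workflows in `teaxyz/pantry.core` would narrow that exposure; a comment recording when the temporary token is to be retired would help too. Passing the diff through `env` and quoting `"projects=$PROJECTS"` keeps file names out of the shell, but the value still derives from changed paths, so `new-version.yml` should presumably validate its `projects` input. As shown, `PROJECTS` uses a single `|`, which is not an operator in the Actions expression language; `||` looks intended.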