ea2ee10268
The `workflow_run` event is triggered either when a workflow was
requested or complete (see `types`). We can use this event as a
trigger for the gitlab ci conditioning on a successful workflow
run of the main tests ("Tests" workflow). This will ensure that,
with outside contributor protection turned o, no secrets are
leaked via PRs from non-contributors, but also that gitlab ci is
run for those PRs once they were manually allowed to run.
The only downside is that now the gitlab ci will only run after
the main workflow ("Tests) has completed and thus serializing
both CI runs. OTOH gitlab CI is quite intense so maybe this is
not so bad after all. If in the future we want to parallelize
both CI runs we could have a third "precheck" condition with
maybe the spell checker and the pylint tests that the main tests
as well as the gitlab ci run depend on.
35 lines
1.1 KiB
YAML
35 lines
1.1 KiB
YAML
# inspired by rhinstaller/anaconda
|
|
|
|
name: Trigger GitLab CI
|
|
|
|
on:
|
|
workflow_run:
|
|
workflows: ["Tests"]
|
|
types: [completed]
|
|
|
|
jobs:
|
|
trigger-gitlab:
|
|
if: ${{ github.event.workflow_run.conclusion == 'success' }}
|
|
runs-on: ubuntu-latest
|
|
env:
|
|
SCHUTZBOT_SSH_KEY: ${{ secrets.SCHUTZBOT_SSH_KEY }}
|
|
steps:
|
|
- name: Clone repository
|
|
uses: actions/checkout@v2
|
|
with:
|
|
# otherwise we are testing target branch instead of the PR branch (see pull_request_target trigger)
|
|
ref: ${{ github.event.pull_request.head.sha }}
|
|
fetch-depth: 0
|
|
|
|
- name: Push to gitlab
|
|
run: |
|
|
mkdir -p ~/.ssh
|
|
echo "${SCHUTZBOT_SSH_KEY}" > ~/.ssh/id_rsa
|
|
chmod 400 ~/.ssh/id_rsa
|
|
touch ~/.ssh/known_hosts
|
|
ssh-keyscan -t rsa gitlab.com >> ~/.ssh/known_hosts
|
|
git remote add ci git@gitlab.com:osbuild/ci/osbuild.git
|
|
if [ ${{ github.event.pull_request.number }} ]; then
|
|
git checkout -b PR-${{ github.event.pull_request.number }}
|
|
fi
|
|
git push -f ci
|