diff --git a/.github/workflows/engine-nightly.yml b/.github/workflows/engine-nightly.yml index 492c7e144c5e..95875f589b76 100644 --- a/.github/workflows/engine-nightly.yml +++ b/.github/workflows/engine-nightly.yml @@ -270,7 +270,7 @@ jobs: - run: ./run backend test jvm env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - if: success() || failure() + - if: (success() || failure()) && github.event.pull_request.head.repo.full_name == github.repository name: Engine Test Reporter uses: dorny/test-reporter@v1 with: @@ -327,7 +327,7 @@ jobs: - run: ./run backend test jvm env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - if: success() || failure() + - if: (success() || failure()) && github.event.pull_request.head.repo.full_name == github.repository name: Engine Test Reporter uses: dorny/test-reporter@v1 with: @@ -382,7 +382,7 @@ jobs: - run: ./run backend test jvm env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - if: success() || failure() + - if: (success() || failure()) && github.event.pull_request.head.repo.full_name == github.repository name: Engine Test Reporter uses: dorny/test-reporter@v1 with: @@ -438,7 +438,7 @@ jobs: - run: ./run backend test jvm env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - if: success() || failure() + - if: (success() || failure()) && github.event.pull_request.head.repo.full_name == github.repository name: Engine Test Reporter uses: dorny/test-reporter@v1 with: @@ -494,7 +494,7 @@ jobs: - run: ./run backend test jvm env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - if: success() || failure() + - if: (success() || failure()) && github.event.pull_request.head.repo.full_name == github.repository name: Engine Test Reporter uses: dorny/test-reporter@v1 with: 
@@ -553,7 +553,7 @@ jobs: ENSO_LIB_S3_AWS_REGION: ${{ secrets.ENSO_LIB_S3_AWS_REGION }} ENSO_LIB_S3_AWS_SECRET_ACCESS_KEY: ${{ secrets.ENSO_LIB_S3_AWS_SECRET_ACCESS_KEY }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - if: success() || failure() + - if: (success() || failure()) && github.event.pull_request.head.repo.full_name == github.repository name: Standard Library Test Reporter uses: dorny/test-reporter@v1 with: @@ -613,7 +613,7 @@ jobs: ENSO_LIB_S3_AWS_REGION: ${{ secrets.ENSO_LIB_S3_AWS_REGION }} ENSO_LIB_S3_AWS_SECRET_ACCESS_KEY: ${{ secrets.ENSO_LIB_S3_AWS_SECRET_ACCESS_KEY }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - if: success() || failure() + - if: (success() || failure()) && github.event.pull_request.head.repo.full_name == github.repository name: Standard Library Test Reporter uses: dorny/test-reporter@v1 with: @@ -671,7 +671,7 @@ jobs: ENSO_LIB_S3_AWS_REGION: ${{ secrets.ENSO_LIB_S3_AWS_REGION }} ENSO_LIB_S3_AWS_SECRET_ACCESS_KEY: ${{ secrets.ENSO_LIB_S3_AWS_SECRET_ACCESS_KEY }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - if: success() || failure() + - if: (success() || failure()) && github.event.pull_request.head.repo.full_name == github.repository name: Standard Library Test Reporter uses: dorny/test-reporter@v1 with: @@ -730,7 +730,7 @@ jobs: ENSO_LIB_S3_AWS_REGION: ${{ secrets.ENSO_LIB_S3_AWS_REGION }} ENSO_LIB_S3_AWS_SECRET_ACCESS_KEY: ${{ secrets.ENSO_LIB_S3_AWS_SECRET_ACCESS_KEY }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - if: success() || failure() + - if: (success() || failure()) && github.event.pull_request.head.repo.full_name == github.repository name: Standard Library Test Reporter uses: dorny/test-reporter@v1 with: 
@@ -789,7 +789,7 @@ jobs: ENSO_LIB_S3_AWS_REGION: ${{ secrets.ENSO_LIB_S3_AWS_REGION }} ENSO_LIB_S3_AWS_SECRET_ACCESS_KEY: ${{ secrets.ENSO_LIB_S3_AWS_SECRET_ACCESS_KEY }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - if: success() || failure() + - if: (success() || failure()) && github.event.pull_request.head.repo.full_name == github.repository name: Standard Library Test Reporter uses: dorny/test-reporter@v1 with: diff --git a/.github/workflows/scala-new.yml b/.github/workflows/scala-new.yml index d60342bbd122..b929ba63186b 100644 --- a/.github/workflows/scala-new.yml +++ b/.github/workflows/scala-new.yml @@ -193,7 +193,7 @@ jobs: - run: ./run backend test jvm env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - if: success() || failure() + - if: (success() || failure()) && github.event.pull_request.head.repo.full_name == github.repository name: Engine Test Reporter uses: dorny/test-reporter@v1 with: @@ -248,7 +248,7 @@ jobs: - run: ./run backend test jvm env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - if: success() || failure() + - if: (success() || failure()) && github.event.pull_request.head.repo.full_name == github.repository name: Engine Test Reporter uses: dorny/test-reporter@v1 with: @@ -304,7 +304,7 @@ jobs: - run: ./run backend test jvm env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - if: success() || failure() + - if: (success() || failure()) && github.event.pull_request.head.repo.full_name == github.repository name: Engine Test Reporter uses: dorny/test-reporter@v1 with: @@ -363,7 +363,7 @@ jobs: ENSO_LIB_S3_AWS_REGION: ${{ secrets.ENSO_LIB_S3_AWS_REGION }} ENSO_LIB_S3_AWS_SECRET_ACCESS_KEY: ${{ secrets.ENSO_LIB_S3_AWS_SECRET_ACCESS_KEY }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - if: success() || failure() + - if: (success() || failure()) && github.event.pull_request.head.repo.full_name == github.repository name: Standard Library Test Reporter uses: dorny/test-reporter@v1 with: 
@@ -421,7 +421,7 @@ jobs: ENSO_LIB_S3_AWS_REGION: ${{ secrets.ENSO_LIB_S3_AWS_REGION }} ENSO_LIB_S3_AWS_SECRET_ACCESS_KEY: ${{ secrets.ENSO_LIB_S3_AWS_SECRET_ACCESS_KEY }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - if: success() || failure() + - if: (success() || failure()) && github.event.pull_request.head.repo.full_name == github.repository name: Standard Library Test Reporter uses: dorny/test-reporter@v1 with:
@@ -480,7 +480,7 @@ jobs: ENSO_LIB_S3_AWS_REGION: ${{ secrets.ENSO_LIB_S3_AWS_REGION }} ENSO_LIB_S3_AWS_SECRET_ACCESS_KEY: ${{ secrets.ENSO_LIB_S3_AWS_SECRET_ACCESS_KEY }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - if: success() || failure() + - if: (success() || failure()) && github.event.pull_request.head.repo.full_name == github.repository name: Standard Library Test Reporter uses: dorny/test-reporter@v1 with:
diff --git a/build/build/src/ci_gen.rs b/build/build/src/ci_gen.rs
index cd5cf4740083..e9ded280417f 100644
--- a/build/build/src/ci_gen.rs
+++ b/build/build/src/ci_gen.rs
@@ -146,6 +146,13 @@ pub fn not_default_branch() -> String {
 format!("github.ref != 'refs/heads/{DEFAULT_BRANCH_NAME}'")
 }
+/// Expression piece that evaluates to `true` if we are **not** building a fork.
+///
+/// As fork builds are run with different permissions, sometimes we need to skip some steps.
+pub fn not_a_fork() -> String {
+ "github.event.pull_request.head.repo.full_name == github.repository".into()
+}
+
 pub fn release_concurrency() -> Concurrency {
 Concurrency::new(RELEASE_CONCURRENCY_GROUP)
 }
diff --git a/build/build/src/ci_gen/step.rs b/build/build/src/ci_gen/step.rs
index c81aa60d36d3..c79a51e75f8b 100644
--- a/build/build/src/ci_gen/step.rs
+++ b/build/build/src/ci_gen/step.rs
@@ -1,5 +1,6 @@
 use crate::prelude::*;
+use crate::ci_gen::not_a_fork;
 use crate::paths;
 use ide_ci::actions::workflow::definition::env_expression;
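Review bot: `not_a_fork()` in ci_gen.rs is only true for `pull_request` events: on a push, scheduled or manually dispatched run `github.event.pull_request` is empty, the comparison with `github.repository` fails, and every step gated on it is skipped. engine-nightly.yml receives the same condition in this commit, so the test reporter would presumably stop publishing results for nightly and default-branch runs, where a silently missing report is hardest to notice. Returning `"(github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)".into()` keeps the fork guard and lets non-PR runs through; the outer parentheses are needed because step.rs splices the string in after `&&`. The doc comment should also say that the expression depends on the `pull_request` payload.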
@@ -17,7 +18,8 @@ pub fn test_reporter(
 Step {
 name: Some(step_name.into()),
 uses: Some("dorny/test-reporter@v1".into()),
- r#if: Some("success() || failure()".into()),
+ // The action does not support running on forks.
+ r#if: Some(format!("(success() || failure()) && {}", not_a_fork())),
 ..default()
 }
 .with_custom_argument("reporter", "java-junit")
diff --git a/build/build/src/ide/web.rs b/build/build/src/ide/web.rs
index 8f496bc83a59..97c219c96b50 100644
--- a/build/build/src/ide/web.rs
+++ b/build/build/src/ide/web.rs
@@ -10,6 +10,7 @@ use crate::version::ENSO_VERSION;
 use anyhow::Context;
 use ide_ci::env::known::electron_builder::WindowsSigningCredentials;
 use ide_ci::program::command::FallibleManipulator;
+use ide_ci::program::command::Manipulator;
 use ide_ci::programs::node::NpmCommand;
 use ide_ci::programs::Npm;
 use sha2::Digest;
@@ -153,6 +154,23 @@ pub fn path_to_executable_in_pm_bundle(
 .context("Failed to generate in-bundle path to Project Manager executable.")
 }
+/// When secrets are not available in CI builds (e.g. when building a PR from a fork), the variables
+/// are set to empty strings. This manipulator removes such variables from the environment.
+#[derive(Clone, Copy, Debug)]
+pub struct RemoveEmptyCscEnvVars;
+
+impl Manipulator for RemoveEmptyCscEnvVars {
+ fn apply(&self, command: &mut C) {
+ for var in ide_ci::env::known::electron_builder::CI_CSC_SECRETS {
+ if let Ok(value) = std::env::var(var)
+ && value.is_empty()
+ {
+ command.env_remove(var);
+ }
+ }
+ }
+}
+
 #[derive(Clone, Copy, Debug)]
 pub enum Workspaces {
 Icons,
@@ -310,6 +328,7 @@ impl IdeDesktop {
 self.npm()?
 .try_applying(&icons)?
+ .apply(&RemoveEmptyCscEnvVars)
 // .env("DEBUG", "electron-builder")
 .set_env(env::ENSO_BUILD_GUI, gui.as_ref())?
 .set_env(env::ENSO_BUILD_IDE, output_path)?
diff --git a/build/ci_utils/src/env/known/electron_builder.rs b/build/ci_utils/src/env/known/electron_builder.rs
index 322cc112240c..169fbf6f8ed6 100644
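Review bot: `RemoveEmptyCscEnvVars::apply` in web.rs drops the signing variables without leaving any trace, so a build on the main repository whose secret was deleted or left empty would presumably produce an unsigned package as quietly as a fork build does. A log line per removed variable, naming the variable and never its value, would make that visible, for example `warn!("{var} is set but empty; removing it from the build environment")` if a logging macro is in scope in this file. The check reads the parent process environment through `std::env::var`, so a value set on `command` itself, before or after this manipulator in the chain, is not covered. The doc comment should state that only inherited variables are affected, which is what makes the position of `.apply(&RemoveEmptyCscEnvVars)` in the `IdeDesktop` hunk matter.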
--- a/build/ci_utils/src/env/known/electron_builder.rs
+++ b/build/ci_utils/src/env/known/electron_builder.rs
@@ -46,7 +46,18 @@ define_env_var! {
 CSC_FOR_PULL_REQUEST, bool;
 }
-
+/// Environment variables set from CI-provided secrets that allow code signing.
+///
+/// These variables might be set to empty strings if the secrets are not available in the CI.
+pub const CI_CSC_SECRETS: &[&str] = &[
+ WIN_CSC_LINK.name,
+ WIN_CSC_KEY_PASSWORD.name,
+ CSC_LINK.name,
+ CSC_KEY_PASSWORD.name,
+ APPLEID.name,
+ APPLEIDPASS.name,
+ APPLETEAMID.name,
+];
 /// CSC (Code Signing Certificate) link.
 ///
@@ -86,6 +97,8 @@ impl CscLink {
 /// Create a new certificate file from the environment variable.
 pub fn new_from_env() -> Result {
 let csc_link = WIN_CSC_LINK.get().or_else(|_| CSC_LINK.get())?;
+ // When secret is not available, we might get a variable with an empty value.
+ ensure!(!csc_link.is_empty(), "CSC link is empty.");
 Self::from_str(&csc_link)
 }
 }
diff --git a/test/AWS_Tests/src/S3_Spec.enso b/test/AWS_Tests/src/S3_Spec.enso
index 03f62b0a97c4..4443a3fa7477 100644
--- a/test/AWS_Tests/src/S3_Spec.enso
+++ b/test/AWS_Tests/src/S3_Spec.enso
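Review bot: In `CscLink::new_from_env` the fallback to `CSC_LINK` is taken only when `WIN_CSC_LINK.get()` returns an error, so an empty `WIN_CSC_LINK` (the case this commit is about) is accepted as the result and the new `ensure!` then fails even when `CSC_LINK` holds a usable value. Treating empty as absent before the fallback avoids that, e.g. `let csc_link = WIN_CSC_LINK.get().ok().filter(|v| !v.is_empty()).map_or_else(|| CSC_LINK.get(), Ok)?;`, assuming `get()` returns a `Result` carrying a `String`. The error text could name both variables so that a failed signing step points at the missing secret. The `impl CscLink` block starts and continues outside the hunk.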
@@ -22,12 +22,11 @@ import enso_dev.Base_Tests.Network.Enso_Cloud.Cloud_Tests_Setup.Cloud_Tests_Setu
 import enso_dev.Base_Tests.System.File_Spec as Local_File_Spec
 test_credentials -> AWS_Credential ! Illegal_State =
- access_key_id = Environment.get "ENSO_LIB_S3_AWS_ACCESS_KEY_ID"
- secret_access_key = Environment.get "ENSO_LIB_S3_AWS_SECRET_ACCESS_KEY"
- credentials = access_key_id.if_not_nothing <|
- secret_access_key.if_not_nothing <|
- AWS_Credential.Key access_key_id secret_access_key
- credentials.if_nothing (Error.throw (Illegal_State.Error "No AWS credentials found in the environment."))
+ access_key_id = Environment.get "ENSO_LIB_S3_AWS_ACCESS_KEY_ID" ""
+ secret_access_key = Environment.get "ENSO_LIB_S3_AWS_SECRET_ACCESS_KEY" ""
+ credentials_set = access_key_id.not_empty && secret_access_key.not_empty
+ if credentials_set then AWS_Credential.Key access_key_id secret_access_key else
+ Error.throw (Illegal_State.Error "No AWS credentials found in the environment.")
 ## Runs the action, overriding `AWS_Credential.Default` to point to `test_credentials`.
 with_default_credentials ~action =
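Review bot: `test_credentials` now treats an empty variable the same as an unset one, but nothing in the function says why, and the error text still reads as if the variables were absent. A comment above the two `Environment.get` lines such as `# CI passes unavailable secrets as empty strings, so empty counts as missing.` would record the reason, and the message could say "missing or empty" so a fork run is not mistaken for a misconfigured environment.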