refactor(ci): split ci in privileged and unprivileged

hCaptcha · Apr 19, 2023 · 392b18d · 392b18d
1 parent d90ef66
commit 392b18d
Show file tree

Hide file tree

Showing 2 changed files with 142 additions and 50 deletions.
diff --git a/.github/workflows/ci-privileged.yml b/.github/workflows/ci-privileged.yml
@@ -0,0 +1,105 @@
+# IMPORTANT
+# This pipeline has access to secrets since the trigger is "workflow_run".
+# It is required for it to operate only on artifacts and never build or execute source code.
+# The sole purpose of it is to comment with diffuse reports on PRs.
+# See more about security concerns here: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+
+name: 'ci-privileged'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  pull_request:
+    paths-ignore:
+      - '**.md'
+#  workflow_run:
+#    workflows: [ ci ]
+#    types:
+#      - completed
+
+jobs:
+  comment-on-pr:
+    name: 'Comment on PR'
+#    if: ${{ github.ref != 'refs/heads/main' && github.event.workflow_run.conclusion == 'success' }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-java@v3
+        with:
+          java-version: '11'
+          distribution: adopt
+      - uses: gradle/gradle-build-action@v2
+        with:
+          cache-read-only: false
+      - name: 'Build'
+        run: |
+          ./gradlew clean build --stacktrace
+          cp sdk/build/outputs/aar/sdk-release.aar sdk-pr.aar
+      - name: 'Build main'
+        run: |
+          git checkout origin/main
+          ./gradlew clean build --stacktrace
+          cp sdk/build/outputs/aar/sdk-release.aar sdk-main.aar
+      - uses: usefulness/diffuse-action@v1
+        if: github.ref != 'refs/heads/main'
+        id: diffuse
+        with:
+          old-file-path: sdk-main.aar
+          new-file-path: sdk-pr.aar
+      - name: 'Create diffuse artifact'
+        if: ${{ steps.diffuse.outputs.diff-raw != null }}
+        run: |
+          mkdir -p ./diffuse
+          echo ${{ github.event.number }} > ./diffuse/issue-nr
+          echo '${{ steps.diffuse.outputs.diff-gh-comment }}' > ./diffuse/diffuse-report
+      # Upload diffuse artifact such that `ci-privileged.yml` can use to add PR Comment
+      - name: 'Upload diffuse artifact'
+        uses: actions/upload-artifact@v3
+        if: ${{ steps.diffuse.outputs.diff-raw != null }}
+        with:
+          name: diffuse
+          path: diffuse/
+      - name: 'Download artifact'
+        if: false
+        uses: actions/github-script@v6
+        with:
+          script: |
+            var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               run_id: '${{github.event.workflow_run.id }}'
+            });
+            var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
+              return artifact.name == "diffuse"
+            })[0];
+            var download = await github.rest.actions.downloadArtifact({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               artifact_id: matchArtifact.id,
+               archive_format: 'zip'
+            });
+            var fs = require('fs');
+            fs.writeFileSync('${{github.workspace}}/diffuse.zip', Buffer.from(download.data));
+      - run: unzip diffuse.zip
+        if: false
+      - name: 'Comment on PR'
+        uses: actions/github-script@v3
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            var fs = require('fs');
+            var issueNr = Number(fs.readFileSync('./diffuse/issue-nr'));
+            var diffuseReport = fs.readFileSync('./diffuse/diffuse-report');
+            await github.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: issueNr,
+              body: `
+                Diffuse report:
+                
+                ${diffuseReport}`
+            });
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -17,8 +17,11 @@ jobs:
   test:
     name: 'Test Unit'
     runs-on: ubuntu-latest
+    if: false
     steps:
       - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
       - uses: actions/setup-java@v3
         with:
           java-version: '11'
@@ -27,18 +30,46 @@ jobs:
         with:
           cache-read-only: false
       - name: 'Build'
-        run: ./gradlew build --stacktrace
+        run: |
+          ./gradlew clean build --stacktrace
+          cp sdk/build/outputs/aar/sdk-release.aar sdk-pr.aar
       - name: 'HTML ES5 test'
         run: |
           npm install -g jshint
           java -cp sdk/build/intermediates/javac/release/classes com.hcaptcha.sdk.HCaptchaHtml > sdk/build/hcaptcha-form.html
           jshint --extract=always sdk/build/hcaptcha-form.html
       - name: 'JitPack Test'
         run: ./gradlew publishReleasePublicationToMavenLocal
+      - name: 'Build main'
+        run: |
+          git checkout origin/main
+          ./gradlew clean build --stacktrace
+          cp sdk/build/outputs/aar/sdk-release.aar sdk-main.aar
+      - uses: usefulness/diffuse-action@v1
+        if: github.ref != 'refs/heads/main'
+        id: diffuse
+        with:
+          old-file-path: sdk-main.aar
+          new-file-path: sdk-pr.aar
+      - name: 'Create diffuse artifact'
+        if: ${{ steps.diffuse.outputs.diff-raw != null }}
+        run: |
+          mkdir -p ./diffuse
+          echo ${{ github.event.number }} > ./diffuse/issue-nr
+          echo '${{ steps.diffuse.outputs.diff-gh-comment }}' > ./diffuse/diffuse-report
+      # Upload diffuse artifact such that `ci-privileged.yml` can use to add PR Comment
+      - name: 'Upload diffuse artifact'
+        uses: actions/upload-artifact@v2
+        if: ${{ steps.diffuse.outputs.diff-raw != null }}
+        with:
+          name: diffuse
+          path: diffuse/
 
   build-matrix:
     name: 'Build (target:${{ matrix.target }} compile:${{ matrix.compile }} appcompat: ${{ matrix.appcompat }})'
     needs: [ test ]
+    if: false
+    timeout-minutes: 15
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
@@ -73,6 +104,7 @@ jobs:
 
   test-ui:
     name: 'Test UI'
+    if: false
     runs-on: macos-latest
     strategy:
       fail-fast: false
@@ -131,6 +163,7 @@ jobs:
 
   test-benchmark:
     name: 'Test Benchmark'
+    if: false
     runs-on: macos-latest
     strategy:
       fail-fast: false
@@ -201,54 +234,8 @@ jobs:
           path: ~/.sonar/cache
           key: ${{ runner.os }}-sonar
           restore-keys: ${{ runner.os }}-sonar
-      - env:
+      - run: ./gradlew sonarqube --info
+        if: ${{ env.SONAR_TOKEN != '' }}
+        env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-        run: ./gradlew sonarqube --info
-
-  size-report:
-    name: 'Diffuse report'
-    needs: [ test ]
-    if: github.ref != 'refs/heads/main'
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v3
-      with:
-        fetch-depth: 0
-    - uses: actions/setup-java@v3
-      with:
-        java-version: '11'
-        distribution: adopt
-    - uses: gradle/gradle-build-action@v2
-      with:
-        cache-read-only: false
-    - name: 'Build'
-      run: |
-        ./gradlew clean build --stacktrace
-        cp sdk/build/outputs/aar/sdk-release.aar sdk-pr.aar
-    - name: 'Build main'
-      run: |
-        git checkout origin/main
-        ./gradlew clean build --stacktrace
-        cp sdk/build/outputs/aar/sdk-release.aar sdk-main.aar
-    - id: diffuse
-      uses: usefulness/diffuse-action@v1
-      with:
-        old-file-path: sdk-main.aar
-        new-file-path: sdk-pr.aar
-    - uses: peter-evans/find-comment@v2
-      id: find_comment
-      with:
-        issue-number: ${{ github.event.pull_request.number }}
-        body-includes: Diffuse report
-    - uses: peter-evans/create-or-update-comment@v2
-      if: ${{ steps.diffuse.outputs.diff-raw != null || steps.find_comment.outputs.comment-id != null }}
-      with:
-        body: |
-          Diffuse report:
-
-          ${{ steps.diffuse.outputs.diff-gh-comment }}
-        edit-mode: replace
-        comment-id: ${{ steps.find_comment.outputs.comment-id }}
-        issue-number: ${{ github.event.pull_request.number }}
-        token: ${{ secrets.GITHUB_TOKEN }}