From e10d9942f3b80c9b0c9a7f40f700bf310676c41d Mon Sep 17 00:00:00 2001
From: Sergiu Danalachi
Date: Wed, 19 Apr 2023 12:02:29 +0300
Subject: [PATCH] refactor(ci): split ci in privileged and unprivileged
---
.github/workflows/ci-privileged.yml | 62 ++++++++++++++++++++++
.github/workflows/ci.yml | 82 +++++++++++------------------
2 files changed, 94 insertions(+), 50 deletions(-)
create mode 100644 .github/workflows/ci-privileged.yml
diff --git a/.github/workflows/ci-privileged.yml b/.github/workflows/ci-privileged.yml
new file mode 100644
index 00000000..db4df74b
--- /dev/null
+++ b/.github/workflows/ci-privileged.yml
@@ -0,0 +1,62 @@
+# IMPORTANT
+# This pipeline has access to secrets since the trigger is "workflow_run".
+# It is required for it to operate only on artifacts and never build or execute source code.
+# The sole purpose of it is to comment with diffuse reports on PRs.
+# See more about security concerns here: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+
+name: 'ci-privileged'
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+on:
+ workflow_run:
+ workflows: [ 'ci' ]
+ types:
+ - completed
+
+jobs:
+ comment-on-pr:
+ name: 'Comment on PR'
+ if: github.ref != 'refs/heads/main'
+ runs-on: ubuntu-latest
+ steps:
+ - name: 'Download artifact'
+ uses: actions/github-script@v3.1.0
+ with:
+ script: |
+ var artifacts = await github.actions.listWorkflowRunArtifacts({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ run_id: ${{github.event.workflow_run.id }},
+ });
+ var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
+ return artifact.name == "diffuse"
+ })[0];
+ var download = await github.actions.downloadArtifact({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ artifact_id: matchArtifact.id,
+ archive_format: 'zip',
+ });
+ var fs = require('fs');
+ fs.writeFileSync('${{github.workspace}}/diffuse.zip', Buffer.from(download.data));
+ - run: unzip diffuse.zip
+ - name: 'Comment on PR'
+ uses: actions/github-script@v3
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ script: |
+ var fs = require('fs');
+ var issueNr = Number(fs.readFileSync('./issue-nr'));
+ var diffuseReport = Number(fs.readFileSync('./diffuse-report'));
+ await github.issues.createComment({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ issue_number: issueNr,
+ body: `
+ Diffuse report:
+
+ ${diffuseReport}`
+ });
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index bdde3c48..934d2d60 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
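Review bot: In the 'Comment on PR' step, `var diffuseReport = Number(fs.readFileSync('./diffuse-report'));` coerces the markdown report to a number, so the posted comment will read `NaN`; it should be `var diffuseReport = fs.readFileSync('./diffuse-report', 'utf8');`. The same step also takes `issue-nr` on trust from an artifact that an unprivileged pull-request run produced, so nothing ties the number to the run that triggered this workflow; before `createComment`, fetch the PR and require its `head.sha` to equal `context.payload.workflow_run.head_sha`, as in the fence below. The job-level `if: github.ref != 'refs/heads/main'` is unlikely to gate what the header comment intends, because for `workflow_run` triggers `github.ref` refers to the default branch; `if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'` is the usual condition here. Since the only write this workflow needs is the PR comment, a top-level `permissions:` block granting just `pull-requests: write` would keep the token this job receives scoped to that.
```yaml
      - name: 'Comment on PR'
        uses: actions/github-script@v3
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            var fs = require('fs');
            var issueNr = Number(fs.readFileSync('./issue-nr', 'utf8'));
            // The report is markdown text, not a number.
            var diffuseReport = fs.readFileSync('./diffuse-report', 'utf8');
            // issue-nr was written by an unprivileged run: only comment when that PR's
            // head is the commit the triggering run actually built.
            if (!Number.isInteger(issueNr)) {
              core.setFailed(`issue-nr is not a PR number: ${issueNr}`);
              return;
            }
            var pr = await github.pulls.get({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: issueNr,
            });
            if (pr.data.head.sha !== context.payload.workflow_run.head_sha) {
              core.setFailed(`PR #${issueNr} does not match the head of run ${context.payload.workflow_run.id}`);
              return;
            }
            // … unchanged: github.issues.createComment call …
```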
@@ -19,6 +19,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 + with: + fetch-depth: 0 - uses: actions/setup-java@v3 with: java-version: '11' @@ -27,7 +29,14 @@ jobs: with: cache-read-only: false - name: 'Build' - run: ./gradlew build --stacktrace + run: | + ./gradlew clean build --stacktrace + cp sdk/build/outputs/aar/sdk-release.aar sdk-pr.aar + - name: 'Build main' + run: | + git checkout origin/main + ./gradlew clean build --stacktrace + cp sdk/build/outputs/aar/sdk-release.aar sdk-main.aar - name: 'HTML ES5 test' run: | npm install -g jshint @@ -35,6 +44,25 @@ jobs: jshint --extract=always sdk/build/hcaptcha-form.html - name: 'JitPack Test' run: ./gradlew publishReleasePublicationToMavenLocal + - uses: usefulness/diffuse-action@v1 + if: github.ref != 'refs/heads/main' + id: diffuse + with: + old-file-path: sdk-main.aar + new-file-path: sdk-pr.aar + - name: 'Create diffuse artifact' + if: ${{ steps.diffuse.outputs.diff-raw != null }} + run: | + mkdir -p ./diffuse + echo ${{ github.event.number }} > ./diffuse/issue-nr + echo "${{ steps.diffuse.outputs.diff-gh-comment }}" > ./diffuse/diffuse-report + # Upload diffuse artifact such that `ci-privileged.yml` can use to add PR Comment + - name: 'Upload diffuse artifact' + uses: actions/upload-artifact@v2 + if: ${{ steps.diffuse.outputs.diff-raw != null }} + with: + name: pr + path: pr/ build-matrix: name: 'Build (target:${{ matrix.target }} compile:${{ matrix.compile }} appcompat: ${{ matrix.appcompat }})' 
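Review bot: In the 'Upload diffuse artifact' step of the third hunk, `name: pr` and `path: pr/` match neither the files the previous step writes under `./diffuse/` nor the `artifact.name == "diffuse"` filter in ci-privileged.yml, so the upload has nothing to collect and the privileged job would fail on `matchArtifact.id`; use `name: diffuse` and `path: diffuse/`. In the 'Create diffuse artifact' step, `echo "${{ steps.diffuse.outputs.diff-gh-comment }}"` expands the action output inside the shell command, so backticks or `$(...)` in the markdown report are interpreted by the shell instead of being written to the file; pass the output through `env` and quote the variable, as in the fence below. In the second hunk, 'Build main' leaves the working tree on `origin/main`, so the 'HTML ES5 test' and 'JitPack Test' steps that follow run against main's sources and build output rather than the PR's; add `git checkout -` after the `cp`, or build main before the PR build, so later steps see the PR.
```yaml
      - name: 'Create diffuse artifact'
        if: ${{ steps.diffuse.outputs.diff-raw != null }}
        env:
          # Expanding the output inline in `run` would hand shell metacharacters in the
          # markdown report to the shell; an environment variable is passed as data.
          DIFFUSE_REPORT: ${{ steps.diffuse.outputs.diff-gh-comment }}
        run: |
          mkdir -p ./diffuse
          echo ${{ github.event.number }} > ./diffuse/issue-nr
          printf '%s\n' "$DIFFUSE_REPORT" > ./diffuse/diffuse-report
      # Upload diffuse artifact such that `ci-privileged.yml` can use to add PR Comment
      - name: 'Upload diffuse artifact'
        uses: actions/upload-artifact@v2
        if: ${{ steps.diffuse.outputs.diff-raw != null }}
        with:
          name: diffuse
          path: diffuse/
```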
@@ -201,54 +229,8 @@ jobs: path: ~/.sonar/cache key: ${{ runner.os }}-sonar restore-keys: ${{ runner.os }}-sonar - - env: + - run: ./gradlew sonarqube --info + if: ${{ env.SONAR_TOKEN != '' }} + env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - run: ./gradlew sonarqube --info - - size-report: - name: 'Diffuse report' - needs: [ test ] - if: github.ref != 'refs/heads/main' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - uses: actions/setup-java@v3 - with: - java-version: '11' - distribution: adopt - - uses: gradle/gradle-build-action@v2 - with: - cache-read-only: false - - name: 'Build' - run: | - ./gradlew clean build --stacktrace - cp sdk/build/outputs/aar/sdk-release.aar sdk-pr.aar - - name: 'Build main' - run: | - git checkout origin/main - ./gradlew clean build --stacktrace - cp sdk/build/outputs/aar/sdk-release.aar sdk-main.aar - - id: diffuse - uses: usefulness/diffuse-action@v1 - with: - old-file-path: sdk-main.aar - new-file-path: sdk-pr.aar - - uses: peter-evans/find-comment@v2 - id: find_comment - with: - issue-number: ${{ github.event.pull_request.number }} - body-includes: Diffuse report - - uses: peter-evans/create-or-update-comment@v2 - if: ${{ steps.diffuse.outputs.diff-raw != null || steps.find_comment.outputs.comment-id != null }} - with: - body: | - Diffuse report: - - ${{ steps.diffuse.outputs.diff-gh-comment }} - edit-mode: replace - comment-id: ${{ steps.find_comment.outputs.comment-id }} - issue-number: ${{ github.event.pull_request.number }} - token: ${{ secrets.GITHUB_TOKEN }}
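Review bot: The new `if: ${{ env.SONAR_TOKEN != '' }}` reads a variable that the same step only defines in its own `env:` block; step-level `env` may not be evaluated before that step's `if`, so please confirm on a run that has no access to secrets that the step is skipped rather than failing, and if it is not, hoist `SONAR_TOKEN` to job-level `env`. The purpose of the guard is not recorded anywhere in the hunk; a comment such as `# SONAR_TOKEN is empty when the run has no access to secrets; skip Sonar rather than fail` above the step would explain it (that purpose is inferred from the condition, so adjust it if the intent differs).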