Gitspiegel polkadot staging (paritytech#2695)

* Adding gitspiegel-trigger workflow (paritytech#2661) Using a workflow to trigger mirroring instead of a webhook allows us to reuse "Approving workflow runs from public forks" GitHub feature to somewhat protect us from malicious PRs * Fixing gitspiegel trigger workflow (paritytech#2679) The first attept to use a workflow to protect GitLab CI from untrusted contributors failed, because GitHub doesn't pass secrets to workflows for PRs that originate from forks. This uses a different approach: instead of triggerring gitspiegel API directly from the workflow, we're just spawning an empty workflow with a specific path, and gitspiegel listens for `workflow_run` event to start mirroring. The idea is the same: for the first-time contributors, running workflows would require manual aciton and that would block mirroring. But this time, we don't need any secrets to make it work. --------- Co-authored-by: Yuri Volkov <0@mcornholio.ru>
serban300 · Nov 14, 2023 · 03aaab2 · 03aaab2
1 parent 702a4c1
commit 03aaab2
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/.github/workflows/gitspiegel-trigger.yml b/.github/workflows/gitspiegel-trigger.yml
@@ -0,0 +1,22 @@
+name: gitspiegel sync
+
+# This workflow doesn't do anything, it's only use is to trigger "workflow_run"
+# webhook, that'll be consumed by gitspiegel
+# This way, gitspiegel won't do mirroring, unless this workflow runs,
+# and running the workflow is protected by GitHub
+
+on:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - unlocked
+      - ready_for_review
+      - reopened
+
+jobs:
+  sync:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Do nothing
+        run: echo "let's go"