diff --git a/.github/workflows/jenkins-trigger.yml b/.github/workflows/jenkins-trigger.yml
new file mode 100644
index 0000000..cc1914d
--- /dev/null
+++ b/.github/workflows/jenkins-trigger.yml
@@ -0,0 +1,15 @@
+name: Jenkins Trigger - Security Scan
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ types: [opened, synchronize, reopened]
+
+jobs:
+ jenkins-security-check:
+ uses: thoughtspot/workflows/.github/workflows/jenkins-trigger.yml@main
+ secrets:
+ JENKINS_USER: ${{ secrets.JENKINS_USER }}
+ JENKINS_TOKEN: ${{ secrets.JENKINS_TOKEN }}
diff --git a/.github/workflows/sonar-scan.yml b/.github/workflows/sonar-scan.yml
new file mode 100644
index 0000000..9ec7a0d
--- /dev/null
+++ b/.github/workflows/sonar-scan.yml
@@ -0,0 +1,17 @@
+name: Sonar Analysis
+
+on:
+ push:
+ branches:
+ - '**'
+ - '*'
+ pull_request:
+ types: [opened, synchronize, reopened]
+
+jobs:
+ sonar:
+ uses: thoughtspot/workflows/.github/workflows/sonar-scan.yml@main
+ secrets:
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+ SONAR_PROJECTKEY: ${{ secrets.SONAR_PROJECTKEY }}
diff --git a/.github/workflows/sync-to-public-mirror.yml b/.github/workflows/sync-to-public-mirror.yml
new file mode 100644
index 0000000..af3427b
--- /dev/null
+++ b/.github/workflows/sync-to-public-mirror.yml
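Review bot: The reusable workflow in `uses: thoughtspot/workflows/.github/workflows/jenkins-trigger.yml@main` is referenced by a mutable branch while it receives `JENKINS_USER` and `JENKINS_TOKEN`, so any later push to `main` of that repository changes what runs with these credentials without a change in this repository. Pin the reference to a full commit SHA and bump it deliberately, e.g. `uses: thoughtspot/workflows/.github/workflows/jenkins-trigger.yml@<FULL_COMMIT_SHA>  # main`. The same applies to the `@main` references in sonar-scan.yml (Sonar secrets) and sync-to-public-mirror.yml (`SSH_DEPLOY_KEY`). None of the three files declares a `permissions:` block, so the called workflows run with the repository's default `GITHUB_TOKEN` scope; what they actually need is not visible here, but an explicit minimal block in each caller would cap it.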
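Review bot: The `push` filter lists both `'**'` and `'*'`, and the second pattern is redundant because `'**'` already matches every branch name, including names that contain `/`; drop the `- '*'` line. Combined with the `pull_request` trigger, every commit on an in-repository branch with an open PR starts the analysis twice, once per event. If scanning every branch is not required, restrict push the way jenkins-trigger.yml does, `branches: [main]`. For pull requests opened from forks the three secrets are not supplied by GitHub, so the called workflow should be expected to receive empty values there; whether it handles that is not visible in this diff.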
@@ -0,0 +1,52 @@
+name: Sync Repository to Public Mirror
+
+on:
+ pull_request:
+ types: [closed]
+ branches:
+ - main
+ workflow_dispatch:
+ inputs:
+ force_sync:
+ description: 'Force sync all branches (WARNING: This will sync all branches)'
+ required: false
+ default: false # CRITICAL FIX: Changed from 'true' to false
+ type: boolean
+ public_repo_name:
+ description: 'Public repository name (leave empty to auto-derive by removing "-private")'
+ required: false
+ type: string
+ target_branches:
+ description: 'Comma-separated list of specific branches to sync (leave empty to sync merged branch only)'
+ required: false
+ type: string
+
+# Branch-level concurrency control - allows parallel syncs for different branches
+concurrency:
+ group: sync-public-mirror-${{ github.repository }}-${{ github.event.pull_request.base.ref || github.event.client_payload.branch || github.event.inputs.target_branches || 'default' }}
+ cancel-in-progress: false # Queue per branch to ensure all changes are synced
+
+jobs:
+ call-sync-workflow:
+ # Only run this job when the PR was merged, not just closed, OR when manually triggered, OR via repository_dispatch
+ if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch' || github.event_name == 'repository_dispatch'
+ uses: thoughtspot/workflows/.github/workflows/sync-to-public-mirror.yml@main
+ with:
+ # CRITICAL FIX: Only force sync when explicitly requested, not on every PR
+ force_sync: ${{ github.event.inputs.force_sync == true || (github.event_name == 'repository_dispatch' && github.event.client_payload.force_sync == true) }}
+
+ public_repo_name: ${{ github.event.inputs.public_repo_name || github.event.client_payload.public_repo_name || '' }}
+
+ # Optimization: Pass specific target branches instead of syncing all
+ target_branches: ${{ github.event.inputs.target_branches || github.event.client_payload.target_branches || (github.event_name == 'pull_request' && github.event.pull_request.base.ref) || '' }}
+
+ # Enhanced context for better logging and traceability
+ trigger_type: ${{ github.event_name }}
+ pr_number: ${{ github.event.pull_request.number || github.event.client_payload.pr_number || '' }}
+
+ # CRITICAL FIX: Use base.ref (target branch) instead of head.ref (source branch)
+ merged_branch: ${{ github.event.pull_request.base.ref || github.event.client_payload.branch || '' }}
+
+ merge_commit_sha: ${{ github.event.pull_request.merge_commit_sha || github.event.client_payload.commit_sha || github.sha }}
+ secrets:
+ SSH_DEPLOY_KEY: ${{ secrets.SSH_DEPLOY_KEY }}
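Review bot: The `force_sync` expression compares `github.event.inputs.force_sync == true`, but values under `github.event.inputs` are delivered as strings, so a manual run with the option ticked passes `'true'`, which does not compare equal to the boolean and the result is always false. Use the typed `inputs` context instead: `force_sync: ${{ inputs.force_sync == true || (github.event_name == 'repository_dispatch' && github.event.client_payload.force_sync == true) }}`. Separately, the `if:` condition, the concurrency group and several `with:` values read `repository_dispatch` and `github.event.client_payload`, yet `on:` declares only `pull_request` and `workflow_dispatch`, so those branches are unreachable as written. If that trigger is added later, `client_payload.public_repo_name` and `client_payload.target_branches` would decide what gets pushed to the public mirror with `SSH_DEPLOY_KEY`, so either remove the dead references or validate both values against an allow-list before passing them on.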