fix(ci): Fix GitHub workflow behavior for forks (#23117)

apache · Apr 14, 2023 · 47fd732 · 47fd732
1 parent da5f715
commit 47fd732
Show file tree

Hide file tree

Showing 30 changed files with 280 additions and 55 deletions.
diff --git a/.github/workflows/cancel_duplicates.yml b/.github/workflows/cancel_duplicates.yml
@@ -10,11 +10,14 @@ jobs:
   cancel-duplicate-runs:
     name: Cancel duplicate workflow runs
     runs-on: ubuntu-20.04
+    permissions:
+      actions: write
+      contents: read
     steps:
       - name: Check number of queued tasks
         id: check_queued
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ github.token }}
           GITHUB_REPO: ${{ github.repository }}
         run: |
           get_count() {
@@ -28,12 +31,12 @@ jobs:
 
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
         if: steps.check_queued.outputs.count >= 20
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Cancel duplicate workflow runs
         if: steps.check_queued.outputs.count >= 20
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ github.token }}
           GITHUB_REPOSITORY: ${{ github.repository }}
         run: |
           pip install click requests typing_extensions python-dateutil

diff --git a/.github/workflows/check_db_migration_confict.yml b/.github/workflows/check_db_migration_confict.yml
@@ -8,13 +8,16 @@ jobs:
   check_db_migration_conflict:
     name: Check DB migration conflict
     runs-on: ubuntu-20.04
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Check and notify
         uses: actions/github-script@v3
         with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
+          github-token: ${{ github.token }}
           script: |
             // API reference: https://octokit.github.io/rest.js
             const currentBranch = context.ref.replace('refs/heads/', '');

diff --git a/.github/workflows/chromatic-master.yml b/.github/workflows/chromatic-master.yml
@@ -32,12 +32,27 @@ on:
 
 # List of jobs
 jobs:
+  config:
+    runs-on: "ubuntu-latest"
+    outputs:
+      has-secrets: ${{ steps.check.outputs.has-secrets }}
+    steps:
+      - name: "Check for secrets"
+        id: check
+        shell: bash
+        run: |
+          if [ -n "${{ (secrets.CHROMATIC_PROJECT_TOKEN != '') || '' }}" ]; then
+            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
+          fi
+
   chromatic-deployment:
+    needs: config
+    if: needs.config.outputs.has-secrets
     # Operating System
     runs-on: ubuntu-latest
     # Job steps
     steps:
-      - uses: actions/checkout@v1
+      - uses: actions/checkout@v3
       - name: Install dependencies
         run: npm ci
         working-directory: superset-frontend

diff --git a/.github/workflows/docker-ephemeral-env.yml b/.github/workflows/docker-ephemeral-env.yml
@@ -7,9 +7,29 @@ on:
       - completed
 
 jobs:
+  config:
+    runs-on: "ubuntu-latest"
+    if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
+    outputs:
+      has-secrets: ${{ steps.check.outputs.has-secrets }}
+    steps:
+      - name: "Check for secrets"
+        id: check
+        shell: bash
+        run: |
+        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          if [ -n "${{ (secrets.AWS_ACCESS_KEY_ID != '' &&
+                        secrets.AWS_ACCESS_KEY_ID != '' &&
+                        secrets.AWS_SECRET_ACCESS_KEY != '' &&
+                        secrets.AWS_SECRET_ACCESS_KEY != '') || '' }}" ]; then
+            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
+          fi
+
   docker_ephemeral_env:
+    needs: config
+    if: needs.config.outputs.has-secrets
     name: Push ephemeral env Docker image to ECR
-    if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
     runs-on: ubuntu-latest
 
     steps:

diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release.yml
@@ -4,12 +4,28 @@ on:
   release:
     types: [published]
 jobs:
+  config:
+    runs-on: "ubuntu-latest"
+    if: github.event.pull_request.draft == false
+    outputs:
+      has-secrets: ${{ steps.check.outputs.has-secrets }}
+    steps:
+      - name: "Check for secrets"
+        id: check
+        shell: bash
+        run: |
+          if [ -n "${{ (secrets.DOCKERHUB_USER != '' && secrets.DOCKERHUB_TOKEN != '') || '' }}" ]; then
+            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
+          fi
+
   docker-release:
+    needs: config
+    if: needs.config.outputs.has-secrets
     name: docker-release
     runs-on: ubuntu-latest
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           persist-credentials: false
           submodules: recursive

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -8,13 +8,28 @@ on:
     types: [synchronize, opened, reopened, ready_for_review]
 
 jobs:
-  docker-build:
+  config:
+    runs-on: "ubuntu-latest"
     if: github.event.pull_request.draft == false
+    outputs:
+      has-secrets: ${{ steps.check.outputs.has-secrets }}
+    steps:
+      - name: "Check for secrets"
+        id: check
+        shell: bash
+        run: |
+          if [ -n "${{ (secrets.DOCKERHUB_USER != '' && secrets.DOCKERHUB_TOKEN != '') || '' }}" ]; then
+            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
+          fi
+
+  docker-build:
+    needs: config
+    if: needs.config.outputs.has-secrets
     name: docker-build
     runs-on: ubuntu-latest
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           persist-credentials: false
 

diff --git a/.github/workflows/embedded-sdk-release.yml b/.github/workflows/embedded-sdk-release.yml
@@ -6,13 +6,28 @@ on:
       - 'master'
 
 jobs:
+  config:
+    runs-on: "ubuntu-latest"
+    outputs:
+      has-secrets: ${{ steps.check.outputs.has-secrets }}
+    steps:
+      - name: "Check for secrets"
+        id: check
+        shell: bash
+        run: |
+          if [ -n "${{ (secrets.NPM_TOKEN != '') || '' }}" ]; then
+            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
+          fi
+
   build:
+    needs: config
+    if: needs.config.outputs.has-secrets
     runs-on: ubuntu-20.04
     defaults:
       run:
         working-directory: superset-embedded-sdk
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - uses: actions/setup-node@v2
         with:
           node-version: "16"

diff --git a/.github/workflows/embedded-sdk-test.yml b/.github/workflows/embedded-sdk-test.yml
@@ -14,7 +14,7 @@ jobs:
       run:
         working-directory: superset-embedded-sdk
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - uses: actions/setup-node@v2
         with:
           node-version: "16"

diff --git a/.github/workflows/ephemeral-env-pr-close.yml b/.github/workflows/ephemeral-env-pr-close.yml
@@ -5,9 +5,26 @@ on:
     types: [closed]
 
 jobs:
+  config:
+    runs-on: "ubuntu-latest"
+    outputs:
+      has-secrets: ${{ steps.check.outputs.has-secrets }}
+    steps:
+      - name: "Check for secrets"
+        id: check
+        shell: bash
+        run: |
+          if [ -n "${{ (secrets.AWS_ACCESS_KEY_ID != '' && secrets.AWS_SECRET_ACCESS_KEY != '') || '' }}" ]; then
+            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
+          fi
+
   ephemeral-env-cleanup:
+    needs: config
+    if: needs.config.outputs.has-secrets
     name: Cleanup ephemeral envs
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     steps:
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v1
@@ -48,7 +65,7 @@ jobs:
         if: steps.describe-services.outputs.active == 'true'
         uses: actions/github-script@v3
         with:
-          github-token: ${{secrets.GITHUB_TOKEN}}
+          github-token: ${{github.token}}
           script: |
             github.issues.createComment({
               issue_number: ${{ github.event.number }},

diff --git a/.github/workflows/ephemeral-env.yml b/.github/workflows/ephemeral-env.yml
@@ -5,10 +5,27 @@ on:
     types: [created]
 
 jobs:
-  ephemeral_env_comment:
+  config:
+    runs-on: "ubuntu-latest"
     if: github.event.issue.pull_request
+    outputs:
+      has-secrets: ${{ steps.check.outputs.has-secrets }}
+    steps:
+      - name: "Check for secrets"
+        id: check
+        shell: bash
+        run: |
+          if [ -n "${{ (secrets.AWS_ACCESS_KEY_ID != '' && secrets.AWS_SECRET_ACCESS_KEY != '') || '' }}" ]; then
+            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
+          fi
+
+  ephemeral_env_comment:
+    needs: config
+    if: needs.config.outputs.has-secrets
     name: Evaluate ephemeral env comment trigger (/testenv)
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     outputs:
       slash-command: ${{ steps.eval-body.outputs.result }}
       feature-flags: ${{ steps.eval-feature-flags.outputs.result }}
@@ -51,7 +68,7 @@ jobs:
         github.event.comment.author_association != 'OWNER'
       uses: actions/github-script@v3
       with:
-        github-token: ${{secrets.GITHUB_TOKEN}}
+        github-token: ${{github.token}}
         script: |
           const errMsg = '@${{ github.event.comment.user.login }} Ephemeral environment creation is currently limited to committers.'
           github.issues.createComment({
@@ -67,9 +84,12 @@ jobs:
     if: needs.ephemeral_env_comment.outputs.slash-command == 'up'
     name: Spin up an ephemeral environment
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
       with:
         persist-credentials: false
 
@@ -97,7 +117,7 @@ jobs:
       if: steps.check-image.outcome == 'failure'
       uses: actions/github-script@v3
       with:
-        github-token: ${{secrets.GITHUB_TOKEN}}
+        github-token: ${{github.token}}
         script: |
           const errMsg = '@${{ github.event.comment.user.login }} Container image not yet published for this PR. Please try again when build is complete.'
           github.issues.createComment({
@@ -171,7 +191,7 @@ jobs:
       if: ${{ success() }}
       uses: actions/github-script@v3
       with:
-        github-token: ${{secrets.GITHUB_TOKEN}}
+        github-token: ${{github.token}}
         script: |
           github.issues.createComment({
             issue_number: ${{ github.event.issue.number }},
@@ -184,7 +204,7 @@ jobs:
       if: ${{ failure() }}
       uses: actions/github-script@v3
       with:
-        github-token: ${{secrets.GITHUB_TOKEN}}
+        github-token: ${{github.token}}
         script: |
           github.issues.createComment({
             issue_number: ${{ github.event.issue.number }},

diff --git a/.github/workflows/latest-release-tag.yml b/.github/workflows/latest-release-tag.yml
@@ -7,10 +7,12 @@ jobs:
   latest-release:
     name: Add/update tag to new release
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
 
     steps:
     - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
       with:
         persist-credentials: false
         submodules: recursive
@@ -27,4 +29,4 @@ jobs:
         description: Superset latest release
         tag-name: latest
       env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        GITHUB_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/license-check.yml b/.github/workflows/license-check.yml
@@ -7,12 +7,27 @@ on:
   pull_request:
 
 jobs:
+  config:
+    runs-on: "ubuntu-latest"
+    outputs:
+      has-secrets: ${{ steps.check.outputs.has-secrets }}
+    steps:
+      - name: "Check for secrets"
+        id: check
+        shell: bash
+        run: |
+          if [ -n "${{ (secrets.FOSSA_API_KEY != '' ) || '' }}" ]; then
+            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
+          fi
+
   license_check:
+    needs: config
+    if: needs.config.outputs.has-secrets
     name: License Check
     runs-on: ubuntu-20.04
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           persist-credentials: false
           submodules: recursive

diff --git a/.github/workflows/pr-lint.yml b/.github/workflows/pr-lint.yml
@@ -11,9 +11,12 @@ on:
 jobs:
   check:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           persist-credentials: false
           submodules: recursive
@@ -25,4 +28,4 @@ jobs:
           on-failed-regex-create-review: false
           on-failed-regex-comment:
             "Please format your PR title to match: `%regex%`!"
-          repo-token: "${{ secrets.GITHUB_TOKEN }}"
+          repo-token: "${{ github.token }}"