You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@doris.apache.org by mo...@apache.org on 2021/07/25 14:22:31 UTC
[incubator-doris] branch master updated: [Community] Fix PR
labeling github action workflow (#6279)
This is an automated email from the ASF dual-hosted git repository.
morningman pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-doris.git
The following commit(s) were added to refs/heads/master by this push:
new 8d1c1ef [Community] Fix PR labeling github action workflow (#6279)
8d1c1ef is described below
commit 8d1c1ef1e6b223d1e335f16999823aa4199a16b7
Author: Tobiasz Kędzierski <to...@gmail.com>
AuthorDate: Sun Jul 25 16:22:09 2021 +0200
[Community] Fix PR labeling github action workflow (#6279)
My change is the fix and improvement for github action which labels approved PRs (introduced in this [PR](https://github.com/apache/incubator-doris/pull/6239)).
It is inspired by solution introduced and tested in [Apache Airflow](https://github.com/apache/airflow) (thanks @potiuk @ashb 🚀 )
Corresponding Apache Airflow workflows on which I based this PR:
- https://github.com/apache/airflow/blob/main/.github/workflows/label_when_reviewed.yml
- https://github.com/apache/airflow/blob/main/.github/workflows/label_when_reviewed_workflow_run.yml
Problems which were solved in this PR:
- **Permissions**.
@morningman opened a related bug: [[Help] Error: Resource not accessible by integration](https://github.com/TobKed/label-when-approved-action/issues/7). It is related to limited permissions of workflows being triggered by `pull_request_review` (`GITHUB_TOKEN` has read-only permissions). More information about it you can find in the article: [Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-p [...]
TL;DR: On pull request review event (`on: pull_request_review` ) "dummy" workflow `Label when reviewed` triggers another workflow `Label when approved workflow run` which has sufficient permissions (`on: workflow_run: workflows: ["Label when reviewed"]`).
- **Safe use of 3rd-party Github Actions by using submodules pattern.** It is decribed in:
https://cwiki.apache.org/confluence/display/BUILDS/GitHub+Actions+status
> NEVER use 3rd-party actions directly in your workflows - use the "submodule" pattern.
This pattern is successfully used by projects like:
- [Apache Airflow](https://github.com/apache/airflow) ([PR](https://github.com/apache/airflow/pull/13514#))
- [Apache Beam](https://github.com/apache/beam) ([PR](https://github.com/apache/beam/pull/13736))
- [Apache Superset](https://github.com/apache/superset) ([PR](https://github.com/apache/superset/pull/12709))
---
.github/actions/get-workflow-origin | 1 +
.github/actions/label-when-approved-action | 1 +
.github/workflows/approve-label-trigger.yml | 28 +++++++++++++++++
.github/workflows/approve-label.yml | 48 ++++++++++++++++++++++++++---
.gitmodules | 6 ++++
5 files changed, 79 insertions(+), 5 deletions(-)
diff --git a/.github/actions/get-workflow-origin b/.github/actions/get-workflow-origin
new file mode 160000
index 0000000..588cc14
--- /dev/null
+++ b/.github/actions/get-workflow-origin
@@ -0,0 +1 @@
+Subproject commit 588cc14f9f1cdf1b8be3db816855e96422204fec
diff --git a/.github/actions/label-when-approved-action b/.github/actions/label-when-approved-action
new file mode 160000
index 0000000..0058d00
--- /dev/null
+++ b/.github/actions/label-when-approved-action
@@ -0,0 +1 @@
+Subproject commit 0058d0094da27e116fad6e0da516ebe1107f26de
diff --git a/.github/workflows/approve-label-trigger.yml b/.github/workflows/approve-label-trigger.yml
new file mode 100644
index 0000000..1a9cb84
--- /dev/null
+++ b/.github/workflows/approve-label-trigger.yml
@@ -0,0 +1,28 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+---
+name: Label when reviewed
+on: pull_request_review
+jobs:
+
+ label-when-reviewed:
+ name: "Label PRs when reviewed"
+ runs-on: ubuntu-latest
+ steps:
+ - name: "Do nothing. Only trigger corresponding workflow_run event"
+ run: echo
diff --git a/.github/workflows/approve-label.yml b/.github/workflows/approve-label.yml
index dfde7db..f022578 100644
--- a/.github/workflows/approve-label.yml
+++ b/.github/workflows/approve-label.yml
@@ -1,5 +1,31 @@
-name: Label when approved
-on: pull_request_review
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+---
+name: Label when approved workflow run
+on:
+ workflow_run:
+ workflows: ["Label when reviewed"]
+ types: ['requested']
+permissions:
+ # All other permissions are set to none
+ checks: write
+ contents: read
+ pull-requests: write
jobs:
@@ -10,20 +36,32 @@ jobs:
isApprovedByCommiters: ${{ steps.label-when-approved-by-commiters.outputs.isApproved }}
isApprovedByAnyone: ${{ steps.label-when-approved-by-anyone.outputs.isApproved }}
steps:
+ - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
+ uses: actions/checkout@v2
+ with:
+ persist-credentials: false
+ submodules: recursive
+ - name: "Get information about the original trigger of the run"
+ uses: ./.github/actions/get-workflow-origin
+ id: source-run-info
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ sourceRunId: ${{ github.event.workflow_run.id }}
- name: Label when approved by commiters
- uses: TobKed/label-when-approved-action@v1.3
+ uses: ./.github/actions/label-when-approved-action
id: label-when-approved-by-commiters
with:
token: ${{ secrets.GITHUB_TOKEN }}
label: 'approved'
require_committers_approval: 'true'
remove_label_when_approval_missing: 'true'
+ pullRequestNumber: ${{ steps.source-run-info.outputs.pullRequestNumber }}
comment: 'PR approved by at least one committer and no changes requested.'
- name: Label when approved by anyone
- uses: TobKed/label-when-approved-action@v1.3
+ uses: ./.github/actions/label-when-approved-action
id: label-when-approved-by-anyone
with:
token: ${{ secrets.GITHUB_TOKEN }}
label: 'reviewed'
+ pullRequestNumber: ${{ steps.source-run-info.outputs.pullRequestNumber }}
comment: 'PR approved by anyone and no changes requested.'
-
diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..0d295cb
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,6 @@
+[submodule ".github/actions/label-when-approved-action"]
+ path = .github/actions/label-when-approved-action
+ url = https://github.com/TobKed/label-when-approved-action
+[submodule ".github/actions/get-workflow-origin"]
+ path = .github/actions/get-workflow-origin
+ url = https://github.com/potiuk/get-workflow-origin.git
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@doris.apache.org
For additional commands, e-mail: commits-help@doris.apache.org