workerd/.github/workflows/internal-build.yml at 7730e9e553e7d9956c00c47e24751bcd9595fbb1 · cloudflare/workerd · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
name: Run internal build

on:
  pull_request_target:

# Read-only permissions are enough
permissions: read-all

concurrency:
  # Cancel existing builds for the same PR.
  # Otherwise, all other builds will be allowed to run through.
  group: internal-build-${{ github.event.pull_request.number || github.run_id }}
  cancel-in-progress: true

jobs:
  internal-build:
    runs-on: ubuntu-latest
    steps:
      # Check if this is a fork and if the author is a Cloudflare org member
      - name: Check fork status and org membership
        if: github.event.pull_request.head.repo.fork
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          AUTHOR: ${{ github.event.pull_request.user.login }}
        run: |
          echo "Fork detected. Checking if $AUTHOR is a Cloudflare org member..."

          if gh api orgs/cloudflare/members/$AUTHOR --silent 2>/dev/null; then
            echo "✓ Cloudflare org member confirmed"
          else
            echo "✗ Not a Cloudflare org public member"
            echo ""
            echo "This workflow only runs for forks from Cloudflare organization public members."
            echo "If you're an external contributor, please ask the auto-assigned reviewers"
            echo "to run the internal build workflow on your behalf."
            exit 1
          fi

      # Try to checkout the merge commit - will fail if PR isn't mergeable
      - uses: actions/checkout@v4
        id: checkout_merge
        continue-on-error: true
        with:
          ref: refs/pull/${{ github.event.pull_request.number }}/merge
          show-progress: false

      # Fail the workflow if checkout failed (PR isn't mergeable)
      - name: Fail if PR isn't mergeable
        if: steps.checkout_merge.outcome != 'success'
        run: |
          echo "The pull request is not mergeable. Please rebase and resolve any conflicts."
          exit 1

      - name: Get merge commit SHA
        id: get_sha
        run: echo "sha=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
      - name: Run internal build
        env:
          CI_URL: ${{ secrets.CI_URL }}
          CI_CLIENT_ID: ${{ secrets.CI_CF_ACCESS_CLIENT_ID }}
          CI_CLIENT_SECRET: ${{ secrets.CI_CF_ACCESS_CLIENT_SECRET }}
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
          USER_LOGIN: ${{ github.event.pull_request.user.login }}
        run: |
          # Format ref based on whether this is a fork
          if [ "${{ github.event.pull_request.head.repo.fork }}" = "true" ]; then
            REF="$USER_LOGIN/$HEAD_REF"
          else
            REF="$HEAD_REF"
          fi

          python3 -u ./tools/cross/internal_build.py \
            ${{github.event.pull_request.number}} \
            ${{steps.get_sha.outputs.sha}} \
            ${{github.event.pull_request.head.sha}} \
            ${{github.run_attempt}} \
            "$REF" \
            $CI_URL \
            $CI_CLIENT_ID \
            $CI_CLIENT_SECRET