internal_vs_external.yml
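---
# Runs various checks on pull requests coming from external contributors.
#
# Trust model: the workflow is triggered by pull_request_target, i.e. it runs
# with the BASE repository's permissions and secrets. It therefore never checks
# out or executes code from the PR head: every checkout below targets the base
# repository's default branch or dfinity/public-workflows, and PR-controlled
# data (author login, PR number) reaches scripts only through `env`, never by
# interpolation into a `run:` body.
name: External PR Ruleset
on:  # yamllint disable-line rule:truthy
  pull_request_target:
  # merge group is always needed for required workflows to prevent them from
  # getting stuck, but we then skip it below
  merge_group:
permissions:
  contents: read
  pull-requests: write  # dismiss reviews, close PRs and comment on them
jobs:
  # Dismiss existing approvals on an external PR so every push is re-reviewed.
  revoke-approvals:
    name: Check Revoke Approvals
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository
    steps:
      - name: Dismiss Pull Request Reviews
        # The event payload exposes the PR as github.event.pull_request; there
        # is no github.event.pull_request_target object, so the earlier
        # expression was always true and draft PRs were never skipped.
        if: ${{ ! github.event.pull_request.draft }}
        run: |
          set -euo pipefail
          # get existing reviews
          # --fail turns an API error (e.g. 403) into a step failure instead of
          # handing an error object to jq, which would dismiss nothing and exit 0;
          # per_page=100 avoids missing approvals beyond the default page size
          reviews=$(curl -sS --fail -H "Authorization: token ${GH_TOKEN}" \
            "https://api.github.com/repos/${GH_ORG}/${REPO}/pulls/${PULL_NUMBER}/reviews?per_page=100")
          # If no reviews were given, then exit script
          if [ -z "$reviews" ] || [ "$reviews" == "[]" ]; then
            echo "No reviews to dismiss"
            exit 0
          fi
          # dismiss PR reviews
          for review_id in $(echo "${reviews}" | jq -r '.[] | select(.state == "APPROVED") | .id'); do
            response=$(curl -s -o /dev/null -w "%{http_code}" -X PUT -H "Authorization: token ${GH_TOKEN}" \
              -H "Accept: application/vnd.github.v3+json" \
              -d '{"message": "Review dismissed by automation script."}' \
              "https://api.github.com/repos/${GH_ORG}/${REPO}/pulls/${PULL_NUMBER}/reviews/${review_id}/dismissals")
            if [ "$response" -eq 200 ]; then
              echo "Dismissed review ${review_id}"
            else
              echo "Failed to dismiss review ${review_id}, HTTP status code: $response"
              exit 1
            fi
          done
        shell: bash
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # actor is github actions with above permissions
          GH_ORG: ${{ github.repository_owner }}
          REPO: ${{ github.event.repository.name }}
          PULL_NUMBER: ${{ github.event.pull_request.number }}

  # Close external PRs that touch paths listed in the base repo's
  # EXTERNAL_CONTRIB_BLACKLIST. Only the base default branch and
  # dfinity/public-workflows are checked out; PR content is never executed.
  check-external-file-changes:
    name: Check Unallowed File Changes
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository
    steps:
      - name: Checkout EXTERNAL_CONTRIB_BLACKLIST from ${{ github.repository }}
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
        with:
          path: repo
          # actions/checkout will checkout the target repo and default branch by default
          # when triggered by pull_request_target. However for security reasons we want to
          # be explicit here.
          repository: ${{ github.repository }}
          ref: ${{ github.event.repository.default_branch }}
          sparse-checkout: .github/repo_policies/EXTERNAL_CONTRIB_BLACKLIST
      - name: Checkout check_external_changes.py from dfinity/public-workflows
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
        with:
          repository: dfinity/public-workflows
          path: public-workflows
          sparse-checkout: reusable_workflows/repo_policies/check_external_changes.py
      - name: Get changed files
        # use_rest_api: the changed-file list comes from the GitHub API, so the
        # PR head does not need to be (and is not) checked out
        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c  # v46.0.5
        with:
          use_rest_api: true
          json: true
          write_output_files: true
      - name: Check External Changes
        # skipped when the base repo has no blacklist file
        if: ${{ hashFiles('repo/.github/repo_policies/EXTERNAL_CONTRIB_BLACKLIST') != '' }}
        id: check_external_changes
        run: public-workflows/reusable_workflows/repo_policies/check_external_changes.py
        env:
          # populated by the action
          # https://github.com/tj-actions/changed-files/blob/d03a93c0dbfac6d6dd6a0d8a5e7daff992b07449/README.md?plain=1#L569-L572
          CHANGED_FILES_JSON_PATH: ".github/outputs/all_changed_and_modified_files.json"
          EXTERNAL_CONTRIB_BLACKLIST_PATH: "repo/.github/repo_policies/EXTERNAL_CONTRIB_BLACKLIST"
      - name: Close PR
        # TODO(review): pin to a commit SHA like the other actions in this file
        uses: actions/github-script@v7
        # !cancelled() lets this step run after check_external_changes has failed
        if: ${{ !cancelled() && steps.check_external_changes.conclusion == 'failure' }}
        with:
          # Both API calls are awaited so a failure surfaces as a step failure
          # rather than an unhandled promise rejection. The interpolated values
          # (server_url, repository, default_branch, run_id) are not
          # PR-controlled, so embedding them in the script is safe.
          script: |
            await github.rest.pulls.update({
              pull_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              state: 'closed'
            })
            let message = "Closed Pull Request since changes were made to [unallowed files](${{ github.server_url }}/${{ github.repository }}/blob/${{ github.event.repository.default_branch }}/.github/repo_policies/EXTERNAL_CONTRIB_BLACKLIST).\n\n"
            message += 'Please see details here: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}\n\n'
            await github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: message
            })

  # Gate external PRs on the author being allowed to contribute and on the CLA,
  # using a GitHub App token rather than GITHUB_TOKEN.
  check-cla:
    name: Check CLA
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository
    steps:
      - name: Create GitHub App Token
        # TODO(review): pin to a commit SHA like the other actions in this file
        uses: actions/create-github-app-token@v1
        id: app-token
        with:
          app-id: ${{ vars.CLA_BOT_APP_ID }}
          private-key: ${{ secrets.CLA_BOT_PRIVATE_KEY }}
      - name: Checkout
        # Same pinned checkout revision as the jobs above. This fills the
        # workspace with dfinity/public-workflows (default branch); the PR head
        # is never checked out.
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
        with:
          repository: dfinity/public-workflows
      - name: Python Setup
        # local action taken from the public-workflows checkout above
        uses: ./.github/workflows/python-setup
      - name: Check if can contribute
        id: can_contribute
        run: |
          export PYTHONPATH="$PWD/reusable_workflows/"
          python reusable_workflows/check_cla/check_can_contribute.py
        shell: bash
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          REPO: ${{ github.event.repository.name }}
          # PR-controlled value; passed via env, not interpolated into the script
          USER: ${{ github.event.pull_request.user.login }}
      - name: Close Pull Request
        id: close_pr
        if: ${{ steps.can_contribute.outputs.can_contribute != 'true' }}
        uses: superbrothers/close-pull-request@9c18513d320d7b2c7185fb93396d0c664d5d8448  # v3
        with:
          comment: |
            Thank you for contributing! Unfortunately this repository does not accept external contributions yet.
            We are working on enabling this by aligning our internal processes and our CI setup to handle external contributions. However this will take some time to set up so in the meantime we unfortunately have to close this Pull Request.
            We hope you understand and will come back once we accept external PRs.
            — The DFINITY Foundation
      - name: Add Label
        # Runs for every external PR, whether or not it was closed above.
        # Same major version as the Close PR step; TODO(review): pin to a commit SHA.
        uses: actions/github-script@v7
        with:
          github-token: ${{ steps.app-token.outputs.token }}
          script: |
            await github.rest.issues.addLabels({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              labels: ["external-contributor"]
            })
      - name: Check CLA
        id: check-cla
        if: ${{ steps.can_contribute.outputs.can_contribute == 'true' }}
        run: |
          export PYTHONPATH="$PWD/reusable_workflows/"
          python reusable_workflows/check_cla/check_cla_pr.py
        shell: bash
        env:
          GH_ORG: ${{ github.repository_owner }}
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          REPO: ${{ github.event.repository.name }}
          PR_ID: ${{ github.event.number }}

  # Org-wide repository policy checks. Not gated on the event, so this also runs
  # for internal PRs and merge groups; it follows the producing repo's main
  # branch and receives all of this repo's secrets.
  check-repo-policies:
    uses: dfinity/public-workflows/.github/workflows/repo_policies.yml@main
    secrets: inherit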