Merge pull request #63 from input-output-hk/3rd-party-gha

johnalotoski · web-flow · commit 8d3d858193d4 · 2025-04-09T22:10:23.000-05:00
Adds ci compatible with fork prs
diff --git a/.github/actions/checkout-merge/action.yml b/.github/actions/checkout-merge/action.yml
@@ -0,0 +1,82 @@
+name: Checkout and merge PR
+
+description: >
+  Checkout base and PR branch, create local merge commit with smart shallow
+  fetch. Works in manual dispatch, PR, push and schedule contexts. Compatible
+  with fork PRs.
+
+inputs:
+  base_ref:
+    description: 'Base branch ref (typically github.event.pull_request.base.ref)'
+    required: true
+
+  head_ref:
+    description: 'The head branch ref of the PR (typically github.head_ref || github.ref_name)'
+    required: true
+
+  pr_number:
+    description: 'PR number (typically github.event.pull_request.number)'
+    required: false
+
+runs:
+  using: composite
+  steps:
+    - if: inputs.pr_number != ''
+      env:
+        GH_TOKEN: ${{ github.token }}
+      run: |
+        git config --local user.name "GitHub Actions"
+        git config --local user.email "actions@github.com"
+        git fetch --no-tags --depth=10 origin ${{ inputs.base_ref }}
+        git fetch --no-tags --depth=10 origin pull/${{ inputs.pr_number }}/head:pr
+
+        # Check if this is a fork PR
+        if [ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]; then
+
+          echo "Detected forked PR -- adding fork remote."
+          PR_REMOTE=$(gh pr view ${{ inputs.pr_number }} --json headRepositoryOwner,headRepository \
+            --jq '"\(.headRepositoryOwner.login)/\(.headRepository.name)"')
+
+          if [ -n "$PR_REMOTE" ]; then
+            git remote add fork "https://github.com/$PR_REMOTE"
+            git fetch fork "${{ inputs.head_ref }}"
+            UPSTREAM="fork"
+          else
+            UPSTREAM="origin"
+          fi
+        else
+          echo "Detected same-repo PR."
+          UPSTREAM="origin"
+        fi
+
+        git fetch --no-tags --depth=10 "$UPSTREAM" "refs/heads/${{ inputs.head_ref }}:refs/remotes/$UPSTREAM/${{ inputs.head_ref }}"
+
+        git checkout -b ${{ inputs.head_ref }} FETCH_HEAD
+        if git merge --no-ff --no-edit pr; then
+          echo "Merge succeeded."
+        else
+          echo "Merge failed, possibly due to shallow history. Retrying with deeper fetch..."
+          git fetch --unshallow || git fetch --depth=50
+
+          if git merge --no-ff --no-edit pr; then
+            echo "Merge succeeded after deeper fetch."
+          else
+            echo "Merge conflict detected."
+            exit 1
+          fi
+        fi
+
+        echo "Merged commit HEAD is:"
+        git rev-parse HEAD
+        git log -1 --oneline
+
+        echo "Setting upstream branch to: $UPSTREAM/${{ inputs.head_ref }}"
+        git branch --set-upstream-to="$UPSTREAM/${{ inputs.head_ref }}" HEAD
+
+        echo "Confirmation of upstream:"
+        git status -sb
+      shell: bash
+
+    - if: inputs.pr_number == ''
+      run: echo "Not a PR event -- no merge required"
+      shell: bash
diff --git a/.github/actions/detect-pr/action.yml b/.github/actions/detect-pr/action.yml
@@ -0,0 +1,80 @@
+name: Detect PR context
+
+description: >
+  Detects pull request context, outputs PR number, refs, and trust level.
+  Compatible with fork PRs.
+
+outputs:
+  base_ref:
+    description: Base branch ref
+    value: ${{ steps.internal-detect-pr.outputs.base_ref }}
+
+  event_name:
+    description: GitHub event name
+    value: ${{ steps.internal-detect-pr.outputs.event_name }}
+
+  head_ref:
+    description: Head branch ref
+    value: ${{ steps.internal-detect-pr.outputs.head_ref }}
+
+  is_trusted:
+    description: Trusted status
+    value: ${{ steps.internal-detect-pr.outputs.is_trusted }}
+
+  pr_number:
+    description: Pull request number, if applicable
+    value: ${{ steps.internal-detect-pr.outputs.pr_number }}
+
+runs:
+  using: composite
+  steps:
+    - name: Detect context
+      env:
+        GH_TOKEN: ${{ github.token }}
+      id: internal-detect-pr
+      run: |
+        HEAD_REPO="${{ github.event.pull_request.head.repo.full_name }}"
+        REPO="${{ github.repository }}"
+
+        if [ "${{ github.event_name }}" = "pull_request" ]; then
+          echo "PR context detected."
+          echo "pr_number=${{ github.event.pull_request.number }}" >> "$GITHUB_OUTPUT"
+          echo "head_ref=${{ github.event.pull_request.head.ref }}" >> "$GITHUB_OUTPUT"
+          echo "base_ref=${{ github.event.pull_request.base.ref }}" >> "$GITHUB_OUTPUT"
+
+          if [ "$HEAD_REPO" = "$REPO" ]; then
+            echo "is_trusted=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "is_trusted=false" >> "$GITHUB_OUTPUT"
+          fi
+
+        elif [ -n "${{ github.event.inputs.pr_number }}" ]; then
+          echo "Manual dispatch detected."
+
+          PR_DATA=$(gh pr view ${{ github.event.inputs.pr_number }} --repo "$REPO" \
+            --json headRefName,baseRefName -q '{ "head_ref": .headRefName, "base_ref": .baseRefName }')
+
+          HEAD_REF=$(jq -r .head_ref <<< "$PR_DATA")
+          BASE_REF=$(jq -r .base_ref <<< "$PR_DATA")
+
+          echo "pr_number=${{ github.event.inputs.pr_number }}" >> "$GITHUB_OUTPUT"
+          echo "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"
+          echo "base_ref=$BASE_REF" >> "$GITHUB_OUTPUT"
+          echo "is_trusted=true" >> "$GITHUB_OUTPUT"
+
+        else
+          echo "No PR context detected. Using default branch."
+          echo "head_ref=${GITHUB_REF_NAME}" >> "$GITHUB_OUTPUT"
+          echo "base_ref=${GITHUB_REF_NAME}" >> "$GITHUB_OUTPUT"
+          echo "is_trusted=true" >> "$GITHUB_OUTPUT"
+        fi
+      shell: bash
+
+    - name: Print detected context
+      run: |
+        echo "Event: ${{ github.event_name }}"
+        echo "PR number: ${{ steps.internal-detect-pr.outputs.pr_number }}"
+        echo "Head ref: ${{ steps.internal-detect-pr.outputs.head_ref }}"
+        echo "Base ref: ${{ steps.internal-detect-pr.outputs.base_ref }}"
+        echo "Trusted run: ${{ steps.internal-detect-pr.outputs.is_trusted }}"
+      shell: bash
diff --git a/.github/workflows/nix-jobs-test.yaml b/.github/workflows/nix-jobs-test.yaml
@@ -1,15 +1,42 @@
 on:
+  workflow_dispatch:
+    inputs:
+      pr_number:
+        description: Optional PR number, for maintainer use
+        required: false
+
+  push:
+    branches:
+      - main
+
   pull_request:
 
+permissions:
+  contents: read
+  pull-requests: read
+
 jobs:
   nix-jobs-test:
     name: "Test nix jobs"
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+
+      # This step allows for maintainer workflow dispatch of forked PRs with a
+      # declared PR input number.
+      - name: Detect PR context
+        id: detect-pr
+        uses: ./.github/actions/detect-pr
+
+      # For PRs, checkout a merge base, including for forked PRs.
+      - name: Checkout and merge PR
+        uses: ./.github/actions/checkout-merge
         with:
-         ref: "${{github.head_ref || github.ref_name}}"
+          base_ref: ${{ steps.detect-pr.outputs.base_ref }}
+          head_ref: ${{ steps.detect-pr.outputs.head_ref }}
+          pr_number: ${{ steps.detect-pr.outputs.pr_number }}
+
       - name: Install Nix
         uses: cachix/install-nix-action@v27
         with:
@@ -18,6 +45,7 @@ jobs:
             experimental-features = fetch-closure flakes nix-command
             substituters = https://cache.iog.io https://cache.nixos.org/
             trusted-public-keys = hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
+
       - name: Test
         run: |
           nix --version
