diff --git a/.github/actions/check-control/action.yml b/.github/actions/check-control/action.yml
index b3d06706..550e25d5 100644
--- a/.github/actions/check-control/action.yml
+++ b/.github/actions/check-control/action.yml
@@ -107,9 +107,75 @@ runs:
using: composite
steps:
- id: output_sha
- if: ${{ !cancelled() }}
+ if: ${{ (github.repository == 'reactive-firewall-org/multicast') && !cancelled() }}
+ env:
+ CI_INPUT_TARGET_SHA: '${{ inputs.sha }}'
shell: bash
- run: printf "sha=%s\n" $(git rev-parse --verify '${{ inputs.sha }}') >> "$GITHUB_OUTPUT"
+ run: |
+ set -euo pipefail
+
+ raw_input="${CI_INPUT_TARGET_SHA}"
+
+ # Reject NUL or newline immediately
+ if printf '%s' "$raw_input" | grep -q '[^[:print:]]'; then
+ printf "::error title='Invalid':: %s\n" "Error: input contains disallowed control characters" >&2
+ exit 1
+ fi
+
+ # Strip one level of surrounding quotes and trim whitespace
+ normalize() {
+ local s="$1"
+ s="${s#"${s%%[![:space:]]*}"}"
+ s="${s%"${s##*[![:space:]]}"}"
+ if [[ (${s:0:1} == "'" && ${s: -1} == "'") || (${s:0:1} == '"' && ${s: -1} == '"') ]]; then
+ s="${s:1:-1}"
+ fi
+ printf '%s' "$s"
+ }
+ input="$(normalize "$raw_input")"
+
+ # Reject inputs starting with '-' (options)
+ if [[ "${input:0:1}" == "-" ]]; then
+ printf "::error title='Invalid':: %s\n" "Error: input may not start with '-'" >&2
+ exit 1
+ fi
+
+ # If it's a 40-char SHA, accept directly
+ if [[ "$input" =~ ^[0-9a-f]{40}$ ]]; then
+ resolved_sha="$input"
+ else
+ # Try explicit namespaces in order: full refs, refs/heads/, refs/tags/, then bare branch/tag
+ resolved_sha=""
+ # 1) If input is a full ref path starting with refs/, resolve only that
+ if [[ "$input" == refs/* ]]; then
+ if git rev-parse --verify "$input" >/dev/null 2>&1; then
+ resolved_sha="$(git rev-parse --verify "$input")"
+ else
+ printf "::error title='Invalid':: %s\n" "Error: ref not found: $input" >&2
+ exit 1
+ fi
+ else
+ # 2) Try refs/heads/
+ if git rev-parse --verify "refs/heads/$input" >/dev/null 2>&1; then
+ resolved_sha="$(git rev-parse --verify "refs/heads/$input")"
+ # 3) Try refs/tags/
+ elif git rev-parse --verify "refs/tags/$input" >/dev/null 2>&1; then
+ resolved_sha="$(git rev-parse --verify "refs/tags/$input")"
+ else
+ printf "::error title='Invalid':: %s\n" "Error: no matching branch or tag found for: $input" >&2
+ exit 1
+ fi
+ fi
+ fi
+
+ # Ensure final resolved value is a full 40-char commit SHA
+ if [[ ! "$resolved_sha" =~ ^[0-9a-f]{40}$ ]]; then
+ printf "::error title='Invalid':: %s\n" "Error: resolved value is not a full commit SHA" >&2
+ exit 1
+ fi
+
+ printf "sha=%s\n" "$resolved_sha" >> "$GITHUB_OUTPUT"
+
- id: output_uuid
if: ${{ !cancelled() && (inputs.check-id == '') }}
shell: bash
@@ -128,7 +194,7 @@ runs:
if: ${{ !cancelled() && (github.repository == 'reactive-firewall-org/multicast') }}
shell: bash
run: |
- if [[ "${{ inputs.details-url }}" != "" ]] ; then
+ if [[ "${{ inputs.details-url }}" != "DEFAULT" ]] ; then
printf "details_url=%s\n" '${{ inputs.details-url }}' >> "$GITHUB_OUTPUT"
printf "::debug:: %s\n" "Check detail url was provided: ${{ inputs.details-url }}" ;
else
@@ -151,17 +217,28 @@ runs:
shell: bash
env:
GH_TOKEN: ${{ inputs.token }}
+ CHECK_NAME_INPUT: '${{ inputs.name }}'
+ CHECK_TITLE_INPUT: '${{ inputs.title || inputs.name }}'
run: |
+ printf "%s\n" "::group::validate-name"
+ name_input=${CHECK_NAME_INPUT}
+ printf "::debug:: %s\n" "Will use name $name_input" ;
+ printf "%s\n" "::endgroup::"
+ printf "%s\n" "::group::validate-title"
+ title_input=${CHECK_TITLE_INPUT}
+ printf "::debug:: %s\n" "Will use name $title_input" ;
+ sanitized_input_title_field=$(printf "%s%s" 'output[title]=' "$title_input" ;)
+ printf "%s\n" "::endgroup::"
printf "%s\n" "::group::create-new-check"
# GitHub CLI api
# https://cli.github.com/manual/gh_api
CHECK_ID=$(gh api --method POST -H "Accept: application/vnd.github+json" \
/repos/reactive-firewall-org/multicast/check-runs \
- -f "name=${{ inputs.name }}" -f "head_sha=${{ steps.output_sha.outputs.sha }}" \
- -f "status=${{ inputs.status }}" -f "external_id=${{ steps.output_uuid.outputs.uuid }}" \
+ -f "name=$name_input" -f "head_sha=${{ steps.output_sha.outputs.sha }}" \
+ -f 'status=${{ inputs.status }}' -f "external_id=${{ steps.output_uuid.outputs.uuid }}" \
-f "started_at=${{ steps.output_date.outputs.check_date }}Z" \
-f "details_url=${{ steps.output_check_details_url.outputs.details_url }}" \
- -f 'output[title]=${{ inputs.title }}' \
+ -f "$sanitized_input_title_field" \
-f 'output[summary]=' -f 'output[text]=' --jq '.id');
printf "check_id=%s\n" "${CHECK_ID}" >> "$GITHUB_OUTPUT"
printf "%s\n" "::endgroup::"
@@ -171,17 +248,28 @@ runs:
shell: bash
env:
GH_TOKEN: ${{ inputs.token }}
+ CHECK_NAME_INPUT: '${{ inputs.name }}'
+ CHECK_TITLE_INPUT: '${{ inputs.title || inputs.name }}'
run: |
+ printf "%s\n" "::group::validate-name"
+ name_input=${CHECK_NAME_INPUT}
+ printf "::debug:: %s\n" "Will use name $name_input" ;
+ printf "%s\n" "::endgroup::"
+ printf "%s\n" "::group::validate-title"
+ title_input=${CHECK_TITLE_INPUT}
+ printf "::debug:: %s\n" "Will use name $title_input" ;
+ sanitized_input_title_field=$(printf "%s%s" 'output[title]=' "$title_input" ;)
+ printf "%s\n" "::endgroup::"
printf "%s\n" "::group::update-new-check"
# GitHub CLI api
# https://cli.github.com/manual/gh_api
CHECK_ID=$(gh api --method POST -H "Accept: application/vnd.github+json" \
/repos/reactive-firewall-org/multicast/check-runs \
- -f "name=${{ inputs.name }}" -f "head_sha=${{ steps.output_sha.outputs.sha }}" \
+ -f "name=$name_input" -f "head_sha=${{ steps.output_sha.outputs.sha }}" \
-f "status=in_progress" -f "external_id=${{ steps.output_uuid.outputs.uuid }}" \
-f "started_at=${{ steps.output_date.outputs.check_date }}Z" \
-f "details_url=${{ steps.output_check_details_url.outputs.details_url }}" \
- -f 'output[title]=${{ inputs.title }}' \
+ -f "$sanitized_input_title_field" \
-f 'output[summary]=Check is in progress.' -f 'output[text]=' --jq '.id');
printf "check_id=%s\n" "${CHECK_ID}" >> "$GITHUB_OUTPUT"
printf "%s\n" "::endgroup::"
@@ -215,16 +303,27 @@ runs:
shell: bash
env:
GH_TOKEN: ${{ inputs.token }}
+ CHECK_NAME_INPUT: '${{ inputs.name }}'
+ CHECK_TITLE_INPUT: '${{ inputs.title || inputs.name }}'
run: |
+ printf "%s\n" "::group::validate-name"
+ name_input=${CHECK_NAME_INPUT}
+ printf "::debug:: %s\n" "Will use name $name_input" ;
+ printf "%s\n" "::endgroup::"
+ printf "%s\n" "::group::validate-title"
+ title_input=${CHECK_TITLE_INPUT}
+ printf "::debug:: %s\n" "Will use name $title_input" ;
+ sanitized_input_title_field=$(printf "%s%s" 'output[title]=' "$title_input" ;)
+ printf "%s\n" "::endgroup::"
printf "%s\n" "::group::update-check"
# GitHub CLI api
# https://cli.github.com/manual/gh_api
gh api --method PATCH -H "Accept: application/vnd.github+json" \
/repos/reactive-firewall-org/multicast/check-runs/${{ steps.output_check_id.outputs.check_id }} \
- -f "name=${{ inputs.name }}" -f "head_sha=${{ steps.output_sha.outputs.sha }}" \
+ -f "name=$name_input" -f "head_sha=${{ steps.output_sha.outputs.sha }}" \
-f "status=${{ inputs.status }}" \
-f "details_url=${{ steps.output_check_details_url.outputs.details_url }}" \
- -f 'output[title]=${{ inputs.title }}' \
+ -f "$sanitized_input_title_field" \
-f 'output[summary]=${{ inputs.summary }}' -f 'output[text]=${{ inputs.text }}'
printf "%s\n" "::endgroup::"
- name: "Update Check"
@@ -233,17 +332,28 @@ runs:
shell: bash
env:
GH_TOKEN: ${{ inputs.token }}
+ CHECK_NAME_INPUT: '${{ inputs.name }}'
+ CHECK_TITLE_INPUT: '${{ inputs.title || inputs.name }}'
run: |
+ printf "%s\n" "::group::validate-name"
+ name_input=${CHECK_NAME_INPUT}
+ printf "::debug:: %s\n" "Will use name $name_input" ;
+ printf "%s\n" "::endgroup::"
+ printf "%s\n" "::group::validate-title"
+ title_input=${CHECK_TITLE_INPUT}
+ printf "::debug:: %s\n" "Will use name $title_input" ;
+ sanitized_input_title_field=$(printf "%s%s" 'output[title]=' "$title_input" ;)
+ printf "%s\n" "::endgroup::"
printf "%s\n" "::group::complete-check"
# GitHub CLI api
# https://cli.github.com/manual/gh_api
gh api --method PATCH -H "Accept: application/vnd.github+json" \
/repos/reactive-firewall-org/multicast/check-runs/${{ steps.output_check_id.outputs.check_id }} \
- -f "name=${{ inputs.name }}" -f "head_sha=${{ steps.output_sha.outputs.sha }}" \
+ -f "name=$name_input" -f "head_sha=${{ steps.output_sha.outputs.sha }}" \
-f "status=completed" -f "conclusion=${{ inputs.conclusion }}" \
-f "completed_at=${{ steps.output_date.outputs.check_date }}Z" \
-f "details_url=${{ steps.output_check_details_url.outputs.details_url }}" \
- -f 'output[title]=${{ inputs.title }}' \
+ -f "$sanitized_input_title_field" \
-f 'output[summary]=${{ inputs.summary }}' -f 'output[text]=${{ inputs.text }}'
printf "%s\n" "::endgroup::"
- name: "Report outcome of checks API"
diff --git a/.github/actions/checkout-and-rebuild/action.yml b/.github/actions/checkout-and-rebuild/action.yml
index a305f35f..d448dcc9 100644
--- a/.github/actions/checkout-and-rebuild/action.yml
+++ b/.github/actions/checkout-and-rebuild/action.yml
@@ -72,9 +72,11 @@ runs:
token: ${{ inputs.token }}
- name: "Checkout Target Commit by SHA"
shell: bash
+ env:
+ CI_INPUT_TARGET_SHA: ${{ inputs.sha }}
run: |
printf "%s\n" "::group::target-commit"
- git checkout --force --detach ${{ inputs.sha }} --
+ git checkout --force --detach "${CI_INPUT_TARGET_SHA}" --
printf "%s\n" "::endgroup::"
if: ${{ (github.sha != inputs.sha) && success() }}
- id: output_branch_name
diff --git a/.github/actions/run-minimal-acceptance-tests/action.yml b/.github/actions/run-minimal-acceptance-tests/action.yml
index ed07b1e9..711270df 100644
--- a/.github/actions/run-minimal-acceptance-tests/action.yml
+++ b/.github/actions/run-minimal-acceptance-tests/action.yml
@@ -80,10 +80,75 @@ runs:
steps:
- name: "Calculate Commit SHA"
id: output_sha
+ if: ${{ !cancelled() }}
+ env:
+ CI_INPUT_TARGET_SHA: '${{ inputs.sha }}'
shell: bash
run: |
- printf "sha=%s\n" $(git rev-parse --verify '${{ inputs.sha }}') >> "$GITHUB_OUTPUT"
- printf "BUILD_SHA=%s\n" $(git rev-parse --verify '${{ inputs.sha }}') >> "$GITHUB_ENV"
+ set -euo pipefail
+
+ raw_input="${CI_INPUT_TARGET_SHA}"
+
+ # Reject NUL or newline immediately
+ if printf '%s' "$raw_input" | grep -q '[^[:print:]]'; then
+ printf "::error title='Invalid':: %s\n" "Error: input contains disallowed control characters" >&2
+ exit 1
+ fi
+
+ # Strip one level of surrounding quotes and trim whitespace
+ normalize() {
+ local s="$1"
+ s="${s#"${s%%[![:space:]]*}"}"
+ s="${s%"${s##*[![:space:]]}"}"
+ if [[ (${s:0:1} == "'" && ${s: -1} == "'") || (${s:0:1} == '"' && ${s: -1} == '"') ]]; then
+ s="${s:1:-1}"
+ fi
+ printf '%s' "$s"
+ }
+ input="$(normalize "$raw_input")"
+
+ # Reject inputs starting with '-' (options)
+ if [[ "${input:0:1}" == "-" ]]; then
+ printf "::error title='Invalid':: %s\n" "Error: input may not start with '-'" >&2
+ exit 1
+ fi
+
+ # If it's a 40-char SHA, accept directly
+ if [[ "$input" =~ ^[0-9a-f]{40}$ ]]; then
+ resolved_sha="$input"
+ else
+ # Try explicit namespaces in order: full refs, refs/heads/, refs/tags/, then bare branch/tag
+ resolved_sha=""
+ # 1) If input is a full ref path starting with refs/, resolve only that
+ if [[ "$input" == refs/* ]]; then
+ if git rev-parse --verify "$input" >/dev/null 2>&1; then
+ resolved_sha="$(git rev-parse --verify "$input")"
+ else
+ printf "::error title='Invalid':: %s\n" "Error: ref not found: $input" >&2
+ exit 1
+ fi
+ else
+ # 2) Try refs/heads/
+ if git rev-parse --verify "refs/heads/$input" >/dev/null 2>&1; then
+ resolved_sha="$(git rev-parse --verify "refs/heads/$input")"
+ # 3) Try refs/tags/
+ elif git rev-parse --verify "refs/tags/$input" >/dev/null 2>&1; then
+ resolved_sha="$(git rev-parse --verify "refs/tags/$input")"
+ else
+ printf "::error title='Invalid':: %s\n" "Error: no matching branch or tag found for: $input" >&2
+ exit 1
+ fi
+ fi
+ fi
+
+ # Ensure final resolved value is a full 40-char commit SHA
+ if [[ ! "$resolved_sha" =~ ^[0-9a-f]{40}$ ]]; then
+ printf "::error title='Invalid':: %s\n" "Error: resolved value is not a full commit SHA" >&2
+ exit 1
+ fi
+
+ printf "sha=%s\n" "$resolved_sha" >> "$GITHUB_OUTPUT"
+ printf "BUILD_SHA=%s\n" "$resolved_sha" >> "$GITHUB_ENV" ;
- name: "Setup Python"
id: output_python
if: ${{ !cancelled() }}
diff --git a/.github/actions/setup-py-reqs/action.yml b/.github/actions/setup-py-reqs/action.yml
index d4818c1e..a9709c38 100644
--- a/.github/actions/setup-py-reqs/action.yml
+++ b/.github/actions/setup-py-reqs/action.yml
@@ -65,10 +65,75 @@ runs:
steps:
- name: "Calculate Commit SHA"
id: output_sha
+ if: ${{ !cancelled() }}
+ env:
+ CI_INPUT_TARGET_SHA: '${{ inputs.sha }}'
shell: bash
run: |
- printf "sha=%s\n" $(git rev-parse --verify '${{ inputs.sha }}') >> "$GITHUB_OUTPUT"
- printf "BUILD_SHA=%s\n" $(git rev-parse --verify '${{ inputs.sha }}') >> "$GITHUB_ENV"
+ set -euo pipefail
+
+ raw_input="${CI_INPUT_TARGET_SHA}"
+
+ # Reject NUL or newline immediately
+ if printf '%s' "$raw_input" | grep -q '[^[:print:]]'; then
+ printf "::error title='Invalid':: %s\n" "Error: input contains disallowed control characters" >&2
+ exit 1
+ fi
+
+ # Strip one level of surrounding quotes and trim whitespace
+ normalize() {
+ local s="$1"
+ s="${s#"${s%%[![:space:]]*}"}"
+ s="${s%"${s##*[![:space:]]}"}"
+ if [[ (${s:0:1} == "'" && ${s: -1} == "'") || (${s:0:1} == '"' && ${s: -1} == '"') ]]; then
+ s="${s:1:-1}"
+ fi
+ printf '%s' "$s"
+ }
+ input="$(normalize "$raw_input")"
+
+ # Reject inputs starting with '-' (options)
+ if [[ "${input:0:1}" == "-" ]]; then
+ printf "::error title='Invalid':: %s\n" "Error: input may not start with '-'" >&2
+ exit 1
+ fi
+
+ # If it's a 40-char SHA, accept directly
+ if [[ "$input" =~ ^[0-9a-f]{40}$ ]]; then
+ resolved_sha="$input"
+ else
+ # Try explicit namespaces in order: full refs, refs/heads/, refs/tags/, then bare branch/tag
+ resolved_sha=""
+ # 1) If input is a full ref path starting with refs/, resolve only that
+ if [[ "$input" == refs/* ]]; then
+ if git rev-parse --verify "$input" >/dev/null 2>&1; then
+ resolved_sha="$(git rev-parse --verify "$input")"
+ else
+ printf "::error title='Invalid':: %s\n" "Error: ref not found: $input" >&2
+ exit 1
+ fi
+ else
+ # 2) Try refs/heads/
+ if git rev-parse --verify "refs/heads/$input" >/dev/null 2>&1; then
+ resolved_sha="$(git rev-parse --verify "refs/heads/$input")"
+ # 3) Try refs/tags/
+ elif git rev-parse --verify "refs/tags/$input" >/dev/null 2>&1; then
+ resolved_sha="$(git rev-parse --verify "refs/tags/$input")"
+ else
+ printf "::error title='Invalid':: %s\n" "Error: no matching branch or tag found for: $input" >&2
+ exit 1
+ fi
+ fi
+ fi
+
+ # Ensure final resolved value is a full 40-char commit SHA
+ if [[ ! "$resolved_sha" =~ ^[0-9a-f]{40}$ ]]; then
+ printf "::error title='Invalid':: %s\n" "Error: resolved value is not a full commit SHA" >&2
+ exit 1
+ fi
+
+ printf "sha=%s\n" "$resolved_sha" >> "$GITHUB_OUTPUT"
+ printf "BUILD_SHA=%s\n" "$resolved_sha" >> "$GITHUB_ENV" ;
- name: "Setup Python"
id: output_python
if: ${{ !cancelled() }}
diff --git a/.github/actions/test-reporter-upload/action.yml b/.github/actions/test-reporter-upload/action.yml
index f99900a6..e5a3512b 100644
--- a/.github/actions/test-reporter-upload/action.yml
+++ b/.github/actions/test-reporter-upload/action.yml
@@ -345,11 +345,13 @@ runs:
env:
COVERALLS_REPO_TOKEN: ${{ github.server_url == 'https://github.com' && inputs.coveralls-token || '' }}
COVERALLS_TOOL: ${{ steps.output_upload_tools.outputs.coveralls_executable }}
+ COVERALLS_SERVICE_JOB_ID: ${{ github.run_id }}
+ COVERALLS_SERVICE_JOB_NUMBER: ${{ inputs.job_code }}
run: |
if [[ "${{ inputs.tests-outcome }}" == "success" ]] ; then
- ${COVERALLS_TOOL} report ${COV_CORE_DATAFILE:-./coverage.xml} --base-path="${{ github.workspace }}" --service-job-id=${{ github.run_id }} --parallel --job-flag='${{ steps.output_os.outputs.os }}-${{ steps.output_python.outputs.python-version }}' --build-number=${{ inputs.job_code }} || exit 1 ;
+ ${COVERALLS_TOOL} report ${COV_CORE_DATAFILE:-./coverage.xml} --base-path="${{ github.workspace }}" --service-job-id=${COVERALLS_SERVICE_JOB_ID} --parallel --job-flag='${{ steps.output_os.outputs.os }}-${{ steps.output_python.outputs.python-version }}' --build-number=${COVERALLS_SERVICE_JOB_NUMBER} || exit 1 ;
else
- ${COVERALLS_TOOL} report ${COV_CORE_DATAFILE:-./coverage.xml} --base-path="${{ github.workspace }}" --allow-empty --service-job-id=${{ github.run_id }} --parallel --job-flag='${{ steps.output_os.outputs.os }}-${{ steps.output_python.outputs.python-version }}' --build-number=${{ inputs.job_code }} || exit 1 ;
+ ${COVERALLS_TOOL} report ${COV_CORE_DATAFILE:-./coverage.xml} --base-path="${{ github.workspace }}" --allow-empty --service-job-id=${COVERALLS_SERVICE_JOB_ID} --parallel --job-flag='${{ steps.output_os.outputs.os }}-${{ steps.output_python.outputs.python-version }}' --build-number=${COVERALLS_SERVICE_JOB_NUMBER} || exit 1 ;
fi
- name: "Evaluate Coverage Report Task"
id: coverage_outcome
diff --git a/.github/workflows/CI-CHGLOG.yml b/.github/workflows/CI-CHGLOG.yml
index 8e6ea701..b37b9935 100644
--- a/.github/workflows/CI-CHGLOG.yml
+++ b/.github/workflows/CI-CHGLOG.yml
@@ -61,6 +61,7 @@ jobs:
echo "should_run=true" >> "$GITHUB_OUTPUT"
else
echo "should_run=false" >> "$GITHUB_OUTPUT"
+ exit 1 ;
fi
- id: get_trigger_id
if: ${{ (steps.check.outputs.should_run == 'true') && success() }}
diff --git a/.github/workflows/CI-DOCS.yml b/.github/workflows/CI-DOCS.yml
index e567ffe6..b6917e01 100644
--- a/.github/workflows/CI-DOCS.yml
+++ b/.github/workflows/CI-DOCS.yml
@@ -58,6 +58,7 @@ jobs:
echo "should_run=true" >> "$GITHUB_OUTPUT"
else
echo "should_run=false" >> "$GITHUB_OUTPUT"
+ exit 1 ;
fi
- id: get_trigger_id
if: ${{ (steps.check.outputs.should_run == 'true') && success() }}
diff --git a/.github/workflows/CI-MATs.yml b/.github/workflows/CI-MATs.yml
index 6f35f26b..fe8edc0c 100644
--- a/.github/workflows/CI-MATs.yml
+++ b/.github/workflows/CI-MATs.yml
@@ -65,9 +65,10 @@ jobs:
echo "should_run=true" >> "$GITHUB_OUTPUT"
else
echo "should_run=false" >> "$GITHUB_OUTPUT"
+ exit 1 ;
fi
- id: get_trigger_id
- if: ${{ (steps.check.outputs.should_run == 'true') && success() }}
+ if: ${{ (github.repository == 'reactive-firewall-org/multicast') && (steps.check.outputs.should_run == 'true') && success() }}
run: |
ID_VALUE=$(gh api "${{ github.event.workflow_run.url }}" --jq '.id')
if [[ -n "$ID_VALUE" ]]; then
@@ -106,6 +107,8 @@ jobs:
persist-credentials: false
ref: ${{ steps.load_build_info.outputs.build_sha }}
fetch-depth: 0
+ repository: reactive-firewall-org/multicast
+ token: ${{ env.GH_TOKEN }}
- name: "Queue MATs GitHub Check"
id: output_mats_check_id
uses: ./.github/actions/check-control
@@ -118,10 +121,10 @@ jobs:
workflow-run-id: ${{ steps.output_run_id.outputs.mats_id }}
details-url: ${{ steps.output_run_id.outputs.mats_url }}
- name: Checkout target commit
- if: ${{ (steps.check.outputs.should_run == 'true') && success() }}
+ if: ${{ (github.repository == 'reactive-firewall-org/multicast') && (steps.check.outputs.should_run == 'true') && success() }}
run: git checkout ${{ steps.load_build_info.outputs.build_sha }}
- id: get_env
- if: ${{ (steps.check.outputs.should_run == 'true') && success() }}
+ if: ${{ (github.repository == 'reactive-firewall-org/multicast') && (steps.check.outputs.should_run == 'true') && success() }}
run: |
echo "branch=$(git name-rev --name-only $(git log -1 --format=%H) | cut -d~ -f1-1)" >> "$GITHUB_OUTPUT"
echo "parent_sha=$(git merge-base $(git log -1 --format=%H) refs/remotes/origin/stable)" >> "$GITHUB_OUTPUT"
diff --git a/.github/workflows/Tests.yml b/.github/workflows/Tests.yml
index 0212a895..68260abb 100644
--- a/.github/workflows/Tests.yml
+++ b/.github/workflows/Tests.yml
@@ -82,6 +82,7 @@ jobs:
echo "should_run=true" >> "$GITHUB_OUTPUT"
else
echo "should_run=false" >> "$GITHUB_OUTPUT"
+ exit 1 ;
fi
- id: get_trigger_id
if: ${{ (steps.check.outputs.should_run == 'true') && success() }}
@@ -123,6 +124,8 @@ jobs:
persist-credentials: false
ref: ${{ steps.load_build_info.outputs.build_sha }}
sparse-checkout: '.github/actions/check-control'
+ repository: reactive-firewall-org/multicast
+ github-token: ${{ env.GH_TOKEN }}
- name: "Queue Tests GitHub Check"
id: output_tests_check_id
uses: ./.github/actions/check-control