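# CI for external Aztec contributors. Like ci3.yml, but more locked down.
#
# CAREFUL! We use "exec" a lot to ensure signal propagation to the child process, to allow proper ec2 cleanup.
#
# Trust model: this workflow runs on pull_request_target, i.e. with the base repository's secrets, against code
# from a fork. Anything the fork controls (head.ref, head.sha, labels it cannot set, ...) must never be spliced
# with ${{ }} straight into a `run:` script, because the expression is expanded into the script text before the
# shell parses it. Such values are passed through `env:` and read as quoted shell variables instead.
name: CI3 (External)
on:
  # This check is skipped in merge queue, but we need it to run (even skipped) for status checks.
  merge_group:
  # Run with pull_request_target for external devs. This forces them to use this workflow as-is.
  pull_request_target:
    types: [opened, synchronize, reopened, ready_for_review, labeled]
concurrency:
  # Only allow one run per <forked-repo>/<branch> and full concurrency on merge queue.
  # The event this workflow receives for PRs is `pull_request_target` (see `on:` above), not `pull_request`,
  # so that is the name we compare against; otherwise every PR run would fall through to `github.run_id`
  # and `cancel-in-progress` would never deduplicate anything.
  group: |
    ci3-external-${{ github.event_name == 'pull_request_target' && format('{0}/{1}', github.event.pull_request.head.repo.full_name, github.head_ref)
    || github.run_id }}
  cancel-in-progress: true
jobs:
  ci-external:
    runs-on: ubuntu-latest
    # exclusive with ci3.yml, only run on forks.
    if: github.event.pull_request.head.repo.fork
    steps:
      #############
      # Prepare Env
      #############
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          # The commit to checkout. We want our actual commit, and not the result of merging the PR to the target.
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
          # Never leave the base repo's token in .git/config while fork code is on disk.
          persist-credentials: false
      # NOTE: in ci3.yml we just rely on draft mode not being mergable.
      # Here we are a little more careful than just skipping the workflow, in case of an edge case allowing merge.
      - name: Fail If Draft
        if: github.event.pull_request.draft
        run: echo "CI is not run on drafts." && exit 1
      # The job-level `if` already restricts this workflow to forks; these checks gate what a fork PR may
      # touch (no CI/tooling changes), where it may land, and whether a maintainer has opted it in via label.
      - name: External Contributor Checks
        env:
          # Context values are passed via env rather than interpolated into the script text.
          BASE_REF: ${{ github.event.pull_request.base.ref }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          # Expression result is a literal `true`/`false`.
          LABELED: ${{ contains(github.event.pull_request.labels.*.name, 'ci-external') || github.event.label.name == 'ci-external-once' }}
          GITHUB_TOKEN: ${{ secrets.AZTEC_BOT_GITHUB_TOKEN }}
        run: |
          set -o pipefail
          git fetch origin "$BASE_REF" --depth=1 &>/dev/null
          # Fork PRs must not modify the CI scripts that this very workflow goes on to execute.
          forbidden_changes=$(git diff --name-only "origin/$BASE_REF" HEAD -- ci3 .github ci.sh scripts)
          if echo "$forbidden_changes" | grep -q .; then
            echo "Error: External PRs can't contain CI changes (forbidden files: $forbidden_changes)."
            exit 1
          fi
          if [[ "$BASE_REF" != "master" && \
                "$BASE_REF" != "staging" && \
                "$BASE_REF" != "next" && \
                "$BASE_REF" != merge-train/* ]]; then
            echo "Error: External PRs can only target master, staging, next or merge-train/* branches. Targeted: $BASE_REF."
            exit 1
          fi
          if [ "$LABELED" = false ]; then
            echo "External PRs need the 'ci-external' or 'ci-external-once' labels to run."
            exit 1
          fi
          # Remove any ci-external-once labels, so a one-off approval does not carry over to the next push.
          gh pr edit "$PR_NUMBER" --remove-label "ci-external-once"
      - name: CI Merge Queue Override (grind on PR)
        if: contains(github.event.pull_request.labels.*.name, 'ci-merge-queue')
        run: echo "CI_MERGE_QUEUE=1" >> $GITHUB_ENV
      - name: CI Full Override
        if: contains(github.event.pull_request.labels.*.name, 'ci-full')
        run: echo "CI_FULL=1" >> $GITHUB_ENV
      - name: Cache Override
        if: contains(github.event.pull_request.labels.*.name, 'ci-no-cache')
        run: echo "NO_CACHE=1" >> $GITHUB_ENV
      - name: Fail Fast Override
        if: contains(github.event.pull_request.labels.*.name, 'ci-no-fail-fast')
        run: echo "NO_FAIL_FAST=1" >> $GITHUB_ENV
      - name: Setup
        env:
          BUILD_INSTANCE_SSH_KEY: ${{ secrets.BUILD_INSTANCE_SSH_KEY }}
        run: |
          # Ensure we can SSH into the spot instances we request.
          mkdir -p ~/.ssh
          echo "$BUILD_INSTANCE_SSH_KEY" | base64 --decode > ~/.ssh/build_instance_key
          chmod 600 ~/.ssh/build_instance_key
      - name: Get Tree Hash
        run: echo "TREE_HASH=$(git rev-parse HEAD^{tree})" >> $GITHUB_ENV
      - name: Check CI Cache
        id: ci_cache
        # NOTE(review): referenced by mutable tag, unlike checkout above which is pinned to a commit SHA;
        # pin this one the same way (look up the SHA for the intended release, none is given here).
        uses: actions/cache@v3
        with:
          path: ci-success.txt
          key: ci-external-${{ env.TREE_HASH }}
      #############
      # Run
      #############
      - name: Run
        if: steps.ci_cache.outputs.cache-hit != 'true'
        env:
          # We need to pass these creds to start the AWS ec2 instance.
          # They are not injected into that instance. Instead, it has minimal
          # creds for being able to upload to cache.
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          # head_ref is the fork's branch name; it is only ever consumed as an env value here.
          REF_NAME: repo-fork/${{ github.repository }}/${{ github.head_ref }}
          # We only test on amd64.
          ARCH: amd64
          RUN_ID: ${{ github.run_id }}
        run: |
          # ci.sh itself cannot be modified by the PR (see External Contributor Checks).
          if [ "${CI_MERGE_QUEUE:-0}" -eq 1 ]; then
            exec ./ci.sh merge-queue
          elif [ "${CI_FULL:-0}" -eq 1 ]; then
            exec ./ci.sh full
          else
            exec ./ci.sh fast
          fi
      - name: Save CI Success
        if: steps.ci_cache.outputs.cache-hit != 'true'
        run: echo "success" > ci-success.txt
      # If we have passed CI and labelled with ci-squash-and-merge, squash the PR.
      # This will rerun CI on the squash commit - but is intended to be a no-op due to caching.
      - name: CI Squash and Merge
        if: contains(github.event.pull_request.labels.*.name, 'ci-squash-and-merge')
        env:
          GITHUB_TOKEN: ${{ secrets.AZTEC_BOT_GITHUB_TOKEN }}
          # head.ref is the fork's branch name and therefore attacker-controlled: it must reach the shell as
          # data (a quoted variable), never as part of the script text. The others ride along for consistency.
          PR_NUMBER: ${{ github.event.pull_request.number }}
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
          BASE_REF: ${{ github.event.pull_request.base.ref }}
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
        run: |
          # Reauth the git repo with our GITHUB_TOKEN
          git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@github.com/${{ github.repository }}"
          # Squash the PR onto its base. Positional args: PR number, head ref, base ref, base sha.
          ./scripts/merge-train/squash-pr.sh "$PR_NUMBER" "$HEAD_REF" "$BASE_REF" "$BASE_SHA"
          gh pr edit "$PR_NUMBER" --remove-label "ci-squash-and-merge"
          gh pr merge "$PR_NUMBER" --auto -m || true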