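# Jobs in this workflow deal with secrets.
# Since they may be executed from forks by untrusted users,
# we need to ensure that the user is a member of the organization
# or that there is explicit approval for their jobs to run.
---
name: Secured Downstream Workflow
env:
  NODE_OPTIONS: "--max_old_space_size=4096"
on:
  push:
    branches: [ main ]
  # There are two differences to "pull_request" here:
  # - The workflow will receive secrets, even in PRs from forks.
  # - The workflow will be executed automatically, without requiring a manual approval.
  # Therefore the workflow needs to be explicitly secured; see "known_user" and "approval_required" jobs below.
  pull_request_target:
    branches: [ main ] # Benchmarks aren't branched, so they will only ever work against current main.
    types:
      - opened
      - reopened
      - synchronize
    paths-ignore:
      - 'LICENSE*'
      - '.gitignore'
      - '**.md'
      - '*.txt'
      - 'docs/**'
jobs:
  # Check if the user is a member of the organization; if so, allow the PR to sail through.
  # The check fails closed: a non-member (404 reply without "state"), an empty reply or a
  # failed lookup all leave "authorized" at something other than 'true'.
  known_user:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    outputs:
      is_member_of_org: ${{ steps.auth_check.outputs.authorized }}
    steps:
      - id: auth_check
        env:
          GH_TOKEN: ${{ secrets.JRELEASER_GITHUB_TOKEN }} # Release account is a Solver Gatekeeper.
          # Handed over through the environment instead of being expanded into the script
          # text, so the actor login is only ever a quoted shell variable (no script injection).
          ACTOR: ${{ github.actor }}
        shell: bash
        run: |
          # -g to allow actors such as dependabot[bot]
          ORG_MEMBERSHIP=$(curl -g -L \
            -H "Accept: application/vnd.github+json" \
            -H "Authorization: Bearer $GH_TOKEN" \
            "https://api.github.com/orgs/TimefoldAI/memberships/$ACTOR" \
            | jq -r '.state == "active"')
          echo "authorized=$ORG_MEMBERSHIP" >> "$GITHUB_OUTPUT"
      - id: validation
        env:
          AUTHORIZED: ${{ steps.auth_check.outputs.authorized }}
        shell: bash
        run: |
          echo "Authorized user: $AUTHORIZED"
  # If the user is not a member, require a member to approve the PR.
  # The job itself does nothing; the gate is the environment it is bound to.
  # NOTE(review): whether "external" actually blocks on required reviewers is repository
  # configuration that is not visible here — confirm it is set, otherwise this job is a no-op.
  approval_required:
    needs: known_user
    environment:
      ${{
        github.event_name == 'pull_request_target' &&
        github.event.pull_request.head.repo.full_name != github.repository &&
        (needs.known_user.outputs.is_member_of_org != 'true' || github.actor == 'dependabot[bot]') &&
        'external' || 'internal'
      }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - run: true
  # Downstream builds run only after the gate above. head_ref/head_sha point at the PR head,
  # which for a fork PR is contributor-controlled, and secrets are passed alongside them —
  # the gate is what makes that combination acceptable.
  # NOTE(review): these jobs set no "permissions", so the reusable workflow inherits the
  # default token scope; confirm what downstream_build.yml needs before capping it here.
  timefold-field-service-routing:
    needs: approval_required
    uses: ./.github/workflows/downstream_build.yml
    with:
      repository: timefold-field-service-routing
      name: Field Service Routing
      head_ref: ${{ github.head_ref }}
      head_sha: ${{ github.event.pull_request.head.sha }}
    secrets:
      JRELEASER_GITHUB_TOKEN: ${{ secrets.JRELEASER_GITHUB_TOKEN }}
      TIMEFOLD_SOLVER_CI_PROD_LICENSE: ${{ secrets.TIMEFOLD_SOLVER_CI_PROD_LICENSE }}
  timefold-employee-scheduling:
    needs: approval_required
    uses: ./.github/workflows/downstream_build.yml
    with:
      repository: timefold-employee-scheduling
      name: Employee Scheduling
      head_ref: ${{ github.head_ref }}
      head_sha: ${{ github.event.pull_request.head.sha }}
    secrets:
      JRELEASER_GITHUB_TOKEN: ${{ secrets.JRELEASER_GITHUB_TOKEN }}
      TIMEFOLD_SOLVER_CI_PROD_LICENSE: ${{ secrets.TIMEFOLD_SOLVER_CI_PROD_LICENSE }}
  timefold-pickup-delivery-routing:
    needs: approval_required
    uses: ./.github/workflows/downstream_build.yml
    with:
      repository: timefold-pickup-delivery-routing
      name: Pickup and Delivery Routing
      head_ref: ${{ github.head_ref }}
      head_sha: ${{ github.event.pull_request.head.sha }}
    secrets:
      JRELEASER_GITHUB_TOKEN: ${{ secrets.JRELEASER_GITHUB_TOKEN }}
      TIMEFOLD_SOLVER_CI_PROD_LICENSE: ${{ secrets.TIMEFOLD_SOLVER_CI_PROD_LICENSE }}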