Skip to content

ci: add maintainer-only /retest workflow for fork PRs [skip size]#4948

Draft
andresmr wants to merge 4 commits into
developfrom
claude/kind-pare-21705f
Draft

ci: add maintainer-only /retest workflow for fork PRs [skip size]#4948
andresmr wants to merge 4 commits into
developfrom
claude/kind-pare-21705f

Conversation

@andresmr

Copy link
Copy Markdown
Collaborator

What

Adds .github/workflows/retest-fork-pr.yml — a maintainer-only /retest PR-comment workflow that can re-run the secret-dependent required checks on fork PRs and report them green.

Why

PRs from forks (e.g. #4912) fail three required checks because GitHub deliberately withholds repository secrets from pull_request runs triggered by forks:

Required check Workflow Secret(s) Symptom
deployment_job continuous-delivery.yml DEBUG_KEYSTORE_BASE64 (+ signing/OpenID/Sentry) encodedString value is not set
run-form-tests ci.yml BROWSERSTACK_USERNAME / _PASSWORD empty BrowserStack creds
code-quality ci.yml SONAR_TOKEN Not authorized … SONAR_TOKEN

These are required by repository rulesets, so they can't be skipped, and a plain "re-run" keeps the original fork pull_request event → secrets stay withheld.

How it works

Commenting /retest on a PR triggers this workflow, which runs in the base repo context (secrets available):

  1. authorize — only on PR comments whose body is exactly /retest; verifies the commenter has write/admin via getCollaboratorPermissionLevel; resolves the PR head SHA/ref; posts 👀.
  2. retest — creates in-progress check runs named code-quality / run-form-tests / deployment_job on the PR head SHA, checks out the PR head, runs the three tasks (Sonar, signed APK build, BrowserStack form tests), then concludes each check run success/failure and posts 👍/👎.

Because the check runs use the exact required names on the PR head SHA (created by the GitHub Actions app), they satisfy the ruleset and the PR can go green.

Existing ci.yml / continuous-delivery.yml are unchanged — fork PRs still fail by default; /retest produces the passing checks on demand.

⚠️ Reviewer notes

  • Confirm the check names match the ruleset exactly. I used code-quality, run-form-tests, deployment_job (inferred from the failing checks). If the ruleset stores them differently (e.g. workflow-name prefixed), update the CHECK_* env values at the top of the retest job — they must match byte-for-byte or the required checks won't clear.
  • Takes effect only once merged to the base branch (a workflow must exist on a PR's base branch to act on that PR).
  • Security trade-off: /retest executes the fork's code (Gradle scripts, the APK on BrowserStack) with secrets present. The write/admin gate blocks outsiders, but a maintainer must review the diff before commenting /retest. This is the same "pwn request" exposure inherent to running fork code with secrets.
  • Run commands are duplicated from ci.yml / continuous-delivery.yml. Optional follow-up: extract them into workflow_call reusable workflows to avoid drift (deferred to keep the green pipeline untouched).

🤖 Generated with Claude Code

Fork pull_request runs do not receive repository secrets, so the
secret-dependent required checks (code-quality, run-form-tests,
deployment_job) fail and a plain re-run cannot fix them.

Add a /retest PR-comment workflow that runs in the base repo context
(secrets available), checks out the PR head, runs those tasks, and
reports check runs with the exact required names against the PR head
SHA so the required checks can turn green. Triggering is restricted to
users with write/admin permission.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@andresmr andresmr changed the base branch from main to develop June 30, 2026 08:43
Deduplicate the signed-APK build and the BrowserStack form-test run that
were duplicated between the retest workflow and ci.yml /
continuous-delivery.yml.

- Add .github/actions/build-signed-apk (decode keystore + assembleDhis2Debug
  with signing/OpenID/Sentry inputs), used by deployment_job and retest.
- Add .github/actions/run-form-tests (locate form APK + browserstack run),
  used by run-form-tests and retest.

Job names are unchanged, so required-check names are unaffected.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@andresmr andresmr changed the title ci: add maintainer-only /retest workflow for fork PRs ci: add maintainer-only /retest workflow for fork PRs [skip size] Jun 30, 2026
@andresmr andresmr closed this Jun 30, 2026
@andresmr andresmr reopened this Jun 30, 2026
andresmr and others added 2 commits June 30, 2026 13:18
Add the `edited` activity type to the pull_request trigger so changes to
the PR title or body (e.g. adding [skip size] / [skip ci] markers) take
effect without needing a new push or a close/reopen.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Move the write permissions (checks, issues) from workflow level to each
job so they follow least privilege (resolves SonarCloud warnings):

- authorize: issues:write (reaction) + pull-requests:read (read PR head)
- retest: checks:write + contents:read + issues:write

The authorize job no longer inherits checks:write, which it never used.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@sonarqubecloud

Copy link
Copy Markdown

@andresmr

Copy link
Copy Markdown
Collaborator Author

/retest

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant