ci: add maintainer-only /retest workflow for fork PRs [skip size]#4948
Draft
andresmr wants to merge 4 commits into
Draft
ci: add maintainer-only /retest workflow for fork PRs [skip size]#4948andresmr wants to merge 4 commits into
andresmr wants to merge 4 commits into
Conversation
Fork pull_request runs do not receive repository secrets, so the secret-dependent required checks (code-quality, run-form-tests, deployment_job) fail and a plain re-run cannot fix them. Add a /retest PR-comment workflow that runs in the base repo context (secrets available), checks out the PR head, runs those tasks, and reports check runs with the exact required names against the PR head SHA so the required checks can turn green. Triggering is restricted to users with write/admin permission. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Deduplicate the signed-APK build and the BrowserStack form-test run that were duplicated between the retest workflow and ci.yml / continuous-delivery.yml. - Add .github/actions/build-signed-apk (decode keystore + assembleDhis2Debug with signing/OpenID/Sentry inputs), used by deployment_job and retest. - Add .github/actions/run-form-tests (locate form APK + browserstack run), used by run-form-tests and retest. Job names are unchanged, so required-check names are unaffected. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Add the `edited` activity type to the pull_request trigger so changes to the PR title or body (e.g. adding [skip size] / [skip ci] markers) take effect without needing a new push or a close/reopen. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Move the write permissions (checks, issues) from workflow level to each job so they follow least privilege (resolves SonarCloud warnings): - authorize: issues:write (reaction) + pull-requests:read (read PR head) - retest: checks:write + contents:read + issues:write The authorize job no longer inherits checks:write, which it never used. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
Collaborator
Author
|
/retest |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.



What
Adds
.github/workflows/retest-fork-pr.yml— a maintainer-only/retestPR-comment workflow that can re-run the secret-dependent required checks on fork PRs and report them green.Why
PRs from forks (e.g. #4912) fail three required checks because GitHub deliberately withholds repository secrets from
pull_requestruns triggered by forks:deployment_jobcontinuous-delivery.ymlDEBUG_KEYSTORE_BASE64(+ signing/OpenID/Sentry)encodedString value is not setrun-form-testsci.ymlBROWSERSTACK_USERNAME/_PASSWORDcode-qualityci.ymlSONAR_TOKENNot authorized … SONAR_TOKENThese are required by repository rulesets, so they can't be skipped, and a plain "re-run" keeps the original fork
pull_requestevent → secrets stay withheld.How it works
Commenting
/reteston a PR triggers this workflow, which runs in the base repo context (secrets available):authorize— only on PR comments whose body is exactly/retest; verifies the commenter haswrite/adminviagetCollaboratorPermissionLevel; resolves the PR head SHA/ref; posts 👀.retest— creates in-progress check runs namedcode-quality/run-form-tests/deployment_jobon the PR head SHA, checks out the PR head, runs the three tasks (Sonar, signed APK build, BrowserStack form tests), then concludes each check runsuccess/failureand posts 👍/👎.Because the check runs use the exact required names on the PR head SHA (created by the GitHub Actions app), they satisfy the ruleset and the PR can go green.
Existing
ci.yml/continuous-delivery.ymlare unchanged — fork PRs still fail by default;/retestproduces the passing checks on demand.code-quality,run-form-tests,deployment_job(inferred from the failing checks). If the ruleset stores them differently (e.g. workflow-name prefixed), update theCHECK_*env values at the top of theretestjob — they must match byte-for-byte or the required checks won't clear./retestexecutes the fork's code (Gradle scripts, the APK on BrowserStack) with secrets present. The write/admin gate blocks outsiders, but a maintainer must review the diff before commenting/retest. This is the same "pwn request" exposure inherent to running fork code with secrets.ci.yml/continuous-delivery.yml. Optional follow-up: extract them intoworkflow_callreusable workflows to avoid drift (deferred to keep the green pipeline untouched).🤖 Generated with Claude Code