Skip to content

Commit 714817e

Browse files
Improve fork safety: consolidate approval and add pull_request trigger (#2097)
* Improve fork safety: consolidate approval and add pull_request trigger - Add pull_request trigger for internal PRs (non-forks) to test workflow changes immediately - Keep pull_request_target for fork PRs that need access to secrets - Move approval step to test-all-warehouses.yml (runs once instead of per-platform) - Remove per-platform approval from test-warehouse.yml to reduce spam Fixes ELE-5221 Co-Authored-By: Itamar Hartstein <haritamar@gmail.com> * Fix: use !cancelled() and check fork-status result before running tests Co-Authored-By: Itamar Hartstein <haritamar@gmail.com> * Remove redundant comment on test job condition Co-Authored-By: Itamar Hartstein <haritamar@gmail.com> * Refactor: move should_skip logic inside PR event check block Co-Authored-By: Itamar Hartstein <haritamar@gmail.com> --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Co-authored-by: Itamar Hartstein <haritamar@gmail.com>
1 parent 26f5879 commit 714817e

2 files changed

Lines changed: 54 additions & 18 deletions

File tree

.github/workflows/test-all-warehouses.yml

Lines changed: 54 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,13 @@
11
name: Test all warehouse platforms
22
on:
3+
# For internal PRs (non-forks) - no approval needed, can test workflow changes immediately
4+
pull_request:
5+
branches: ["master"]
6+
paths:
7+
- elementary/**
8+
- .github/**
9+
- pyproject.toml
10+
# For fork PRs - requires approval before running (has access to secrets)
311
pull_request_target:
412
branches: ["master"]
513
paths:
@@ -27,7 +35,52 @@ on:
2735
description: Whether to generate new data
2836

2937
jobs:
38+
# Determine if this is a fork PR and skip if wrong trigger is used
39+
check-fork-status:
40+
runs-on: ubuntu-latest
41+
outputs:
42+
is_fork: ${{ steps.check.outputs.is_fork }}
43+
should_skip: ${{ steps.check.outputs.should_skip }}
44+
steps:
45+
- name: Check if PR is from fork
46+
id: check
47+
run: |
48+
IS_FORK="false"
49+
SHOULD_SKIP="false"
50+
51+
if [[ "${{ github.event_name }}" == "pull_request" || "${{ github.event_name }}" == "pull_request_target" ]]; then
52+
if [[ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]]; then
53+
IS_FORK="true"
54+
fi
55+
56+
# Skip if: pull_request from fork (should use pull_request_target) OR pull_request_target from non-fork (should use pull_request)
57+
if [[ "${{ github.event_name }}" == "pull_request" && "$IS_FORK" == "true" ]]; then
58+
SHOULD_SKIP="true"
59+
elif [[ "${{ github.event_name }}" == "pull_request_target" && "$IS_FORK" == "false" ]]; then
60+
SHOULD_SKIP="true"
61+
fi
62+
fi
63+
64+
echo "is_fork=$IS_FORK" >> $GITHUB_OUTPUT
65+
echo "should_skip=$SHOULD_SKIP" >> $GITHUB_OUTPUT
66+
67+
# Approval gate for fork PRs (only runs once for all platforms)
68+
approve-fork:
69+
runs-on: ubuntu-latest
70+
needs: [check-fork-status]
71+
if: needs.check-fork-status.outputs.should_skip != 'true' && needs.check-fork-status.outputs.is_fork == 'true'
72+
environment: elementary_test_env
73+
steps:
74+
- name: Approved
75+
run: echo "Fork PR approved for testing"
76+
3077
test:
78+
needs: [check-fork-status, approve-fork]
79+
if: |
80+
! cancelled() &&
81+
needs.check-fork-status.result == 'success' &&
82+
needs.check-fork-status.outputs.should_skip != 'true' &&
83+
(needs.check-fork-status.outputs.is_fork != 'true' || needs.approve-fork.result == 'success')
3184
strategy:
3285
fail-fast: false
3386
matrix:
@@ -45,7 +98,7 @@ jobs:
4598
uses: ./.github/workflows/test-warehouse.yml
4699
with:
47100
warehouse-type: ${{ matrix.warehouse-type }}
48-
elementary-ref: ${{ inputs.elementary-ref || (github.event_name == 'pull_request_target' && github.event.pull_request.head.sha) || '' }}
101+
elementary-ref: ${{ inputs.elementary-ref || ((github.event_name == 'pull_request_target' || github.event_name == 'pull_request') && github.event.pull_request.head.sha) || '' }}
49102
dbt-data-reliability-ref: ${{ inputs.dbt-data-reliability-ref }}
50103
dbt-version: ${{ matrix.dbt-version }}
51104
generate-data: ${{ inputs.generate-data || false }}

.github/workflows/test-warehouse.yml

Lines changed: 0 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -59,25 +59,8 @@ env:
5959
E2E_DBT_PROJECT_DIR: ${{ github.workspace }}/elementary/tests/e2e_dbt_project
6060

6161
jobs:
62-
# PRs from forks require approval, specifically with the "pull_request_target" event as it contains repo secrets.
63-
check-if-requires-approval:
64-
runs-on: ubuntu-latest
65-
outputs:
66-
requires_approval: ${{ steps.set-output.outputs.requires_approval }}
67-
steps:
68-
- name: Set requires approval output
69-
id: set-output
70-
run: |
71-
if [[ "${{ github.event_name }}" =~ ^pull_request && "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]]; then
72-
echo "requires_approval=true" >> $GITHUB_OUTPUT
73-
else
74-
echo "requires_approval=false" >> $GITHUB_OUTPUT
75-
fi
76-
7762
test:
7863
runs-on: ubuntu-latest
79-
needs: [check-if-requires-approval]
80-
environment: ${{ (needs.check-if-requires-approval.outputs.requires_approval == 'true' && 'elementary_test_env') || '' }}
8164
defaults:
8265
run:
8366
working-directory: elementary

0 commit comments

Comments
 (0)