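--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+- package-ecosystem: "github-actions"
+directory: "/"
+schedule:
+interval: "weekly"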
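--- a/.github/workflows/ci-cd-contributor.yml
+++ b/.github/workflows/ci-cd-contributor.yml
@@ -0,0 +1,391 @@
+# WARNING: DO NOT EDIT THIS FILE!!!
+#
+# This file is autogenerated from .github/workflows/ci-cd-contributor.yml.erb
+# by ./internal-scripts/generate-ci-cd-yaml.rb.
+# Please edit the .erb file instead, then regenerate YAML
+# by running that script.
+#
+# TIP: run this on your development machine to ensure generate-ci-cd-yaml.rb
+# is run automatically as a Git pre-commit hook:
+#
+# git config core.hooksPath .githooks
+
+# Security invariant: the contributor pipeline is split across three workflows.
+#
+# ci-cd-main - Privileged (secrets, OIDC, write tokens). Runs on
+# push to upstream branches, and on pull_request_target
+# when a maintainer applies the ok-to-test label.
+# Checks out PR head only when label-gated.
+# ci-cd-contributor - Unprivileged. Runs on pull_request for fork PRs and
+# on push in forks. No secrets. Safe on arbitrary
+# contributor commits.
+# ci-cd-label-guard - Strips ok-to-test on every push to a labeled PR
+# (pull_request_target: synchronize), forcing
+# maintainer re-review before the privileged
+# pipeline re-runs.
+#
+# Changing triggers, if-guards, or the label name in any of these files
+# without considering the others can break the security model.
+
+name: 'CI/CD: contributor'
+
+on:
+push:
+paths-ignore:
+- '**.md'
+- 'dev-handbook/**'
+pull_request:
+paths-ignore:
+- '**.md'
+- 'dev-handbook/**'
+workflow_dispatch:
+
+jobs:
+lint:
+name: Check whether workflow is up-to-date
+runs-on: ubuntu-24.04
+if: >
+github.repository != 'fullstaq-ruby/server-edition'
+|| (github.event_name == 'pull_request'
+&& github.event.pull_request.head.repo.full_name != github.repository)
+timeout-minutes: 10
+steps:
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+- uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1
+with:
+ruby-version: '3.3'
+- name: Check
+run: ./internal-scripts/ci-cd/check-workflow-uptodate/check.sh
+
+
+build_images:
+name: 'Build Docker image [${{ matrix.distro }}]'
+needs: lint
+runs-on: ubuntu-24.04
+if: >
+github.repository != 'fullstaq-ruby/server-edition'
+|| (github.event_name == 'pull_request'
+&& github.event.pull_request.head.repo.full_name != github.repository)
+timeout-minutes: 30
+strategy:
+fail-fast: false
+matrix:
+include:
+- distro: 'ubuntu-24.04'
+image_name: 'ghcr.io/fullstaq-ruby/server-edition-ci-images'
+image_tag: 'ubuntu-24.04-v2'
+source_dir: 'environments/ubuntu-24.04'
+artifact_name: 'docker-image-ubuntu-24.04'
+- distro: 'el-9'
+image_name: 'ghcr.io/fullstaq-ruby/server-edition-ci-images'
+image_tag: 'el-9-v2'
+source_dir: 'environments/el-9'
+artifact_name: 'docker-image-el-9'
+- distro: 'utility'
+image_name: 'ghcr.io/fullstaq-ruby/server-edition-ci-images'
+image_tag: 'utility-v3'
+source_dir: 'environments/utility'
+artifact_name: 'docker-image-utility'
+steps:
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+- name: Build Docker image
+run: ./internal-scripts/ci-cd/build-docker-images/build.sh
+env:
+IMAGE_NAME: '${{ matrix.image_name }}'
+IMAGE_TAG: '${{ matrix.image_tag }}'
+SOURCE_DIR: '${{ matrix.source_dir }}'
+- name: Dump Docker image
+run: ./internal-scripts/ci-cd/build-docker-images/dump-image.sh
+env:
+IMAGE_NAME: '${{ matrix.image_name }}'
+IMAGE_TAG: '${{ matrix.image_tag }}'
+- name: Upload Docker image artifact
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+with:
+name: '${{ matrix.artifact_name }}'
+path: output
+retention-days: 1
+
+
+build_packages:
+name: 'Build packages [${{ matrix.distro }}]'
+needs: build_images
+runs-on: ubuntu-24.04
+if: >
+github.repository != 'fullstaq-ruby/server-edition'
+|| (github.event_name == 'pull_request'
+&& github.event.pull_request.head.repo.full_name != github.repository)
+timeout-minutes: 60
+strategy:
+fail-fast: false
+matrix:
+include:
+- distro: 'ubuntu-24.04'
+package_format: 'DEB'
+image_artifact_name: 'docker-image-ubuntu-24.04'
+- distro: 'el-9'
+package_format: 'RPM'
+image_artifact_name: 'docker-image-el-9'
+steps:
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+### Download and load Docker images ###
+
+- name: Download distro Docker image
+uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
+with:
+name: '${{ matrix.image_artifact_name }}'
+path: docker-image-distro
+- name: Load distro Docker image
+run: ./internal-scripts/ci-cd/load-docker-image.sh
+env:
+TARBALL: docker-image-distro/image.tar.zst
+- name: Download utility Docker image
+uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
+with:
+name: 'docker-image-utility'
+path: docker-image-utility
+- name: Load utility Docker image
+run: ./internal-scripts/ci-cd/load-docker-image.sh
+env:
+TARBALL: docker-image-utility/image.tar.zst
+
+### Download sources ###
+
+- name: Download Ruby source
+run: curl -fsSL -o ruby-src.tar.gz 'https://cache.ruby-lang.org/pub/ruby/4.0/ruby-4.0.3.tar.gz'
+- name: Download Jemalloc source
+run: curl -fsSL -o jemalloc-src.tar.bz2 'https://github.com/jemalloc/jemalloc/releases/download/3.6.0/jemalloc-3.6.0.tar.bz2'
+
+### Build Jemalloc ###
+
+- name: Build Jemalloc
+run: |
+./build-jemalloc \
+-n '${{ matrix.distro }}' \
+-s "$(pwd)/jemalloc-src.tar.bz2" \
+-o "$(pwd)/jemalloc-bin.tar.gz" \
+-j 2
+
+### Build Ruby binaries ###
+
+- name: 'Build Ruby binaries [${{ matrix.distro }}/normal]'
+run: |
+./build-ruby \
+-n '${{ matrix.distro }}' \
+-s "$(pwd)/ruby-src.tar.gz" \
+-v '4.0' \
+-o "$(pwd)/ruby-bin-normal.tar.gz" \
+-j 2
+
+- name: 'Build Ruby binaries [${{ matrix.distro }}/jemalloc]'
+run: |
+./build-ruby \
+-n '${{ matrix.distro }}' \
+-s "$(pwd)/ruby-src.tar.gz" \
+-v '4.0' \
+-o "$(pwd)/ruby-bin-jemalloc.tar.gz" \
+-m "$(pwd)/jemalloc-bin.tar.gz" \
+-j 2
+
+- name: Create packages directory
+run: mkdir -p packages
+
+### Build Ruby packages ###
+
+- name: 'Build Ruby DEB [${{ matrix.distro }}/normal]'
+if: matrix.package_format == 'DEB'
+run: |
+./build-ruby-deb \
+-b "$(pwd)/ruby-bin-normal.tar.gz" \
+-o "$(pwd)/packages/fullstaq-ruby-4.0_2-${{ matrix.distro }}_amd64.deb" \
+-r '2'
+- name: 'Build Ruby RPM [${{ matrix.distro }}/normal]'
+if: matrix.package_format == 'RPM'
+run: |
+SANITIZED_DISTRO=$(echo '${{ matrix.distro }}' | tr -d '-')
+./build-ruby-rpm \
+-b "$(pwd)/ruby-bin-normal.tar.gz" \
+-o "$(pwd)/packages/fullstaq-ruby-4.0-rev2-${SANITIZED_DISTRO}.x86_64.rpm" \
+-r '2'
+
+- name: 'Build Ruby DEB [${{ matrix.distro }}/jemalloc]'
+if: matrix.package_format == 'DEB'
+run: |
+./build-ruby-deb \
+-b "$(pwd)/ruby-bin-jemalloc.tar.gz" \
+-o "$(pwd)/packages/fullstaq-ruby-4.0-jemalloc_2-${{ matrix.distro }}_amd64.deb" \
+-r '2'
+- name: 'Build Ruby RPM [${{ matrix.distro }}/jemalloc]'
+if: matrix.package_format == 'RPM'
+run: |
+SANITIZED_DISTRO=$(echo '${{ matrix.distro }}' | tr -d '-')
+./build-ruby-rpm \
+-b "$(pwd)/ruby-bin-jemalloc.tar.gz" \
+-o "$(pwd)/packages/fullstaq-ruby-4.0-jemalloc-rev2-${SANITIZED_DISTRO}.x86_64.rpm" \
+-r '2'
+
+### Upload packages ###
+
+- name: Upload packages
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+with:
+name: 'contributor-packages-${{ matrix.distro }}'
+path: packages
+retention-days: 1
+
+
+build_common_packages:
+name: Build common and rbenv packages
+needs: build_images
+runs-on: ubuntu-24.04
+if: >
+github.repository != 'fullstaq-ruby/server-edition'
+|| (github.event_name == 'pull_request'
+&& github.event.pull_request.head.repo.full_name != github.repository)
+timeout-minutes: 30
+steps:
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+- name: Download utility Docker image
+uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
+with:
+name: 'docker-image-utility'
+path: docker-image-utility
+- name: Load utility Docker image
+run: ./internal-scripts/ci-cd/load-docker-image.sh
+env:
+TARBALL: docker-image-utility/image.tar.zst
+
+- name: Clone Rbenv source
+run: |
+git clone 'https://github.com/fullstaq-ruby/rbenv.git' rbenv-src
+cd rbenv-src
+git checkout 'fbaa15993171bf'
+
+- name: Create packages directory
+run: mkdir -p packages
+
+- name: Build Rbenv DEB
+run: |
+./build-rbenv-deb \
+-s "$(pwd)/rbenv-src" \
+-o "$(pwd)/packages/fullstaq-rbenv_1.1.2-16-1_all.deb" \
+-n '1.1.2-16' \
+-r '1'
+- name: Build Rbenv RPM
+run: |
+./build-rbenv-rpm \
+-s "$(pwd)/rbenv-src" \
+-o "$(pwd)/packages/fullstaq-rbenv-1.1.2_16-1.noarch.rpm" \
+-n '1.1.2-16' \
+-r '1'
+- name: Build common DEB
+run: |
+./build-common-deb \
+-o "$(pwd)/packages/fullstaq-ruby-common_1.0-1_all.deb"
+- name: Build common RPM
+run: |
+./build-common-rpm \
+-o "$(pwd)/packages/fullstaq-ruby-common-1.0-1.noarch.rpm"
+
+- name: Upload packages
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+with:
+name: contributor-packages-common
+path: packages
+retention-days: 1
+
+
+test_packages:
+name: 'Test [${{ matrix.distro }}/${{ matrix.variant }}]'
+needs:
+- build_packages
+- build_common_packages
+runs-on: ubuntu-24.04
+if: >
+github.repository != 'fullstaq-ruby/server-edition'
+|| (github.event_name == 'pull_request'
+&& github.event.pull_request.head.repo.full_name != github.repository)
+timeout-minutes: 30
+strategy:
+fail-fast: false
+matrix:
+include:
+- distro: 'ubuntu-24.04'
+variant: 'normal'
+test_image: 'ubuntu:24.04'
+package_format: 'DEB'
+- distro: 'ubuntu-24.04'
+variant: 'jemalloc'
+test_image: 'ubuntu:24.04'
+package_format: 'DEB'
+- distro: 'el-9'
+variant: 'normal'
+test_image: 'rockylinux:9'
+package_format: 'RPM'
+- distro: 'el-9'
+variant: 'jemalloc'
+test_image: 'rockylinux:9'
+package_format: 'RPM'
+steps:
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+- name: Download distro packages
+uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
+with:
+name: 'contributor-packages-${{ matrix.distro }}'
+path: packages
+- name: Download common packages
+uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
+with:
+name: contributor-packages-common
+path: packages
+
+- name: Download utility Docker image
+uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
+with:
+name: 'docker-image-utility'
+path: docker-image-utility
+- name: Load utility Docker image
+run: ./internal-scripts/ci-cd/load-docker-image.sh
+env:
+TARBALL: docker-image-utility/image.tar.zst
+
+- name: Determine Ruby package filename
+id: ruby_pkg
+run: |
+VARIANT="${{ matrix.variant }}"
+DISTRO="${{ matrix.distro }}"
+FORMAT="${{ matrix.package_format }}"
+if [ "$VARIANT" = "normal" ]; then
+VARIANT_SUFFIX=""
+else
+VARIANT_SUFFIX="-${VARIANT}"
+fi
+if [ "$FORMAT" = "DEB" ]; then
+FILENAME="fullstaq-ruby-4.0${VARIANT_SUFFIX}_2-${DISTRO}_amd64.deb"
+else
+SANITIZED_DISTRO=$(echo "$DISTRO" | tr -d '-')
+FILENAME="fullstaq-ruby-4.0${VARIANT_SUFFIX}-rev2-${SANITIZED_DISTRO}.x86_64.rpm"
+fi
+echo "filename=${FILENAME}" >> "$GITHUB_OUTPUT"
+
+- name: Test DEBs
+if: matrix.package_format == 'DEB'
+run: |
+./test-debs \
+-i '${{ matrix.test_image }}' \
+-v '${{ matrix.variant }}' \
+-r "$(pwd)/packages/${{ steps.ruby_pkg.outputs.filename }}" \
+-b "$(pwd)/packages/fullstaq-rbenv_1.1.2-16-1_all.deb" \
+-c "$(pwd)/packages/fullstaq-ruby-common_1.0-1_all.deb"
+- name: Test RPMs
+if: matrix.package_format == 'RPM'
+run: |
+./test-rpms \
+-i '${{ matrix.test_image }}' \
+-v '${{ matrix.variant }}' \
+-r "$(pwd)/packages/${{ steps.ruby_pkg.outputs.filename }}" \
+-b "$(pwd)/packages/fullstaq-rbenv-1.1.2_16-1.noarch.rpm" \
+-c "$(pwd)/packages/fullstaq-ruby-common-1.0-1.noarch.rpm"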
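Review bot: The workflow declares no `permissions:` key, so the "Unprivileged. No secrets." invariant in the header rests on repository settings rather than on the file itself. For `pull_request` runs from a fork the GITHUB_TOKEN is read-only, but the `push` and `workflow_dispatch` triggers pass the `github.repository != 'fullstaq-ruby/server-edition'` guard inside a fork, where the default token scope may be read/write depending on that fork's settings. Adding a top-level `permissions:` with `contents: read` right after the `name: 'CI/CD: contributor'` line would pin every job to a read-only token; setting `persist-credentials: false` on the `actions/checkout` steps would also keep the token out of `.git/config` while the build scripts run. Because this file is generated, the change belongs in `.github/workflows/ci-cd-contributor.yml.erb`. Separately, the two `curl -fsSL` source downloads in `build_packages` are built without checking the tarballs against a recorded digest.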