Require alerting on push and issue workflows (#45345)

heiskr · web-flow · commit feb04f5b6f19 · 2023-10-30T18:57:54.000Z
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -5,9 +5,6 @@ name: CodeQL analysis
 # **Who does it impact**: Docs engineering.
 
 on:
-  push:
-    branches:
-      - main
   pull_request:
     branches:
       - main
diff --git a/.github/workflows/content-changes-table-comment.yml b/.github/workflows/content-changes-table-comment.yml
@@ -46,7 +46,7 @@ jobs:
 
   filterContentDir:
     needs: PR-Preview-Links
-    if: ${{ needs.PR-Preview-Links.outputs.filterContentDir == 'true' }}
+    if: ${{ needs.PR-Preview-Links.outputs.filterContentDir == 'true' && (github.repository == 'github/docs-internal' || github.repository == 'github/docs') }}
     runs-on: ubuntu-latest
     env:
       PR_NUMBER: ${{ github.event.pull_request.number }}
diff --git a/.github/workflows/manually-purge-fastly.yml b/.github/workflows/manually-purge-fastly.yml
@@ -14,6 +14,8 @@ jobs:
   purge:
     runs-on: ubuntu-latest
 
+    if: github.repository == 'github/docs-internal'
+
     steps:
       - name: Check out repo
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
diff --git a/.github/workflows/move-existing-issues-to-the-correct-repo.yml b/.github/workflows/move-existing-issues-to-the-correct-repo.yml
@@ -13,6 +13,7 @@ permissions:
 jobs:
   transfer_issues:
     runs-on: ubuntu-latest
+    if: github.repository == 'github/docs-internal'
     steps:
       - id: move_to_correct_repo
         uses: actions/github-script@98814c53be79b1d30f795b907e553d8679345975
diff --git a/.github/workflows/repo-sync-stalls.yml b/.github/workflows/repo-sync-stalls.yml
@@ -15,10 +15,10 @@ permissions:
 
 jobs:
   repo-sync-stalls:
+    if: github.repository == 'github/docs-internal' || github.repository == 'github/docs'
     runs-on: ubuntu-latest
     steps:
-      - if: github.repository == 'github/docs-internal' || github.repository == 'github/docs'
-        name: Check if repo sync is stalled
+      - name: Check if repo sync is stalled
         uses: actions/github-script@98814c53be79b1d30f795b907e553d8679345975
         with:
           script: |
diff --git a/.github/workflows/secret-scanning-pattern-table-updates.yml b/.github/workflows/secret-scanning-pattern-table-updates.yml
@@ -18,6 +18,7 @@ permissions:
 jobs:
   Process-secret-scanning-PR:
     runs-on: ubuntu-latest
+    if: github.repository == 'github/docs-internal'
     steps:
       - name: Check out repo
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
diff --git a/.github/workflows/test-changed-content.yml b/.github/workflows/test-changed-content.yml
@@ -21,6 +21,7 @@ permissions:
 jobs:
   test-changed-content:
     runs-on: ${{ fromJSON('["ubuntu-latest", "ubuntu-20.04-xl"]')[github.repository == 'github/docs-internal'] }}
+    if: ${{ github.repository == 'github/docs-internal' || github.repository == 'github/docs' }}
     steps:
       # Each of these ifs needs to be repeated at each step to make sure the required check still runs
       # Even if if doesn't do anything
diff --git a/.github/workflows/validate-asset-images.yml b/.github/workflows/validate-asset-images.yml
@@ -15,6 +15,7 @@ permissions:
 
 jobs:
   validate-asset-images:
+    if: ${{ github.repository == 'github/docs-internal' || github.repository == 'github/docs' }}
     runs-on: ubuntu-latest
     steps:
       - name: Check out repo
diff --git a/src/workflows/tests/actions-workflows.js b/src/workflows/tests/actions-workflows.js
@@ -36,6 +36,21 @@ const allUsedActions = chain(workflows)
 
 const scheduledWorkflows = workflows.filter(({ data }) => data.on.schedule)
 
+const alertWorkflows = workflows
+  // Only include jobs running on docs-internal
+  .filter(({ data }) =>
+    Object.values(data.jobs)
+      .map((job) => job.if)
+      .toString()
+      .includes('docs-internal'),
+  )
+  // Require slack alerts on workflows that aren't actively watched at time of run
+  .filter(({ data }) => data.on.schedule || data.on.push || data.on.issues || data.on.issue_comment)
+// Not including
+// - premerge workflows: pull_request, pull_request_target, pull_request_review, merge_group
+// - adhoc workflows: workflow_dispatch, workflow_run, workflow_call, repository_dispatch
+// to generate list, console.log(new Set(workflows.map(({ data }) => Object.keys(data.on)).flat()))
+
 const dailyWorkflows = scheduledWorkflows.filter(({ data }) =>
   data.on.schedule.find(({ cron }) => /^20 [^*]/.test(cron)),
 )
@@ -73,7 +88,13 @@ describe('GitHub Actions workflows', () => {
     },
   )
 
-  test.each(scheduledWorkflows)(
+  test.each(workflows)('limits repository scope $filename', ({ filename, data }) => {
+    for (const condition of Object.values(data.jobs).map((job) => job.if)) {
+      expect(condition).toContain('github.repository')
+    }
+  })
+
+  test.each(alertWorkflows)(
     'scheduled workflows slack alert on fail $filename',
     ({ filename, data }) => {
       for (const [name, job] of Object.entries(data.jobs)) {
@@ -84,7 +105,7 @@ describe('GitHub Actions workflows', () => {
     },
   )
 
-  test.each(scheduledWorkflows)(
+  test.each(alertWorkflows)(
     'performs a checkout before calling composite action $filename',
     ({ filename, data }) => {
       for (const [name, job] of Object.entries(data.jobs)) {
