OpenROAD-flow-scripts/.github/workflows/github-actions-on-label-create.yml at cda2f8d05975a4eb08035a50cb16e2de78286c20 · jeffng-or/OpenROAD-flow-scripts · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
name: Labelled Ready to Sync Public

on:
  pull_request:
    types: [labeled]

env:
  ROT13_STAGING_OWNER: ${{ secrets.ROT13_STAGING_OWNER }}
  ROT13_UPSTREAM_OWNER: ${{ secrets.ROT13_UPSTREAM_OWNER }}
  ROT13_UPSTREAM_BRANCH: ${{ secrets.ROT13_UPSTREAM_BRANCH }}

jobs:
  Push-To-Staging:
    name: Push to staging
    runs-on: ${{ vars.USE_SELF_HOSTED == 'true' && 'self-hosted' || 'ubuntu-latest' }}

    permissions:
      # Read-only access so we don't accidentally try to push to *this* repository.
      contents: read
      # Pull request write access, so we can remove the label.
      issues: write
      pull-requests: write
      # Deployment write access, so we can add the nice deployment info.
      deployments: write

    # Only run on the private repository.
    if: github.event.repository.private && github.event.label.name == 'Ready To Sync Public'
    steps:
    - name: Detect configuration
      uses: The-OpenROAD-Project/actions/auto_config@main

    - name: Removing label '${{ github.event.label.name }}'
      uses: The-OpenROAD-Project/actions/remove_label@main
      continue-on-error: true

    - name: Clone repository
      uses: The-OpenROAD-Project/actions/clone_from@main
      with:
        branch: ${{ env.PRIVATE_BRANCH }}
        checkout: true

    - name: Run security scan
      uses: The-OpenROAD-Project/actions/security_scan_on_push@main

    - name: Push to staging repository.
      uses: The-OpenROAD-Project/actions/push_to@main
      with:
        owner: ${{ env.STAGING_OWNER }}
        repo: ${{ env.STAGING_REPO }}
        branch: ${{ env.STAGING_BRANCH }}
        deployToken: ${{ secrets.STAGING_GITHUB_TOKEN }}
        force: true

    - id: resolve_key
      name: Compute per-user secret key
      env:
        PR_AUTHOR: ${{ github.event.pull_request.user.login }}
      run: |
        key=$(echo "$PR_AUTHOR" | tr 'a-z-' 'A-Z_')
        echo "key=$key" >> "$GITHUB_OUTPUT"

    - id: resolve_token
      name: Pick per-user PAT or fall back to bot token
      env:
        USER_PAT: ${{ secrets[format('PAT_{0}', steps.resolve_key.outputs.key)] }}
        BOT_TOKEN: ${{ secrets.STAGING_GITHUB_TOKEN }}
      run: |
        if [ -n "$USER_PAT" ]; then
          echo "::add-mask::$USER_PAT"
          echo "token=$USER_PAT" >> "$GITHUB_OUTPUT"
          echo "source=user-pat" >> "$GITHUB_OUTPUT"
          echo "Using per-user PAT for PR creation"
        else
          echo "::add-mask::$BOT_TOKEN"
          echo "token=$BOT_TOKEN" >> "$GITHUB_OUTPUT"
          echo "source=bot-fallback" >> "$GITHUB_OUTPUT"
          echo "No per-user PAT found; falling back to bot token"
        fi

    - id: send_pr
      name: Create PR if needed.
      uses: The-OpenROAD-Project/actions/send_pr@main
      env:
        STAGING_GITHUB_TOKEN: ${{ steps.resolve_token.outputs.token }}

    - name: Linking to PR using deployment.
      uses: The-OpenROAD-Project/actions/link_pr@main
      env:
        GITHUB_TOKEN: ${{ github.token }}
        UPSTREAM_PR: ${{ steps.send_pr.outputs.pr }}