chore: fork CI (#4051)

Author: turip

.github/workflows/ci.yaml

@@ -522,9 +522,10 @@ jobs:
         run: |
           nix develop --impure .#ci -c make lint-helm
 
-  artifacts:
+  trusted-artifacts:
     name: Artifacts
     uses: ./.github/workflows/artifacts.yaml
+    if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
     with:
       publish: ${{ github.event_name == 'push' }}
     permissions:
@@ -533,6 +534,23 @@ jobs:
       id-token: write
       security-events: write
 
+  untrusted-artifacts:
+    name: Untrusted Artifacts
+    if: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository }}
+    uses: ./.github/workflows/untrusted-artifacts.yaml
+    permissions:
+      contents: read
+
+  artifacts-pass:
+    name: Artifacts
+    needs:
+      - trusted-artifacts
+      - untrusted-artifacts
+    if: ${{ always() }}
+    uses: ./.github/workflows/workflow-result.yaml
+    with:
+      result: ${{ contains(needs.*.result, 'failure') && 'fail' || 'pass' }}
+
   dependency-review:
     name: Dependency review
     runs-on: ubuntu-latest
@@ -568,7 +586,9 @@ jobs:
     name: Quickstart
     runs-on: depot-ubuntu-latest-8
     needs:
-      - artifacts
+      - trusted-artifacts
+      - untrusted-artifacts
+    if: ${{ !cancelled() && !contains(needs.*.result, 'failure') && contains(needs.*.result, 'success') }}
 
     steps:
       - name: Checkout repository
@@ -577,8 +597,9 @@ jobs:
           persist-credentials: false
 
       - name: Create override files for quickstart
+        if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
         env:
-          DEPOT_IMAGE_URL: ${{ needs.artifacts.outputs.container-image-url-depot }}
+          DEPOT_IMAGE_URL: ${{ needs.trusted-artifacts.outputs.container-image-url-depot }}
         run: |
           cat > quickstart/docker-compose.override.yaml <<EOF
           services:
@@ -605,7 +626,36 @@ jobs:
           docker ps -a
           docker network ls
           echo "### DEBUG"
-
+      - name: Build as part of quickstart
+        if: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository }}
+        run: |
+          cat > quickstart/docker-compose.override.yaml <<EOF
+          services:
+            openmeter:
+              image: openmeter-quickstart-openmeter:ci
+              pull_policy: build
+              build: ..
+            sink-worker:
+              image: openmeter-quickstart-sink-worker:ci
+              pull_policy: build
+              build: ..
+            balance-worker:
+              image: openmeter-quickstart-balance-worker:ci
+              pull_policy: build
+              build: ..
+            notification-service:
+              image: openmeter-quickstart-notification-service:ci
+              pull_policy: build
+              build: ..
+            billing-worker:
+              image: openmeter-quickstart-billing-worker:ci
+              pull_policy: build
+              build: ..
+            openmeter-jobs:
+              image: openmeter-quickstart-openmeter-jobs:ci
+              pull_policy: build
+              build: ..
+          EOF
       - name: Launch Docker Compose
         run: docker compose -f docker-compose.yaml -f docker-compose.override.yaml up -d
         working-directory: quickstart
@@ -666,7 +716,9 @@ jobs:
     runs-on: depot-ubuntu-latest-8
     # Note: This check is running against the image that is going to be pushed.
     needs:
-      - artifacts
+      - trusted-artifacts
+      - untrusted-artifacts
+    if: ${{ !cancelled() && !contains(needs.*.result, 'failure') && contains(needs.*.result, 'success') }}
 
     steps:
       - name: Checkout repository
@@ -676,7 +728,8 @@ jobs:
 
       - name: Create override files for e2e
         env:
-          DEPOT_IMAGE_URL: ${{ needs.artifacts.outputs.container-image-url-depot }}
+          DEPOT_IMAGE_URL: ${{ needs.trusted-artifacts.outputs.container-image-url-depot }}
+        if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
         run: |
           cat > e2e/docker-compose.override.yaml <<EOF
           services:
@@ -695,6 +748,18 @@ jobs:
           docker ps -a
           docker network ls
           echo "### DEBUG"
+      - name: Build as part of e2e
+        if: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository }}
+        run: |
+          cat > e2e/docker-compose.override.yaml <<EOF
+          services:
+            openmeter:
+              build: ..
+            sink-worker:
+              build: ..
+          EOF
+
+          cat e2e/docker-compose.override.yaml
 
       - name: Launch Docker Compose infra
         run: docker compose -f docker-compose.infra.yaml -f docker-compose.openmeter.yaml -f docker-compose.override.yaml up -d

.github/workflows/untrusted-artifacts.yaml

@@ -0,0 +1,99 @@
+name: Untrusted Artifacts
+
+on:
+  workflow_call:
+
+permissions:
+  contents: read
+
+jobs:
+  container-image:
+    name: Container image
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Set image name
+        id: image-name
+        run: echo "value=ghcr.io/${{ github.repository }}" >> "$GITHUB_OUTPUT"
+
+      - name: Gather build metadata
+        id: meta
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+        with:
+          images: ${{ steps.image-name.outputs.value }}
+          flavor: |
+            latest = false
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr,prefix=pr-
+            type=semver,pattern={{raw}}
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=ref,event=branch,suffix=-{{sha}}-{{date 'X'}},enable={{is_default_branch}}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
+
+      - name: Build image
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: .
+          build-args: |
+            VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
+          platforms: linux/amd64
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          push: false
+
+  benthos-collector-container-image:
+    name: Benthos Collector Container image
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Set image name
+        id: image-name
+        run: echo "value=ghcr.io/openmeterio/benthos-collector" >> "$GITHUB_OUTPUT"
+
+      - name: Gather build metadata
+        id: meta
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+        with:
+          images: ${{ steps.image-name.outputs.value }}
+          flavor: |
+            latest = false
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr,prefix=pr-
+            type=semver,pattern={{raw}}
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=ref,event=branch,suffix=-{{sha}}-{{date 'X'}},enable={{is_default_branch}}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
+
+      - name: Build image
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: .
+          file: benthos-collector.Dockerfile
+          build-args: |
+            VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
+          platforms: linux/amd64
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          push: false

.github/workflows/workflow-result.yaml

@@ -0,0 +1,25 @@
+name: Workflow Result for Required Check
+
+on:
+  workflow_call:
+    inputs:
+      result:
+        description: Workflow result
+        required: true
+        type: string
+
+jobs:
+  workflow_result:
+    name: Workflow Result
+    runs-on: ubuntu-latest
+    timeout-minutes: 2
+    steps:
+      - name: Pass or Fail
+        run: |
+          if [[ "$INPUTS_RESULT" == true ]]; then
+            exit 1
+          else
+            exit 0
+          fi
+        env:
+          INPUTS_RESULT: ${{ inputs.result == 'fail' }}