ci: add org member check #3

ci: add org member check

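name: "gha: macOS & Windows Untrusted"

# Build on pull requests and on manual dispatch. The PR builds will be
# non-blocking for now, but that is configured elsewhere.
#
# NOTE(review): no `permissions:` block is declared in this file, so the
# GITHUB_TOKEN scope comes from the repository or organization default.
# Consider declaring least-privilege permissions once the needs of the
# called workflows are confirmed.
on:
  # NOTE(review): an earlier version of this comment described a build that
  # starts in the context of the target branch and has access to the secrets
  # used for the remote caches (Bazel and sccache). That describes
  # `pull_request_target`. The trigger configured here is `pull_request`:
  # the workflow definition is read from the pull request's merge commit,
  # and runs started from a fork do not receive repository secrets. The
  # approval gate below is therefore only as trustworthy as the copy of this
  # file in the pull request. Confirm which trigger is intended before
  # relying on either property.
  pull_request:
    types:
      - opened
      - synchronize
      - reopened
  workflow_dispatch:

# Cancel in-progress runs of the workflow if somebody adds a new commit to the
# PR or branch. That reduces billing, but it creates more noise about
# cancelled jobs.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.head.label || github.head_ref || github.ref }}
  cancel-in-progress: true

jobs:
  pre-flight:
    # For external contributors, run the build in the `external` environment.
    # This requires manual approval from a contributor. It also saves the
    # `ref` of the pull request, so downstream jobs know what to checkout.
    #
    # The check fails closed: every author association other than `MEMBER`
    # (including `OWNER` and `COLLABORATOR`) goes through the approval step.
    #
    # This job must not have a `needs:` entry. It used to list
    # `author-association-external`, which is not defined in this file, and
    # because every other job depends on `pre-flight` the workflow was
    # rejected with "The workflow must contain at least one job with no
    # dependencies."
    environment: 'external'
    name: Require Approval for External PRs
    if: ${{ github.event.pull_request.author_association != 'MEMBER' }}
    runs-on: ubuntu-latest
    outputs:
      checkout-sha: ${{ steps.save-pull-request.outputs.sha }}
    steps:
      - name: Save Pull Request
        id: save-pull-request
        # Pass the value through the environment instead of expanding the
        # expression inside the script text, so the shell only sees it as
        # data. For pull requests this is the head commit SHA captured in the
        # triggering event; for `workflow_dispatch` it falls back to
        # `github.ref`, which is a ref name rather than a fixed commit.
        env:
          CHECKOUT_REF: ${{ github.event.pull_request.head.sha || github.ref }}
        run: >
          echo "sha=${CHECKOUT_REF}" >> "${GITHUB_OUTPUT}"

  # Run other jobs once the `pre-flight` job passes. When the `pre-flight`
  # job requires approval, this blocks all the other jobs. The jobs are
  # defined in separate files to keep the size of this file under control.
  # Each job receives what version to checkout as an input.
  #
  # NOTE(review): secrets reach a called workflow only when the calling job
  # sets `secrets:`. None of the jobs below does, so the called workflows do
  # not get the remote cache secrets from here. Confirm that this is intended.
  external-account-integration:
    name: External Account Integration
    if: ${{ github.event.pull_request.author_association != 'MEMBER' }}
    needs: [pre-flight]
    uses: ./.github/workflows/external-account-integration.yml
    with:
      checkout-ref: ${{ needs.pre-flight.outputs.checkout-sha }}

  macos-bazel:
    # Run this job only for authors that are not organization members, and
    # then only on push events, manual dispatch, or when the PR has the
    # `gha:full-build` label (including a new commit on a PR that already
    # had the label). Note that `push` is not one of this workflow's
    # triggers.
    if: |-
      ${{
        github.event.pull_request.author_association != 'MEMBER' &&
        (github.event_name == 'push' ||
        github.event_name == 'workflow_dispatch' ||
        contains(github.event.pull_request.labels.*.name, 'gha:full-build'))
      }}
    name: macOS-Bazel
    needs: [pre-flight]
    uses: ./.github/workflows/macos-bazel.yml
    with:
      checkout-ref: ${{ needs.pre-flight.outputs.checkout-sha }}

  windows-bazel:
    # Same gating as `macos-bazel`: non-member authors only, and only on push
    # events, manual dispatch, or a PR with the `gha:full-build` label.
    if: |-
      ${{
        github.event.pull_request.author_association != 'MEMBER' &&
        (github.event_name == 'push' ||
        github.event_name == 'workflow_dispatch' ||
        contains(github.event.pull_request.labels.*.name, 'gha:full-build'))
      }}
    name: Windows-Bazel
    needs: [pre-flight]
    uses: ./.github/workflows/windows-bazel.yml
    with:
      checkout-ref: ${{ needs.pre-flight.outputs.checkout-sha }}

  macos-cmake:
    name: macOS-CMake
    needs: [pre-flight]
    uses: ./.github/workflows/macos-cmake.yml
    with:
      checkout-ref: ${{ needs.pre-flight.outputs.checkout-sha }}
      # Build the full matrix only on push events to the default branch, or
      # when the PR has a `gha:full-build` label, or when it had the label
      # already and it gets a new commit. Unlike the Bazel jobs, this job
      # always runs once `pre-flight` passes; the expression only selects
      # the matrix size.
      full-matrix: |-
        ${{
          github.event.pull_request.author_association != 'MEMBER' &&
          (github.event_name == 'push' ||
          github.event_name == 'workflow_dispatch' ||
          contains(github.event.pull_request.labels.*.name, 'gha:full-build'))
        }}

  windows-cmake:
    name: Windows-CMake
    needs: [pre-flight]
    uses: ./.github/workflows/windows-cmake.yml
    with:
      checkout-ref: ${{ needs.pre-flight.outputs.checkout-sha }}
      # Same matrix selection as `macos-cmake`: the full matrix only on push
      # events, manual dispatch, or a PR with the `gha:full-build` label.
      full-matrix: |-
        ${{
          github.event.pull_request.author_association != 'MEMBER' &&
          (github.event_name == 'push' ||
          github.event_name == 'workflow_dispatch' ||
          contains(github.event.pull_request.labels.*.name, 'gha:full-build'))
        }}

  notify:
    name: Notify-Google-Chat
    # Wait until all the other jobs have completed.
    needs:
      - external-account-integration
      - macos-bazel
      - macos-cmake
      - windows-bazel
      - windows-cmake
    # Run even if the other jobs failed or were skipped.
    if: always()
    runs-on: ubuntu-latest
    steps:
      - name: Notify Google Chat
        shell: bash
        # Hand the webhook URL to the script as an environment variable
        # rather than expanding the secret into the script text.
        env:
          WEBHOOK_URL: ${{ secrets.CLOUD_CPP_BUILD_ALERTS_WEBHOOK }}
        run: |
          event_name="${{ github.event_name }}"
          # Only report for these events; pull request runs exit quietly.
          # Of the three, only `workflow_dispatch` is a trigger of this
          # workflow.
          case "${event_name}" in
            schedule)
              ;;
            push)
              ;;
            workflow_dispatch)
              ;;
            *)
              exit 0
              ;;
          esac
          failure="${{ contains(needs.*.result, 'failure') }}"
          cancelled="${{ contains(needs.*.result, 'cancelled') }}"
          status=""
          # Report whether any of the jobs failed or were cancelled.
          # A failure takes precedence over a cancellation.
          if [[ "${cancelled}" == "true" ]]; then status="cancelled"; fi
          if [[ "${failure}" == "true" ]]; then status="failure"; fi
          # Exit early if there is nothing interesting to report.
          if [[ -z "${status}" ]]; then exit 0; fi
          printf '{"text": "GHA Build %s %s/%s/actions/runs/%s"}' \
            "${status}" "${{ github.server_url }}" "${{ github.repository }}" "${{ github.run_id }}" |
            curl -fsX POST -o /dev/null -d@- -H "Content-Type: application/json; charset=UTF-8" "${WEBHOOK_URL}"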