chore(actions): run forks with access tokens from protected envs (#3217)

rnmapbox · Nov 30, 2023 · 8269c3b · 8269c3b
1 parent 8abeae6
commit 8269c3b
Show file tree

Hide file tree

Showing 4 changed files with 78 additions and 30 deletions.
diff --git a/.github/workflows/android-actions.yml b/.github/workflows/android-actions.yml
@@ -3,6 +3,13 @@ name: Android Build
 on:
   workflow_call:
     inputs:
+      env_name:
+        required: true
+        default: default
+        type: string
+      ref:
+        required: false
+        type: string 
       NVMRC:
         required: true
         type: string
@@ -11,10 +18,6 @@ on:
         default: mapbox
         required: false
         type: string
-      REF_FORK:
-        description: "If build from fork repo or not"
-        required: false
-        type: string
       NEW_ARCH:
         description: "If build with new architecture or not"
         default: false
@@ -25,21 +28,26 @@ on:
         required: true
       MAPBOX_DOWNLOAD_TOKEN:
         required: true
+      ENV_MAPBOX_ACCESS_TOKEN:
+        required: false
+      ENV_MAPBOX_DOWNLOAD_TOKEN:
+        required: false
 
 jobs:
   build_example:
     name: Android Example Build ${{ inputs.NEW_ARCH && 'Fabric' || 'Paper' }} ${{ inputs.MAP_IMPL }}
     runs-on: ubuntu-latest
+    environment: ${{ inputs.env_name }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
-        if: ${{ github.event.inputs.REF_FORK == false }}
+        if: ${{ inputs.ref == '' }}
 
       - name: Checkout fork
         uses: actions/checkout@v4
-        if: ${{ github.event.inputs.REF_FORK == true }}
+        if: ${{ inputs.ref != '' }}
         with:
-          ref: ${{ github.event.pull_request.head.sha }}
+          ref: ${{ inputs.ref }}
 
       - name: Setup node ${{ inputs.NVMRC }}
         uses: actions/[email protected]
@@ -57,12 +65,12 @@ jobs:
           echo MAPBOX_DOWNLOADS_TOKEN=$MAPBOX_DOWNLOAD_TOKEN > ~/.gradle/gradle.properties
         working-directory: example
         env:
-          MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.MAPBOX_DOWNLOAD_TOKEN }}
+          MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.MAPBOX_DOWNLOAD_TOKEN || secrets.ENV_MAPBOX_DOWNLOAD_TOKEN }}
 
       - run: echo $MAPBOX_ACCESS_TOKEN > ./accesstoken
         working-directory: example
         env:
-          MAPBOX_ACCESS_TOKEN: ${{ secrets.MAPBOX_ACCESS_TOKEN }}
+          MAPBOX_ACCESS_TOKEN: ${{ secrets.MAPBOX_ACCESS_TOKEN || secrets.ENV_MAPBOX_ACCESS_TOKEN }}
 
       - run: yarn install --network-timeout 1000000
         working-directory: example

diff --git a/.github/workflows/ci-for-forked-repos.yml b/.github/workflows/ci-for-forked-repos.yml
@@ -3,22 +3,14 @@ on:
     branches: [ main ]
 
 jobs:
-  approve:
-    runs-on: ubuntu-latest
-    steps:
-    - name: Approve
-      run: echo For security reasons, all pull requests need to be approved first before running any automated CI.
-
   call_ci_requiring_tokens:
     name: "CI requiring tokens"
-    environment:
-      name: CI with Mapbox Tokens
-    needs: [approve]
-    runs-on: ubuntu-latest
-    steps:
-      - uses: ./.github/workflows/ci-requiring-tokens.yml
-        with:
-          NVMRC: v18.18.0
-          MAPBOX_ACCESS_TOKEN: ${{ secrets.ENV_MAPBOX_ACCESS_TOKEN }}
-          MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.ENV_MAPBOX_DOWNLOAD_TOKEN }}
+    uses: ./.github/workflows/ci-requiring-tokens.yml
+    with:
+      NVMRC: v18.18.0
+      env_name: CI with Mapbox Tokens
+      ref: ${{ github.event.pull_request.head.sha }}
+    secrets:
+      ENV_MAPBOX_ACCESS_TOKEN: ${{ secrets.ENV_MAPBOX_ACCESS_TOKEN }}
+      ENV_MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.ENV_MAPBOX_DOWNLOAD_TOKEN }}
 
diff --git a/.github/workflows/ci-requiring-tokens.yml b/.github/workflows/ci-requiring-tokens.yml
@@ -6,11 +6,22 @@ on:
       NVMRC:
         required: true
         type: string
+      env_name:
+        required: false
+        type: string
+        default: default
+      ref:
+        required: false
+        type: string
     secrets:
       MAPBOX_ACCESS_TOKEN:
-        required: true
+        required: false
       MAPBOX_DOWNLOAD_TOKEN:
-        required: true
+        required: false
+      ENV_MAPBOX_ACCESS_TOKEN:
+        required: false
+      ENV_MAPBOX_DOWNLOAD_TOKEN:
+        required: false
 
 concurrency: 
   group: ${{ github.head_ref || github.run_id }}-ci-with-tokens
@@ -21,61 +32,79 @@ jobs:
     name: "Android/Mapbox"
     uses: ./.github/workflows/android-actions.yml
     with:
+      env_name: ${{ inputs.env_name }}
       NVMRC: ${{ inputs.NVMRC }}
       MAP_IMPL: mapbox
     secrets:
       MAPBOX_ACCESS_TOKEN: ${{ secrets.MAPBOX_ACCESS_TOKEN }}
       MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.MAPBOX_DOWNLOAD_TOKEN }}
+      ENV_MAPBOX_ACCESS_TOKEN: ${{ secrets.ENV_MAPBOX_ACCESS_TOKEN }}
+      ENV_MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.ENV_MAPBOX_DOWNLOAD_TOKEN }}
 
   call_android_workflow_fabric:
     name: "Android/Mapbox/Fabric"
     uses: ./.github/workflows/android-actions.yml
     with:
+      env_name: ${{ inputs.env_name }}
       NVMRC: ${{ inputs.NVMRC }}
       MAP_IMPL: mapbox
       NEW_ARCH: true
     secrets:
       MAPBOX_ACCESS_TOKEN: ${{ secrets.MAPBOX_ACCESS_TOKEN }}
       MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.MAPBOX_DOWNLOAD_TOKEN }}
+      ENV_MAPBOX_ACCESS_TOKEN: ${{ secrets.ENV_MAPBOX_ACCESS_TOKEN }}
+      ENV_MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.ENV_MAPBOX_DOWNLOAD_TOKEN }}
 
 
   call_android_workflow_11:
     name: "Android/Mapbox11"
     uses: ./.github/workflows/android-actions.yml
     with:
+      env_name: ${{ inputs.env_name }}
       NVMRC: ${{ inputs.NVMRC }}
       MAP_IMPL: mapbox11
     secrets:
       MAPBOX_ACCESS_TOKEN: ${{ secrets.MAPBOX_ACCESS_TOKEN }}
       MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.MAPBOX_DOWNLOAD_TOKEN }}
+      ENV_MAPBOX_ACCESS_TOKEN: ${{ secrets.ENV_MAPBOX_ACCESS_TOKEN }}
+      ENV_MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.ENV_MAPBOX_DOWNLOAD_TOKEN }}
 
   call_ios_workflow:
     name: "iOS/Mapbox"
     uses: ./.github/workflows/ios-actions.yml
     with:
+      env_name: ${{ inputs.env_name }}
       NVMRC: ${{ inputs.NVMRC }}
       MAP_IMPL: mapbox
     secrets:
       MAPBOX_ACCESS_TOKEN: ${{ secrets.MAPBOX_ACCESS_TOKEN }}
       MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.MAPBOX_DOWNLOAD_TOKEN }}
+      ENV_MAPBOX_ACCESS_TOKEN: ${{ secrets.ENV_MAPBOX_ACCESS_TOKEN }}
+      ENV_MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.ENV_MAPBOX_DOWNLOAD_TOKEN }}
 
   call_ios_workflow_fabric:
     name: "iOS/Mapbox/Fabric"
     uses: ./.github/workflows/ios-actions.yml
     with:
+      env_name: ${{ inputs.env_name }}
       NVMRC: ${{ inputs.NVMRC }}
       MAP_IMPL: mapbox
       NEW_ARCH: true
     secrets:
       MAPBOX_ACCESS_TOKEN: ${{ secrets.MAPBOX_ACCESS_TOKEN }}
       MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.MAPBOX_DOWNLOAD_TOKEN }}
+      ENV_MAPBOX_ACCESS_TOKEN: ${{ secrets.ENV_MAPBOX_ACCESS_TOKEN }}
+      ENV_MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.ENV_MAPBOX_DOWNLOAD_TOKEN }}
 
   call_ios_workflow_11:
     name: "iOS/Mapbox11"
     uses: ./.github/workflows/ios-actions.yml
     with:
+      env_name: ${{ inputs.env_name }}
       NVMRC: ${{ inputs.NVMRC }}
       MAP_IMPL: mapbox11
     secrets:
       MAPBOX_ACCESS_TOKEN: ${{ secrets.MAPBOX_ACCESS_TOKEN }}
-      MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.MAPBOX_DOWNLOAD_TOKEN }}
+      MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.MAPBOX_DOWNLOAD_TOKEN }}
+      ENV_MAPBOX_ACCESS_TOKEN: ${{ secrets.ENV_MAPBOX_ACCESS_TOKEN }}
+      ENV_MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.ENV_MAPBOX_DOWNLOAD_TOKEN }}
diff --git a/.github/workflows/ios-actions.yml b/.github/workflows/ios-actions.yml
@@ -3,6 +3,13 @@ name: iOS Build & Detox
 on:
   workflow_call:
     inputs:
+      env_name:
+        required: true
+        default: default
+        type: string
+      ref:
+        required: false
+        type: string 
       NVMRC:
         required: true
         type: string
@@ -21,12 +28,17 @@ on:
         required: true
       MAPBOX_DOWNLOAD_TOKEN:
         required: true
+      ENV_MAPBOX_ACCESS_TOKEN:
+        required: false
+      ENV_MAPBOX_DOWNLOAD_TOKEN:
+        required: false
 
 jobs:
   build:
     name: iOS Example Build ${{ inputs.NEW_ARCH && 'Fabric' || 'Paper' }} ${{ inputs.MAP_IMPL }}
     runs-on: macos-12
     timeout-minutes: 55
+    environment: ${{ inputs.env_name }}
 
     defaults:
       run:
@@ -35,11 +47,18 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        if: ${{ inputs.ref == '' }}
+
+      - name: Checkout fork
+        uses: actions/checkout@v4
+        if: ${{ inputs.ref != '' }}
+        with:
+          ref: ${{ inputs.ref }}
 
       - name: Access Token
         run: echo $MAPBOX_ACCESS_TOKEN > ./accesstoken
         env:
-          MAPBOX_ACCESS_TOKEN: ${{ secrets.MAPBOX_ACCESS_TOKEN }}
+          MAPBOX_ACCESS_TOKEN: ${{ secrets.MAPBOX_ACCESS_TOKEN || secrets.ENV_MAPBOX_ACCESS_TOKEN }}
 
       - name: Setup .netrc with MAPBOX_DOWNLOAD_TOKEN
         run: |
@@ -49,7 +68,7 @@ jobs:
           chmod 0600 ~/.netrc
         if: "${{ env.MAPBOX_DOWNLOAD_TOKEN != '' }}"
         env:
-          MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.MAPBOX_DOWNLOAD_TOKEN }}
+          MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.MAPBOX_DOWNLOAD_TOKEN || secrets.ENV_MAPBOX_DOWNLOAD_TOKEN }}
 
       - name: Setup node ${{ inputs.NVMRC }}
         uses: actions/[email protected]