From 8269c3b4dbb86039ef6191f67cbd8ee1fd5fb1bd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mikl=C3=B3s=20Fazekas?= Date: Thu, 30 Nov 2023 12:04:38 +0100 Subject: [PATCH] chore(actions): run forks with access tokens from protected envs (#3217) --- .github/workflows/android-actions.yml | 26 +++++++++++------ .github/workflows/ci-for-forked-repos.yml | 24 ++++++---------- .github/workflows/ci-requiring-tokens.yml | 35 +++++++++++++++++++++-- .github/workflows/ios-actions.yml | 23 +++++++++++++-- 4 files changed, 78 insertions(+), 30 deletions(-) diff --git a/.github/workflows/android-actions.yml b/.github/workflows/android-actions.yml index 5cb58aa05..2fc5bcb4d 100644 --- a/.github/workflows/android-actions.yml +++ b/.github/workflows/android-actions.yml @@ -3,6 +3,13 @@ name: Android Build on: workflow_call: inputs: + env_name: + required: true + default: default + type: string + ref: + required: false + type: string NVMRC: required: true type: string @@ -11,10 +18,6 @@ on: default: mapbox required: false type: string - REF_FORK: - description: "If build from fork repo or not" - required: false - type: string NEW_ARCH: description: "If build with new architecture or not" default: false @@ -25,21 +28,26 @@ on: required: true MAPBOX_DOWNLOAD_TOKEN: required: true + ENV_MAPBOX_ACCESS_TOKEN: + required: false + ENV_MAPBOX_DOWNLOAD_TOKEN: + required: false jobs: build_example: name: Android Example Build ${{ inputs.NEW_ARCH && 'Fabric' || 'Paper' }} ${{ inputs.MAP_IMPL }} runs-on: ubuntu-latest + environment: ${{ inputs.env_name }} steps: - name: Checkout uses: actions/checkout@v4 - if: ${{ github.event.inputs.REF_FORK == false }} + if: ${{ inputs.ref == '' }} - name: Checkout fork uses: actions/checkout@v4 - if: ${{ github.event.inputs.REF_FORK == true }} + if: ${{ inputs.ref != '' }} with: - ref: ${{ github.event.pull_request.head.sha }} + ref: ${{ inputs.ref }} - name: Setup node ${{ inputs.NVMRC }} uses: actions/setup-node@v3.5.1 
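Review bot: `env_name` is declared with both `required: true` and `default: default`, which contradict each other: a required input has to be supplied by the caller, so the default should never take effect. ci-requiring-tokens.yml declares the same input with `required: false`, and I would match that here (the identical declaration added to ios-actions.yml needs the same change). The new `ref` input also has no `description`; something like `description: "Commit to check out; set only for fork pull requests"` would document when it is meant to be used.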
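Review bot: The `Checkout fork` step puts pull-request code into a job whose later steps receive the Mapbox tokens, and it keeps the actions/checkout default of leaving the job token in the local git config; I would add `persist-credentials: false` under its `with:`. The new `environment: ${{ inputs.env_name }}` is the only gate in front of that code, yet nothing ties a non-empty `ref` to a protected environment, so an upstream caller that sets `ref` but leaves `env_name` at `default` would run it with no gate visible in this file. A short comment on the `ref` input saying it must only be set together with a reviewer-protected `env_name` would make that contract explicit. The same applies to the `Checkout fork` step added in ios-actions.yml, and the job's remaining steps are outside this hunk.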
@@ -57,12 +65,12 @@ jobs: echo MAPBOX_DOWNLOADS_TOKEN=$MAPBOX_DOWNLOAD_TOKEN > ~/.gradle/gradle.properties working-directory: example env: - MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.MAPBOX_DOWNLOAD_TOKEN }} + MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.MAPBOX_DOWNLOAD_TOKEN || secrets.ENV_MAPBOX_DOWNLOAD_TOKEN }} - run: echo $MAPBOX_ACCESS_TOKEN > ./accesstoken working-directory: example env: - MAPBOX_ACCESS_TOKEN: ${{ secrets.MAPBOX_ACCESS_TOKEN }} + MAPBOX_ACCESS_TOKEN: ${{ secrets.MAPBOX_ACCESS_TOKEN || secrets.ENV_MAPBOX_ACCESS_TOKEN }} - run: yarn install --network-timeout 1000000 working-directory: example diff --git a/.github/workflows/ci-for-forked-repos.yml b/.github/workflows/ci-for-forked-repos.yml index 33d21fb61..dd9486e55 100644 --- a/.github/workflows/ci-for-forked-repos.yml +++ b/.github/workflows/ci-for-forked-repos.yml @@ -3,22 +3,14 @@ on: branches: [ main ] jobs: - approve: - runs-on: ubuntu-latest - steps: - - name: Approve - run: echo For security reasons, all pull requests need to be approved first before running any automated CI. - call_ci_requiring_tokens: name: "CI requiring tokens" - environment: - name: CI with Mapbox Tokens - needs: [approve] - runs-on: ubuntu-latest - steps: - - uses: ./.github/workflows/ci-requiring-tokens.yml - with: - NVMRC: v18.18.0 - MAPBOX_ACCESS_TOKEN: ${{ secrets.ENV_MAPBOX_ACCESS_TOKEN }} - MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.ENV_MAPBOX_DOWNLOAD_TOKEN }} + uses: ./.github/workflows/ci-requiring-tokens.yml + with: + NVMRC: v18.18.0 + env_name: CI with Mapbox Tokens + ref: ${{ github.event.pull_request.head.sha }} + secrets: + ENV_MAPBOX_ACCESS_TOKEN: ${{ secrets.ENV_MAPBOX_ACCESS_TOKEN }} + ENV_MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.ENV_MAPBOX_DOWNLOAD_TOKEN }} diff --git a/.github/workflows/ci-requiring-tokens.yml b/.github/workflows/ci-requiring-tokens.yml index b55a5c068..669ff2042 100644 --- a/.github/workflows/ci-requiring-tokens.yml +++ b/.github/workflows/ci-requiring-tokens.yml 
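Review bot: With the `approve` job and its message removed, nothing in ci-for-forked-repos.yml says that the only gate before fork code runs with the Mapbox tokens is the required-reviewers rule on the `CI with Mapbox Tokens` environment, which is configured in repository settings and cannot be checked from this diff. I would add a comment above `call_ci_requiring_tokens` such as `# Fork code runs with secrets: the 'CI with Mapbox Tokens' environment must keep required reviewers enabled`. Pinning `ref` to `github.event.pull_request.head.sha` is the right choice, since an approval then covers the commit of that event and not later pushes. The trigger is outside the hunk; if it is `pull_request_target`, a top-level `permissions:` block with `contents: read` would also keep the job token read-only while fork code runs.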
@@ -6,11 +6,22 @@ on: NVMRC: required: true type: string + env_name: + required: false + type: string + default: default + ref: + required: false + type: string secrets: MAPBOX_ACCESS_TOKEN: - required: true + required: false MAPBOX_DOWNLOAD_TOKEN: - required: true + required: false + ENV_MAPBOX_ACCESS_TOKEN: + required: false + ENV_MAPBOX_DOWNLOAD_TOKEN: + required: false concurrency: group: ${{ github.head_ref || github.run_id }}-ci-with-tokens 
@@ -21,61 +32,79 @@ jobs: name: "Android/Mapbox" uses: ./.github/workflows/android-actions.yml with: + env_name: ${{ inputs.env_name }} NVMRC: ${{ inputs.NVMRC }} MAP_IMPL: mapbox secrets: MAPBOX_ACCESS_TOKEN: ${{ secrets.MAPBOX_ACCESS_TOKEN }} MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.MAPBOX_DOWNLOAD_TOKEN }} + ENV_MAPBOX_ACCESS_TOKEN: ${{ secrets.ENV_MAPBOX_ACCESS_TOKEN }} + ENV_MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.ENV_MAPBOX_DOWNLOAD_TOKEN }} call_android_workflow_fabric: name: "Android/Mapbox/Fabric" uses: ./.github/workflows/android-actions.yml with: + env_name: ${{ inputs.env_name }} NVMRC: ${{ inputs.NVMRC }} MAP_IMPL: mapbox NEW_ARCH: true secrets: MAPBOX_ACCESS_TOKEN: ${{ secrets.MAPBOX_ACCESS_TOKEN }} MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.MAPBOX_DOWNLOAD_TOKEN }} + ENV_MAPBOX_ACCESS_TOKEN: ${{ secrets.ENV_MAPBOX_ACCESS_TOKEN }} + ENV_MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.ENV_MAPBOX_DOWNLOAD_TOKEN }} call_android_workflow_11: name: "Android/Mapbox11" uses: ./.github/workflows/android-actions.yml with: + env_name: ${{ inputs.env_name }} NVMRC: ${{ inputs.NVMRC }} MAP_IMPL: mapbox11 secrets: MAPBOX_ACCESS_TOKEN: ${{ secrets.MAPBOX_ACCESS_TOKEN }} MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.MAPBOX_DOWNLOAD_TOKEN }} + ENV_MAPBOX_ACCESS_TOKEN: ${{ secrets.ENV_MAPBOX_ACCESS_TOKEN }} + ENV_MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.ENV_MAPBOX_DOWNLOAD_TOKEN }} call_ios_workflow: name: "iOS/Mapbox" uses: ./.github/workflows/ios-actions.yml with: + env_name: ${{ inputs.env_name }} NVMRC: ${{ inputs.NVMRC }} MAP_IMPL: mapbox secrets: MAPBOX_ACCESS_TOKEN: ${{ secrets.MAPBOX_ACCESS_TOKEN }} MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.MAPBOX_DOWNLOAD_TOKEN }} + ENV_MAPBOX_ACCESS_TOKEN: ${{ secrets.ENV_MAPBOX_ACCESS_TOKEN }} + ENV_MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.ENV_MAPBOX_DOWNLOAD_TOKEN }} call_ios_workflow_fabric: name: "iOS/Mapbox/Fabric" uses: ./.github/workflows/ios-actions.yml with: + env_name: ${{ inputs.env_name }} NVMRC: ${{ inputs.NVMRC }} MAP_IMPL: mapbox NEW_ARCH: true secrets: 
MAPBOX_ACCESS_TOKEN: ${{ secrets.MAPBOX_ACCESS_TOKEN }} MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.MAPBOX_DOWNLOAD_TOKEN }} + ENV_MAPBOX_ACCESS_TOKEN: ${{ secrets.ENV_MAPBOX_ACCESS_TOKEN }} + ENV_MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.ENV_MAPBOX_DOWNLOAD_TOKEN }} call_ios_workflow_11: name: "iOS/Mapbox11" uses: ./.github/workflows/ios-actions.yml with: + env_name: ${{ inputs.env_name }} NVMRC: ${{ inputs.NVMRC }} MAP_IMPL: mapbox11 secrets: MAPBOX_ACCESS_TOKEN: ${{ secrets.MAPBOX_ACCESS_TOKEN }} - MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.MAPBOX_DOWNLOAD_TOKEN }} \ No newline at end of file + MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.MAPBOX_DOWNLOAD_TOKEN }} + ENV_MAPBOX_ACCESS_TOKEN: ${{ secrets.ENV_MAPBOX_ACCESS_TOKEN }} + ENV_MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.ENV_MAPBOX_DOWNLOAD_TOKEN }} \ No newline at end of file diff --git a/.github/workflows/ios-actions.yml b/.github/workflows/ios-actions.yml index a6a1dce2b..faf0fe53e 100644 --- a/.github/workflows/ios-actions.yml +++ b/.github/workflows/ios-actions.yml @@ -3,6 +3,13 @@ name: iOS Build & Detox on: workflow_call: inputs: + env_name: + required: true + default: default + type: string + ref: + required: false + type: string NVMRC: required: true type: string @@ -21,12 +28,17 @@ on: required: true MAPBOX_DOWNLOAD_TOKEN: required: true + ENV_MAPBOX_ACCESS_TOKEN: + required: false + ENV_MAPBOX_DOWNLOAD_TOKEN: + required: false jobs: build: name: iOS Example Build ${{ inputs.NEW_ARCH && 'Fabric' || 'Paper' }} ${{ inputs.MAP_IMPL }} runs-on: macos-12 timeout-minutes: 55 + environment: ${{ inputs.env_name }} defaults: run: 
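Review bot: None of the six `with:` blocks in ci-requiring-tokens.yml forwards the new `ref` input, because only `env_name: ${{ inputs.env_name }}` is added to each of them. As a result `inputs.ref` stays empty in android-actions.yml and ios-actions.yml, their `Checkout fork` step is skipped, and the plain `Checkout` step runs instead, so a fork pull request would presumably report a result for code other than the commit under review. Each block needs `ref: ${{ inputs.ref }}` next to `env_name`.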
@@ -35,11 +47,18 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + if: ${{ inputs.ref == '' }} + + - name: Checkout fork + uses: actions/checkout@v4 + if: ${{ inputs.ref != '' }} + with: + ref: ${{ inputs.ref }} - name: Access Token run: echo $MAPBOX_ACCESS_TOKEN > ./accesstoken env: - MAPBOX_ACCESS_TOKEN: ${{ secrets.MAPBOX_ACCESS_TOKEN }} + MAPBOX_ACCESS_TOKEN: ${{ secrets.MAPBOX_ACCESS_TOKEN || secrets.ENV_MAPBOX_ACCESS_TOKEN }} - name: Setup .netrc with MAPBOX_DOWNLOAD_TOKEN run: | @@ -49,7 +68,7 @@ jobs: chmod 0600 ~/.netrc if: "${{ env.MAPBOX_DOWNLOAD_TOKEN != '' }}" env: - MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.MAPBOX_DOWNLOAD_TOKEN }} + MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.MAPBOX_DOWNLOAD_TOKEN || secrets.ENV_MAPBOX_DOWNLOAD_TOKEN }} - name: Setup node ${{ inputs.NVMRC }} uses: actions/setup-node@v3.5.1