From dc33dafcfaf012e7353bc0e00440b89de3901e23 Mon Sep 17 00:00:00 2001
From: Matt Sturgeon
Date: Mon, 3 Jun 2024 21:21:39 +0100
Subject: [PATCH 1/4] Enable `build` CI on PRs
---
 .github/workflows/build.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 8e2488f9..8d4ec015 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -2,6 +2,7 @@ name: Build
 on:
 push:
+ pull_request:
 # Only allow running one build job at a time to optimise cache hits
 concurrency:
From 9299cdee8f510f3bf83dfaa08cbfd83cc1d06dbe Mon Sep 17 00:00:00 2001
From: Matt Sturgeon
Date: Thu, 6 Jun 2024 04:45:12 +0100
Subject: [PATCH 2/4] Prevent duplicate build CI runs
See:
- https://github.com/zopefoundation/meta/pull/146/files
- https://wildwolf.name/github-actions-how-to-avoid-running-the-same-workflow-multiple-times/
---
 .github/workflows/build.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 8d4ec015..37e89ef9 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -11,6 +11,9 @@ concurrency:
 jobs:
 build:
 runs-on: ubuntu-latest
+ # Avoid duplicate runs when both `push` and `pull_request` are triggered:
+ if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
+
 steps:
 - name: Checkout
 uses: actions/checkout@v4
From 619dd73cd583f62b24691c91d3797097048b945b Mon Sep 17 00:00:00 2001
From: Matt Sturgeon
Date: Mon, 3 Jun 2024 21:30:18 +0100
Subject: [PATCH 3/4] Use owner's PAT in bump-version CI
This is to bypass branch-protection rules on `main`.
---
 .github/workflows/bump-version.yaml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/bump-version.yaml b/.github/workflows/bump-version.yaml
index d0b558c4..d9dda44c 100644
--- a/.github/workflows/bump-version.yaml
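Review bot: In PATCH 2/4 the new `if:` on the `build` job of build.yaml leaves forks as the only source of `pull_request` runs, so every PR run of this job builds code from outside the repository, yet no `permissions:` block for the workflow is visible in these hunks. GitHub gives fork PR runs a read-only token and no secrets by default, but declaring it keeps that true if repository defaults change: add `permissions:` with `contents: read` at workflow level if the file lacks it. The bump-version workflow uses `concurrency: group: builds`; if build.yaml's group (not visible here) is the same, fork PR runs would queue in the same group as version bumps and could displace a pending one, which is worth confirming. The comment could also name the skipped case, e.g. `# Skip same-repo PRs: the push event already builds them; fork PRs still run`. The job's steps continue outside the hunk.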
+++ b/.github/workflows/bump-version.yaml
@@ -21,9 +21,9 @@ on:
 concurrency:
 group: builds
-# Grant GITHUB_TOKEN write access
+# GITHUB_TOKEN only needs read access because we'll use a PAT to push
 permissions:
- contents: write
+ contents: read
 env:
 # sed expression to strip whitespace from property keys
@@ -63,6 +63,9 @@ jobs:
 id: commit
 uses: stefanzweifel/git-auto-commit-action@v5
 with:
+ # We need to commit as a user to ensure CI is run on the commit
+ # We need to push as an admin/owner to bypass branch-protection
+ token: ${{ secrets.HASHALITE_PAT }}
 commit_message: Bump version to ${{ steps.new_props.outputs.mod_version }}
 - name: Summarize
From bbacda53d32b240a29986278804210538f0ea879 Mon Sep 17 00:00:00 2001
From: Matt Sturgeon
Date: Mon, 3 Jun 2024 21:48:28 +0100
Subject: [PATCH 4/4] Ensure bump-version commits as a bot
Use actor's username for the commit author, but use the bot email since we don't have access to user's display names or emails.
---
 .github/workflows/bump-version.yaml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/bump-version.yaml b/.github/workflows/bump-version.yaml
index d9dda44c..83dfcefa 100644
--- a/.github/workflows/bump-version.yaml
+++ b/.github/workflows/bump-version.yaml
@@ -66,6 +66,11 @@ jobs:
 # We need to commit as a user to ensure CI is run on the commit
 # We need to push as an admin/owner to bypass branch-protection
 token: ${{ secrets.HASHALITE_PAT }}
+ # Ensure we commit as a bot, since we can't reliably get an author slug from `github.actor`
+ commit_user_name: github-actions[bot]
+ commit_user_email: 41898282+github-actions[bot]@users.noreply.github.com
+ commit_author: ${{ github.actor }} <41898282+github-actions[bot]@users.noreply.github.com>
+ # The commit message, specify the new version
 commit_message: Bump version to ${{ steps.new_props.outputs.mod_version }}
 - name: Summarize
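Review bot: In PATCH 3/4 the added `token: ${{ secrets.HASHALITE_PAT }}` hands an owner credential that can bypass branch protection on `main` to a third-party action referenced by the mutable tag `@v5`, so any change behind that tag would run with that credential. Pin the action to a full commit SHA, e.g. `uses: stefanzweifel/git-auto-commit-action@<full-commit-sha> # v5` (placeholder; use the SHA of the release you reviewed), and make `HASHALITE_PAT` a fine-grained token limited to this repository with contents write only. It is also worth confirming that `token` is an input this action reads: as far as I know its documented route for a PAT is the `token` input of `actions/checkout`, and an unrecognised input only produces a warning, after which the push would fall back to the now read-only GITHUB_TOKEN. The step begins above the hunk and the checkout step is not visible here.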
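Review bot: In PATCH 4/4 `commit_author` pairs `${{ github.actor }}` with the github-actions bot's noreply address, so the commit carries the actor's name, is attributed by e-mail to the bot, and is pushed with the PAT owner's credential; three identities on one commit make it harder to audit later who triggered a bump. The actor's own noreply address can be built from the context, `commit_author: ${{ github.actor }} <${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com>`. If the bot attribution is intended, the first added comment should say so plainly, since it states the commit is made as a bot while the author line still uses `github.actor`. The `with:` block starts above the hunk.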