granite-legal-cookbook/.github/workflows/notebooks.yaml at main · ibm-granite-community/granite-legal-cookbook · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
# SPDX-License-Identifier: Apache-2.0

name: Testing Notebooks

on:
  schedule: # Test all notebooks daily
  - cron: '0 11 * * *'
  workflow_dispatch: # Test notebooks on demand
    inputs:
      pr:
        description: 'Pull Request number or leave empty for all notebooks'
        required: false
        type: string
        default: ''
  push:
    branches:
      - main
    paths:
      - '.github/workflows/notebooks.yaml' # This workflow
      - '.github/notebook_lists/*' # Notebook lists
      - 'recipes/**/*.ipynb'
  pull_request:
    branches:
      - main
    paths:
      - '.github/workflows/notebooks.yaml' # This workflow
      - '.github/notebook_lists/*' # Notebook lists
      - 'recipes/**/*.ipynb'

env:
  LC_ALL: en_US.UTF-8

defaults:
  run:
    shell: bash

permissions:
  contents: read

jobs:
  test_workflow_ready:
    # Don't run schedule target in forks
    if: ${{ (github.event_name != 'schedule') || (github.repository_owner == 'ibm-granite-community') }}
    permissions:
      pull-requests: write
      statuses: write
    runs-on: ubuntu-latest
    outputs:
      ref: ${{ inputs.pr && format('refs/pull/{0}/merge',inputs.pr) || '' }}
      all: ${{ contains(fromJSON('["schedule","workflow_dispatch"]'), github.event_name) && !inputs.pr }}
      status_url: ${{ steps.pr.outputs.status_url }}
      run_url: ${{ steps.pr.outputs.run_url }}
    steps:
      - name: "Harden Runner"
        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          disable-sudo-and-containers: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            github.com:443

      - name: Checkout
        if: ${{ inputs.pr }}
        id: checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ inputs.pr && format('refs/pull/{0}/head',inputs.pr) || '' }}

      - name: Pull Request dispatch
        if: ${{ inputs.pr }}
        id: pr
        run: |
          echo "status_url=$STATUS_URL" >> "$GITHUB_OUTPUT"
          echo "run_url=$RUN_URL" >> "$GITHUB_OUTPUT"
          gh api -X POST "$STATUS_URL" -f "context=PR Test" -f "state=$STATUS_STATE" -f "description=$STATUS_DESCRIPTION" -f "target_url=$RUN_URL&pr=$PR"
          gh pr comment "$PR" -b "$GITHUB_WORKFLOW workflow launched on this PR: [View run]($RUN_URL)"
        env:
          PR: ${{ inputs.pr }}
          STATUS_URL: ${{ github.api_url }}/repos/${{ github.repository }}/statuses/${{ steps.checkout.outputs.commit }}
          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
          STATUS_STATE: pending
          STATUS_DESCRIPTION: This check has started...
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  vanilla:
    needs:
      - test_workflow_ready
    permissions:
      contents: read
    uses: ibm-granite-community/utils/.github/workflows/test_notebook.yaml@main
    secrets:
      REPLICATE_API_TOKEN: ${{ secrets.REPLICATE_API_TOKEN }}
    with:
      notebook-lists: |
        .github/notebook_lists/vanilla_notebooks.txt
      python-versions: >-
        3.11
        3.12
      ref: ${{ needs.test_workflow_ready.outputs.ref }}
      all: ${{ fromJSON(needs.test_workflow_ready.outputs.all) }}

  test_workflow_complete:
    needs:
      - test_workflow_ready
      - vanilla
    permissions:
      pull-requests: write
      statuses: write
    runs-on: ubuntu-latest
    if: ${{ !cancelled() && (needs.test_workflow_ready.result == 'success') }}
    steps:
      - name: "Harden Runner"
        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          disable-sudo-and-containers: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            github.com:443

      - name: Pull Request dispatch
        if: ${{ inputs.pr }}
        run: |
          gh api -X POST "$STATUS_URL" -f "context=PR Test" -f "state=$STATUS_STATE" -f "description=$STATUS_DESCRIPTION" -f "target_url=$RUN_URL&pr=$PR"
        env:
          PR: ${{ inputs.pr }}
          STATUS_URL: ${{ needs.test_workflow_ready.outputs.status_url }}
          RUN_URL: ${{ needs.test_workflow_ready.outputs.run_url }}
          STATUS_STATE: ${{ (contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')) && 'failure' || 'success' }}
          STATUS_DESCRIPTION: ${{ (contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')) && 'Failure' || 'Success' }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}