[WIP, DO NOT MERGE] Gate Private CI workflow on workflow authorization #15540
Workflow file for this run
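# Copyright lowRISC contributors (OpenTitan project).
# Licensed under the Apache License, Version 2.0, see LICENSE for details.
# SPDX-License-Identifier: Apache-2.0

name: Private CI

# Require an auth gate to pass, to ensure that the "Require approval for fork
# pull request workflows" repository action setting is respected even for this
# workflow (which would otherwise need to use a `pull_request_target` event for
# correct token perms for cross-repo dispatch, which is trusted by default).
#
# Trust boundary: this workflow runs with a write-capable token, while the head
# SHA, branch name, PR title and commit message it reads from the triggering run
# are chosen by the contributor. They are only forwarded as dispatch payload
# data here; the receiving workflows must treat them as untrusted input.
on:
  workflow_run:
    workflows: [PR Auth Gate]
    types:
      - completed

# Least privilege: only `contents: write` is granted. The job as shown checks
# out no code, so no contributor-controlled code runs with this token.
permissions:
  contents: write # For repository dispatch

jobs:
  trigger:
    name: Trigger Private CI
    runs-on: ubuntu-latest
    # We should currently only run Private CI for pushes, or PRs to `master`.
    # The triggering event name is `workflow_run.event`. Comparing the
    # `workflow_run` object itself with 'pull_request' is always unequal, which
    # would leave the base-branch filter below without effect.
    # NOTE(review): GitHub appears to leave `workflow_run.pull_requests` empty
    # for pull requests opened from forks (confirm). If so, fork PRs never
    # satisfy the `base.ref` check and are skipped here; the PR number and head
    # SHA would have to be resolved another way for the gate to cover them.
    if: >
      github.event.workflow_run.conclusion == 'success' &&
      (
        github.event.workflow_run.event != 'pull_request' ||
        github.event.workflow_run.pull_requests[0].base.ref == 'master'
      )
    steps:
      - name: Trigger Private CI
        # Supply chain: `@v7` is a mutable tag; consider pinning this action to
        # a full commit SHA, since the step holds a `contents: write` token.
        uses: actions/github-script@v7
        with:
          script: |
            const wr = context.payload.workflow_run;
            const isPullRequest = wr.event === 'pull_request';
            // The job-level `if` only admits pull_request runs that carry a
            // pull_requests[0] entry, so `pr` is defined whenever it is read.
            const pr = isPullRequest ? wr.pull_requests[0] : undefined;

            const payload = {
              // The workflow_run payload exposes the head commit as `head_sha`
              // (flat, like `head_branch` / `head_commit`), not `head.sha`.
              sha: isPullRequest ? pr.head.sha : wr.head_sha,
              pull_request: isPullRequest ? pr.number : context.issue.number,
              inputs: {
                // For push events, also send branch name (for batching)
                branch: isPullRequest ? undefined : wr.head_branch,
                // NOTE(review): the pull_requests entries of a workflow_run
                // payload may not include `title` (confirm); if absent,
                // run_name is dropped from the serialized payload.
                run_name: isPullRequest ? pr.title : wr.head_commit.message.split('\n')[0],
              },
            };

            // Log the dispatched payload. Its values are contributor-controlled
            // text; they are logged and forwarded as data only.
            core.info("Private CI Dispatch payload:");
            core.info(JSON.stringify(payload, null, 2));

            // Targets are fixed strings built from this repository's owner, so
            // the triggering run cannot redirect the dispatch elsewhere.
            const targets = [
              // Private CI
              `${context.repo.owner}/opentitan-private-ci/master/private-ci.yml`,
              // AscentLint CI
              `${context.repo.owner}/opentitan-realintent-ci/main/ascentlint-ci.yml`,
            ];

            // Dispatch sequentially, in the same order as before.
            for (const target of targets) {
              await github.rest.repos.createDispatchEvent({
                owner: context.repo.owner,
                repo: context.repo.repo,
                event_type: 'cross-repo-ci',
                client_payload: {
                  ...payload,
                  target,
                },
              });
            }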