Skip signed plugin build on pull requests #271

Merged
merged 1 commit into from
Nov 6, 2024

Conversation

lpetrora
Member

@lpetrora lpetrora commented Nov 5, 2024

A pull request from a fork is not able to build the signed plugin due to the secret API KEY, so this step should be skipped. In other instances, like releases and daily builds, the signed plugin should be created.

@lpetrora lpetrora force-pushed the lp-master-skip_signed_plugin_on_pull_request branch from 400e99b to e0c8fa7 Compare November 5, 2024 09:18
@@ -74,6 +74,7 @@ jobs:
uses: actions/checkout@v4

- name: Build frontend signed
if: github.event_name != 'pull_request'
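
Review bot: The `if:` on "Build frontend signed" tests only the event name, so it cannot tell a fork PR from a PR opened from a branch in this repository. Same-repo PRs have access to the secret but will still skip signing, which means the signing path can only be exercised after merge. The check also matches the literal string 'pull_request' only: if this workflow is ever switched to `pull_request_target`, the expression evaluates to true and the step runs with secrets for fork PRs as well. Consider also comparing `github.event.pull_request.head.repo.full_name` with `github.repository`, and add a short comment on the step explaining why it is conditional.
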
Contributor

hm. but this would mean, this is also skipped if we do internal pull requests, like this one, right?
so if we want to debug the signing, we would have to merge it into the master, otherwise we can not test it?
have you seen pull_request_target? https://runs-on.com/github-actions/pull-request-vs-pull-request-target/

what do you think of the following: we change the event to pull_request_target (thus external prs can access our secrets) but activate that all external collaborations have to be manually approved:
https://docs.github.com/en/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/approving-workflow-runs-from-public-forks

Member Author

You are right, I did not consider our PRs. Your solution works but will give us the additional task of manually validating the collaborators.
What do you think about triggering the validation if the action does not come from a PR or if the PR comes from our own repo?

(github.event_name != 'pull_request') || (github.event.pull_request.head.repo.full_name == github.repository)

Contributor

nice. i have also searched for something like that, but could not find it.
the worst thing that can happen with your solution is that the signed build fails, which is not a catastrophe, so let's go for it!
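
The condition agreed on in this thread, placed in a workflow as an added example (not the project's actual workflow file). The trigger list, the secret name `SIGNING_API_KEY`, the unsigned fallback step and both build commands are assumptions made for illustration.

```yaml
# Added illustration. Everything except the step name "Build frontend signed",
# actions/checkout@v4 and the `if:` expression is a placeholder.
name: build-example
on:
  pull_request:            # fork PRs run without repository secrets
  push:
    branches: [main]
  schedule:
    - cron: "0 3 * * *"    # constructed daily-build trigger

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Runs for non-PR events (push, schedule, release) and for PRs whose
      # head branch lives in this repository. Skipped for PRs from forks,
      # where the secret would be empty and signing would fail.
      - name: Build frontend signed
        if: >-
          (github.event_name != 'pull_request') ||
          (github.event.pull_request.head.repo.full_name == github.repository)
        env:
          SIGNING_API_KEY: ${{ secrets.SIGNING_API_KEY }}  # placeholder secret name
        run: ./build-signed.sh                             # placeholder command

      # Exact inverse of the condition above, so fork PRs still get a
      # build check, only without the signing secret.
      - name: Build frontend unsigned
        if: >-
          (github.event_name == 'pull_request') &&
          (github.event.pull_request.head.repo.full_name != github.repository)
        run: ./build-unsigned.sh                           # placeholder command
```
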

A pull request from a fork is not able to build the signed plugin due to
the secret API KEY, so this step should be skipped. In other instances,
like releases and daily builds, the signed plugin should be created.
@lpetrora lpetrora force-pushed the lp-master-skip_signed_plugin_on_pull_request branch from e0c8fa7 to dca6e70 Compare November 5, 2024 10:26
@lpetrora lpetrora merged commit 8d620d5 into main Nov 6, 2024
5 checks passed
@lpetrora lpetrora deleted the lp-master-skip_signed_plugin_on_pull_request branch November 6, 2024 08:54
@github-actions github-actions bot locked and limited conversation to collaborators Nov 6, 2024