[Internal] Migrate workflows that need write access to use hosted runners (#397)

pietern · web-flow · commit 12a824582e76 · 2025-01-07T07:27:04.000Z
Fixes #396. Note: the YAML files were unformatted; please review with "hide whitespace".
diff --git a/.github/workflows/external-message.yml b/.github/workflows/external-message.yml
@@ -13,7 +13,10 @@ on:
 
 jobs:
   comment-on-pr:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: databricks-deco-testing-runner-group
+      labels: ubuntu-latest-deco
+
     permissions:
       pull-requests: write
 
@@ -22,19 +25,19 @@ jobs:
 
       - name: Delete old comments
         env:
-           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-            # Delete previous comment if it exists
-            previous_comment_ids=$(gh api "repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \
-              --jq '.[] | select(.body | startswith("<!-- INTEGRATION_TESTS_MANUAL -->")) | .id')
-            echo "Previous comment IDs: $previous_comment_ids"
-            # Iterate over each comment ID and delete the comment
-            if [ ! -z "$previous_comment_ids" ]; then
-              echo "$previous_comment_ids" | while read -r comment_id; do
-                echo "Deleting comment with ID: $comment_id"
-                gh api "repos/${{ github.repository }}/issues/comments/$comment_id" -X DELETE
-              done
-            fi
+          # Delete previous comment if it exists
+          previous_comment_ids=$(gh api "repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \
+            --jq '.[] | select(.body | startswith("<!-- INTEGRATION_TESTS_MANUAL -->")) | .id')
+          echo "Previous comment IDs: $previous_comment_ids"
+          # Iterate over each comment ID and delete the comment
+          if [ ! -z "$previous_comment_ids" ]; then
+            echo "$previous_comment_ids" | while read -r comment_id; do
+              echo "Deleting comment with ID: $comment_id"
+              gh api "repos/${{ github.repository }}/issues/comments/$comment_id" -X DELETE
+            done
+          fi
 
       - name: Comment on PR
         env:
@@ -44,13 +47,13 @@ jobs:
           gh pr comment ${{ github.event.pull_request.number }} --body \
           "<!-- INTEGRATION_TESTS_MANUAL -->
           If integration tests don't run automatically, an authorized user can run them manually by following the instructions below:
-          
+
           Trigger:
           [go/deco-tests-run/sdk-java](https://go/deco-tests-run/sdk-java)
 
           Inputs:
           * PR number: ${{github.event.pull_request.number}}
           * Commit SHA: \`${{ env.COMMIT_SHA }}\`
-          
+
           Checks will be approved automatically on success.
           "
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
@@ -1,75 +1,87 @@
 name: Integration Tests
 
 on:
-    pull_request:
-        types: [opened, synchronize]
+  pull_request:
+    types: [opened, synchronize]
 
-    merge_group:
+  merge_group:
 
 jobs:
-    check-token:
-        name: Check secrets access
-        runs-on: ubuntu-latest
-        environment: "test-trigger-is"
-        outputs:
-            has_token: ${{ steps.set-token-status.outputs.has_token }}
-        steps:
-        - name: Check if DECO_WORKFLOW_TRIGGER_APP_ID is set
-          id: set-token-status
-          run: |
-            if [ -z "${{ secrets.DECO_WORKFLOW_TRIGGER_APP_ID }}" ]; then
-                echo "DECO_WORKFLOW_TRIGGER_APP_ID is empty. User has no access to secrets."
-                echo "::set-output name=has_token::false"
-            else
-                echo "DECO_WORKFLOW_TRIGGER_APP_ID is set. User has access to secrets."
-                echo "::set-output name=has_token::true"
-            fi
+  check-token:
+    name: Check secrets access
 
-    trigger-tests:
-        name: Trigger Tests
-        runs-on: ubuntu-latest
-        needs: check-token
-        if: github.event_name == 'pull_request'  && needs.check-token.outputs.has_token == 'true'
-        environment: "test-trigger-is"
-        steps:
-            - uses: actions/checkout@v3
+    runs-on:
+      group: databricks-deco-testing-runner-group
+      labels: ubuntu-latest-deco
 
-            - name: Generate GitHub App Token
-              id: generate-token
-              uses: actions/create-github-app-token@v1
-              with:
-                  app-id: ${{ secrets.DECO_WORKFLOW_TRIGGER_APP_ID }}
-                  private-key: ${{ secrets.DECO_WORKFLOW_TRIGGER_PRIVATE_KEY }}
-                  owner: ${{ secrets.ORG_NAME }}
-                  repositories: ${{secrets.REPO_NAME}}
+    environment: "test-trigger-is"
+    outputs:
+      has_token: ${{ steps.set-token-status.outputs.has_token }}
+    steps:
+      - name: Check if DECO_WORKFLOW_TRIGGER_APP_ID is set
+        id: set-token-status
+        run: |
+          if [ -z "${{ secrets.DECO_WORKFLOW_TRIGGER_APP_ID }}" ]; then
+              echo "DECO_WORKFLOW_TRIGGER_APP_ID is empty. User has no access to secrets."
+              echo "::set-output name=has_token::false"
+          else
+              echo "DECO_WORKFLOW_TRIGGER_APP_ID is set. User has access to secrets."
+              echo "::set-output name=has_token::true"
+          fi
 
-            - name: Trigger Workflow in Another Repo
-              env:
-                  GH_TOKEN: ${{ steps.generate-token.outputs.token }}
-              run: |
-                  gh workflow run sdk-java-isolated-pr.yml -R ${{ secrets.ORG_NAME }}/${{secrets.REPO_NAME}} \
-                  --ref main \
-                  -f pull_request_number=${{ github.event.pull_request.number }} \
-                  -f commit_sha=${{ github.event.pull_request.head.sha }}
+  trigger-tests:
+    name: Trigger Tests
 
-    # Statuses and checks apply to specific commits (by hash).
-    # Enforcement of required checks is done both at the PR level and the merge queue level.
-    # In case of multiple commits in a single PR, the hash of the squashed commit
-    # will not match the one for the latest (approved) commit in the PR.
-    # We auto approve the check for the merge queue for two reasons:
-    # * Queue times out due to duration of tests.
-    # * Avoid running integration tests twice, since it was already run at the tip of the branch before squashing.
-    auto-approve:
-        if: github.event_name == 'merge_group'
-        runs-on: ubuntu-latest
-        steps:
-            - name: Mark Check
-              env:
-                  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-              shell: bash
-              run: |
-                  gh api -X POST -H "Accept: application/vnd.github+json" \
-                    -H "X-GitHub-Api-Version: 2022-11-28" \
-                    /repos/${{ github.repository }}/statuses/${{ github.sha }} \
-                    -f 'state=success' \
-                    -f 'context=Integration Tests Check'
+    runs-on:
+      group: databricks-deco-testing-runner-group
+      labels: ubuntu-latest-deco
+
+    needs: check-token
+    if: github.event_name == 'pull_request'  && needs.check-token.outputs.has_token == 'true'
+    environment: "test-trigger-is"
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Generate GitHub App Token
+        id: generate-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.DECO_WORKFLOW_TRIGGER_APP_ID }}
+          private-key: ${{ secrets.DECO_WORKFLOW_TRIGGER_PRIVATE_KEY }}
+          owner: ${{ secrets.ORG_NAME }}
+          repositories: ${{secrets.REPO_NAME}}
+
+      - name: Trigger Workflow in Another Repo
+        env:
+          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
+        run: |
+          gh workflow run sdk-java-isolated-pr.yml -R ${{ secrets.ORG_NAME }}/${{secrets.REPO_NAME}} \
+          --ref main \
+          -f pull_request_number=${{ github.event.pull_request.number }} \
+          -f commit_sha=${{ github.event.pull_request.head.sha }}
+
+  # Statuses and checks apply to specific commits (by hash).
+  # Enforcement of required checks is done both at the PR level and the merge queue level.
+  # In case of multiple commits in a single PR, the hash of the squashed commit
+  # will not match the one for the latest (approved) commit in the PR.
+  # We auto approve the check for the merge queue for two reasons:
+  # * Queue times out due to duration of tests.
+  # * Avoid running integration tests twice, since it was already run at the tip of the branch before squashing.
+  auto-approve:
+    if: github.event_name == 'merge_group'
+
+    runs-on:
+      group: databricks-deco-testing-runner-group
+      labels: ubuntu-latest-deco
+
+    steps:
+      - name: Mark Check
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        shell: bash
+        run: |
+          gh api -X POST -H "Accept: application/vnd.github+json" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            /repos/${{ github.repository }}/statuses/${{ github.sha }} \
+            -f 'state=success' \
+            -f 'context=Integration Tests Check'
diff --git a/.github/workflows/message.yml b/.github/workflows/message.yml
@@ -24,9 +24,9 @@ jobs:
           TITLE: ${{ github.event.pull_request.title }}
         run: |
           TAG=$(echo "$TITLE" | sed -ne 's/\[\(.*\)\].*/\1/p')
-          if grep -q "tag: \"\[$TAG\]\"" .codegen/changelog_config.yml; then 
+          if grep -q "tag: \"\[$TAG\]\"" .codegen/changelog_config.yml; then
             echo "Valid tag found: [$TAG]"
-          else 
-            echo "Invalid or missing tag in commit message: [$TAG]" 
+          else
+            echo "Invalid or missing tag in commit message: [$TAG]"
             exit 1
-          fi
+          fi
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
@@ -33,7 +33,7 @@ jobs:
       fail-fast: false
       matrix:
         os: [macos-latest, ubuntu-latest]
-        java-version: [8, 11, 17, 20]  # 20 is the latest version as of 2023 and 17 is the latest LTS
+        java-version: [8, 11, 17, 20] # 20 is the latest version as of 2023 and 17 is the latest LTS
 
     runs-on: ${{ matrix.os }}
 
@@ -55,4 +55,3 @@ jobs:
 
       - name: Check Unit Tests
         run: mvn --errors test
-
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -2,10 +2,13 @@ name: Release
 on:
   push:
     tags:
-      - 'v*'
+      - "v*"
 jobs:
   publish:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: databricks-deco-testing-runner-group
+      labels: ubuntu-latest-deco
+
     steps:
       - name: Checkout
         uses: actions/checkout@v2
