Switch dispatch ref to utilize the base of the PR

This change makes usage of the dispatch on label paradigm possible at the expense of slowing development by forcing the running in the base of the pull request rather than the merge ref. Ultimately this may be more desirable as it enables the workflows run by self-hosted runners to only execute trusted code from the base ref.
islas · Dec 13, 2024 · a8c66da · a8c66da
1 parent d53ef51
commit a8c66da
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 33 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -88,7 +88,7 @@ jobs:
 
     uses : ./.github/workflows/test_workflow.yml
     with :
-      # This should be the only hard-coded value, we don't use ${{ github.event.label.name }}
+      # This should be the only hard-coded value, we don't use ${{ inputs.test }}
       # to avoid 'all-tests' to be used in this workflow
       label    : compile-tests
 
@@ -119,20 +119,22 @@ jobs:
     name : Test ${{ matrix.testSet.name }} on ${{ matrix.testSet.host }}
 
 
-  # # In the event that 'all-tests' is used, this final job will be the one to remove
-  # # the label from the PR
-  # removeAllLabel :
-  #   if : ${{ !cancelled() && github.event.label.name == 'all-tests' }}
-  #   name : Remove 'all-tests' label
-  #   runs-on: ubuntu-latest
-  #   needs : [ buildtests ] # Put tests here to make this wait for the tests to complete
-  #   steps: 
-  #     - name : Remove '${{ github.event.label.name }}' label
-  #       env:
-  #         PR_NUMBER: ${{ github.event.number }}
-  #       run: |
-  #         curl \
-  #           -X DELETE \
-  #           -H "Accept: application/vnd.github.v3+json" \
-  #           -H 'Authorization: token ${{ github.token }}' \
-  #           https://api.github.com/repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/labels/${{ github.event.label.name }}
+  # In the event that 'all-tests' is used, this final job will be the one to remove
+  # the label from the PR
+  removeAllLabel :
+    if : ${{ !cancelled() && inputs.test == 'all-tests' }}
+    name : Remove 'all-tests' label
+    runs-on: ubuntu-latest
+    needs : [ buildtests ] # Put tests here to make this wait for the tests to complete
+    permissions:
+      pull-requests: write
+    steps: 
+      - name : Remove '${{ inputs.test }}' label
+        env:
+          PR_NUMBER: ${{ inputs.event_number }}
+        run: |
+          curl \
+            -X DELETE \
+            -H "Accept: application/vnd.github.v3+json" \
+            -H 'Authorization: token ${{ github.token }}' \
+            https://api.github.com/repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/labels/${{ inputs.test }}
diff --git a/.github/workflows/entry_point.yml b/.github/workflows/entry_point.yml
@@ -28,16 +28,15 @@ jobs:
     permissions:
       actions: write
     steps:
-      - name: Test
+      - name: Dispatch Regression Suite
         run : |
-          echo "Hello World!"
           curl  -L \
                 -X POST \
                 -H "Accept: application/vnd.github+json" \
                 -H "Authorization: Bearer ${{ github.token }}" \
                 -H "X-GitHub-Api-Version: 2022-11-28" \
                 https://api.github.com/repos/${GITHUB_REPOSITORY}/actions/workflows/ci.yml/dispatches \
-                -d '{"ref":"${{ github.event_name == 'push' && github.ref_name || github.event.pull_request.head.ref }}","inputs":{"event_name":"${{ github.event_name }}", "event_number" : "${{ github.event.number }}", "test":"${{ github.event.label.name }}", "ref":"${{ github.ref }}"}}'
+                -d '{"ref":"${{ github.event_name == 'push' && github.ref_name || github.event.pull_request.base.ref }}","inputs":{"event_name":"${{ github.event_name }}", "event_number" : "${{ github.event.number }}", "test":"${{ github.event.label.name }}", "ref":"${{ github.ref }}"}}'
 
 
 
diff --git a/.github/workflows/test_workflow.yml b/.github/workflows/test_workflow.yml
@@ -183,18 +183,17 @@ jobs:
             context:      '${{ inputs.host }}/${{ inputs.id }}',
             state:        '${{ job.status == 'success' && 'success' || 'failure' }}'
           })
-    # As noted in ci.yml, this will need to be moved to a separate workflow with pull_request_target
-    # and strictly controlled usage of the GH token
-    # - name : Remove '${{ inputs.label }}' label
-    #   if : ${{ !cancelled() && github.event.label.name == inputs.label }}
-    #   env:
-    #     PR_NUMBER: ${{ github.event.number }}
-    #   run: |
-    #     curl \
-    #       -X DELETE \
-    #       -H "Accept: application/vnd.github.v3+json" \
-    #       -H 'Authorization: token ${{ github.token }}' \
-    #       https://api.github.com/repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/labels/${{ inputs.label }}
+
+    - name : Remove '${{ inputs.label }}' label
+      if : ${{ !cancelled() && github.event.label.name == inputs.label }}
+      env:
+        PR_NUMBER: ${{ github.event.number }}
+      run: |
+        curl \
+          -X DELETE \
+          -H "Accept: application/vnd.github.v3+json" \
+          -H 'Authorization: token ${{ github.token }}' \
+          https://api.github.com/repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/labels/${{ inputs.label }}