Fix CI failing dependabot PR because no access to secrets
FirelightFlagboy committed Nov 25, 2024
1 parent 5f75235 commit a851910
Showing 3 changed files with 20 additions and 8 deletions.
23 changes: 16 additions & 7 deletions .github/workflows/package-client.yml
@@ -135,7 +135,7 @@ jobs:
needs: version
runs-on: ubuntu-22.04
# Always run the job if `version` job is skipped otherwise only if `version` job was successful.
if: ${{ inputs.version_patch_run_id != '' && always() || success() }}
if: inputs.version_patch_run_id != '' && always() || success()
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # pin v4.2.2
with:
@@ -176,20 +176,26 @@ jobs:
working-directory: client/electron

# We need to patch the vite.config.js because we cannot pass the secret to the snap build (either via build-args or env).
# Build we only do that is the event is not a PR from dependabot (because it does not have access to secrets, thus failing the build).
- name: Patch vite config for snap build
if: !(github.event_name == 'pull_request' && github.actor == 'dependabot[bot]')
run: >-
sed -i
-e s'/if (process.env.PARSEC_APP_SENTRY_AUTH_TOKEN)/if (true)/'
-e s';authToken: process.env.PARSEC_APP_SENTRY_AUTH_TOKEN;authToken: "${{ secrets.SENTRY_AUTH_TOKEN }}";'
vite.config.ts
working-directory: client

- name: Patch snapcraft file for sentry auth token and vite mode
# We only patch snapcraft.yaml is the event is not a PR from dependabot (because it does not have access to secrets, thus failing the build).
- name: Patch snapcraft file for sentry auth token
if: !(github.event_name == 'pull_request' && github.actor == 'dependabot[bot]')
run: >-
sed -i
-e s';SENTRY_AUTH_TOKEN: __TOKEN__;SENTRY_AUTH_TOKEN: "${{ secrets.SENTRY_AUTH_TOKEN }}";'
-e s'/VITE_MODE: development/VITE_MODE: ${{ steps.version.outputs.type }}/'
snap/snapcraft.yaml
sed -i -e s';SENTRY_AUTH_TOKEN: __TOKEN__;SENTRY_AUTH_TOKEN: "${{ secrets.SENTRY_AUTH_TOKEN }}";' snap/snapcraft.yaml
working-directory: client/electron

- name: Patch snapcraft file for vite mode
run: >-
sed -i -e s'/VITE_MODE: development/VITE_MODE: ${{ steps.version.outputs.type }}/' snap/snapcraft.yaml
working-directory: client/electron

- name: Build snap
@@ -344,9 +350,10 @@ jobs:
working-directory: client
timeout-minutes: 1

# Do not prepare codesign if the PR is from dependabot (it does not have access to secrets).
- name: Prepare codesign
shell: bash -o pipefail -eux {0}
if: matrix.platform == 'macos'
if: matrix.platform == 'macos' && !(github.event_name == 'pull_request' && github.actor == 'dependabot[bot]')
run: |
printenv MACOS_CERT | base64 --decode > certificate.p12
@@ -387,7 +394,9 @@ jobs:
working-directory: client/electron
timeout-minutes: 10

# Do not upload sourcemaps if it's a PR from dependabot because it does not have access to secrets.
- name: Upload client electron sourcemaps
if: !(github.event_name == 'pull_request' && github.actor == 'dependabot[bot]')
run: npm run sentry:sourcemaps
env:
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
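Review bot: The conditions that begin with `!` (on the steps "Patch vite config for snap build", "Patch snapcraft file for sentry auth token" and "Upload client electron sourcemaps", plus the job-level `if:` on `publish` in publish.yml) are plain YAML scalars starting with the tag indicator, so the parser will likely read `!(github.event_name` as a tag and the workflow will be rejected or mis-evaluated. GitHub's expression documentation requires `${{ }}` or quoting when an expression starts with `!`, e.g. `if: ${{ !(github.event_name == 'pull_request' && github.actor == 'dependabot[bot]') }}`; the "Prepare codesign" condition is unaffected because it starts with `matrix.platform`. Separately, the token `sed` commands expand `${{ secrets.SENTRY_AUTH_TOKEN }}` straight into the script text. Supplying it through the step's `env:` and referencing `"$SENTRY_AUTH_TOKEN"` in the command keeps the value out of the rendered script and avoids breakage if the token ever contains `;`.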
2 changes: 2 additions & 0 deletions .github/workflows/publish.yml
@@ -50,6 +50,8 @@ env:
jobs:
publish:
runs-on: ubuntu-24.04
# We don't want to run this workflow on dependabot PRs because it will not be able to read the secrets
if: !(github.event_name == 'pull_request' && github.actor == 'dependabot[bot]')
permissions:
contents: read
id-token: write
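Review bot: The job-level `if:` on `publish` keys on the actor's name rather than on what actually breaks the job, which is the absence of secrets. Pull requests opened from forks also run without repository secrets, so if this workflow is triggered by `pull_request` (the `on:` block is outside the hunk) they would presumably fail the same way. Consider covering both cases in one guard, e.g. `if: ${{ !(github.event_name == 'pull_request' && (github.actor == 'dependabot[bot]' || github.event.pull_request.head.repo.full_name != github.repository)) }}`, and have the comment say that the job is skipped whenever secrets are unavailable.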
3 changes: 2 additions & 1 deletion .github/workflows/releaser.yml
@@ -54,7 +54,8 @@ jobs:

package-parsec-client:
needs: version
if: needs.version.result == 'success' && always()
# Do not run this job if the event is a pull request from dependabot.
if: needs.version.result == 'success' && !(github.event_name == 'pull_request' && github.actor == 'dependabot[bot]') && always()
uses: ./.github/workflows/package-client.yml
with:
version: ${{ needs.version.outputs.full }}
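Review bot: The added comment on `package-parsec-client` says what the condition does but not why, and it hides a consequence: with the whole job skipped for dependabot pull requests, dependency bumps appear to reach the default branch without the packaging workflow having run on them from this caller. Whether another workflow still builds the client for those PRs is not visible here. If the skip is intended, state it in the comment, e.g. `# Skipped for dependabot PRs: the packaging workflow needs secrets they cannot read, so dependency bumps are only packaged after merge.`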
