
Commit

chore(ci): relocate permission checking after should-run step
This induces a failure if the job has to run AND if the triggering actor isn't a member of the zama-ai organization. That would help tfhe-rs maintainers to re-run only workflows that are supposed to run.

The reference is selected based on the event emitted.

We also now use a token with restricted permissions to check out the repository.
soonum committed Jan 7, 2025
1 parent 1f39de6 commit 97bbf5f
Showing 1 changed file with 12 additions and 14 deletions.
26 changes: 12 additions & 14 deletions .github/workflows/aws_tfhe_fast_tests.yml
Expand Up @@ -12,24 +12,16 @@ env:
SLACK_USERNAME: ${{ secrets.BOT_USERNAME }}
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
IS_PULL_REQUEST: ${{ github.event_name == 'pull_request_target' }}
REF: ${{ github.event.pull_request.head.sha || github.sha }}

on:
# Allows you to run this workflow manually from the Actions tab as an alternative.
workflow_dispatch:
pull_request_target:

jobs:
check-user-permission:
if: github.event_name == 'pull_request_target'
uses: ./.github/workflows/check_triggering_actor.yml
secrets:
TOKEN: ${{ secrets.GITHUB_TOKEN }}

should-run:
runs-on: ubuntu-latest
needs: check-user-permission
if: github.event_name != 'pull_request_target' ||
needs.check-user-permission.result == 'success'
permissions:
pull-requests: write
outputs:
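Review bot: dropping the `needs: check-user-permission` / `if:` pair from `should-run` means that job now runs for every `pull_request_target` event, including ones opened by actors who have not yet passed the organisation check, while it still holds `permissions: pull-requests: write`. That is acceptable only if `should-run` does nothing beyond computing the changed-files output from the checked-out diff; please confirm it executes no script, build or tool from the PR head, and consider narrowing `pull-requests: write` to `read` if the write scope is not needed before the gate.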
Expand Down Expand Up @@ -63,8 +55,8 @@ jobs:
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
fetch-depth: 0
token: ${{ secrets.FHE_ACTIONS_TOKEN }}
ref: ${{ github.event.pull_request.head.sha }}
token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
ref: ${{ env.REF }}

- name: Check for file changes
id: changed-files
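Review bot: this checkout still persists credentials: unlike the later checkout in this file, which sets `persist-credentials: 'false'`, this one leaves the default, so `REPO_CHECKOUT_TOKEN` is written into `.git/config` of a tree checked out at the PR head SHA, and with the actor gate now placed after `should-run` this happens before the triggering actor has been vetted. The job only needs history for the changed-files step, so add `persist-credentials: 'false'` under `with:` here as well.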
Expand Down Expand Up @@ -132,11 +124,17 @@ jobs:
run: |
echo "any_changed=true" >> "$GITHUB_OUTPUT"
check-user-permission:
needs: should-run
uses: ./.github/workflows/check_triggering_actor.yml
secrets:
TOKEN: ${{ secrets.GITHUB_TOKEN }}

setup-instance:
name: Setup instance (fast-tests)
if: github.event_name != 'pull_request_target' ||
needs.should-run.outputs.any_file_changed == 'true'
needs: should-run
needs: [ should-run, check-user-permission ]
runs-on: ubuntu-latest
outputs:
runner-name: ${{ steps.start-instance.outputs.label }}
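Review bot: the re-added `check-user-permission` job no longer carries the `if: github.event_name == 'pull_request_target'` guard that the removed block had, so the actor check now also runs on `workflow_dispatch`; if that is intended, say so in the commit message, otherwise restore the guard. Note also that with only `needs: should-run` the check runs whenever `should-run` succeeds, not only when `any_file_changed == 'true'`, which differs from the "only if the job has to run" behaviour the message describes; gating it with the same `any_file_changed` condition that `setup-instance` uses would match the stated intent. The `needs: [ should-run, check-user-permission ]` change on `setup-instance` is correct: a failed permission check skips the job because `success()` is implied for its `if:` expression.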
Expand Down Expand Up @@ -166,8 +164,8 @@ jobs:
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: 'false'
token: ${{ secrets.FHE_ACTIONS_TOKEN }}
ref: ${{ github.event.pull_request.head.sha }}
token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
ref: ${{ env.REF }}

- name: Install latest stable
uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203

0 comments on commit 97bbf5f