From f14da2dc6605c895ca8e701f328df377e707ba35 Mon Sep 17 00:00:00 2001 From: "jose.vazquez" Date: Thu, 14 Mar 2024 17:38:39 +0100 Subject: [PATCH] Do NOT use pull_request_target events Just avoid contributions to run ANY tests at all by default. Instead, testing needs to be excplictly alloed by lebaling the PR after inspecting it looks sane. --- .github/workflows/test.yml | 25 ++++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 52f7af62ba..f3a6054df3 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -12,9 +12,6 @@ on: - '**' paths-ignore: - 'docs/**' - pull_request_target: - paths-ignore: - - 'docs/**' merge_group: workflow_dispatch: @@ -23,19 +20,41 @@ concurrency: cancel-in-progress: true jobs: + allowed: + runs-on: ubuntu-latest + # Contributions do NOT run any testing by default, a label is needed to allow testing + if: | + github.event.pull_request.base.repo.full_name == github.event.pull_request.head.repo.full_name || + contains(github.event.pull_request.labels.*.name, 'safe-to-test') || + contains(github.event.pull_request.labels.*.name, 'cloud-tests') || + contains(github.event.pull_request.labels.*.name, 'retest') + steps: + - name: allowed message + run: echo "Allowed to test" + lint: + needs: + - allowed uses: ./.github/workflows/lint.yaml validate-manifests: + needs: + - allowed uses: ./.github/workflows/validate-manifests.yml unit-tests: + needs: + - allowed uses: ./.github/workflows/test-unit.yml check-licenses: + needs: + - allowed uses: ./.github/workflows/check-licenses.yml cloud-tests-filter: + needs: + - allowed uses: ./.github/workflows/cloud-tests-filter.yml cloud-tests:
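Review bot: The label checks in the `allowed` job's `if:` approve the pull request as a whole rather than the commit that was inspected: `safe-to-test`, `cloud-tests` or `retest` stay on the PR, so commits pushed to the fork branch after the inspection would run every job that `needs: allowed` without a second look. The `pull_request` trigger and its `types` are outside this hunk, so whether `synchronize` events reach this condition cannot be confirmed from here. If they do, tie the approval to the labeling event for fork PRs, e.g. `(github.event.action == 'labeled' && github.event.label.name == 'safe-to-test')` in place of the bare `contains(...)` test, or have a separate workflow remove the label when new commits arrive. A comment above the `if:` should also record why `merge_group` and `workflow_dispatch` runs still pass the gate, presumably because both sides of the repo comparison are empty there: `# non-PR events carry no pull_request object, so both full_name values are empty and compare equal`.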