From 509f608a9345e9d87901d8092e96514bace3e5f4 Mon Sep 17 00:00:00 2001 From: Andrew Morgan Date: Tue, 6 Jun 2023 09:34:28 +0100 Subject: [PATCH 1/5] Only run twisted_trunk.yml workflow on matrix-org/synapse --- .github/workflows/twisted_trunk.yml | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/.github/workflows/twisted_trunk.yml b/.github/workflows/twisted_trunk.yml index 14fc6a0389c3..258e4655bc40 100644 --- a/.github/workflows/twisted_trunk.yml +++ b/.github/workflows/twisted_trunk.yml @@ -18,7 +18,18 @@ concurrency: cancel-in-progress: true jobs: + check_repo: + if: github.repository == 'matrix-org/synapse' + runs-on: ubuntu-latest + outputs: + should_run_workflow: ${{ steps.check_condition.outputs.should_run_workflow }} + steps: + - id: check_condition + run: echo "::set-output name=should_run_workflow::${{ github.repository == 'matrix-org/synapse' }}" + mypy: + needs: check_repo + if: needs.check_repo.outputs.should_run_workflow == 'true' runs-on: ubuntu-latest steps: @@ -41,6 +52,8 @@ jobs: - run: poetry run mypy trial: + needs: check_repo + if: needs.check_repo.outputs.should_run_workflow == 'true' runs-on: ubuntu-latest steps: @@ -75,6 +88,8 @@ jobs: || true sytest: + needs: check_repo + if: needs.check_repo.outputs.should_run_workflow == 'true' runs-on: ubuntu-latest container: image: matrixdotorg/sytest-synapse:buster @@ -119,7 +134,8 @@ jobs: /logs/**/*.log* complement: - if: "${{ !failure() && !cancelled() }}" + needs: check_repo + if: "!failure() && !cancelled() && needs.check_repo.outputs.should_run_workflow == 'true'" runs-on: ubuntu-latest strategy: @@ -166,7 +182,7 @@ jobs: # open an issue if the build fails, so we know about it. open-issue: - if: failure() + if: failure() && needs.check_repo.outputs.should_run_workflow == 'true' needs: - mypy - trial From 6fdfdc607431e85a917b3f40df6b17708f72854a Mon Sep 17 00:00:00 2001 
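Review bot: The repository gate in `check_repo` is written two ways in this series: here the job carries `if: github.repository == 'matrix-org/synapse'` and also emits `should_run_workflow`, while the `latest_deps.yml` copy in patch 2 has no job-level `if:`, so on a fork that copy still starts a runner and reports `false`. Pick one form for both files; putting `if: github.repository == 'matrix-org/synapse'` directly on each job would give the same result without the extra job and output. If the output step stays, a comment above the `run:` line such as `# The expression expands to the literal true or false before the shell runs; do not reuse this pattern with event-supplied values.` would record why interpolating into the script is acceptable here.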
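Review bot: The new `open-issue` condition reads `needs.check_repo.outputs.should_run_workflow`, but the only line this hunk changes is the `if:`, and `check_repo` is not added to the job's `needs:` list (the visible entries are `mypy` and `trial`; the list continues outside the hunk). The `needs` context holds only direct dependencies, so the lookup yields an empty string, the comparison with `'true'` is false, and the failure issue would never be opened, even on matrix-org/synapse. Add `- check_repo` to the `needs:` list of `open-issue`. The same applies to the `@@ -192,7 +207,7 @@` hunk of `latest_deps.yml` in patch 2.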
From: Andrew Morgan Date: Tue, 6 Jun 2023 14:35:33 +0100 Subject: [PATCH 2/5] Only run latest_deps.yml workflow on matrix-org/synapse --- .github/workflows/latest_deps.yml | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/.github/workflows/latest_deps.yml b/.github/workflows/latest_deps.yml index 452600ba1633..c65d74a6ba8a 100644 --- a/.github/workflows/latest_deps.yml +++ b/.github/workflows/latest_deps.yml @@ -22,7 +22,17 @@ concurrency: cancel-in-progress: true jobs: + check_repo: + runs-on: ubuntu-latest + outputs: + should_run_workflow: ${{ steps.check_condition.outputs.should_run_workflow }} + steps: + - id: check_condition + run: echo "::set-output name=should_run_workflow::${{ github.repository == 'matrix-org/synapse' }}" + mypy: + needs: check_repo + if: needs.check_repo.outputs.should_run_workflow == 'true' runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 @@ -47,6 +57,8 @@ jobs: run: sed '/warn_unused_ignores = True/d' -i mypy.ini - run: poetry run mypy trial: + needs: check_repo + if: needs.check_repo.outputs.should_run_workflow == 'true' runs-on: ubuntu-latest strategy: matrix: @@ -105,6 +117,8 @@ jobs: sytest: + needs: check_repo + if: needs.check_repo.outputs.should_run_workflow == 'true' runs-on: ubuntu-latest container: image: matrixdotorg/sytest-synapse:testing @@ -156,7 +170,8 @@ jobs: complement: - if: "${{ !failure() && !cancelled() }}" + needs: check_repo + if: "!failure() && !cancelled() && needs.check_repo.outputs.should_run_workflow == 'true'" runs-on: ubuntu-latest strategy: 
@@ -192,7 +207,7 @@ jobs: # Open an issue if the build fails, so we know about it. # Only do this if we're not experimenting with this action in a PR. open-issue: - if: "failure() && github.event_name != 'push' && github.event_name != 'pull_request'" + if: "failure() && github.event_name != 'push' && github.event_name != 'pull_request' && needs.check_repo.outputs.should_run_workflow == 'true'" needs: # TODO: should mypy be included here? It feels more brittle than the others. - mypy From 4607a1903de74d0092c7a61c7a2372ef62c1573c Mon Sep 17 00:00:00 2001 From: Andrew Morgan Date: Tue, 6 Jun 2023 14:45:42 +0100 Subject: [PATCH 3/5] changelog --- changelog.d/15726.misc | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelog.d/15726.misc diff --git a/changelog.d/15726.misc b/changelog.d/15726.misc new file mode 100644 index 000000000000..941e541e7766 --- /dev/null +++ b/changelog.d/15726.misc @@ -0,0 +1 @@ +Prevent the `latest_deps` and `twisted_trunk` daily GitHub Actions workflows from running on forks of the codebase. \ No newline at end of file From 9660d166e266705eb10f88a3c906ffe3099871ca Mon Sep 17 00:00:00 2001 From: Andrew Morgan Date: Tue, 6 Jun 2023 18:22:48 +0100 Subject: [PATCH 4/5] Replace usage of ::set-output with GITHUB_OUTPUT --- .github/workflows/latest_deps.yml | 2 +- .github/workflows/twisted_trunk.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/latest_deps.yml b/.github/workflows/latest_deps.yml index c65d74a6ba8a..9b52a7953262 100644 --- a/.github/workflows/latest_deps.yml +++ b/.github/workflows/latest_deps.yml @@ -28,7 +28,7 @@ jobs: should_run_workflow: ${{ steps.check_condition.outputs.should_run_workflow }} steps: - id: check_condition - run: echo "::set-output name=should_run_workflow::${{ github.repository == 'matrix-org/synapse' }}" + run: echo "should_run_workflow=${{ github.repository == 'matrix-org/synapse' }}" >> "$GITHUB_OUTPUT" mypy: needs: check_repo 
diff --git a/.github/workflows/twisted_trunk.yml b/.github/workflows/twisted_trunk.yml index 258e4655bc40..0e0cdd45c8ad 100644 --- a/.github/workflows/twisted_trunk.yml +++ b/.github/workflows/twisted_trunk.yml @@ -25,7 +25,7 @@ jobs: should_run_workflow: ${{ steps.check_condition.outputs.should_run_workflow }} steps: - id: check_condition - run: echo "::set-output name=should_run_workflow::${{ github.repository == 'matrix-org/synapse' }}" + run: echo "should_run_workflow=${{ github.repository == 'matrix-org/synapse' }}" >> "$GITHUB_OUTPUT" mypy: needs: check_repo From f9ea521d125533db471267b9a20567151ec7ad8d Mon Sep 17 00:00:00 2001 From: Andrew Morgan Date: Tue, 6 Jun 2023 18:41:04 +0100 Subject: [PATCH 5/5] Add a comment explaining what the check_repo job does --- .github/workflows/latest_deps.yml | 4 ++++ .github/workflows/twisted_trunk.yml | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/.github/workflows/latest_deps.yml b/.github/workflows/latest_deps.yml index 9b52a7953262..ec6391cf8fd4 100644 --- a/.github/workflows/latest_deps.yml +++ b/.github/workflows/latest_deps.yml @@ -23,6 +23,10 @@ concurrency: jobs: check_repo: + # Prevent this workflow from running on any fork of Synapse other than matrix-org/synapse, as it is + # only useful to the Synapse core team. + # All other workflow steps depend on this one, thus if 'should_run_workflow' is not 'true', the rest + # of the workflow will be skipped as well. runs-on: ubuntu-latest outputs: should_run_workflow: ${{ steps.check_condition.outputs.should_run_workflow }} diff --git a/.github/workflows/twisted_trunk.yml b/.github/workflows/twisted_trunk.yml index 0e0cdd45c8ad..55081f8133b2 100644 --- a/.github/workflows/twisted_trunk.yml +++ b/.github/workflows/twisted_trunk.yml 
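Review bot: The comment added above `check_repo` in `latest_deps.yml` says all other workflow "steps" depend on this one, but the gate works per job, and only for jobs that both list `check_repo` under `needs:` and test the output in their own `if:`. Suggested wording for the second sentence: `# Every other job lists check_repo in its needs and tests should_run_workflow in its if:; a job that omits either is not gated.` It would also help to state that this saves runner time and is not an access control, since a fork owner can edit the workflow file. The same comment is added to `twisted_trunk.yml` in the following hunk.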
@@ -19,6 +19,10 @@ concurrency: jobs: check_repo: + # Prevent this workflow from running on any fork of Synapse other than matrix-org/synapse, as it is + # only useful to the Synapse core team. + # All other workflow steps depend on this one, thus if 'should_run_workflow' is not 'true', the rest + # of the workflow will be skipped as well. if: github.repository == 'matrix-org/synapse' runs-on: ubuntu-latest outputs: