|
| 1 | +# Please ping @DilumAluthge when making any changes to this file. |
| 2 | + |
| 3 | +# Here are some steps that we take in this workflow file for security reasons: |
| 4 | +# 1. We do not checkout any code. |
| 5 | +# 2. We only run actions that are defined in a repository in the `JuliaLang` GitHub organization. |
| 6 | +# 3. We do not give the `GITHUB_TOKEN` any permissions. |
| 7 | +# 4. We only give the Buildkite API token (`BUILDKITE_API_TOKEN_RETRY`) the minimum necessary |
| 8 | +# set of permissions. |
| 9 | + |
| 10 | +# Important note to Buildkite maintainers: |
| 11 | +# In order to make this work, you need to tell Buildkite that it should NOT create a brand-new |
| 12 | +# build when someone closes and reopens a pull request. To do so: |
| 13 | +# 1. Go to the relevant pipeline (e.g. https://buildkite.com/julialang/julia-master). |
| 14 | +# 2. Click on the "Pipeline Settings" button. |
| 15 | +# 3. In the left sidebar, under "Pipeline Settings", click on "GitHub". |
| 16 | +# 4. In the "GitHub Settings", under "Build Pull Requests", make sure that the "Skip pull |
| 17 | +# request builds for existing commits" checkbox is checked. This is the setting that tells |
| 18 | +# Buildkite that it should NOT create a brand-new build when someone closes and reopens a |
| 19 | +# pull request. |
| 20 | +# 5. At the bottom of the page, click the "Save GitHub Settings" button. |
| 21 | + |
| 22 | +name: Rerun Failed Buildkite Jobs |
| 23 | + |
| 24 | +# There are two ways that a user can rerun the failed Buildkite jobs: |
| 25 | +# 1. Close and reopen the pull request. |
| 26 | +# In order to use this approach, the user must be in one of the following three categories: |
| 27 | +# (i) Author of the pull request |
| 28 | +# (ii) Commit permissions |
| 29 | +# (iii) Triage permissions |
| 30 | +# 2. Post a comment on the pull request with exactly the following contents: /buildkite rerun failed |
| 31 | +# In order to use this approach, the user must be in the following category: |
| 32 | +# - A member of the JuliaLang GitHub organization (the membership must be publicized) |
| 33 | + |
| 34 | +on: |
| 35 | + # When using the `pull_request_target` event, all PRs will get access to secret environment |
| 36 | + # variables (such as the `BUILDKITE_API_TOKEN_RETRY` secret environment variable), even if |
| 37 | + # the PR is from a fork. Therefore, for security reasons, we do not checkout any code in |
| 38 | + # this workflow. |
| 39 | + pull_request_target: |
| 40 | + types: [ reopened ] |
| 41 | + issue_comment: |
| 42 | + types: [ created ] |
| 43 | + |
| 44 | +# We do not give the `GITHUB_TOKEN` any permissions. |
| 45 | +# Therefore, the `GITHUB_TOKEN` only has the same access as any member of the public. |
| 46 | +permissions: |
| 47 | + contents: none |
| 48 | + |
| 49 | +jobs: |
| 50 | + rerun-failed-buildkite-jobs: |
| 51 | + name: Rerun Failed Buildkite Jobs |
| 52 | + runs-on: ubuntu-latest |
| 53 | + if: (github.repository == 'DilumAluthge/julia') && ((github.event_name == 'pull_request_target' && github.event.action == 'reopened') || (github.event_name == 'issue_comment' && github.event.issue.pull_request && github.event.comment.body == '/buildkite rerun failed')) |
| 54 | + steps: |
| 55 | + - name: Check organization membership |
| 56 | + env: |
| 57 | + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
| 58 | + run: | |
| 59 | + if [[ "${{ github.event_name }}" == "pull_request_target" ]]; then |
| 60 | + if [[ "${{ github.event.action }}" == "reopened" ]]; then |
| 61 | + echo "This is a \"reopened\" event, so we do not need to check the user's organization membership." |
| 62 | + echo "GOOD_TO_PROCEED=yes" >> ${GITHUB_ENV:?} |
| 63 | + else |
| 64 | + echo "ERROR: The github.event_name is \"pull_request_target\", but the github.event.action is not \"reopened\"." |
| 65 | + exit 1 |
| 66 | + fi |
| 67 | + else |
| 68 | + curl -H "Authorization: token ${GITHUB_TOKEN:?}" "https://api.github.com/users/${{ github.event.sender.login }}" |
| 69 | + curl -H "Authorization: token ${GITHUB_TOKEN:?}" "https://api.github.com/users/${{ github.event.sender.login }}/orgs" |
| 70 | + export USER_IS_ORGANIZATION_MEMBER=`curl -H "Authorization: token ${GITHUB_TOKEN:?}" "https://api.github.com/users/${{ github.event.sender.login }}/orgs" | jq '[.[] | .login] | index("JuliaLang") != null' | tr -s ' '` |
| 71 | + if [[ "${USER_IS_ORGANIZATION_MEMBER:?}" == "true" ]]; then |
| 72 | + echo "The \"${{ github.event.sender.login }}\" user is a public member of the JuliaLang organization." |
| 73 | + echo "GOOD_TO_PROCEED=yes" >> ${GITHUB_ENV:?} |
| 74 | + else |
| 75 | + echo "ERROR: the \"${{ github.event.sender.login }}\" user is NOT a public member of the JuliaLang organization." |
| 76 | + echo "If you are a member, please make sure that you have publicized your membership." |
| 77 | + exit 1 |
| 78 | + fi |
| 79 | + fi |
| 80 | + # For security reasons, we do not checkout any code in this workflow. |
| 81 | + - uses: JuliaLang/buildkite-rerun-failed@057f6f2d37aa29a57b7679fd2af0df1d9f9188b4 |
| 82 | + if: env.GOOD_TO_PROCEED == 'yes' |
| 83 | + with: |
| 84 | + buildkite_api_token: ${{ secrets.BUILDKITE_API_TOKEN_RETRY }} |
| 85 | + buildkite_organization_slug: 'julialang' |
| 86 | + buildkite_pipeline_slug: 'julia-master' |
| 87 | + pr_number: ${{github.event.number}} |
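Review bot: On the comment-triggered path, `pr_number: ${{github.event.number}}` (file line 87) is likely empty, because the `issue_comment` payload carries the pull request number under `github.event.issue.number` and has no top-level `number`; `pr_number: ${{ github.event.number || github.event.issue.number }}` would cover both triggers. How the pinned action treats an empty `pr_number` is not visible here, so it is worth confirming that it fails rather than acting on some other build. Separately, the membership step (file lines 59-75) expands `${{ github.event.sender.login }}` directly into the shell script that writes the `GOOD_TO_PROCEED` gate. GitHub restricts the characters allowed in logins, so this is hardening rather than a demonstrated hole, but binding the value once under `env:` as `SENDER_LOGIN: ${{ github.event.sender.login }}` and using `"${SENDER_LOGIN}"` in the curl and echo lines keeps event data out of the script text.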