From ffa30b7daf486e4ee306fac2173865334e2a09db Mon Sep 17 00:00:00 2001 From: Cedric Willekens Date: Sat, 4 May 2024 16:29:44 +0200 Subject: [PATCH 1/6] Fix gha smells: - Use 'if' for upload-artifact action - Avoid uploading artifacts on forks - Prevent running issue/PR actions on forks - Avoid deploying jobs on forks --- .github/workflows/after-release.yml | 4 ++-- .github/workflows/build.yml | 8 +++++--- .github/workflows/on-push-do-docs.yml | 2 +- .github/workflows/release.yml | 2 +- 4 files changed, 9 insertions(+), 7 deletions(-) diff --git a/.github/workflows/after-release.yml b/.github/workflows/after-release.yml index b8291405ace..fb30484d07b 100644 --- a/.github/workflows/after-release.yml +++ b/.github/workflows/after-release.yml @@ -16,7 +16,7 @@ jobs: update-changelog: runs-on: [ ubuntu-latest ] - if: github.event_name == 'release' + if: github.event_name == 'release' && github.repository == 'App-vNext/Polly' concurrency: group: '${{ github.workflow }}-changelog' @@ -122,7 +122,7 @@ jobs: concurrency: group: '${{ github.workflow }}-milestone' cancel-in-progress: false - + if: github.repository == 'App-vNext/Polly' permissions: issues: write diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index fd555adf87b..f728199f961 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -77,7 +77,7 @@ jobs: run: ./build.ps1 - name: Upload Coverage Reports - if: always() + if: always() && github.repository == 'App-vNext/Polly' uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: coverage-${{ matrix.os_name }} 
@@ -86,19 +86,21 @@ jobs: - name: Upload coverage to Codecov uses: codecov/codecov-action@5ecb98a3c6b747ed38dc09f787459979aebb39be # v4.3.1 + if: always() && github.repository == 'App-vNext/Polly' with: files: ./artifacts/coverage-reports/Polly.Core.Tests/Cobertura.xml,./artifacts/coverage-reports/Polly.Specs/Cobertura.xml,./artifacts/coverage-reports/Polly.RateLimiting.Tests/Cobertura.xml,./artifacts/coverage-reports/Polly.Extensions.Tests/Cobertura.xml,./artifacts/coverage-reports/Polly.Testing.Tests/Cobertura.xml, flags: ${{ matrix.os_name }} token: ${{ secrets.CODECOV_TOKEN }} - name: Upload Mutation Report - if: always() && env.RUN_MUTATION_TESTS == 'true' + if: always() && env.RUN_MUTATION_TESTS == 'true' && github.repository == 'App-vNext/Polly' uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: mutation-report path: ./artifacts/mutation-report - name: Publish NuGet packages + if: github.repository == 'App-vNext/Polly' uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: packages-${{ matrix.os_name }} @@ -107,7 +109,7 @@ jobs: - name: Upload signing file list uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 - if: matrix.os_name == 'windows' + if: matrix.os_name == 'windows' with: name: signing-config path: eng/signing diff --git a/.github/workflows/on-push-do-docs.yml b/.github/workflows/on-push-do-docs.yml index 1e7e85186db..029c5c64706 100644 --- a/.github/workflows/on-push-do-docs.yml +++ b/.github/workflows/on-push-do-docs.yml @@ -12,7 +12,7 @@ jobs: update-docs: name: update-docs runs-on: ubuntu-latest - + if: github.repository == 'App-vNext/Polly' steps: - name: Generate GitHub application token diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index de0c4435d8e..c3ab933ec3b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
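Review bot: In the build.yml hunk at `@@ -86,19 +86,21 @@`, the new condition on the "Upload coverage to Codecov" step adds `always()` as well as the repository check, so the step now also runs after a failed or cancelled build; before this change it had no `if` and ran only on success. If only the fork guard is intended, `if: github.repository == 'App-vNext/Polly'` keeps the implicit success check, and `!cancelled() && ...` is the narrower form if uploads after test failures are wanted. The repository comparison is also true for pull requests opened from forks against this repository, where `secrets.CODECOV_TOKEN` is normally not provided, so the step still has to cope with an empty token. The `if:` is placed after `uses:` here, unlike the neighbouring steps in the same hunk.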
@@ -13,7 +13,7 @@ permissions: {} jobs: release: runs-on: [ ubuntu-latest ] - + if: github.repository == 'App-vNext/Polly' concurrency: group: ${{ github.workflow }} cancel-in-progress: false From a527256807e5b0b8b26debe64ab7a7ddb1bb0f30 Mon Sep 17 00:00:00 2001 From: Cedric Willekens Date: Mon, 13 May 2024 10:30:32 +0200 Subject: [PATCH 2/6] Replace github.repository with github.event.repository.fork --- .github/workflows/after-release.yml | 4 ++-- .github/workflows/build.yml | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/after-release.yml b/.github/workflows/after-release.yml index fb30484d07b..5e89adbd107 100644 --- a/.github/workflows/after-release.yml +++ b/.github/workflows/after-release.yml @@ -16,7 +16,7 @@ jobs: update-changelog: runs-on: [ ubuntu-latest ] - if: github.event_name == 'release' && github.repository == 'App-vNext/Polly' + if: github.event_name == 'release' && github.event.repository.fork == false concurrency: group: '${{ github.workflow }}-changelog' @@ -122,7 +122,7 @@ jobs: concurrency: group: '${{ github.workflow }}-milestone' cancel-in-progress: false - if: github.repository == 'App-vNext/Polly' + if: github.event.repository.fork == false permissions: issues: write diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f728199f961..201b2f57233 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -77,7 +77,7 @@ jobs: run: ./build.ps1 - name: Upload Coverage Reports - if: always() && github.repository == 'App-vNext/Polly' + if: always() && github.event.repository.fork == false uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: coverage-${{ matrix.os_name }} 
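Review bot: In the after-release.yml hunk at `@@ -16,7 +16,7 @@` of commit 2/6, `github.event.repository.fork == false` depends on the event payload containing a `repository` object, and workflow expressions compare loosely: a missing value is coerced to 0, so it equals `false` and the guard passes. The same expression is used for update-milestone and the build.yml steps in this commit, and for update-docs, the ossf-scorecard analysis job and stale later in the series. Their triggers are outside the hunks, so it should be confirmed that every trigger (scheduled runs in particular) delivers `repository`. `github.repository == 'App-vNext/Polly'`, which this commit replaces, comes from the run context rather than the payload and does not have that failure mode. A short comment above the condition, such as `# Skip on forks`, would also tell readers why the job is gated.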
@@ -86,21 +86,21 @@ jobs: - name: Upload coverage to Codecov uses: codecov/codecov-action@5ecb98a3c6b747ed38dc09f787459979aebb39be # v4.3.1 - if: always() && github.repository == 'App-vNext/Polly' + if: always() && github.event.repository.fork == false with: files: ./artifacts/coverage-reports/Polly.Core.Tests/Cobertura.xml,./artifacts/coverage-reports/Polly.Specs/Cobertura.xml,./artifacts/coverage-reports/Polly.RateLimiting.Tests/Cobertura.xml,./artifacts/coverage-reports/Polly.Extensions.Tests/Cobertura.xml,./artifacts/coverage-reports/Polly.Testing.Tests/Cobertura.xml, flags: ${{ matrix.os_name }} token: ${{ secrets.CODECOV_TOKEN }} - name: Upload Mutation Report - if: always() && env.RUN_MUTATION_TESTS == 'true' && github.repository == 'App-vNext/Polly' + if: always() && env.RUN_MUTATION_TESTS == 'true' && github.event.repository.fork == false uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: mutation-report path: ./artifacts/mutation-report - name: Publish NuGet packages - if: github.repository == 'App-vNext/Polly' + if: github.event.repository.fork == false uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: packages-${{ matrix.os_name }} From 29df7846707a205ec6533df374c6799afb08acea Mon Sep 17 00:00:00 2001 From: Cedric Date: Mon, 13 May 2024 10:31:30 +0200 Subject: [PATCH 3/6] Remove trailing space Co-authored-by: Martin Costello --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 201b2f57233..d4cac013b1a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -109,7 +109,7 @@ jobs: - name: Upload signing file list uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 - if: matrix.os_name == 'windows' + if: matrix.os_name == 'windows' with: name: signing-config path: eng/signing 
From d8323657b4d2a2ef337b045dda7aaefe7d677946 Mon Sep 17 00:00:00 2001 From: Cedric Willekens Date: Mon, 13 May 2024 11:03:02 +0200 Subject: [PATCH 4/6] Revert preventing uploading artifacts on forks --- .github/workflows/after-release.yml | 3 +-- .github/workflows/build.yml | 7 +++---- .github/workflows/on-push-do-docs.yml | 1 - .github/workflows/release.yml | 1 - 4 files changed, 4 insertions(+), 8 deletions(-) diff --git a/.github/workflows/after-release.yml b/.github/workflows/after-release.yml index 5e89adbd107..9149eb026f5 100644 --- a/.github/workflows/after-release.yml +++ b/.github/workflows/after-release.yml @@ -118,11 +118,10 @@ jobs: update-milestone: runs-on: [ ubuntu-latest ] - + if: github.event.repository.fork == false concurrency: group: '${{ github.workflow }}-milestone' cancel-in-progress: false - if: github.event.repository.fork == false permissions: issues: write diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d4cac013b1a..746e849f234 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -77,7 +77,7 @@ jobs: run: ./build.ps1 - name: Upload Coverage Reports - if: always() && github.event.repository.fork == false + if: always() uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: coverage-${{ matrix.os_name }} 
@@ -85,22 +85,21 @@ jobs: if-no-files-found: ignore - name: Upload coverage to Codecov - uses: codecov/codecov-action@5ecb98a3c6b747ed38dc09f787459979aebb39be # v4.3.1 if: always() && github.event.repository.fork == false + uses: codecov/codecov-action@5ecb98a3c6b747ed38dc09f787459979aebb39be # v4.3.1 with: files: ./artifacts/coverage-reports/Polly.Core.Tests/Cobertura.xml,./artifacts/coverage-reports/Polly.Specs/Cobertura.xml,./artifacts/coverage-reports/Polly.RateLimiting.Tests/Cobertura.xml,./artifacts/coverage-reports/Polly.Extensions.Tests/Cobertura.xml,./artifacts/coverage-reports/Polly.Testing.Tests/Cobertura.xml, flags: ${{ matrix.os_name }} token: ${{ secrets.CODECOV_TOKEN }} - name: Upload Mutation Report - if: always() && env.RUN_MUTATION_TESTS == 'true' && github.event.repository.fork == false + if: always() && env.RUN_MUTATION_TESTS == 'true' uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: mutation-report path: ./artifacts/mutation-report - name: Publish NuGet packages - if: github.event.repository.fork == false uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: packages-${{ matrix.os_name }} diff --git a/.github/workflows/on-push-do-docs.yml b/.github/workflows/on-push-do-docs.yml index 029c5c64706..533615be5f4 100644 --- a/.github/workflows/on-push-do-docs.yml +++ b/.github/workflows/on-push-do-docs.yml @@ -12,7 +12,6 @@ jobs: update-docs: name: update-docs runs-on: ubuntu-latest - if: github.repository == 'App-vNext/Polly' steps: - name: Generate GitHub application token diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c3ab933ec3b..269d4659e68 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,7 +13,6 @@ permissions: {} jobs: release: runs-on: [ ubuntu-latest ] - if: github.repository == 'App-vNext/Polly' concurrency: group: ${{ github.workflow }} cancel-in-progress: false 
From f78d0fd2c6de11ce7e658d2e73b1e33465167e96 Mon Sep 17 00:00:00 2001 From: Martin Costello Date: Mon, 13 May 2024 10:11:20 +0100 Subject: [PATCH 5/6] Fix formatting Restore whitespace. --- .github/workflows/after-release.yml | 2 ++ .github/workflows/release.yml | 1 + 2 files changed, 3 insertions(+) diff --git a/.github/workflows/after-release.yml b/.github/workflows/after-release.yml index 9149eb026f5..e4680bcbb60 100644 --- a/.github/workflows/after-release.yml +++ b/.github/workflows/after-release.yml @@ -119,9 +119,11 @@ jobs: update-milestone: runs-on: [ ubuntu-latest ] if: github.event.repository.fork == false + concurrency: group: '${{ github.workflow }}-milestone' cancel-in-progress: false + permissions: issues: write diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 269d4659e68..de0c4435d8e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,6 +13,7 @@ permissions: {} jobs: release: runs-on: [ ubuntu-latest ] + concurrency: group: ${{ github.workflow }} cancel-in-progress: false From 7415ae8ee97c63153775835b327f3fd4c96580e6 Mon Sep 17 00:00:00 2001 From: Martin Costello Date: Mon, 13 May 2024 10:11:45 +0100 Subject: [PATCH 6/6] Disable workflows on forks Disable three additional workflows on forks. --- .github/workflows/on-push-do-docs.yml | 2 ++ .github/workflows/ossf-scorecard.yml | 1 + .github/workflows/stale.yml | 3 +++ 3 files changed, 6 insertions(+) diff --git a/.github/workflows/on-push-do-docs.yml b/.github/workflows/on-push-do-docs.yml index 533615be5f4..8575318851e 100644 --- a/.github/workflows/on-push-do-docs.yml +++ b/.github/workflows/on-push-do-docs.yml @@ -12,6 +12,8 @@ jobs: update-docs: name: update-docs runs-on: ubuntu-latest + if: github.event.repository.fork == false + steps: - name: Generate GitHub application token diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml index 9e47679b0ec..1496719aac5 100644 
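Review bot: The `if: github.event.repository.fork == false` added to update-docs in the on-push-do-docs.yml hunk (`@@ -12,6 +12,8 @@`, commit 6/6) restores a guard that commit 4/6 removed, but the `release` job in release.yml lost its guard in that same commit and nothing later in the series puts it back; 5/6 only re-adds the blank line there. If releases are meant to run only in the upstream repository, the same `if:` line belongs under `runs-on` in release.yml as well. Whether that job can start on a fork depends on its triggers, which are not visible in these hunks, and the update-docs job body continues past the end of this hunk.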
--- a/.github/workflows/ossf-scorecard.yml +++ b/.github/workflows/ossf-scorecard.yml @@ -13,6 +13,7 @@ jobs: analysis: name: analysis runs-on: ubuntu-latest + if: github.event.repository.fork == false permissions: id-token: write diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 4e89ec6bb85..54d2edfc955 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -12,9 +12,12 @@ permissions: jobs: stale: runs-on: ubuntu-latest + if: github.event.repository.fork == false + permissions: issues: write pull-requests: write + steps: - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 with: