Protocol Buffers - Google's data interchange format (grpc依赖) https://developers.google.com/protocol-buffers/
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

123 lines
3.9 KiB

name: Tests
# This file implements the protection strategy laid out in
# go/protobuf-gha-protected-resources. Pull requests from branches within this
# repository are considered safe and will immediately start running tests on
# every commit. Pull requests from forked repositories are unsafe, and leave
# us vulnerable to PWN requests and stolen resources. In these cases, we
# require a special "safe for tests" tag to be added to the pull request before
# we start testing. This will be immediately removed, so that further commits
# require their own stamp to test.
on:
# continuous
schedule:
# Run daily at 10 AM UTC (2 AM PDT)
- cron: 0 10 * * *
# postsubmit
push:
branches:
- main
- '[0-9]+.x'
# For testing purposes so we can stage this on the `gha` branch.
- gha
# safe presubmit
pull_request:
branches:
- main
- '[0-9]+.x'
# For testing purposes so we can stage this on the `gha` branch.
- gha
# unsafe presubmit
pull_request_target:
branches:
- main
- '[0-9]+.x'
# For testing purposes so we can stage this on the `gha` branch.
- gha
types: [labeled, opened, reopened, synchronize]
# manual
workflow_dispatch:
jobs:
check-tag:
name: Check for Safety
# Avoid running tests twice on PR updates. If the PR is coming from our
# repository, it's safe and we can use `pull_request`. Otherwise, we should
# use `pull_request_target`.
if: |
github.event_name == 'push' ||
(github.event_name == 'pull_request' &&
github.event.pull_request.head.repo.full_name == 'protocolbuffers/protobuf') ||
(github.event_name == 'pull_request_target' &&
github.event.pull_request.head.repo.full_name != 'protocolbuffers/protobuf')
runs-on: ubuntu-latest
outputs:
# Store the sha for checkout so we can easily use it later. For safe
# events, this will be blank and use the defaults.
checkout-sha: ${{ steps.safe-checkout.outputs.sha }}
steps:
- name: Check
# Trivially pass for safe PRs, and explicitly error for unsafe ones
# unless this is specifically an event for adding the safe label.
run: >
${{ github.event_name != 'pull_request_target' || github.event.label.name == 'safe for tests' }} ||
(echo "This pull request is from an unsafe fork and hasn't been approved to run tests!" && exit 1)
- name: Cache safe commit
id: safe-checkout
run: >
${{ github.event_name != 'pull_request_target' }} ||
echo "sha=${{ github.event.pull_request.head.sha }}" >> $GITHUB_OUTPUT
remove-tag:
name: Remove safety tag
needs: [check-tag]
if: github.event.action == 'labeled'
runs-on: ubuntu-latest
steps:
- uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 # v1.3.0
with:
labels: safe for tests
# Note: this pattern of passing the head sha is vulnerable to PWN requests for
# pull_request_target events. We carefully limit those workflows to require a
# human stamp before continuing.
cpp-bazel:
name: C++
needs: [check-tag]
uses: ./.github/workflows/test_cpp.yml
with:
safe-checkout: ${{ needs.check-tag.outputs.checkout-sha }}
secrets: inherit
ruby-install:
name: Ruby Install
needs: [check-tag]
uses: ./.github/workflows/test_ruby_install.yml
with:
safe-checkout: ${{ needs.check-tag.outputs.checkout-sha }}
secrets: inherit
php:
name: PHP
needs: [check-tag]
uses: ./.github/workflows/test_php.yml
with:
safe-checkout: ${{ needs.check-tag.outputs.checkout-sha }}
secrets: inherit
php-ext:
name: PHP Extension
needs: [check-tag]
uses: ./.github/workflows/test_php_ext.yml
with:
safe-checkout: ${{ needs.check-tag.outputs.checkout-sha }}
secrets: inherit