name: Tests # This file implements the protection strategy laid out in # go/protobuf-gha-protected-resources. Pull requests from branches within this # repository are considered safe and will immediately start running tests on # every commit. Pull requests from forked repositories are unsafe, and leave # us vulnerable to PWN requests and stolen resources. In these cases, we # require a special "safe for tests" tag to be added to the pull request before # we start testing. This will be immediately removed, so that further commits # require their own stamp to test. on: # continuous schedule: # Run every hour - cron: "0 * * * *" # postsubmit push: branches: - main - '[0-9]+.x' # For testing purposes so we can stage this on the `gha` branch. - gha # safe presubmit pull_request: branches: - main - '[0-9]+.x' # For testing purposes so we can stage this on the `gha` branch. - gha # unsafe presubmit pull_request_target: branches: - main - '[0-9]+.x' # For testing purposes so we can stage this on the `gha` branch. - gha types: [labeled, opened, reopened, synchronize] # manual workflow_dispatch: permissions: contents: read concurrency: group: ${{ github.event_name }}-${{ github.workflow }}-${{ github.head_ref || github.ref }} cancel-in-progress: ${{ contains(fromJSON('["pull_request", "pull_request_target", "workflow_dispatch", "schedule"]'), github.event_name) }} jobs: set-vars: name: Set Variables # Avoid running tests twice on PR updates. If the PR is coming from our # repository, it's safe and we can use `pull_request`. Otherwise, we should # use `pull_request_target`. if: | (github.event_name != 'pull_request' && github.event_name != 'pull_request_target' && github.event.repository.full_name == 'protocolbuffers/protobuf') || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'protocolbuffers/protobuf') || (github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != 'protocolbuffers/protobuf') runs-on: ubuntu-latest outputs: # Store the sha for checkout so we can easily use it later. For safe # events, this will be blank and use the defaults. checkout-sha: ${{ steps.safe-checkout.outputs.sha }} # Stores a string to be used as a boolean denoting whether this is a # continuous run. An empty string denotes that the run is on presubmit, # otherwise we are in a continuous run. This helps us determine which # tests to block on. continuous-run: ${{ steps.set-test-type-vars.outputs.continuous-run }} # Stores a string that will serve as the prefix for all continuous tests. # Either way we prepend "(Continuous)" but in the case that we are in # a presubmit run, we should also mark them "[SKIPPED]" continuous-prefix: ${{ steps.set-test-type-vars.outputs.continuous-prefix }} steps: - name: Check # Trivially pass for safe PRs, and explicitly error for unsafe ones # unless this is specifically an event for adding the safe label. run: > ${{ github.event_name != 'pull_request_target' || github.event.label.name == ':a: safe for tests' }} || (echo "This pull request is from an unsafe fork and hasn't been approved to run tests." && echo "A protobuf team member will need to review the PR and add the 'safe for tests' tag." && exit 1) - name: Cache safe commit id: safe-checkout run: > ${{ github.event_name != 'pull_request_target' }} || echo "sha=${{ github.event.pull_request.head.sha }}" >> $GITHUB_OUTPUT - name: Set Test Type Variables id: set-test-type-vars run: | if ([ "${{ github.event_name }}" == 'pull_request' ] || [ "${{ github.event_name }}" == 'pull_request_target' ]) && ${{ !contains(toJson(github.event.pull_request.body), '\n#test-continuous') }}; then echo "continuous-run=" >> "$GITHUB_OUTPUT" echo "continuous-prefix=[SKIPPED] (Continuous)" >> "$GITHUB_OUTPUT" else echo "continuous-run=continuous" >> "$GITHUB_OUTPUT" echo "continuous-prefix=(Continuous)" >> "$GITHUB_OUTPUT" fi remove-tag: name: Remove safety tag needs: [set-vars] if: github.event.action == 'labeled' runs-on: ubuntu-latest permissions: pull-requests: write steps: - uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 # v1.3.0 with: fail_on_error: true labels: ':a: safe for tests' validate-yaml: name: Validate YAML needs: [set-vars] uses: ./.github/workflows/test_yaml.yml with: safe-checkout: ${{ needs.set-vars.outputs.checkout-sha }} # Note: this pattern of passing the head sha is vulnerable to PWN requests for # pull_request_target events. We carefully limit those workflows to require a # human stamp before continuing. bazel: name: Bazel needs: [set-vars] uses: ./.github/workflows/test_bazel.yml with: continuous-run: ${{ needs.set-vars.outputs.continuous-run }} safe-checkout: ${{ needs.set-vars.outputs.checkout-sha }} continuous-prefix: ${{ needs.set-vars.outputs.continuous-prefix }} secrets: inherit cpp: name: C++ needs: [set-vars] uses: ./.github/workflows/test_cpp.yml with: continuous-run: ${{ needs.set-vars.outputs.continuous-run }} safe-checkout: ${{ needs.set-vars.outputs.checkout-sha }} continuous-prefix: ${{ needs.set-vars.outputs.continuous-prefix }} secrets: inherit java: name: Java needs: [set-vars] uses: ./.github/workflows/test_java.yml with: continuous-run: ${{ needs.set-vars.outputs.continuous-run }} safe-checkout: ${{ needs.set-vars.outputs.checkout-sha }} continuous-prefix: ${{ needs.set-vars.outputs.continuous-prefix }} secrets: inherit python: name: Python needs: [set-vars] uses: ./.github/workflows/test_python.yml with: continuous-run: ${{ needs.set-vars.outputs.continuous-run }} safe-checkout: ${{ needs.set-vars.outputs.checkout-sha }} continuous-prefix: ${{ needs.set-vars.outputs.continuous-prefix }} secrets: inherit ruby: name: Ruby needs: [set-vars] uses: ./.github/workflows/test_ruby.yml with: continuous-run: ${{ needs.set-vars.outputs.continuous-run }} safe-checkout: ${{ needs.set-vars.outputs.checkout-sha }} continuous-prefix: ${{ needs.set-vars.outputs.continuous-prefix }} secrets: inherit php: name: PHP needs: [set-vars] uses: ./.github/workflows/test_php.yml with: continuous-run: ${{ needs.set-vars.outputs.continuous-run }} safe-checkout: ${{ needs.set-vars.outputs.checkout-sha }} continuous-prefix: ${{ needs.set-vars.outputs.continuous-prefix }} secrets: inherit php-ext: name: PHP Extension needs: [set-vars] uses: ./.github/workflows/test_php_ext.yml with: continuous-run: ${{ needs.set-vars.outputs.continuous-run }} safe-checkout: ${{ needs.set-vars.outputs.checkout-sha }} continuous-prefix: ${{ needs.set-vars.outputs.continuous-prefix }} secrets: inherit csharp: name: C# needs: [set-vars] uses: ./.github/workflows/test_csharp.yml with: safe-checkout: ${{ needs.set-vars.outputs.checkout-sha }} secrets: inherit objectivec: name: Objective-C needs: [set-vars] uses: ./.github/workflows/test_objectivec.yml with: continuous-run: ${{ needs.set-vars.outputs.continuous-run }} safe-checkout: ${{ needs.set-vars.outputs.checkout-sha }} continuous-prefix: ${{ needs.set-vars.outputs.continuous-prefix }} secrets: inherit rust: name: Rust needs: [set-vars] uses: ./.github/workflows/test_rust.yml with: safe-checkout: ${{ needs.set-vars.outputs.checkout-sha }} secrets: inherit upb: name: μpb needs: [set-vars] uses: ./.github/workflows/test_upb.yml with: continuous-run: ${{ needs.set-vars.outputs.continuous-run }} safe-checkout: ${{ needs.set-vars.outputs.checkout-sha }} continuous-prefix: ${{ needs.set-vars.outputs.continuous-prefix }} secrets: inherit staleness: name: Staleness needs: [set-vars] uses: ./.github/workflows/staleness_check.yml # Staleness tests have scheduled runs during off-hours to avoid race conditions. if: ${{ github.event_name != 'schedule' }} with: continuous-run: ${{ needs.set-vars.outputs.continuous-run }} safe-checkout: ${{ needs.set-vars.outputs.checkout-sha }} secrets: inherit # This test depends on all blocking tests and indicates whether they all suceeded. all-blocking-tests: name: All Blocking Tests${{ github.event_name == 'pull_request_target' && ' (fork)' || ''}} needs: [set-vars, validate-yaml, bazel, cpp, java, python, ruby, php, php-ext, csharp, objectivec, rust, upb, staleness] runs-on: ubuntu-latest steps: - name: Check test results run: "${{ !contains(join(needs.*.result, ' '), 'failure') && !contains(join(needs.*.result, ' '), 'cancelled') }}" # This workflow must run even if one or more of the dependent workflows # failed. if: always()