Protocol Buffers - Google's data interchange format (grpc依赖)
https://developers.google.com/protocol-buffers/
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
162 lines
4.9 KiB
162 lines
4.9 KiB
name: Tests |
|
|
|
# This file implements the protection strategy laid out in |
|
# go/protobuf-gha-protected-resources. Pull requests from branches within this |
|
# repository are considered safe and will immediately start running tests on |
|
# every commit. Pull requests from forked repositories are unsafe, and leave |
|
# us vulnerable to PWN requests and stolen resources. In these cases, we |
|
# require a special "safe for tests" tag to be added to the pull request before |
|
# we start testing. This will be immediately removed, so that further commits |
|
# require their own stamp to test. |
|
|
|
on: |
|
# continuous |
|
schedule: |
|
# Run daily at 10 AM UTC (2 AM PDT) |
|
- cron: 0 10 * * * |
|
|
|
# postsubmit |
|
push: |
|
branches: |
|
- main |
|
- '[0-9]+.x' |
|
# The 21.x branch still uses Kokoro |
|
- '!21.x' |
|
# For testing purposes so we can stage this on the `gha` branch. |
|
- gha |
|
|
|
# safe presubmit |
|
pull_request: |
|
branches: |
|
- main |
|
- '[0-9]+.x' |
|
# The 21.x branch still uses Kokoro |
|
- '!21.x' |
|
# For testing purposes so we can stage this on the `gha` branch. |
|
- gha |
|
|
|
# unsafe presubmit |
|
pull_request_target: |
|
branches: |
|
- main |
|
- '[0-9]+.x' |
|
# The 21.x branch still uses Kokoro |
|
- '!21.x' |
|
# For testing purposes so we can stage this on the `gha` branch. |
|
- gha |
|
types: [labeled, opened, reopened, synchronize] |
|
|
|
# manual |
|
workflow_dispatch: |
|
|
|
jobs: |
|
check-tag: |
|
name: Check for Safety |
|
|
|
# Avoid running tests twice on PR updates. If the PR is coming from our |
|
# repository, it's safe and we can use `pull_request`. Otherwise, we should |
|
# use `pull_request_target`. |
|
if: | |
|
(github.event_name != 'pull_request' && |
|
github.event_name != 'pull_request_target' && |
|
github.event.repository.full_name == 'protocolbuffers/protobuf') || |
|
(github.event_name == 'pull_request' && |
|
github.event.pull_request.head.repo.full_name == 'protocolbuffers/protobuf') || |
|
(github.event_name == 'pull_request_target' && |
|
github.event.pull_request.head.repo.full_name != 'protocolbuffers/protobuf') |
|
|
|
runs-on: ubuntu-latest |
|
outputs: |
|
# Store the sha for checkout so we can easily use it later. For safe |
|
# events, this will be blank and use the defaults. |
|
checkout-sha: ${{ steps.safe-checkout.outputs.sha }} |
|
steps: |
|
- name: Check |
|
# Trivially pass for safe PRs, and explicitly error for unsafe ones |
|
# unless this is specifically an event for adding the safe label. |
|
run: > |
|
${{ github.event_name != 'pull_request_target' || github.event.label.name == ':a: safe for tests' }} || |
|
(echo "This pull request is from an unsafe fork and hasn't been approved to run tests!" && exit 1) |
|
|
|
- name: Cache safe commit |
|
id: safe-checkout |
|
run: > |
|
${{ github.event_name != 'pull_request_target' }} || |
|
echo "sha=${{ github.event.pull_request.head.sha }}" >> $GITHUB_OUTPUT |
|
|
|
remove-tag: |
|
name: Remove safety tag |
|
needs: [check-tag] |
|
if: github.event.action == 'labeled' |
|
runs-on: ubuntu-latest |
|
steps: |
|
- uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 # v1.3.0 |
|
with: |
|
labels: ':a: safe for tests' |
|
|
|
# Note: this pattern of passing the head sha is vulnerable to PWN requests for |
|
# pull_request_target events. We carefully limit those workflows to require a |
|
# human stamp before continuing. |
|
cpp: |
|
name: C++ |
|
needs: [check-tag] |
|
uses: ./.github/workflows/test_cpp.yml |
|
with: |
|
safe-checkout: ${{ needs.check-tag.outputs.checkout-sha }} |
|
secrets: inherit |
|
|
|
java: |
|
name: Java |
|
needs: [check-tag] |
|
uses: ./.github/workflows/test_java.yml |
|
with: |
|
safe-checkout: ${{ needs.check-tag.outputs.checkout-sha }} |
|
secrets: inherit |
|
|
|
python: |
|
name: Python |
|
needs: [check-tag] |
|
uses: ./.github/workflows/test_python.yml |
|
with: |
|
safe-checkout: ${{ needs.check-tag.outputs.checkout-sha }} |
|
secrets: inherit |
|
|
|
ruby: |
|
name: Ruby |
|
needs: [check-tag] |
|
uses: ./.github/workflows/test_ruby.yml |
|
with: |
|
safe-checkout: ${{ needs.check-tag.outputs.checkout-sha }} |
|
secrets: inherit |
|
|
|
php: |
|
name: PHP |
|
needs: [check-tag] |
|
uses: ./.github/workflows/test_php.yml |
|
with: |
|
safe-checkout: ${{ needs.check-tag.outputs.checkout-sha }} |
|
secrets: inherit |
|
|
|
php-ext: |
|
name: PHP Extension |
|
needs: [check-tag] |
|
uses: ./.github/workflows/test_php_ext.yml |
|
with: |
|
safe-checkout: ${{ needs.check-tag.outputs.checkout-sha }} |
|
secrets: inherit |
|
|
|
csharp: |
|
name: C# |
|
needs: [check-tag] |
|
uses: ./.github/workflows/test_csharp.yml |
|
with: |
|
safe-checkout: ${{ needs.check-tag.outputs.checkout-sha }} |
|
secrets: inherit |
|
|
|
objectivec: |
|
name: Objective-C |
|
needs: [check-tag] |
|
uses: ./.github/workflows/test_objectivec.yml |
|
with: |
|
safe-checkout: ${{ needs.check-tag.outputs.checkout-sha }} |
|
secrets: inherit
|
|
|