Implement sensitive workflows for PRs

Serious-senpai · Oct 3, 2024 · 00aad63 · 00aad63
1 parent cbd20b7
commit 00aad63
Show file tree

Hide file tree

Showing 2 changed files with 67 additions and 7 deletions.
diff --git a/.github/workflows/receive-pr.yml b/.github/workflows/receive-pr.yml
@@ -0,0 +1,23 @@
+name: Trigger PR sensitive workflows
+
+on: pull_request  # Require approval
+# IMPORTANT: Change settings in Actions/General to "Require approval for all outside collaborators".
+# Before approving workflow from public forks, triple check the code.
+
+permissions:
+  contents: read
+
+jobs:
+  pr-sha:
+    name: Get pull request SHA
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Save pull request HEAD SHA
+        run: echo ${{ github.event.pull_request.head.sha }} > pr.txt
+
+      - name: Upload pull request HEAD SHA
+        uses: actions/upload-artifact@v4
+        with:
+          name: pr-sha
+          path: pr.txt
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -2,17 +2,17 @@ name: Run tests
 
 on:
   push:
-    branches:
-      - main
-
-  pull_request_target:
+  workflow_run:
+    workflows: Trigger PR sensitive workflows
+    types: completed
 
 permissions:
   contents: read
 
 jobs:
   python:
     name: Test web application
+    if: ${{ github.event_name == 'push' || github.event.workflow_run.conclusion == 'success' }}
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
@@ -28,11 +28,27 @@ jobs:
 
     steps:
       - name: Checkout repository
+        if: ${{ github.event_name == 'push' }}
+        uses: actions/checkout@v4
+
+      - name: Get pull request HEAD SHA
+        if: ${{ github.event_name == 'workflow_run' }}
+        uses: actions/download-artifact@v4
+        with:
+          name: pr-sha
+          path: /tmp/
+          run-id: ${{ github.event.workflow_run.id }}
+
+      - name: Print pull request HEAD SHA
+        id: pr-sha-step
+        if: ${{ github.event_name == 'workflow_run' }}
+        run: echo "sha=$(cat /tmp/pr.txt)" > $GITHUB_OUTPUT
+
+      - name: Checkout pull request directory
+        if: ${{ github.event_name == 'workflow_run' }}
         uses: actions/checkout@v4
         with:
-          # IMPORTANT: Change settings in Actions/General to "Require approval for all outside collaborators".
-          # Before approving workflow from public forks, triple check the code.
-          ref: ${{ github.event.pull_request.head.sha }}
+          ref: ${{ steps.pr-sha-step.outputs.sha }}
 
       - name: Setup Python
         uses: actions/setup-python@v5
@@ -67,6 +83,7 @@ jobs:
 
   flutter:
     name: Test client application
+    if: ${{ github.event_name == 'push' || github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success' }}
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
@@ -78,8 +95,28 @@ jobs:
 
     steps:
       - name: Checkout repository
+        if: ${{ github.event_name == 'push' }}
         uses: actions/checkout@v4
 
+      - name: Get pull request HEAD SHA
+        if: ${{ github.event_name == 'workflow_run' }}
+        uses: actions/download-artifact@v4
+        with:
+          name: pr-sha
+          path: /tmp/
+          run-id: ${{ github.event.workflow_run.id }}
+
+      - name: Print pull request HEAD SHA
+        id: pr-sha-step
+        if: ${{ github.event_name == 'workflow_run' }}
+        run: echo "sha=$(cat /tmp/pr.txt)" > $GITHUB_OUTPUT
+
+      - name: Checkout pull request directory
+        if: ${{ github.event_name == 'workflow_run' }}
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ steps.pr-sha-step.outputs.sha }}
+
       - name: Setup Flutter
         uses: subosito/flutter-action@v2
         with: