forked from storybookjs/storybook
-
Notifications
You must be signed in to change notification settings - Fork 0
167 lines (157 loc) · 10.1 KB
/
Copy pathtrigger-circle-ci-workflow.yml
File metadata and controls
167 lines (157 loc) · 10.1 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
###################################################################################################
# #
# ██ #
# ██░░██ #
# ░░ ░░ ██░░░░░░██ ░░░░ #
# ██░░░░░░░░░░██ #
# ██░░░░░░░░░░██ #
# ██░░░░░░░░░░░░░░██ #
# ██░░░░░░██████░░░░░░██ #
# ██░░░░░░██████░░░░░░██ #
# ██░░░░░░░░██████░░░░░░░░██ #
# ██░░░░░░░░██████░░░░░░░░██ #
# ██░░░░░░░░░░██████░░░░░░░░░░██ #
# ██░░░░░░░░░░░░██████░░░░░░░░░░░░██ #
# ██░░░░░░░░░░░░██████░░░░░░░░░░░░██ #
# ██░░░░░░░░░░░░░░██████░░░░░░░░░░░░░░██ #
# ██░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░██ #
# ██░░░░░░░░░░░░░░░░██████░░░░░░░░░░░░░░░░██ #
# ██░░░░░░░░░░░░░░░░██████░░░░░░░░░░░░░░░░██ #
# ██░░░░░░░░░░░░░░░░░░██████░░░░░░░░░░░░░░░░░░██ #
# ░░ ██░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░██ #
# ██████████████████████████████████████████ #
# #
# #
# SECURITY WARNING: Ensure your `pull_request_target` job respects the following rules: #
# #
# - Never write to GitHub Actions cache, as it would allow cache poisoning attacks #
# - Only call third-party systems that are aware the code passed to them could be untrustworthy #
# - Always set explicit permissions on your PR to limit the capabilities of secrets.GITHUB_TOKEN #
# #
###################################################################################################
name: Trigger CircleCI workflow
# Start with empty permissions on `pull_request_target`, then set permissions per job as needed.
permissions: {}
on:
# zizmor: ignore[dangerous-triggers] # required for fork PRs; no fork code is checked out — only the Circle CI API is called
pull_request_target:
types: [opened, synchronize, labeled, reopened]
push:
branches:
- next
- main
# For PR events, group per-PR (github.ref is refs/pull/<n>/merge) so redundant
# re-triggers on the same PR cancel each other. For pushes to a shared branch
# (next/main), key on the commit SHA instead: otherwise two merges landing close
# together share the refs/heads/<branch> group and the earlier merge's trigger is
# cancelled before it can POST to CircleCI, silently skipping its `merged` workflow.
concurrency:
group: ${{ github.workflow }}-${{ github.event_name == 'push' && github.sha || github.event.pull_request.number }}
cancel-in-progress: true
jobs:
get-branch:
if: github.repository_owner == 'storybookjs'
runs-on: ubuntu-latest
permissions: {}
steps:
- id: get-branch
env:
REF_NAME: ${{ github.ref_name }}
PR_REF_NAME: ${{ github.event.pull_request.head.ref }}
PR_NUMBER: ${{ github.event.pull_request.number }}
IS_FORK: ${{ github.event.pull_request.head.repo.fork }}
EVENT_NAME: ${{ github.event_name }}
run: |
if [ "$IS_FORK" = "true" ]; then
BRANCH="pull/${PR_NUMBER}/head"
elif [ "$EVENT_NAME" = "push" ]; then
BRANCH="$REF_NAME"
else
BRANCH="$PR_REF_NAME"
fi
echo "$BRANCH"
echo "branch=$BRANCH" >> "$GITHUB_OUTPUT"
outputs:
branch: ${{ steps.get-branch.outputs.branch }}
get-parameters:
if: github.repository_owner == 'storybookjs'
runs-on: ubuntu-latest
permissions: {}
steps:
- id: normal
if: github.event_name == 'pull_request_target' && (contains(github.event.pull_request.labels.*.name, 'ci:normal'))
run: echo "workflow=normal" >> "$GITHUB_OUTPUT"
- id: docs
if: github.event_name == 'pull_request_target' && (contains(github.event.pull_request.labels.*.name, 'ci:docs'))
run: echo "workflow=docs" >> "$GITHUB_OUTPUT"
- id: merged
if: github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'ci:merged')
run: echo "workflow=merged" >> "$GITHUB_OUTPUT"
- id: daily
if: github.event_name == 'pull_request_target' && (contains(github.event.pull_request.labels.*.name, 'ci:daily'))
run: echo "workflow=daily" >> "$GITHUB_OUTPUT"
- id: trusted-author
env:
EVENT_NAME: ${{ github.event_name }}
USER_TYPE: ${{ github.event.pull_request.user.type }}
USER_LOGIN: ${{ github.event.pull_request.user.login }}
GITHUB_API_TOKEN: ${{ secrets.STORYBOOKJS_ORG_MEMBERSHIP_TOKEN }}
run: |
# You can only push to `main` and `next` as a core team member, so the content is trustworthy.
if [ "$EVENT_NAME" = "push" ]; then
echo "result=true" >> "$GITHUB_OUTPUT"
# These commits are made by the release actions, which are gated to core team members.
elif [ "$USER_LOGIN" = "github-actions[bot]" ] && [ "$USER_TYPE" = "Bot" ]; then
echo "result=true" >> "$GITHUB_OUTPUT"
else
# Explicitly trust only members of specific Storybook teams.
# Team slugs for: Maintainers, Core, Developer Experience.
TRUSTED_TEAMS="maintainers core developer-experience"
IS_TRUSTED=false
for TEAM in $TRUSTED_TEAMS; do
STATE=$(curl -fsSL \
-H "Authorization: Bearer $GITHUB_API_TOKEN" \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
"https://api.github.com/orgs/storybookjs/teams/$TEAM/memberships/$USER_LOGIN" \
| jq -r '.state' 2>/dev/null || true)
if [ "$STATE" = "active" ]; then
IS_TRUSTED=true
break
fi
done
echo "result=$IS_TRUSTED" >> "$GITHUB_OUTPUT"
fi
outputs:
workflow: ${{ steps.normal.outputs.workflow || steps.docs.outputs.workflow || steps.merged.outputs.workflow || steps.daily.outputs.workflow }}
ghBaseBranch: ${{ github.event.pull_request.base.ref }}
ghPrNumber: ${{ github.event.pull_request.number }}
ghTrustedAuthor: ${{ steps.trusted-author.outputs.result }}
trigger-circle-ci-workflow:
runs-on: ubuntu-latest
needs: [get-branch, get-parameters]
if: github.repository_owner == 'storybookjs' && needs.get-parameters.outputs.workflow != ''
permissions: {}
steps:
- name: Trigger CircleCI pipeline
env:
CIRCLE_CI_TOKEN: ${{ secrets.CIRCLE_CI_TOKEN }}
BRANCH: ${{ needs.get-branch.outputs.branch }}
WORKFLOW: ${{ needs.get-parameters.outputs.workflow }}
GH_BASE_BRANCH: ${{ needs.get-parameters.outputs.ghBaseBranch }}
GH_PR_NUMBER: ${{ needs.get-parameters.outputs.ghPrNumber }}
GH_TRUSTED_AUTHOR: ${{ needs.get-parameters.outputs.ghTrustedAuthor }}
run: |
PARAMETERS=$(jq -nc \
--arg workflow "$WORKFLOW" \
--arg ghBaseBranch "$GH_BASE_BRANCH" \
--arg ghPrNumber "$GH_PR_NUMBER" \
--arg ghTrustedAuthor "$GH_TRUSTED_AUTHOR" \
'{workflow: $workflow, ghBaseBranch: $ghBaseBranch, ghPrNumber: $ghPrNumber, ghTrustedAuthor: $ghTrustedAuthor}')
PAYLOAD=$(jq -nc --arg branch "$BRANCH" --argjson parameters "$PARAMETERS" \
'{branch: $branch, parameters: $parameters}')
curl -sS --fail-with-body -X POST \
-H "Content-Type: application/json" \
-H "Circle-Token: $CIRCLE_CI_TOKEN" \
-d "$PAYLOAD" \
"https://circleci.com/api/v2/project/gh/storybookjs/storybook/pipeline"