Add permissions and approval flow (#8625)

2025-11-02 19:48:17 +00:00 · 2022-11-10 09:03:08 +01:00 · 2022-11-10 09:03:08 +01:00 · 8a73d7e855
commit 8a73d7e855
parent 5d4f4a819f
11 changed files with 76 additions and 49 deletions
--- a/.github/workflows/airflow-apis-tests-3_9.yml
+++ b/.github/workflows/airflow-apis-tests-3_9.yml
@ -23,6 +23,9 @@ on:
    paths:
      - 'openmetadata-airflow-apis/**'

+permissions:
+  contents: read
+
 concurrency: 
  group: airflow-apis-tests-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
@ -30,6 +33,13 @@ jobs:
  airflow-apis-tests:
    runs-on: ubuntu-latest
    steps:
+    - name: Wait for approval
+      uses: lewagon/wait-on-check-action@v1.2.0
+      with:
+        ref: ${{ github.ref }}
+        check-name: 'approval'
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+
    - name: Checkout
      uses: actions/checkout@v2
      with:
--- a/.github/workflows/cypress-integration-tests-mysql.yml
+++ b/.github/workflows/cypress-integration-tests-mysql.yml
@ -26,6 +26,9 @@ on:
    paths-ignore:
      - 'openmetadata-docs/**'

+permissions:
+  contents: read
+
 concurrency:
  group: cypress-integration-tests-mysql-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
@ -38,6 +41,13 @@ jobs:
        job: [0, 1]
    environment: cypress
    steps:
+      - name: Wait for approval
+        uses: lewagon/wait-on-check-action@v1.2.0
+        with:
+          ref: ${{ github.ref }}
+          check-name: 'approval'
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+
      - name: Checkout
        uses: actions/checkout@v2
        with:
--- a/.github/workflows/cypress-integration-tests-postgresql.yml
+++ b/.github/workflows/cypress-integration-tests-postgresql.yml
@ -26,6 +26,9 @@ on:
    paths-ignore:
      - 'openmetadata-docs/**'

+permissions:
+  contents: read
+
 concurrency:
  group: cypress-integration-tests-postgresql-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
@ -38,6 +41,13 @@ jobs:
        job: [0, 1]
    environment: cypress
    steps:
+      - name: Wait for approval
+        uses: lewagon/wait-on-check-action@v1.2.0
+        with:
+          ref: ${{ github.ref }}
+          check-name: 'approval'
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+
      - name: Checkout
        uses: actions/checkout@v2
        with:
--- a/.github/workflows/docs-tests.yml
+++ b/.github/workflows/docs-tests.yml
@ -18,11 +18,14 @@ on:
      - '0.[0-9]+.[0-9]+'
    paths:
      - 'openmetadata-docs/**'
-  pull_request_target:
+  pull_request:
    types: [labeled, opened, synchronize, reopened]
    paths:
      - 'openmetadata-docs/**'

+permissions:
+  contents: read
+
 concurrency: 
  group: docs-tests-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
@ -32,9 +35,6 @@ jobs:
    steps:
    - name: Checkout
      uses: actions/checkout@v2
-      with:
-        ref: ${{ github.event.pull_request.head.sha }}
-        fetch-depth: 0

    - name: Run Docs export
      run: make docker-docs-validate
--- a/.github/workflows/maven-build.yml
+++ b/.github/workflows/maven-build.yml
@ -27,6 +27,9 @@ on:
      - "openmetadata-service/**"
      - "openmetadata-ui/**"

+permissions:
+  contents: read
+
 concurrency: 
  group: maven-build-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
@ -42,6 +45,13 @@ jobs:
          - 16.x

    steps:
+      - name: Wait for approval
+        uses: lewagon/wait-on-check-action@v1.2.0
+        with:
+          ref: ${{ github.ref }}
+          check-name: 'approval'
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+
      - name: install libssl
        run: |
         sudo su -c "echo 'deb http://security.ubuntu.com/ubuntu xenial-security main' >> /etc/apt/sources.list"
--- a/.github/workflows/openmetadata-ingestion-core-version-comment.yml
+++ b/.github/workflows/openmetadata-ingestion-core-version-comment.yml
@ -1,45 +0,0 @@
-#  Copyright 2021 Collate
-#  Licensed under the Apache License, Version 2.0 (the "License");
-#  you may not use this file except in compliance with the License.
-#  You may obtain a copy of the License at
-#  http://www.apache.org/licenses/LICENSE-2.0
-#  Unless required by applicable law or agreed to in writing, software
-#  distributed under the License is distributed on an "AS IS" BASIS,
-#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-#  See the License for the specific language governing permissions and
-#  limitations under the License.
-
-name: OpenMetadata Ingestion Core Version Check Comment
-
-# read-write repo token
-# access to secrets
-on:
-  pull_request_target:
-    branches:
-      - main
-      - '0.[0-9]+.[0-9]+'
-    types: [ opened ]
-    paths:
-    - 'openmetadata-service/src/main/resources/json/schema/**'
-
-concurrency: 
-  group: openmetadata-ingestion-core-version-comment-${{ github.head_ref }}
-  cancel-in-progress: true
-jobs:
-  py-ingestion-core-comment:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-
-      - name: Create a comment in the PR with the instructions
-        uses: peter-evans/create-or-update-comment@v1
-        with:
-          issue-number: ${{ github.event.pull_request.number }}
-          body: |
-            **Schema Change Detected. Needs ingestion-core version bump**
-
-            Please run `make core_bump_version_dev` in the project's root and commit the changes to _version.py in this PR. Please ignore if this has been handled already.
--- a/.github/workflows/py-checkstyle.yml
+++ b/.github/workflows/py-checkstyle.yml
@ -19,6 +19,9 @@ on:
      - main
      - '0.[0-9]+.[0-9]+'

+permissions:
+  contents: read
+
 concurrency: 
  group: py-checkstyle-${{ github.head_ref }}
  cancel-in-progress: true
@ -26,6 +29,8 @@ concurrency:
 jobs:
  py-checkstyle:
    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write

    steps:
      - name: Checkout
--- a/.github/workflows/py-generate.yml
+++ b/.github/workflows/py-generate.yml
@ -19,6 +19,9 @@ on:
    paths:
      - 'openmetadata-service/src/main/resources/json/**'

+permissions:
+  contents: read
+
 concurrency: 
  group: py-generate-${{ github.head_ref }}
  cancel-in-progress: true
--- a/.github/workflows/py-tests.yml
+++ b/.github/workflows/py-tests.yml
@ -26,6 +26,9 @@ on:
      - ingestion/**
      - openmetadata-service/**

+permissions:
+  contents: read
+
 jobs:
  py-run-tests:
    runs-on: ubuntu-latest
@ -33,6 +36,13 @@ jobs:
      matrix:
        py-version: ['3.7', '3.8', '3.9']
    steps:
+    - name: Wait for approval
+      uses: lewagon/wait-on-check-action@v1.2.0
+      with:
+        ref: ${{ github.ref }}
+        check-name: 'approval'
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+
    - name: Checkout
      uses: actions/checkout@v2
      with:
--- a/.github/workflows/selenium-noIngestion-tests.yml
+++ b/.github/workflows/selenium-noIngestion-tests.yml
@ -30,6 +30,9 @@ on:
      - 'openmetadata-ui/src/main/resources/ui/**'
      - 'openmetadata-ui/src/test/java/org/openmetadata/catalog/selenium/pagesWithoutData/**'

+permissions:
+  contents: read
+
 concurrency: 
  group: selenium-noIngestion-tests-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
--- a/.github/workflows/yarn-coverage.yml
+++ b/.github/workflows/yarn-coverage.yml
@ -13,6 +13,10 @@ on:
    types: [opened, synchronize, reopened]
    paths:
      - openmetadata-ui/src/main/resources/ui/**
+
+permissions:
+  contents: read
+
 env:
  UI_WORKING_DIRECTORY: openmetadata-ui/src/main/resources/ui
 concurrency: 
@ -25,6 +29,13 @@ jobs:
        node-version: [16.x]
    runs-on: ubuntu-latest
    steps:
+    - name: Wait for approval
+      uses: lewagon/wait-on-check-action@v1.2.0
+      with:
+        ref: ${{ github.ref }}
+        check-name: 'approval'
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+
    - uses: actions/checkout@v2
      with:
        ref: ${{ github.event.pull_request.head.sha }}