From 8a73d7e8553f3d21683ca304e1315e5bcff7b300 Mon Sep 17 00:00:00 2001 From: Pere Miquel Brull Date: Thu, 10 Nov 2022 09:03:08 +0100 Subject: [PATCH] Add permissions and approval flow (#8625) --- .github/workflows/airflow-apis-tests-3_9.yml | 10 +++++ .../cypress-integration-tests-mysql.yml | 10 +++++ .../cypress-integration-tests-postgresql.yml | 10 +++++ .github/workflows/docs-tests.yml | 8 ++-- .github/workflows/maven-build.yml | 10 +++++ ...etadata-ingestion-core-version-comment.yml | 45 ------------------- .github/workflows/py-checkstyle.yml | 5 +++ .github/workflows/py-generate.yml | 3 ++ .github/workflows/py-tests.yml | 10 +++++ .../workflows/selenium-noIngestion-tests.yml | 3 ++ .github/workflows/yarn-coverage.yml | 11 +++++ 11 files changed, 76 insertions(+), 49 deletions(-) delete mode 100644 .github/workflows/openmetadata-ingestion-core-version-comment.yml diff --git a/.github/workflows/airflow-apis-tests-3_9.yml b/.github/workflows/airflow-apis-tests-3_9.yml index d58070aa6e9..77747c85be3 100644 --- a/.github/workflows/airflow-apis-tests-3_9.yml +++ b/.github/workflows/airflow-apis-tests-3_9.yml @@ -23,6 +23,9 @@ on: paths: - 'openmetadata-airflow-apis/**' +permissions: + contents: read + concurrency: group: airflow-apis-tests-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -30,6 +33,13 @@ jobs: airflow-apis-tests: runs-on: ubuntu-latest steps: + - name: Wait for approval + uses: lewagon/wait-on-check-action@v1.2.0 + with: + ref: ${{ github.ref }} + check-name: 'approval' + repo-token: ${{ secrets.GITHUB_TOKEN }} + - name: Checkout uses: actions/checkout@v2 with: diff --git a/.github/workflows/cypress-integration-tests-mysql.yml b/.github/workflows/cypress-integration-tests-mysql.yml index d8f67731eff..f31d9a366e2 100644 --- a/.github/workflows/cypress-integration-tests-mysql.yml +++ b/.github/workflows/cypress-integration-tests-mysql.yml 
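Review bot: The new top-level `permissions: contents: read` sets every other scope, `checks` included, to none, yet the approval step added further down in the same workflow lists check runs with `secrets.GITHUB_TOKEN`. As far as the Checks API is documented, read requests on a public repository succeed without that scope, so this presumably works today, but it would stop working silently if the repository visibility or the endpoint's rules change. Declaring the need explicitly, `permissions:` / `  contents: read` / `  checks: read`, documents why the token is handed to the step and keeps the grant minimal.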
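Review bot: The added approval step references `lewagon/wait-on-check-action@v1.2.0`, a third-party action pinned only to a mutable tag, and it is now the step that decides whether untrusted pull-request code runs at all. A tag can be moved by the action's maintainer or by anyone who compromises that account, so pin it to the full commit SHA of the v1.2.0 release and keep the tag as a comment, e.g. `uses: lewagon/wait-on-check-action@<40-char-sha> # v1.2.0`. The identical seven-line step is copied into five workflows in this patch; a local composite action under `.github/actions/` would keep the pin and the inputs in one place. The `airflow-apis-tests` job continues past the end of this hunk.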
@@ -26,6 +26,9 @@ on: paths-ignore: - 'openmetadata-docs/**' +permissions: + contents: read + concurrency: group: cypress-integration-tests-mysql-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -38,6 +41,13 @@ jobs: job: [0, 1] environment: cypress steps: + - name: Wait for approval + uses: lewagon/wait-on-check-action@v1.2.0 + with: + ref: ${{ github.ref }} + check-name: 'approval' + repo-token: ${{ secrets.GITHUB_TOKEN }} + - name: Checkout uses: actions/checkout@v2 with: diff --git a/.github/workflows/cypress-integration-tests-postgresql.yml b/.github/workflows/cypress-integration-tests-postgresql.yml index 6675fd19aa1..18ab8a43b72 100644 --- a/.github/workflows/cypress-integration-tests-postgresql.yml +++ b/.github/workflows/cypress-integration-tests-postgresql.yml @@ -26,6 +26,9 @@ on: paths-ignore: - 'openmetadata-docs/**' +permissions: + contents: read + concurrency: group: cypress-integration-tests-postgresql-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -38,6 +41,13 @@ jobs: job: [0, 1] environment: cypress steps: + - name: Wait for approval + uses: lewagon/wait-on-check-action@v1.2.0 + with: + ref: ${{ github.ref }} + check-name: 'approval' + repo-token: ${{ secrets.GITHUB_TOKEN }} + - name: Checkout uses: actions/checkout@v2 with: diff --git a/.github/workflows/docs-tests.yml b/.github/workflows/docs-tests.yml index e2273ddfe93..561eb2b95d5 100644 --- a/.github/workflows/docs-tests.yml +++ b/.github/workflows/docs-tests.yml @@ -18,11 +18,14 @@ on: - '0.[0-9]+.[0-9]+' paths: - 'openmetadata-docs/**' - pull_request_target: + pull_request: types: [labeled, opened, synchronize, reopened] paths: - 'openmetadata-docs/**' +permissions: + contents: read + concurrency: group: docs-tests-${{ github.head_ref || github.run_id }} cancel-in-progress: true 
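Review bot: The wait step polls until an `approval` check appears, but the job has no `timeout-minutes`, so a pull request that is never approved holds both matrix runners (`job: [0, 1]`) until GitHub's default six-hour job limit, and every open fork PR does the same. Add a bound such as `timeout-minutes: 60` on the job, or a shorter one on the step, so unapproved runs fail fast instead of burning runner minutes. Since this job already declares `environment: cypress`, environment protection rules with required reviewers would provide the same gate natively and pause the job before a runner is allocated; worth confirming whether that fits the intended flow. The job definition continues outside this hunk.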
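Review bot: The wait step relies on the action's default `allowed-conclusions`, which to my knowledge is `success,skipped`, so an `approval` check that is skipped — for instance because its own workflow is path-filtered or conditionally skipped — would count as approval and let the postgresql tests run. If the pinned version supports the input, make the accepted outcome explicit with `allowed-conclusions: success`; if it does not, record the assumption in a comment on the step. The `approval` check's own workflow is not part of this patch, so its skip conditions cannot be verified here.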
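Review bot: The `labeled` entry kept in `types:` under the new `pull_request` trigger of `docs-tests` presumably only existed as the approval hook for the old `pull_request_target` flow, and under `pull_request` it has no gating effect. Every label added to a docs PR now queues another run that the concurrency group then cancels, which is noise rather than harm, but `types: [opened, synchronize, reopened]` expresses the intent more precisely unless labels are still meant to re-trigger the job. The checkout change for this file is in the following hunk.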
@@ -32,9 +35,6 @@ jobs: steps: - name: Checkout uses: actions/checkout@v2 - with: - ref: ${{ github.event.pull_request.head.sha }} - fetch-depth: 0 - name: Run Docs export run: make docker-docs-validate diff --git a/.github/workflows/maven-build.yml b/.github/workflows/maven-build.yml index 8f38de62d94..9011d2f005f 100644 --- a/.github/workflows/maven-build.yml +++ b/.github/workflows/maven-build.yml @@ -27,6 +27,9 @@ on: - "openmetadata-service/**" - "openmetadata-ui/**" +permissions: + contents: read + concurrency: group: maven-build-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -42,6 +45,13 @@ jobs: - 16.x steps: + - name: Wait for approval + uses: lewagon/wait-on-check-action@v1.2.0 + with: + ref: ${{ github.ref }} + check-name: 'approval' + repo-token: ${{ secrets.GITHUB_TOKEN }} + - name: install libssl run: | sudo su -c "echo 'deb http://security.ubuntu.com/ubuntu xenial-security main' >> /etc/apt/sources.list" diff --git a/.github/workflows/openmetadata-ingestion-core-version-comment.yml b/.github/workflows/openmetadata-ingestion-core-version-comment.yml deleted file mode 100644 index 3686e5b350c..00000000000 --- a/.github/workflows/openmetadata-ingestion-core-version-comment.yml +++ /dev/null 
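Review bot: The wait step passes `ref: ${{ github.ref }}`, which on a `pull_request` event is the synthetic `refs/pull/<n>/merge` ref, while check runs created by Actions are normally attached to the PR head commit; if the `approval` check is reported that way, the lookup may never find it and the step polls indefinitely. If this workflow's `on:` block, which sits above the hunk, also includes `push` triggers, the step runs there too and waits for a check that never exists. Consider `ref: ${{ github.event.pull_request.head.sha || github.sha }}` together with `if: github.event_name == 'pull_request'` on the step, and verify against the workflow that creates the `approval` check, which is not part of this patch. The `install libssl` step and the rest of the job continue outside this hunk.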
@@ -1,45 +0,0 @@ -# Copyright 2021 Collate -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# http://www.apache.org/licenses/LICENSE-2.0 -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: OpenMetadata Ingestion Core Version Check Comment - -# read-write repo token -# access to secrets -on: - pull_request_target: - branches: - - main - - '0.[0-9]+.[0-9]+' - types: [ opened ] - paths: - - 'openmetadata-service/src/main/resources/json/schema/**' - -concurrency: - group: openmetadata-ingestion-core-version-comment-${{ github.head_ref }} - cancel-in-progress: true -jobs: - py-ingestion-core-comment: - runs-on: ubuntu-latest - - steps: - - name: Checkout - uses: actions/checkout@v2 - with: - ref: ${{ github.event.pull_request.head.sha }} - - - name: Create a comment in the PR with the instructions - uses: peter-evans/create-or-update-comment@v1 - with: - issue-number: ${{ github.event.pull_request.number }} - body: | - **Schema Change Detected. Needs ingestion-core version bump** - - Please run `make core_bump_version_dev` in the project's root and commit the changes to _version.py in this PR. Please ignore if this has been handled already. diff --git a/.github/workflows/py-checkstyle.yml b/.github/workflows/py-checkstyle.yml index 05681a8d676..afbf36e5235 100644 --- a/.github/workflows/py-checkstyle.yml +++ b/.github/workflows/py-checkstyle.yml @@ -19,6 +19,9 @@ on: - main - '0.[0-9]+.[0-9]+' +permissions: + contents: read + concurrency: group: py-checkstyle-${{ github.head_ref }} cancel-in-progress: true 
@@ -26,6 +29,8 @@ concurrency: jobs: py-checkstyle: runs-on: ubuntu-latest + permissions: + pull-requests: write steps: - name: Checkout diff --git a/.github/workflows/py-generate.yml b/.github/workflows/py-generate.yml index d616ea38c8b..fecc99a8603 100644 --- a/.github/workflows/py-generate.yml +++ b/.github/workflows/py-generate.yml @@ -19,6 +19,9 @@ on: paths: - 'openmetadata-service/src/main/resources/json/**' +permissions: + contents: read + concurrency: group: py-generate-${{ github.head_ref }} cancel-in-progress: true diff --git a/.github/workflows/py-tests.yml b/.github/workflows/py-tests.yml index b80023f2412..ac22465caaa 100644 --- a/.github/workflows/py-tests.yml +++ b/.github/workflows/py-tests.yml @@ -26,6 +26,9 @@ on: - ingestion/** - openmetadata-service/** +permissions: + contents: read + jobs: py-run-tests: runs-on: ubuntu-latest @@ -33,6 +36,13 @@ jobs: matrix: py-version: ['3.7', '3.8', '3.9'] steps: + - name: Wait for approval + uses: lewagon/wait-on-check-action@v1.2.0 + with: + ref: ${{ github.ref }} + check-name: 'approval' + repo-token: ${{ secrets.GITHUB_TOKEN }} + - name: Checkout uses: actions/checkout@v2 with: diff --git a/.github/workflows/selenium-noIngestion-tests.yml b/.github/workflows/selenium-noIngestion-tests.yml index bce243a33ed..5b5b6bd0633 100644 --- a/.github/workflows/selenium-noIngestion-tests.yml +++ b/.github/workflows/selenium-noIngestion-tests.yml @@ -30,6 +30,9 @@ on: - 'openmetadata-ui/src/main/resources/ui/**' - 'openmetadata-ui/src/test/java/org/openmetadata/catalog/selenium/pagesWithoutData/**' +permissions: + contents: read + concurrency: group: selenium-noIngestion-tests-${{ github.head_ref || github.run_id }} cancel-in-progress: true diff --git a/.github/workflows/yarn-coverage.yml b/.github/workflows/yarn-coverage.yml index c07527831d4..125144e14c9 100644 --- a/.github/workflows/yarn-coverage.yml +++ b/.github/workflows/yarn-coverage.yml 
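Review bot: The job-level `permissions: pull-requests: write` block replaces the workflow-level block for `py-checkstyle` rather than merging with it, so `contents` is reset to none for this job even though the earlier hunk just granted `contents: read`. The `Checkout` step visible below may still succeed on a public repository, but the intent is lost and a private fork or mirror would fail there. Declare both scopes in the job block: `permissions:` / `  contents: read` / `  pull-requests: write`. The job's steps continue outside this hunk.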
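Review bot: The wait step in `py-tests` is added without a `concurrency` block in this workflow — the earlier hunk inserts `permissions:` directly between `on:` and `jobs:`, whereas every sibling workflow in the patch has a `concurrency` group with `cancel-in-progress: true`. Each push to an unapproved PR therefore starts another run whose three matrix legs (`'3.7'`, `'3.8'`, `'3.9'`) all sit polling for the `approval` check, and nothing bounds how long they wait. Add `concurrency:` / `  group: py-tests-${{ github.head_ref || github.run_id }}` / `  cancel-in-progress: true` at the top level and a `timeout-minutes` on the job, unless a concurrency block exists elsewhere in the file outside this view.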
@@ -13,6 +13,10 @@ on: types: [opened, synchronize, reopened] paths: - openmetadata-ui/src/main/resources/ui/** + +permissions: + contents: read + env: UI_WORKING_DIRECTORY: openmetadata-ui/src/main/resources/ui concurrency: @@ -25,6 +29,13 @@ jobs: node-version: [16.x] runs-on: ubuntu-latest steps: + - name: Wait for approval + uses: lewagon/wait-on-check-action@v1.2.0 + with: + ref: ${{ github.ref }} + check-name: 'approval' + repo-token: ${{ secrets.GITHUB_TOKEN }} + - uses: actions/checkout@v2 with: ref: ${{ github.event.pull_request.head.sha }}
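Review bot: The wait step gates on `ref: ${{ github.ref }}` while the checkout two lines below pins `ref: ${{ github.event.pull_request.head.sha }}`, so the commit whose `approval` check is consulted and the commit whose code is then run are named by different expressions. Using the same expression in both places, `ref: ${{ github.event.pull_request.head.sha || github.sha }}`, ties the approval to the exact head commit being checked out and still resolves on non-PR events. Whether the `approval` check is attached to the head SHA or the merge ref depends on the workflow that creates it, which is not in this patch; confirm before changing.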