From 0f1628fff2193c447cb66feec51b97a4c7c04c55 Mon Sep 17 00:00:00 2001
From: amimas
Date: Sat, 6 Jun 2026 23:04:08 -0400
Subject: [PATCH 1/2] ci: fix PR workflow auto-cancellation
---
 .github/workflows/build.yml | 2 +-
 .github/workflows/prs-entrypoint-forks.yml | 34 ++++++++++++++++++
 .github/workflows/prs-entrypoint-main.yml | 34 ++++++++++++++++++
 .github/workflows/prs-entrypoint.yml | 40 ----------------------
 4 files changed, 69 insertions(+), 41 deletions(-)
 create mode 100644 .github/workflows/prs-entrypoint-forks.yml
 create mode 100644 .github/workflows/prs-entrypoint-main.yml
 delete mode 100644 .github/workflows/prs-entrypoint.yml
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 4bd5108ce..e146d1025 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -60,7 +60,7 @@ jobs:
 path: site
 smoke-tests:
- name: "Smoke (${{ matrix.os == 'ubuntu-latest' && 'Linux' || matrix.os == 'macos-latest' && 'macOS' || 'Windows' }}, ${{ matrix.python-version }})"
+ name: "Smoke test - (${{ matrix.os == 'ubuntu-latest' && 'Linux' || matrix.os == 'macos-latest' && 'macOS' || 'Windows' }}, ${{ matrix.python-version }})"
 strategy:
 fail-fast: false
 matrix:
diff --git a/.github/workflows/prs-entrypoint-forks.yml b/.github/workflows/prs-entrypoint-forks.yml
new file mode 100644
index 000000000..d665bb656
--- /dev/null
+++ b/.github/workflows/prs-entrypoint-forks.yml
@@ -0,0 +1,34 @@
+name: "CI - Fork PRs"
+
+# This workflow handles pull requests from forked repositories.
+# It uses pull_request_target so the reusable CI workflow can receive explicit secrets.
+
+permissions:
+ actions: read
+ contents: read
+ pull-requests: write
+ security-events: write
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+ cancel-in-progress: true
+
+on:
+ pull_request_target:
+ branches:
+ - main
+
+jobs:
+ pr_jobs:
+ name: "Pipeline"
+ # github.event.pull_request object defined here: https://docs.github.com/en/rest/pulls/pulls?apiVersion=2026-03-10#get-a-pull-request
+ if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
+ uses: ./.github/workflows/pr-ci-workflow.yml
+ permissions:
+ actions: read
+ contents: read
+ packages: read
+ pull-requests: write
+ security-events: write
+ with:
+ BRANCH_REF: ${{ github.event.pull_request.head.sha }}
+ secrets: inherit
diff --git a/.github/workflows/prs-entrypoint-main.yml b/.github/workflows/prs-entrypoint-main.yml
new file mode 100644
index 000000000..15ed149df
--- /dev/null
+++ b/.github/workflows/prs-entrypoint-main.yml
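Review bot: Fork-controlled code can end up running with every repository secret in prs-entrypoint-forks.yml: the job is triggered by `pull_request_target`, passes the fork's `github.event.pull_request.head.sha` to the reusable workflow as `BRANCH_REF`, and adds `secrets: inherit` plus `pull-requests: write` and `security-events: write`. pr-ci-workflow.yml is not part of this patch, so this is inferred, but if it checks out and builds or tests that ref, unreviewed PR code executes in the base repository's trusted context. The header comment promises "explicit secrets" (prs-entrypoint-main.yml says the same), so I would replace `secrets: inherit` with a named mapping such as `secrets:` / `EXAMPLE_TOKEN: ${{ secrets.EXAMPLE_TOKEN }}` (placeholder name), limited to what the fork path needs, and keep the steps that execute PR code in jobs that get no secrets and a read-only token. Anything that still needs secrets should sit behind a maintainer gate, for example an environment with required reviewers on the relevant job inside the reusable workflow.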
@@ -0,0 +1,34 @@
+name: "CI - PRs"
+
+# This workflow is the entrypoint for pull requests opened from host repository.
+# Fork PRs are handled by prs-entrypoint-forks.yml using pull_request_target.
+# It forwards the branch SHA and explicit secrets to the reusable workflow.
+
+permissions:
+ actions: read
+ contents: read
+ pull-requests: write
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+ cancel-in-progress: true
+
+on:
+ pull_request:
+ branches:
+ - main
+
+jobs:
+ pr_jobs:
+ name: "Pipeline"
+ # github.event.pull_request object defined here: https://docs.github.com/en/rest/pulls/pulls?apiVersion=2026-03-10#get-a-pull-request
+ if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
+ uses: ./.github/workflows/pr-ci-workflow.yml
+ permissions:
+ actions: read
+ contents: read
+ packages: read
+ pull-requests: write
+ security-events: write
+ with:
+ BRANCH_REF: ${{ github.event.pull_request.head.sha }}
+ secrets: inherit
\ No newline at end of file
diff --git a/.github/workflows/prs-entrypoint.yml b/.github/workflows/prs-entrypoint.yml
deleted file mode 100644
index 7289b62e8..000000000
--- a/.github/workflows/prs-entrypoint.yml
+++ /dev/null
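Review bot: The workflow-level `permissions` block in prs-entrypoint-main.yml lists only `actions`, `contents` and `pull-requests`, but the sole job `pr_jobs` declares its own block that additionally grants `packages: read` and `security-events: write`, and a job-level block replaces the workflow-level one for that job. The top block therefore reads as a tighter scope than the token actually gets. I would either drop the job-level block and put the full set at the top, or reduce the top one to `permissions: {}` with a comment such as `# default to no permissions; pr_jobs declares what the reusable workflow needs`.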
@@ -1,40 +0,0 @@
-name: "CI"
-
-# This workflow is the entrypoint for pull request validation.
-# It selects the correct event path for same-repo vs fork PRs,
-# then forwards the branch SHA and explicit secrets to the reusable workflow.
-
-permissions:
- actions: read
- contents: read
- pull-requests: write
-concurrency:
- group: ${{github.workflow}}-${{ github.event.pull_request.number }}
- cancel-in-progress: true
-
-on:
- # PRs from branches in this repository
- pull_request:
- branches:
- - main
- # PRs from forked repositories
- pull_request_target:
- branches:
- - main
-
-jobs:
- pr_jobs:
- name: "Pipeline"
- # Only run pull_request for same-repo PRs, and pull_request_target for fork PRs.
- # This prevents duplicate workflow runs and keeps fork secret handling safe.
- if: ${{ (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'gitlabform/gitlabform') || (github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != 'gitlabform/gitlabform') }}
- uses: ./.github/workflows/pr-ci-workflow.yml
- permissions:
- actions: read
- contents: read
- packages: read
- pull-requests: write
- security-events: write
- with:
- BRANCH_REF: ${{ github.event.pull_request.head.sha }}
- secrets: inherit
\ No newline at end of file
From ba87dd9b709ec36fefa2870ba6b01c0725b107bb Mon Sep 17 00:00:00 2001
From: amimas
Date: Sat, 6 Jun 2026 23:05:12 -0400
Subject: [PATCH 2/2] chore: add newline
---
 .github/workflows/prs-entrypoint-main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/prs-entrypoint-main.yml b/.github/workflows/prs-entrypoint-main.yml
index 15ed149df..2a2917c8e 100644
--- a/.github/workflows/prs-entrypoint-main.yml
+++ b/.github/workflows/prs-entrypoint-main.yml
@@ -31,4 +31,4 @@ jobs:
 security-events: write
 with:
 BRANCH_REF: ${{ github.event.pull_request.head.sha }}
- secrets: inherit
\ No newline at end of file
+ secrets: inherit