From 3453eb38336426402692f97f8345bdf774635ac0 Mon Sep 17 00:00:00 2001 From: Greg Logan Date: Tue, 7 Jul 2026 16:45:11 -0600 Subject: [PATCH 1/4] Adding token, and making built artifacts unique per run --- .github/workflows/pr-build-test-branch.yml | 2 +- .github/workflows/pr-deploy-test-branch.yml | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pr-build-test-branch.yml b/.github/workflows/pr-build-test-branch.yml index eb8b3e1d7..69d0ab45a 100644 --- a/.github/workflows/pr-build-test-branch.yml +++ b/.github/workflows/pr-build-test-branch.yml @@ -67,7 +67,7 @@ jobs: - name: Upload build to GHA uses: actions/upload-artifact@v4 with: - name: build + name: ${{ github.run_id }} path: ${{ runner.temp }}/build.tar diff --git a/.github/workflows/pr-deploy-test-branch.yml b/.github/workflows/pr-deploy-test-branch.yml index ab290f457..f5f7ee30e 100644 --- a/.github/workflows/pr-deploy-test-branch.yml +++ b/.github/workflows/pr-deploy-test-branch.yml @@ -42,8 +42,9 @@ jobs: - name: Fetch build from GHA uses: actions/download-artifact@v4 with: - name: build - path: ${{ runner.temp }}/build.tar + name: ${{ github.event.workflow_run.id }} + path: ${{ runner.temp }}/ + github-token: ${{ github.token }} run-id: ${{ github.event.workflow_run.id }} - name: Store build in the clone From 643744f56bd138e7347a39b70379859f3e133789 Mon Sep 17 00:00:00 2001 From: Greg Logan Date: Tue, 7 Jul 2026 16:45:23 -0600 Subject: [PATCH 2/4] Setting the PR number so that the comment making step can find it. --- .github/workflows/pr-deploy-test-branch.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/pr-deploy-test-branch.yml b/.github/workflows/pr-deploy-test-branch.yml index f5f7ee30e..d307e07a2 100644 --- a/.github/workflows/pr-deploy-test-branch.yml +++ b/.github/workflows/pr-deploy-test-branch.yml @@ -84,6 +84,7 @@ jobs: - name: Add comment with deployment location uses: thollander/actions-comment-pull-request@v3 with: + pr-number: ${{ github.event.workflow_run.pull_requests[0].number }} comment-tag: static-test-deployment message: > This pull request is deployed at From c2253de44550253be6127b573b4972be940ecf79 Mon Sep 17 00:00:00 2001 From: Greg Logan Date: Tue, 7 Jul 2026 16:45:47 -0600 Subject: [PATCH 3/4] In some cases, like my test infra, the owner here needs to be templated. --- .github/workflows/pr-remove-test-branch.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr-remove-test-branch.yml b/.github/workflows/pr-remove-test-branch.yml index b1d8042ae..712c35c98 100644 --- a/.github/workflows/pr-remove-test-branch.yml +++ b/.github/workflows/pr-remove-test-branch.yml @@ -32,7 +32,7 @@ jobs: - name: Clone test repository run: | - git clone -b gh-pages "git@github.com:opencast/editor-test.git" editor-test + git clone -b gh-pages "git@github.com:${{ github.repository_owner }}/editor-test.git" editor-test - name: Delete build if present working-directory: editor-test From daef5d98845b3de10aa6a03b8feae7d28909037d Mon Sep 17 00:00:00 2001 From: Greg Logan Date: Tue, 7 Jul 2026 16:53:38 -0600 Subject: [PATCH 4/4] Removing developer/committer check prior to building PR. This would, in theory, prevent spam attacks from filling up the test repository, but in practice does nothing. GH by default requires manual enabling of builds from not-previously-contributing accounts, and if you *have* developer/committer access and your account gets compromised then... well there's not much we can do. --- .github/workflows/pr-build-test-branch.yml | 34 ---------------------- 1 file changed, 34 deletions(-) diff --git a/.github/workflows/pr-build-test-branch.yml b/.github/workflows/pr-build-test-branch.yml index 69d0ab45a..41b75d1c6 100644 --- a/.github/workflows/pr-build-test-branch.yml +++ b/.github/workflows/pr-build-test-branch.yml @@ -71,40 +71,6 @@ jobs: path: ${{ runner.temp }}/build.tar - #This is currently defunct, but kept around in case we run into issues in the future - # where this check might be handy, cf spammers filing PRs or something. - # Previously we checked is_team_member prior to doing anything else above - check-member: - name: Check organization membership - if: github.repository_owner == 'opencast' - runs-on: ubuntu-latest - - # Map a step output to a job output - outputs: - is_team_member: ${{ steps.is_developer.outputs.permitted == 'true' || steps.is_committer.outputs.permitted == 'true' }} - - steps: - - name: Check if user is Opencast developer - id: is_developer - if: ${{ github.event.pull_request.head.repo.full_name != 'opencast/editor' }} - uses: TheModdingInquisition/actions-team-membership@v1.0 - with: - team: developers - # Personal Access Token with the `read:org` permission - token: ${{ secrets.ORGANIZATION_MEMBER_SECRET }} - exit: false - - - name: Check if user is Opencast committer - id: is_committer - if: ${{ github.event.pull_request.head.repo.full_name != 'opencast/editor' }} - uses: TheModdingInquisition/actions-team-membership@v1.0 - with: - team: committers - # Personal Access Token with the `read:org` permission - token: ${{ secrets.ORGANIZATION_MEMBER_SECRET }} - exit: false - - check-no-modified-translations: name: Translations only via Crowdin if: github.repository_owner == 'opencast'