diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml index ded8bad536c47..9192264266a1c 100644 --- a/.github/workflows/check.yml +++ b/.github/workflows/check.yml @@ -12,6 +12,9 @@ on: mergedSha: required: true type: string + ownersCanFail: + required: true + type: boolean targetSha: required: true type: string @@ -94,6 +97,7 @@ jobs: # handling untrusted PR input. owners: runs-on: ubuntu-24.04-arm + continue-on-error: ${{ inputs.ownersCanFail }} timeout-minutes: 5 steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 diff --git a/.github/workflows/merge-group.yml b/.github/workflows/merge-group.yml index dac02065debf2..9af5cf0ebb71f 100644 --- a/.github/workflows/merge-group.yml +++ b/.github/workflows/merge-group.yml @@ -26,19 +26,30 @@ jobs: mergedSha: ${{ inputs.mergedSha || github.event.merge_group.head_sha }} targetSha: ${{ inputs.targetSha || github.event.merge_group.base_sha }} - # This job's only purpose is to serve as a target for the "Required Status Checks" branch ruleset. + # This job's only purpose is to create the target for the "Required Status Checks" branch ruleset. # It "needs" all the jobs that should block the Merge Queue. - # If they pass, it is skipped — which counts as "success" for purposes of the branch ruleset. - # However, if any of them fail, this job will also fail — thus blocking the branch ruleset. - no-pr-failures: + unlock: + if: github.event_name != 'pull_request' # Modify this list to add or remove jobs from required status checks. needs: - lint - # WARNING: - # Do NOT change the name of this job, otherwise the rule will not catch it anymore. - # This would prevent all PRs from passing the merge queue. - name: no PR failures - if: ${{ failure() }} runs-on: ubuntu-24.04-arm + permissions: + statuses: write steps: - - run: exit 1 + - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + with: + script: | + const { serverUrl, repo, runId, payload } = context + const target_url = + `${serverUrl}/${repo.owner}/${repo.repo}/actions/runs/${runId}` + await github.rest.repos.createCommitStatus({ + ...repo, + sha: payload.merge_group.head_sha, + // WARNING: + // Do NOT change the name of this, otherwise the rule will not catch it anymore. + // This would prevent all PRs from merging. + context: 'no PR failures', + state: 'success', + target_url, + }) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index a7720df7226ad..81f0f1d0f5074 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -61,6 +61,7 @@ jobs: headBranch: ${{ needs.prepare.outputs.headBranch }} mergedSha: ${{ needs.prepare.outputs.mergedSha }} targetSha: ${{ needs.prepare.outputs.targetSha }} + ownersCanFail: ${{ !contains(fromJSON(needs.prepare.outputs.touched), 'owners') }} lint: name: Lint @@ -119,26 +120,33 @@ jobs: baseBranch: ${{ needs.prepare.outputs.baseBranch }} mergedSha: ${{ needs.prepare.outputs.mergedSha }} - # This job's only purpose is to serve as a target for the "Required Status Checks" branch ruleset. + # This job's only purpose is to create the target for the "Required Status Checks" branch ruleset. # It "needs" all the jobs that should block merging a PR. - # If they pass, it is skipped — which counts as "success" for purposes of the branch ruleset. - # However, if any of them fail, this job will also fail — thus blocking the branch ruleset. - no-pr-failures: + unlock: + if: github.event_name != 'pull_request' # Modify this list to add or remove jobs from required status checks. needs: - check - lint - eval - build - # WARNING: - # Do NOT change the name of this job, otherwise the rule will not catch it anymore. - # This would prevent all PRs from merging. - name: no PR failures - # A single job is "cancelled" when it hits its timeout. This is not the same - # as "skipped", which happens when the `if` condition doesn't apply. - # The "cancelled()" function only checks the whole workflow, but not individual - # jobs. - if: ${{ failure() || contains(needs.*.result, 'cancelled') }} runs-on: ubuntu-24.04-arm + permissions: + statuses: write steps: - - run: exit 1 + - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + with: + script: | + const { serverUrl, repo, runId, payload } = context + const target_url = + `${serverUrl}/${repo.owner}/${repo.repo}/actions/runs/${runId}?pr=${payload.pull_request.number}` + await github.rest.repos.createCommitStatus({ + ...repo, + sha: payload.pull_request.head.sha, + // WARNING: + // Do NOT change the name of this, otherwise the rule will not catch it anymore. + // This would prevent all PRs from merging. + context: 'no PR failures', + state: 'success', + target_url, + }) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index f26c371a55639..b3c2c6c598631 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -76,6 +76,9 @@ jobs: name: Merge Group needs: [prepare] uses: ./.github/workflows/merge-group.yml + # Those are actually only used on the merge_group event, but will throw an error if not set. + permissions: + statuses: write secrets: CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} with: @@ -87,7 +90,7 @@ jobs: name: PR needs: [prepare] uses: ./.github/workflows/pr.yml - # Those are not actually used on pull_request, but will throw an error if not set. + # Those are actually only used on the pull_request_target event, but will throw an error if not set. permissions: issues: write pull-requests: write @@ -102,7 +105,7 @@ jobs: name: Push needs: [prepare] uses: ./.github/workflows/push.yml - # Those are not actually used on push, but will throw an error if not set. + # Those are not actually used on the push or pull_request events, but will throw an error if not set. permissions: statuses: write secrets: diff --git a/ci/github-script/prepare.js b/ci/github-script/prepare.js index fb000cb6820a6..0fcec880f3763 100644 --- a/ci/github-script/prepare.js +++ b/ci/github-script/prepare.js @@ -76,8 +76,10 @@ module.exports = async ({ github, context, core }) => { }) ).map((file) => file.filename) - if (files.includes('ci/pinned.json')) core.setOutput('touched', ['pinned']) - else core.setOutput('touched', []) + const touched = [] + if (files.includes('ci/pinned.json')) touched.push('pinned') + if (files.includes('ci/OWNERS')) touched.push('owners') + core.setOutput('touched', touched) return }