Skip to content

Commit

Permalink
Gitspiegel polkadot staging (paritytech#2695)
Browse files Browse the repository at this point in the history
* Adding gitspiegel-trigger workflow (paritytech#2661)

Using a workflow to trigger mirroring instead of a webhook allows us to reuse "Approving workflow runs from public forks" GitHub feature to somewhat protect us from malicious PRs

* Fixing gitspiegel trigger workflow (paritytech#2679)

The first attept to use a workflow to protect GitLab CI from untrusted contributors failed, because GitHub doesn't pass secrets to workflows for PRs that originate from forks. 
 
This uses a different approach: instead of triggerring gitspiegel API directly from the workflow, we're just spawning an empty workflow with a specific path, and gitspiegel listens for `workflow_run` event to start mirroring.  

The idea is the same: for the first-time contributors, running workflows would require manual aciton and that would block mirroring. But this time, we don't need any secrets to make it work.

---------

Co-authored-by: Yuri Volkov <0@mcornholio.ru>
  • Loading branch information
svyatonik and mutantcornholio authored Nov 14, 2023
1 parent 702a4c1 commit 03aaab2
Showing 1 changed file with 22 additions and 0 deletions.
22 changes: 22 additions & 0 deletions .github/workflows/gitspiegel-trigger.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
name: gitspiegel sync

# This workflow doesn't do anything, it's only use is to trigger "workflow_run"
# webhook, that'll be consumed by gitspiegel
# This way, gitspiegel won't do mirroring, unless this workflow runs,
# and running the workflow is protected by GitHub

on:
pull_request:
types:
- opened
- synchronize
- unlocked
- ready_for_review
- reopened

jobs:
sync:
runs-on: ubuntu-latest
steps:
- name: Do nothing
run: echo "let's go"

0 comments on commit 03aaab2

Please sign in to comment.