From a62187cdbbc93a1f2b047f440e445641efb77bd2 Mon Sep 17 00:00:00 2001 From: Greg Pfeil Date: Fri, 14 Feb 2025 11:24:10 -0700 Subject: [PATCH 1/2] Fix GitHub workflows There are two workflows that have bugs in them: - cd-deploy-nodes-gcp is missing a job name, which is then depended-on later - sub-ci-integration-tests-gcp changed the name of a job without changing its dependents --- .github/workflows/cd-deploy-nodes-gcp.yml | 7 ++----- .github/workflows/sub-ci-integration-tests-gcp.yml | 2 +- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/.github/workflows/cd-deploy-nodes-gcp.yml b/.github/workflows/cd-deploy-nodes-gcp.yml index 1338ed5f7b3..e7d7c6154e7 100644 --- a/.github/workflows/cd-deploy-nodes-gcp.yml +++ b/.github/workflows/cd-deploy-nodes-gcp.yml @@ -227,12 +227,9 @@ jobs: # - on every push to the `main` branch # - on every release, when it's published # - on workflow_dispatch for manual deployments - + # Determine which networks to deploy based on the trigger - - - - : + set-matrix: runs-on: ubuntu-latest outputs: networks: ${{ steps.set-networks.outputs.matrix }} diff --git a/.github/workflows/sub-ci-integration-tests-gcp.yml b/.github/workflows/sub-ci-integration-tests-gcp.yml index 438b32ac235..fde8ef835ca 100644 --- a/.github/workflows/sub-ci-integration-tests-gcp.yml +++ b/.github/workflows/sub-ci-integration-tests-gcp.yml @@ -523,7 +523,7 @@ jobs: lightwalletd-grpc-test, get-block-template-test, submit-block-test, - scan-task-commands-test, + test-scanner, ] # Only open tickets for failed scheduled jobs, manual workflow runs, or `main` branch merges. # (PR statuses are already reported in the PR jobs list, and checked by GitHub's Merge Queue.) From 21acd540b274c8f77fb475213eb2d62f0a4d918a Mon Sep 17 00:00:00 2001 
From: Greg Pfeil Date: Fri, 14 Feb 2025 11:28:55 -0700 Subject: [PATCH 2/2] Stop certain CI jobs from running on forks MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit There are various GitHub CI jobs that won’t work on forks. E.g., some need credentials for ZF’s DockerHub or GCP accounts. Unfortunately, you can’t prevent entire workflows from running this way, but this disables a minimal number of jobs to keep forks from failing whenever `main` is pushed to. --- .github/workflows/cd-deploy-nodes-gcp.yml | 2 +- .github/workflows/chore-delete-gcp-resources.yml | 2 ++ .github/workflows/ci-unit-tests-os.yml | 2 +- .github/workflows/docs-deploy-firebase.yml | 6 ++++++ .github/workflows/docs-dockerhub-description.yml | 1 + .github/workflows/sub-build-docker-image.yml | 3 ++- 6 files changed, 13 insertions(+), 3 deletions(-) diff --git a/.github/workflows/cd-deploy-nodes-gcp.yml b/.github/workflows/cd-deploy-nodes-gcp.yml index e7d7c6154e7..f7d15886293 100644 --- a/.github/workflows/cd-deploy-nodes-gcp.yml +++ b/.github/workflows/cd-deploy-nodes-gcp.yml @@ -265,7 +265,7 @@ jobs: permissions: contents: "read" id-token: "write" - if: ${{ !cancelled() && !failure() && ((github.event_name == 'push' && github.ref_name == 'main') || github.event_name == 'release' || github.event_name == 'workflow_dispatch') }} + if: ${{ !cancelled() && !failure() && github.repository_owner == 'ZcashFoundation' && ((github.event_name == 'push' && github.ref_name == 'main') || github.event_name == 'release' || github.event_name == 'workflow_dispatch') }} steps: - uses: actions/checkout@v4.2.2 diff --git a/.github/workflows/chore-delete-gcp-resources.yml b/.github/workflows/chore-delete-gcp-resources.yml index 661c8c05093..92d9103480b 100644 --- a/.github/workflows/chore-delete-gcp-resources.yml +++ b/.github/workflows/chore-delete-gcp-resources.yml 
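Review bot: The guard added to the deploy job's `if:` compares only the owner, so the job, which is granted `id-token: "write"`, would also run in any other repository under the same organisation. If the intent is to deploy only from the canonical repository, matching the full name is tighter: `github.repository == 'ZcashFoundation/<repo-name>'` (placeholder; the repository name does not appear on this page). The same consideration applies to the other `github.repository_owner` checks in this patch. Since this condition is not an access control, the cloud-side trust policy for the OIDC token should be pinned to the repository as well. The job's definition starts and continues outside the hunk.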
@@ -34,6 +34,7 @@ env: jobs: delete-resources: name: Delete old GCP resources + if: github.repository_owner == 'ZcashFoundation' runs-on: ubuntu-latest permissions: contents: 'read' @@ -105,6 +106,7 @@ jobs: # The same artifacts are used for both mainnet and testnet. clean-registries: name: Delete unused artifacts in registry + if: github.repository_owner == 'ZcashFoundation'' runs-on: ubuntu-latest permissions: contents: 'read' diff --git a/.github/workflows/ci-unit-tests-os.yml b/.github/workflows/ci-unit-tests-os.yml index 6e9dc77d91d..d37328a5c12 100644 --- a/.github/workflows/ci-unit-tests-os.yml +++ b/.github/workflows/ci-unit-tests-os.yml @@ -309,7 +309,7 @@ jobs: needs: [ test, install-from-lockfile-no-cache, check-cargo-lock, cargo-deny, unused-deps ] # Only open tickets for failed or cancelled jobs that are not coming from PRs. # (PR statuses are already reported in the PR jobs list, and checked by GitHub's Merge Queue.) - if: (failure() && github.event.pull_request == null) || (cancelled() && github.event.pull_request == null) + if: (failure() || cancelled()) && github.repository_owner == 'ZcashFoundation' && github.event.pull_request == null runs-on: ubuntu-latest steps: - uses: jayqi/failed-build-issue-action@v1 diff --git a/.github/workflows/docs-deploy-firebase.yml b/.github/workflows/docs-deploy-firebase.yml index eca70c4d98b..eecb9ffacf5 100644 --- a/.github/workflows/docs-deploy-firebase.yml +++ b/.github/workflows/docs-deploy-firebase.yml @@ -105,6 +105,7 @@ jobs: # Setup gcloud CLI - name: Authenticate to Google Cloud + if: github.repository_owner == 'ZcashFoundation' id: auth uses: google-github-actions/auth@v2.1.8 with: 
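Review bot: The `if:` added to `clean-registries` in the second hunk of chore-delete-gcp-resources.yml ends with two single quotes, `'ZcashFoundation''`. In a GitHub Actions expression, `''` inside a string literal is an escaped quote, so the literal is never closed. The workflow file will most likely be rejected as invalid, which would also stop `delete-resources` from running. The line should read `if: github.repository_owner == 'ZcashFoundation'`, matching the guard on `delete-resources` in the first hunk.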
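Review bot: The step-level guards added in docs-deploy-firebase.yml (this hunk and the three that follow for the same file) carry no comment, and a reader could mistake them for an access control. `github.repository_owner` names the repository the run belongs to, so it is false only for runs inside a fork; a pull request opened from a fork against the upstream repository still evaluates it as true, and whether that matters depends on this workflow's triggers, which are not visible here. I would add one comment above the first guarded step in each job, e.g. `# Skip on forks, which lack the GCP credentials; this is a convenience check, not a security boundary.` The credentials themselves still need to be protected by how secrets and the identity provider are scoped.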
@@ -114,11 +115,13 @@ jobs: # TODO: remove this step after issue https://github.com/FirebaseExtended/action-hosting-deploy/issues/174 is fixed - name: Add $GCP_FIREBASE_SA_PATH to env + if: github.repository_owner == 'ZcashFoundation' run: | # shellcheck disable=SC2002 echo "GCP_FIREBASE_SA_PATH=$(cat ${{ steps.auth.outputs.credentials_file_path }} | tr -d '\n')" >> "$GITHUB_ENV" - name: Deploy Zebra book to firebase + if: github.repository_owner == 'ZcashFoundation' uses: FirebaseExtended/action-hosting-deploy@v0.9.0 with: firebaseServiceAccount: ${{ env.GCP_FIREBASE_SA_PATH }} @@ -163,6 +166,7 @@ jobs: # Setup gcloud CLI - name: Authenticate to Google Cloud + if: github.repository_owner == 'ZcashFoundation' id: auth uses: google-github-actions/auth@v2.1.8 with: @@ -171,11 +175,13 @@ jobs: # TODO: remove this step after issue https://github.com/FirebaseExtended/action-hosting-deploy/issues/174 is fixed - name: Add $GCP_FIREBASE_SA_PATH to env + if: github.repository_owner == 'ZcashFoundation' run: | # shellcheck disable=SC2002 echo "GCP_FIREBASE_SA_PATH=$(cat ${{ steps.auth.outputs.credentials_file_path }} | tr -d '\n')" >> "$GITHUB_ENV" - name: Deploy internal docs to firebase + if: github.repository_owner == 'ZcashFoundation' uses: FirebaseExtended/action-hosting-deploy@v0.9.0 with: firebaseServiceAccount: ${{ env.GCP_FIREBASE_SA_PATH }} diff --git a/.github/workflows/docs-dockerhub-description.yml b/.github/workflows/docs-dockerhub-description.yml index 754208d6651..8efdaca1d54 100644 --- a/.github/workflows/docs-dockerhub-description.yml +++ b/.github/workflows/docs-dockerhub-description.yml @@ -15,6 +15,7 @@ on: jobs: dockerHubDescription: + if: github.repository_owner == 'ZcashFoundation' runs-on: ubuntu-latest steps: - uses: actions/checkout@v4.2.2 diff --git a/.github/workflows/sub-build-docker-image.yml b/.github/workflows/sub-build-docker-image.yml index 1ec1b88c0d2..7a64abaa22b 100644 --- a/.github/workflows/sub-build-docker-image.yml 
+++ b/.github/workflows/sub-build-docker-image.yml @@ -61,6 +61,7 @@ env: jobs: build: name: Build images + if: github.repository_owner == 'ZcashFoundation' timeout-minutes: 210 runs-on: ubuntu-latest environment: ${{ github.event_name == 'release' && 'prod' || 'dev' }} @@ -111,7 +112,7 @@ jobs: # DockerHub release and CI tags. # This tag makes sure tests are using exactly the right image, even when multiple PRs run at the same time. type=sha,event=push - # These CI-only tags support CI on PRs, the main branch, and scheduled full syncs. + # These CI-only tags support CI on PRs, the main branch, and scheduled full syncs. # These tags do not appear on DockerHub, because DockerHub images are only published on the release event. type=ref,event=pr type=ref,event=branch