From d8fd7b090b75fbfe4d3fd3aebef44e1d85116fe1 Mon Sep 17 00:00:00 2001
From: Victor Gaydov
Date: Sun, 13 Apr 2025 15:23:06 +0900
Subject: [PATCH] ci: Hardening

- move automation workflows to ci/ repo and remove automation gh token from roc-java
- separate workflows for build and release with different triggers and permissions

---
.github/workflows/build.yaml | 39 ++++--------------------
.github/workflows/detect_conflicts.yml | 25 ----------------
.github/workflows/pr_closed.yml | 20 -------------
.github/workflows/pr_opened.yml | 29 ------------------
.github/workflows/pr_ready.yml | 21 -------------
.github/workflows/pr_reviewed.yml | 20 -------------
.github/workflows/pr_wip.yml | 21 -------------
.github/workflows/release.yml | 41 ++++++++++++++++++++++++++
8 files changed, 46 insertions(+), 170 deletions(-)
delete mode 100644 .github/workflows/detect_conflicts.yml
delete mode 100644 .github/workflows/pr_closed.yml
delete mode 100644 .github/workflows/pr_opened.yml
delete mode 100644 .github/workflows/pr_ready.yml
delete mode 100644 .github/workflows/pr_reviewed.yml
delete mode 100644 .github/workflows/pr_wip.yml
create mode 100644 .github/workflows/release.yml
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index e31533df..39119368 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -4,9 +4,6 @@ on:
push:
branches:
- main
- - v*
- tags:
- - v*
pull_request:
@@ -15,16 +12,19 @@ on:
- trigger_build
workflow_dispatch:
+ workflow_call:
schedule:
- cron: '0 0 * * 1'
+permissions:
+ contents: read
+
concurrency:
- group: build-${{ github.event.pull_request.number || github.ref }}
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs:
- # build natively on desktop
desktop:
strategy:
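Review bot: `workflow_call:` is added with no comment saying who calls it or why the new top-level `permissions: contents: read` has to stay, and a maintainer who later widens it for a PR job would silently widen the token handed to the release path as well. As far as I know a called workflow can only narrow the permissions its caller grants, so this `contents: read` is what actually caps the token while release.yml runs the build; I would say so above the key: `# Also invoked via workflow_call from release.yml; keep permissions read-only here — a called workflow can only narrow what the caller grants, so this caps the token for release builds too.` The concurrency group now keys on `github.workflow`, which inside a reusable-workflow call should resolve to the caller's workflow name, so combined with `cancel-in-progress: true` two tags pushed in quick succession would cancel each other's build — worth confirming that is acceptable for releases. The `desktop` job continues past the end of the hunk.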
@@ -212,32 +212,3 @@ jobs:
ndk: ${{ matrix.ndk }}
cmake: ${{ matrix.cmake }}
script: ./scripts/android/run_instrumented_tests.sh
-
- release:
- needs: [desktop, android-linux, android-osx]
- if: |
- github.repository_owner == 'roc-streaming' &&
- github.event_name == 'push' &&
- startsWith(github.ref, 'refs/tags/v')
-
- name: publish
- runs-on: ubuntu-24.04
-
- env:
- OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}
- OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
- SIGNING_KEY_ID: ${{ secrets.SIGNING_KEY_ID }}
- SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }}
- SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
-
- steps:
- - name: Checkout
- uses: actions/checkout@v4
- with:
- fetch-depth: 0
-
- - name: Choose roc-toolkit revision
- run: echo ROC_REVISION=$(scripts/roc_revision.py) >> $GITHUB_ENV
-
- - name: Publish
- run: scripts/android_docker.sh publish
diff --git a/.github/workflows/detect_conflicts.yml b/.github/workflows/detect_conflicts.yml
deleted file mode 100644
index fe67322c..00000000
--- a/.github/workflows/detect_conflicts.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-name: "detect_conflicts"
-
-on:
- push:
- branches:
- - "*"
- tags:
- - "!*"
- repository_dispatch:
- types:
- - pull_request_opened
- - pull_request_reopened
- - pull_request_synchronize
-
-permissions:
- pull-requests: write
-
-concurrency:
- group: detect-conflicts
-
-jobs:
- main:
- uses: roc-streaming/ci/.github/workflows/detect_conflicts.yml@main
- secrets:
- triage-token: ${{ secrets.REPO_TRIAGE }}
diff --git a/.github/workflows/pr_closed.yml b/.github/workflows/pr_closed.yml
deleted file mode 100644
index 08834033..00000000
--- a/.github/workflows/pr_closed.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-name: "pr_closed"
-
-on:
- repository_dispatch:
- types:
- - pull_request_closed
-
-permissions:
- pull-requests: write
-
-concurrency:
- group: pullreq-${{ github.event.client_payload.number }}
-
-jobs:
- main:
- uses: roc-streaming/ci/.github/workflows/pr_status_closed.yml@main
- with:
- pr-number: ${{ github.event.client_payload.number }}
- secrets:
- triage-token: ${{ secrets.REPO_TRIAGE }}
diff --git a/.github/workflows/pr_opened.yml b/.github/workflows/pr_opened.yml
deleted file mode 100644
index 64713968..00000000
--- a/.github/workflows/pr_opened.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-name: "pr_opened"
-
-on:
- repository_dispatch:
- types:
- - pull_request_opened
- - pull_request_reopened
-
-permissions:
- pull-requests: write
- checks: read
-
-concurrency:
- group: pullreq-${{ github.event.client_payload.number }}
-
-jobs:
- lint-contribution:
- uses: roc-streaming/ci/.github/workflows/pr_lint_contrib.yml@main
- with:
- pr-number: ${{ github.event.client_payload.number }}
- secrets:
- triage-token: ${{ secrets.REPO_TRIAGE }}
-
- set-status:
- uses: roc-streaming/ci/.github/workflows/pr_status_opened.yml@main
- with:
- pr-number: ${{ github.event.client_payload.number }}
- secrets:
- triage-token: ${{ secrets.REPO_TRIAGE }}
diff --git a/.github/workflows/pr_ready.yml b/.github/workflows/pr_ready.yml
deleted file mode 100644
index c2f490ea..00000000
--- a/.github/workflows/pr_ready.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-name: "pr_ready"
-
-on:
- repository_dispatch:
- types:
- - pull_request_review_requested
- - pull_request_ready_for_review
-
-permissions:
- pull-requests: write
-
-concurrency:
- group: pullreq-${{ github.event.client_payload.number }}
-
-jobs:
- main:
- uses: roc-streaming/ci/.github/workflows/pr_status_ready.yml@main
- with:
- pr-number: ${{ github.event.client_payload.number }}
- secrets:
- triage-token: ${{ secrets.REPO_TRIAGE }}
diff --git a/.github/workflows/pr_reviewed.yml b/.github/workflows/pr_reviewed.yml
deleted file mode 100644
index c3a1f5c2..00000000
--- a/.github/workflows/pr_reviewed.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-name: "pr_reviewed"
-
-on:
- repository_dispatch:
- types:
- - pull_request_review_submitted
-
-permissions:
- pull-requests: write
-
-concurrency:
- group: pullreq-${{ github.event.client_payload.number }}
-
-jobs:
- main:
- uses: roc-streaming/ci/.github/workflows/pr_status_reviewed.yml@main
- with:
- pr-number: ${{ github.event.client_payload.number }}
- secrets:
- triage-token: ${{ secrets.REPO_TRIAGE }}
diff --git a/.github/workflows/pr_wip.yml b/.github/workflows/pr_wip.yml
deleted file mode 100644
index ec54cbe3..00000000
--- a/.github/workflows/pr_wip.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-name: "pr_wip"
-
-on:
- repository_dispatch:
- types:
- - pull_request_review_request_removed
- - pull_request_converted_to_draft
-
-permissions:
- pull-requests: write
-
-concurrency:
- group: pullreq-${{ github.event.client_payload.number }}
-
-jobs:
- main:
- uses: roc-streaming/ci/.github/workflows/pr_status_wip.yml@main
- with:
- pr-number: ${{ github.event.client_payload.number }}
- secrets:
- triage-token: ${{ secrets.REPO_TRIAGE }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 00000000..8d2f734c
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,41 @@
+name: "release"
+
+on:
+ push:
+ tags:
+ - v*
+
+ workflow_dispatch:
+
+permissions:
+ contents: write
+
+concurrency:
+ group: ${{ github.workflow }}{{ github.event.pull_request.number || github.ref }}
+
+jobs:
+ build:
+ uses: ./.github/workflows/build.yml
+
+ release:
+ needs: [build]
+
+ runs-on: ubuntu-24.04
+ env:
+ OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+ OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
+ SIGNING_KEY_ID: ${{ secrets.SIGNING_KEY_ID }}
+ SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }}
+ SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Choose roc-toolkit revision
+ run: echo ROC_REVISION=$(scripts/roc_revision.py) >> $GITHUB_ENV
+
+ - name: Publish
+ run: scripts/android_docker.sh publish
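Review bot: The new `release` job drops the guard the old job in build.yaml carried (`if: github.repository_owner == 'roc-streaming' && startsWith(github.ref, 'refs/tags/v')`), and because the workflow also listens on `workflow_dispatch`, anyone with write access can now trigger a publish from any branch with the OSSRH credentials and the signing key in the job environment — a weaker posture than before, in a commit titled "Hardening". Two smaller defects sit in the same hunk: the build job references `./.github/workflows/build.yml` while the file this patch edits is `build.yaml`, so the reusable-workflow call will not resolve, and the concurrency `group` is missing the `$` before its second expression (and `github.event.pull_request.number` is never set on tag or dispatch events), so it evaluates to the literal string `release{{ … }}` and every release run lands in one group. Nothing visible here uses `GITHUB_TOKEN`, so unless `scripts/android_docker.sh publish` creates a GitHub release, `contents: write` can drop to `read`; scoping the secrets to the Publish step's `env` keeps them out of the checkout step, and a `release` environment with required reviewers would gate them further. Given the hardening intent, pinning `actions/checkout` to a full commit SHA instead of the `v4` tag would also fit.

```yaml
permissions:
  contents: read   # raise to write only if the publish script turns out to use GITHUB_TOKEN

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}

jobs:
  build:
    uses: ./.github/workflows/build.yaml

  release:
    needs: [build]
    # Publish only from a version tag in the upstream repo; a manual dispatch
    # from a branch must never reach OSSRH with the signing key.
    if: |
      github.repository_owner == 'roc-streaming' &&
      startsWith(github.ref, 'refs/tags/v')

    runs-on: ubuntu-24.04
    # environment: release   # recommended: require reviewers before secrets are exposed

    steps:
      # … unchanged: Checkout, Choose roc-toolkit revision …

      - name: Publish
        env:
          OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}
          OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
          SIGNING_KEY_ID: ${{ secrets.SIGNING_KEY_ID }}
          SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }}
          SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
        run: scripts/android_docker.sh publish
```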