diff --git a/.github/workflows/ci3-external.yml b/.github/workflows/ci3-external.yml
new file mode 100644
index 000000000000..0440104c09d7
--- /dev/null
+++ b/.github/workflows/ci3-external.yml
@@ -0,0 +1,89 @@
+# CI for external Aztec contributors. Like ci3.yml, but more locked down.
+name: CI3 (External)
+
+on:
+ # For external devs. Workflow file edits won't take effect in the PR.
+ pull_request_target:
+ types: [opened, synchronize, reopened, ready_for_review, labeled]
+
+concurrency:
+ # Only allow one run per /.
+ group: |
+ ci3-external-${{format('{0}/{1}', github.event.pull_request.head.repo.full_name, github.head_ref)}}
+ cancel-in-progress: true
+
+jobs:
+ ci-external:
+ runs-on: ubuntu-latest
+ # exclusive with ci3.yml, only run on forks.
+ if: github.event.pull_request.head.repo.full_name != github.repository
+ steps:
+ #############
+ # Prepare Env
+ #############
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ # The commit to checkout. We want our actual commit, and not the result of merging the PR to the target.
+ ref: ${{ github.event.pull_request.head.sha || github.sha }}
+
+ - name: Fail If Draft
+ if: github.event.pull_request.draft && (github.event.action != 'labeled' || github.event.label.name != 'trigger-workflow')
+ run: echo "CI is not run on drafts." && exit 1
+
+ - name: External Contributor Checks
+ # Run only if a pull request event type and we have a forked repository origin.
+ if: |
+ (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') &&
+ github.event.pull_request.head.repo.full_name != github.repository
+ run: |
+ set -o pipefail
+ git fetch origin ${{ github.event.pull_request.base.ref }} --depth=1 &>/dev/null
+ forbidden_changes=$(git diff --name-only origin/${{ github.event.pull_request.base.ref }} HEAD -- ci3 .github ci.sh)
+ if echo "$forbidden_changes" | grep -q .; then
+ echo "Error: External PRs can't contain CI changes (forbidden files: $forbidden_changes)."
+ exit 1
+ fi
+ if [ ${{ github.event.pull_request.base.ref }} != "master" ]; then
+ echo "Error: External PRs can only target master, targeted: ${{ github.event.pull_request.base.ref }}."
+ exit 1
+ fi
+ labeled="${{contains(github.event.pull_request.labels.*.name, 'ci-external') || contains(github.event.pull_request.labels.*.name, 'ci-external-once')}}"
+ if [ "$labeled" = false ]; then
+ echo "External PRs need the 'ci-external' or 'ci-external-once' labels to run."
+ exit 1
+ fi
+ # Remove any ci-external-once labels.
+ GITHUB_TOKEN=${{ secrets.AZTEC_BOT_GITHUB_TOKEN }} gh pr edit ${{ github.event.pull_request.number }} --remove-label "ci-external-once"
+
+ - name: CI Full Override
+ # TODO consolidate legacy labels to just ci-full.
+ if: |
+ contains(github.event.pull_request.labels.*.name, 'e2e-all') ||
+ contains(github.event.pull_request.labels.*.name, 'network-all') ||
+ contains(github.event.pull_request.labels.*.name, 'ci-full')
+ run: echo "CI_FULL=1" >> $GITHUB_ENV
+
+ - name: Setup
+ run: |
+ # Ensure we can SSH into the spot instances we request.
+ mkdir -p ~/.ssh
+ echo ${{ secrets.BUILD_INSTANCE_SSH_KEY }} | base64 --decode > ~/.ssh/build_instance_key
+ chmod 600 ~/.ssh/build_instance_key
+
+ #############
+ # Run
+ #############
+ - name: Run
+ env:
+ # We need to pass these creds to start the AWS ec2 instance.
+ # They are not injected into that instance. Instead, it has minimal
+ # creds for being able to upload to cache.
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ REF_NAME: repo-fork/${{ github.repository }}/${{ github.head_ref }}
+ # We only test on amd64.
+ ARCH: amd64
+ LOG_ID: ${{ github.run_id }}
+ run: |
+ ./ci.sh ec2
diff --git a/.github/workflows/ci3.yml b/.github/workflows/ci3.yml
index 6b7b0d28c2b6..3df44015c9bc 100644
--- a/.github/workflows/ci3.yml
+++ b/.github/workflows/ci3.yml
@@ -1,4 +1,5 @@
 # CI for Aztec. At a high-level, runs ./bootstrap.sh ci in root. See root README.md for more details.
+# Only for internal devs. For external devs, see ci3-external.yml.
 name: CI3
 
 on:
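Review bot: The `ci-external` label works as a standing approval in the `External Contributor Checks` step: the `labeled=` check accepts it on every `synchronize` event and only `ci-external-once` is removed, so once a maintainer applies it, every later push to the fork branch re-runs the job — including the Setup step that decodes `BUILD_INSTANCE_SSH_KEY` into `~/.ssh` and the Run step that carries `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` in its environment — without another look at the new head. If that is intended, say so where the labels are checked, e.g. `# 'ci-external' is a standing approval for every future push on this PR; 'ci-external-once' approves only the current head and is removed below.`; if not, remove `ci-external` in the same `gh pr edit` call so each new head needs re-labelling. Separately, the `git diff --name-only origin/<base> HEAD` line compares the two trees rather than the PR's own changes (with `--depth=1` there is no merge base to use), so an external PR that never touched `ci3`, `.github` or `ci.sh` still fails once those paths change on master after the fork branched — fail-closed, but the error message will mislead. The step's `if:` also re-tests `github.event_name == 'pull_request'`, an event this workflow never receives, and the fork condition already enforced at job level.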
@@ -8,33 +9,21 @@ on:
 - master
 tags:
 - "v*"
- # For internal devs.
 pull_request:
 types: [opened, synchronize, reopened, ready_for_review, labeled]
- # For external devs. Workflow file edits won't take effect in the PR.
- pull_request_target:
- types: [opened, synchronize, reopened, ready_for_review, labeled]
 
 concurrency:
 # On master or workflow_dispatch (checked via event_name) the group id is the unique run_id so we get parallel runs.
- # On PR's the group id is the ref_name so only 1 can run at a time. Include the repo in case it is an external PR.
+ # On PR's the group id is the ref_name so only 1 can run at a time.
 group: |
- ci3-${{ github.event_name }}-${{
- (github.event_name == 'push' || github.event_name == 'workflow_dispatch') &&
- github.run_id ||
- format('{0}/{1}', github.event.pull_request.head.repo.full_name, github.head_ref)
- }}
+ ci3-${{(github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.run_id || github.head_ref }}
 cancel-in-progress: true
 
 jobs:
 ci:
 runs-on: ubuntu-latest
- # Always allow 'push' and 'workflow_dispatch' jobs. Otherwise, only run pull_request events on internal PRs and pull_request_target on external PRs.
- if: |
- github.event_name == 'push' ||
- github.event_name == 'workflow_dispatch' ||
- (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) ||
- (github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository)
+ # exclusive with ci3-external.yml: if it is a pull request target only run if it is NOT a fork.
+ if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
 strategy:
 fail-fast: false
 matrix:
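Review bot: The new comment on the `ci` job's `if:` says "if it is a pull request target only run if it is NOT a fork", but this same hunk removes the `pull_request_target` trigger and the condition tests `pull_request`, so the comment describes an event the workflow no longer receives. Suggested wording: `# exclusive with ci3-external.yml: pull_request runs only for branches of this repository; fork PRs are handled there via pull_request_target.` With fork PRs excluded, keying the concurrency group on `github.head_ref` alone is sufficient, which is presumably why the repo name was dropped from the group id.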
@@ -58,27 +47,6 @@ jobs:
 if: github.event.pull_request.draft && (github.event.action != 'labeled' || github.event.label.name != 'trigger-workflow')
 run: echo "CI is not run on drafts." && exit 1
 
- - name: External Contributor Labels and Target
- if: |
- github.event_name == 'pull_request_target' &&
- contains(github.event.pull_request.labels.*.name, 'ci-external') == false &&
- contains(github.event.pull_request.labels.*.name, 'ci-external-once') == false
- run: echo "External PRs need the 'ci-external' or 'ci-external-once' labels to run." && exit 1
-
- - name: External Contributor Changes
- if: github.event_name == 'pull_request_target'
- run: |
- set -o pipefail
- git fetch origin ${{ github.event.pull_request.base.ref }} --depth=1
- if git diff --name-only origin/${{ github.event.pull_request.base.ref }} HEAD -- ci3 .github ci.sh | grep -q .; then
- echo "Error: External PRs can't contain CI changes." && exit 1
- fi
- if [ ${{ github.event.pull_request.base.ref }} != "master" ]; then
- echo "Error: External PRs can only target master, targeted: ${{ github.event.pull_request.base.ref }}." && exit 1
- fi
- # Remove any ci-external-once labels.
- GITHUB_TOKEN=${{ secrets.AZTEC_BOT_GITHUB_TOKEN }} gh pr edit ${{ github.event.pull_request.number }} --remove-label "ci-external-once"
-
 - name: CI Full Override
 # TODO consolidate legacy labels to just ci-full.
 if: |
@@ -151,7 +119,7 @@ jobs:
 
 ci-grind:
 runs-on: ubuntu-latest
- if: github.event_name == 'push' && !startsWith(github.ref, 'refs/tags/') && github.repository.fork == false
+ if: github.event_name == 'push' && !startsWith(github.ref, 'refs/tags/')
 strategy:
 matrix:
 number: [1, 2, 3, 4, 5]
@@ -188,7 +156,7 @@ jobs:
 
 notify:
 runs-on: ubuntu-latest
- if: github.event_name == 'push' && failure() && github.repository.fork == false
+ if: github.event_name == 'push' && failure()
 needs:
 - ci
 - ci-grind
diff --git a/ci3/bootstrap_ec2 b/ci3/bootstrap_ec2
index 7545040d4798..2b2524d25b94 100755
--- a/ci3/bootstrap_ec2
+++ b/ci3/bootstrap_ec2
@@ -102,7 +102,7 @@ container_script=$(cat <