From ae596375437e1e5366382bab69db719058813f07 Mon Sep 17 00:00:00 2001 From: Ivana Kellyerova Date: Thu, 23 Nov 2023 16:58:06 +0100 Subject: [PATCH 01/12] wip --- .../split-tox-gh-actions/ci-yaml-test-latest-snippet.txt | 1 + scripts/split-tox-gh-actions/ci-yaml-test-py27-snippet.txt | 1 + scripts/split-tox-gh-actions/ci-yaml-test-snippet.txt | 1 + scripts/split-tox-gh-actions/ci-yaml.txt | 7 ++++++- 4 files changed, 9 insertions(+), 1 deletion(-) diff --git a/scripts/split-tox-gh-actions/ci-yaml-test-latest-snippet.txt b/scripts/split-tox-gh-actions/ci-yaml-test-latest-snippet.txt index 7c7a8dfb60..9f188c8b36 100644 --- a/scripts/split-tox-gh-actions/ci-yaml-test-latest-snippet.txt +++ b/scripts/split-tox-gh-actions/ci-yaml-test-latest-snippet.txt @@ -7,6 +7,7 @@ steps: - uses: actions/checkout@v4 +{{ checkout_with }} - uses: actions/setup-python@v4 with: python-version: ${{ matrix.python-version }} diff --git a/scripts/split-tox-gh-actions/ci-yaml-test-py27-snippet.txt b/scripts/split-tox-gh-actions/ci-yaml-test-py27-snippet.txt index 0964dc38a6..5fed713cf7 100644 --- a/scripts/split-tox-gh-actions/ci-yaml-test-py27-snippet.txt +++ b/scripts/split-tox-gh-actions/ci-yaml-test-py27-snippet.txt @@ -7,6 +7,7 @@ steps: - uses: actions/checkout@v4 +{{ checkout_with }} - name: Setup Test Env run: | diff --git a/scripts/split-tox-gh-actions/ci-yaml-test-snippet.txt b/scripts/split-tox-gh-actions/ci-yaml-test-snippet.txt index 161b34f16b..585c9a884d 100644 --- a/scripts/split-tox-gh-actions/ci-yaml-test-snippet.txt +++ b/scripts/split-tox-gh-actions/ci-yaml-test-snippet.txt @@ -7,6 +7,7 @@ steps: - uses: actions/checkout@v4 +{{ checkout_with }} - uses: actions/setup-python@v4 with: python-version: ${{ matrix.python-version }} diff --git a/scripts/split-tox-gh-actions/ci-yaml.txt b/scripts/split-tox-gh-actions/ci-yaml.txt index a5ba0ef725..33aac4a529 100644 --- a/scripts/split-tox-gh-actions/ci-yaml.txt +++ b/scripts/split-tox-gh-actions/ci-yaml.txt 
@@ -6,7 +6,7 @@ on: - master - release/** - pull_request: +{{ on_pull_request }} # Cancel in progress workflows on pull_requests. # https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-a-fallback-value @@ -15,7 +15,10 @@ concurrency: cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read + # needed to remove the pull-request label + pull-requests: write env: {{ aws_credentials }} @@ -24,6 +27,8 @@ env: ${{ github.workspace }}/dist-serverless jobs: +{{ authorize }} + {{ test }} {{ test_py27 }} From 635d0015eebfa3284d312eeda2cfb2ca55d3f6dc Mon Sep 17 00:00:00 2001 From: Ivana Kellyerova Date: Fri, 24 Nov 2023 15:06:07 +0100 Subject: [PATCH 02/12] wip --- .../scripts/trigger_tests_on_label.py | 72 +++++++++++++ scripts/ci-yaml-permissions-snippet.txt | 21 ++++ .../split-tox-gh-actions.py | 101 ++++++++++++------ 3 files changed, 162 insertions(+), 32 deletions(-) create mode 100644 .github/workflows/scripts/trigger_tests_on_label.py create mode 100644 scripts/ci-yaml-permissions-snippet.txt diff --git a/.github/workflows/scripts/trigger_tests_on_label.py b/.github/workflows/scripts/trigger_tests_on_label.py new file mode 100644 index 0000000000..3f95f3865f --- /dev/null +++ b/.github/workflows/scripts/trigger_tests_on_label.py 
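Review bot: `pull-requests: write` is added to the workflow-level `permissions:` block of the shared template, so every job in every generated workflow receives a token that can modify pull requests, including the test jobs. According to the new comment, only the label-removal step needs it. Consider leaving `contents: read` at the top level and granting the write scope only to the authorization job, through a job-level `permissions:` block containing `contents: read` and `pull-requests: write`. That job comes from the `{{ authorize }}` placeholder, whose snippet is not part of this hunk.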
@@ -0,0 +1,72 @@ +#!/usr/bin/env python3 +import argparse +import json +import os +from urllib.parse import quote +from urllib.request import Request, urlopen + +LABEL = "Trigger: tests" + + +def _has_write(repo_id: int, username: str, *, token: str) -> bool: + req = Request( + f"https://api.github.com/repositories/{repo_id}/collaborators/{username}/permission", + headers={"Authorization": f"token {token}"}, + ) + contents = json.load(urlopen(req, timeout=10)) + + return contents["permission"] in {"admin", "write"} + + +def _remove_label(repo_id: int, pr: int, label: str, *, token: str) -> None: + quoted_label = quote(label) + req = Request( + f"https://api.github.com/repositories/{repo_id}/issues/{pr}/labels/{quoted_label}", + method="DELETE", + headers={"Authorization": f"token {token}"}, + ) + urlopen(req) + + +def main() -> int: + parser = argparse.ArgumentParser() + parser.add_argument("--repo-id", type=int, required=True) + parser.add_argument("--pr", type=int, required=True) + parser.add_argument("--event", required=True) + parser.add_argument("--username", required=True) + parser.add_argument("--label-names", type=json.loads, required=True) + args = parser.parse_args() + + token = os.environ["GITHUB_TOKEN"] + + write_permission = _has_write(args.repo_id, args.username, token=token) + + if ( + not write_permission + # `reopened` is included here due to close => push => reopen + and args.event in {"synchronize", "reopened"} + and LABEL in args.label_names + ): + print(f"Invalidating label [{LABEL}] due to code change...") + _remove_label(args.repo_id, args.pr, LABEL, token=token) + args.label_names.remove(LABEL) + + if write_permission or LABEL in args.label_names: + print("Permissions passed!") + print(f"- has write permission: {write_permission}") + print(f"- has [{LABEL}] label: {LABEL in args.label_names}") + return 0 + else: + print("Permissions failed!") + print(f"- has write permission: {write_permission}") + print(f"- has [{LABEL}] label: {LABEL in 
args.label_names}") + print(f"- args.label_names: {args.label_names}") + print( + f"Please have a collaborator add the [{LABEL}] label once they " + f"have reviewed the code to trigger tests." + ) + return 1 + + +if __name__ == "__main__": + raise SystemExit(main()) diff --git a/scripts/ci-yaml-permissions-snippet.txt b/scripts/ci-yaml-permissions-snippet.txt new file mode 100644 index 0000000000..5d2109f071 --- /dev/null +++ b/scripts/ci-yaml-permissions-snippet.txt @@ -0,0 +1,21 @@ + if: "github.event.action != 'labeled' || github.event.label.name == 'Trigger: getsentry tests'" + name: getsentry dispatch + runs-on: ubuntu-20.04 + steps: + - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 + with: + persist-credentials: false + + - name: permissions + run: | + python3 -uS .github/workflows/scripts/getsentry-dispatch-setup \ + --repo-id ${{ github.event.repository.id }} \ + --pr ${{ github.event.number }} \ + --event ${{ github.event.action }} \ + --username "$ARG_USERNAME" \ + --label-names "$ARG_LABEL_NAMES" + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # these can contain special characters + ARG_USERNAME: ${{ github.event.pull_request.user.login }} + ARG_LABEL_NAMES: ${{ toJSON(github.event.pull_request.labels.*.name) }} diff --git a/scripts/split-tox-gh-actions/split-tox-gh-actions.py b/scripts/split-tox-gh-actions/split-tox-gh-actions.py index eada70db54..d4b345bdfb 100755 --- a/scripts/split-tox-gh-actions/split-tox-gh-actions.py +++ b/scripts/split-tox-gh-actions/split-tox-gh-actions.py @@ -32,6 +32,11 @@ TEMPLATE_SNIPPET_TEST = TEMPLATE_DIR / "ci-yaml-test-snippet.txt" TEMPLATE_SNIPPET_TEST_PY27 = TEMPLATE_DIR / "ci-yaml-test-py27-snippet.txt" TEMPLATE_SNIPPET_TEST_LATEST = TEMPLATE_DIR / "ci-yaml-test-latest-snippet.txt" +TEMPLATE_SNIPPET_PERMISSIONS = TEMPLATE_DIR / "ci-yaml-permissions-snippet.txt" + +FRAMEWORKS_NEEDING_SECRETS = [ + "aws_lambda", +] FRAMEWORKS_NEEDING_POSTGRES = [ "django", 
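Review bot: `_remove_label` calls `urlopen(req)` with no timeout, while `_has_write` passes `timeout=10`, so a stalled API call can hang the permission job. Use `urlopen(req, timeout=10)` there as well. `username` is also placed in the URL path unescaped although `label` goes through `quote()`, and the workflow snippet notes that these values can contain special characters; `quote(username, safe="")` would treat both the same way. A one-line docstring on `main()` stating the rule it enforces (the author has write access, or the label is present and was not invalidated by a push) would help, because its exit code is the gate other jobs depend on.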
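Review bot: The `run:` step expands `${{ github.event.repository.id }}`, `${{ github.event.number }}` and `${{ github.event.action }}` directly into the shell command, while the username and label names are passed through `env:`. These three fields are not free text, so this is a consistency and hardening point rather than a known injection. Passing every event field the same way, for example `ARG_EVENT: ${{ github.event.action }}` with `--event "$ARG_EVENT"`, keeps expression expansion out of the script text in a workflow that has access to secrets.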
@@ -77,6 +82,34 @@ echo "One of the dependent jobs has failed. You may need to re-run it." && exit 1 """ +ON_PULL_REQUEST = """\ + pull_request: +""" + +ON_PULL_REQUEST_TARGET = """\ + # XXX: We are using `pull_request_target` instead of `pull_request` because we want + # this to run on forks. Only do this for workflows that need access to secrets. + # Prefer to use `pull_request` everywhere else. + pull_request_target: + types: [labeled, opened, reopened, synchronize] +""" + +CHECKOUT_WITH = """\ + with: + ref: ${{ github.event.pull_request.head.sha || github.ref }} +""" + + +def _extract_python_versions(versions): + return sorted( + [version.replace("py", "") for version in versions], + key=lambda v: tuple(map(int, v.split("."))), + ) + + +def _insert_snippet(template, index, snippet): + return template[:index] + snippet + template[index + 1 :] + def write_yaml_file( template, 
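Review bot: `CHECKOUT_WITH` makes the test jobs check out `github.event.pull_request.head.sha` under `pull_request_target` but leaves `persist-credentials` at its default, so the workflow token stays in the checkout's git configuration while the pull request's code runs. The permission-check snippet in this series already sets `persist-credentials: false`; add the same line under `with:` here. The `XXX` comment in `ON_PULL_REQUEST_TARGET` could also state what the setup depends on, for example `# Jobs that check out the PR head must depend on the permission check job.`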
@@ -85,48 +118,52 @@ def write_yaml_file( python_versions_latest, ): """Write the YAML configuration file for one framework to disk.""" - py_versions = sorted( - [py.replace("py", "") for py in python_versions], - key=lambda v: tuple(map(int, v.split("."))), - ) + py_versions = _extract_python_versions(python_versions) py27_supported = "2.7" in py_versions - py_versions_latest = sorted( - [py.replace("py", "") for py in python_versions_latest], - key=lambda v: tuple(map(int, v.split("."))), - ) + py_versions_latest = _extract_python_versions(python_versions_latest) - test_loc = template.index("{{ test }}\n") - f = open(TEMPLATE_SNIPPET_TEST, "r") - test_snippet = f.readlines() - template = template[:test_loc] + test_snippet + template[test_loc + 1 :] - f.close() + template = [line for line in template] - test_py27_loc = template.index("{{ test_py27 }}\n") - if py27_supported: - f = open(TEMPLATE_SNIPPET_TEST_PY27, "r") - test_py27_snippet = f.readlines() - template = ( - template[:test_py27_loc] + test_py27_snippet + template[test_py27_loc + 1 :] - ) - f.close() + # fill in pull_request / pull_request_target + on_pull_request_loc = template.index("{{ on_pull_request }}\n") + if current_framework in FRAMEWORKS_NEEDING_SECRETS: + on_pull_request = " pull_request_target:\n" + else: + on_pull_request = " pull_request:\n" + + template[on_pull_request_loc] = on_pull_request + + # fill in permissions step, if applicable + loc = template.index("{{ permissions }}\n") + if current_framework in FRAMEWORKS_NEEDING_SECRETS: + with open(TEMPLATE_SNIPPET_PERMISSIONS, "r") as file: + template = _insert_snippet(template, loc, file.readlines()) + else: + template.pop(loc) + # fill in main test job + loc = template.index("{{ test }}\n") + with open(TEMPLATE_SNIPPET_TEST, "r") as file: + template = _insert_snippet(template, loc, file.readlines()) + + # fill in py2.7 test job + loc = template.index("{{ test_py27 }}\n") + if py27_supported: + with open(TEMPLATE_SNIPPET_TEST_PY27, "r") 
as file: + template = _insert_snippet(template, loc, file.readlines()) py_versions.remove("2.7") else: - template.pop(test_py27_loc) + template.pop(loc) - test_latest_loc = template.index("{{ test_latest }}\n") + # fill in latest test job + loc = template.index("{{ test_latest }}\n") if python_versions_latest: - f = open(TEMPLATE_SNIPPET_TEST_LATEST, "r") - test_latest_snippet = f.readlines() - template = ( - template[:test_latest_loc] - + test_latest_snippet - + template[test_latest_loc + 1 :] - ) - f.close() + with open(TEMPLATE_SNIPPET_TEST_LATEST, "r") as file: + template = _insert_snippet(template, loc, file.readlines()) else: - template.pop(test_latest_loc) + template.pop(loc) + # write the file out = "" py27_test_part = False for template_line in template: From e969ff2d4e1ea20c19c33887a3a3909bb2170f0f Mon Sep 17 00:00:00 2001 
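Review bot: The `pull_request_target` branch writes a bare `pull_request_target:` line instead of the `ON_PULL_REQUEST_TARGET` constant added earlier in this patch, so the generated trigger loses `types: [labeled, opened, reopened, synchronize]` and the explanatory comment. Without `labeled` in the type list, adding the label would not start a run. Use the constants: `on_pull_request = ON_PULL_REQUEST_TARGET if current_framework in FRAMEWORKS_NEEDING_SECRETS else ON_PULL_REQUEST`. The lookup `template.index("{{ permissions }}\n")` also does not match the `{{ authorize }}` placeholder that PATCH 01 put into `ci-yaml.txt`, and nothing in this hunk fills in `{{ checkout_with }}`; unless the template changes elsewhere, the first raises `ValueError` and the second is written out literally. `write_yaml_file` continues past the end of the hunk.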
From: Ivana Kellyerova Date: Tue, 28 Nov 2023 11:33:12 +0100 Subject: [PATCH 03/12] Label-based test trigger --- .github/workflows/test-common.yml | 1 + .../workflows/test-integration-aiohttp.yml | 1 + .../workflows/test-integration-ariadne.yml | 1 + .github/workflows/test-integration-arq.yml | 1 + .github/workflows/test-integration-asgi.yml | 1 + .../workflows/test-integration-asyncpg.yml | 1 + .../workflows/test-integration-aws_lambda.yml | 32 ++++++++++++++++++- .github/workflows/test-integration-beam.yml | 1 + .github/workflows/test-integration-boto3.yml | 1 + .github/workflows/test-integration-bottle.yml | 1 + .github/workflows/test-integration-celery.yml | 1 + .../workflows/test-integration-chalice.yml | 1 + .../test-integration-clickhouse_driver.yml | 1 + ...est-integration-cloud_resource_context.yml | 1 + .github/workflows/test-integration-django.yml | 1 + .github/workflows/test-integration-falcon.yml | 1 + .../workflows/test-integration-fastapi.yml | 1 + .github/workflows/test-integration-flask.yml | 1 + .github/workflows/test-integration-gcp.yml | 1 + .github/workflows/test-integration-gevent.yml | 1 + .github/workflows/test-integration-gql.yml | 1 + .../workflows/test-integration-graphene.yml | 1 + .github/workflows/test-integration-grpc.yml | 1 + .github/workflows/test-integration-httpx.yml | 1 + .github/workflows/test-integration-huey.yml | 1 + .github/workflows/test-integration-loguru.yml | 1 + .../test-integration-opentelemetry.yml | 1 + .../workflows/test-integration-pure_eval.yml | 1 + .../workflows/test-integration-pymongo.yml | 1 + .../workflows/test-integration-pyramid.yml | 1 + .github/workflows/test-integration-quart.yml | 1 + .github/workflows/test-integration-redis.yml | 1 + .../test-integration-rediscluster.yml | 1 + .../workflows/test-integration-requests.yml | 1 + .github/workflows/test-integration-rq.yml | 1 + .github/workflows/test-integration-sanic.yml | 1 + .../workflows/test-integration-sqlalchemy.yml | 1 + 
.../workflows/test-integration-starlette.yml | 1 + .../workflows/test-integration-starlite.yml | 1 + .../workflows/test-integration-strawberry.yml | 1 + .../workflows/test-integration-tornado.yml | 1 + .../workflows/test-integration-trytond.yml | 1 + .../split-tox-gh-actions.py | 5 +++ .../split-tox-gh-actions/templates/base.jinja | 17 ++++++++++ .../templates/check_permissions.jinja} | 11 +++++-- .../split-tox-gh-actions/templates/test.jinja | 9 ++++++ 46 files changed, 111 insertions(+), 4 deletions(-) rename scripts/{ci-yaml-permissions-snippet.txt => split-tox-gh-actions/templates/check_permissions.jinja} (76%) diff --git a/.github/workflows/test-common.yml b/.github/workflows/test-common.yml index 74d66bc8f6..ee6962c294 100644 --- a/.github/workflows/test-common.yml +++ b/.github/workflows/test-common.yml @@ -11,6 +11,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-aiohttp.yml b/.github/workflows/test-integration-aiohttp.yml index b6aeb55e6e..83c8fe63cd 100644 --- a/.github/workflows/test-integration-aiohttp.yml +++ b/.github/workflows/test-integration-aiohttp.yml @@ -11,6 +11,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-ariadne.yml b/.github/workflows/test-integration-ariadne.yml index 191dcd3301..af7afd580a 100644 --- a/.github/workflows/test-integration-ariadne.yml +++ b/.github/workflows/test-integration-ariadne.yml 
@@ -11,6 +11,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-arq.yml b/.github/workflows/test-integration-arq.yml index 276b69ddaa..c36c63d225 100644 --- a/.github/workflows/test-integration-arq.yml +++ b/.github/workflows/test-integration-arq.yml @@ -11,6 +11,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-asgi.yml b/.github/workflows/test-integration-asgi.yml index 940d01f43f..ad41a624c5 100644 --- a/.github/workflows/test-integration-asgi.yml +++ b/.github/workflows/test-integration-asgi.yml @@ -11,6 +11,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-asyncpg.yml b/.github/workflows/test-integration-asyncpg.yml index 66c112ad47..4d828edd4b 100644 --- a/.github/workflows/test-integration-asyncpg.yml +++ b/.github/workflows/test-integration-asyncpg.yml @@ -11,6 +11,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-aws_lambda.yml b/.github/workflows/test-integration-aws_lambda.yml index 8862ea3d7e..a34a20e18e 100644 --- a/.github/workflows/test-integration-aws_lambda.yml +++ b/.github/workflows/test-integration-aws_lambda.yml 
@@ -4,14 +4,20 @@ on: branches: - master - release/** - pull_request: + # XXX: We are using `pull_request_target` instead of `pull_request` because we want + # this to run on forks. Prefer to use `pull_request` when possible. + pull_request_target: + types: [labeled, opened, reopened, synchronize] # Cancel in progress workflows on pull_requests. # https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-a-fallback-value concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read + # needed to remove the Trigger: tests label + pull-requests: write env: SENTRY_PYTHON_TEST_AWS_ACCESS_KEY_ID: ${{ secrets.SENTRY_PYTHON_TEST_AWS_ACCESS_KEY_ID }} SENTRY_PYTHON_TEST_AWS_SECRET_ACCESS_KEY: ${{ secrets.SENTRY_PYTHON_TEST_AWS_SECRET_ACCESS_KEY }} @@ -19,7 +25,29 @@ env: CACHED_BUILD_PATHS: | ${{ github.workspace }}/dist-serverless jobs: + check-permissions: + if: "github.event.action != 'labeled' || github.event.label.name == 'Trigger: tests'" + name: permissions check + runs-on: ubuntu-20.04 + steps: + - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 + with: + persist-credentials: false + - name: permissions + run: | + python3 -uS .github/workflows/scripts/trigger_tests_on_label.py \ + --repo-id ${{ github.event.repository.id }} \ + --pr ${{ github.event.number }} \ + --event ${{ github.event.action }} \ + --username "$ARG_USERNAME" \ + --label-names "$ARG_LABEL_NAMES" + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # these can contain special characters + ARG_USERNAME: ${{ github.event.pull_request.user.login }} + ARG_LABEL_NAMES: ${{ toJSON(github.event.pull_request.labels.*.name) }} test-pinned: + needs: check-permissions timeout-minutes: 30 name: aws_lambda pinned, python ${{ matrix.python-version }}, ${{ matrix.os }} runs-on: ${{ matrix.os }} 
@@ -34,6 +62,8 @@ jobs: os: [ubuntu-20.04] steps: - uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha || github.ref }} - uses: actions/setup-python@v4 with: python-version: ${{ matrix.python-version }} diff --git a/.github/workflows/test-integration-beam.yml b/.github/workflows/test-integration-beam.yml index 41322686c4..5df4ec39f5 100644 --- a/.github/workflows/test-integration-beam.yml +++ b/.github/workflows/test-integration-beam.yml @@ -11,6 +11,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-boto3.yml b/.github/workflows/test-integration-boto3.yml index 34da054d64..37f0bdd192 100644 --- a/.github/workflows/test-integration-boto3.yml +++ b/.github/workflows/test-integration-boto3.yml @@ -11,6 +11,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-bottle.yml b/.github/workflows/test-integration-bottle.yml index e178400779..4839f3a67a 100644 --- a/.github/workflows/test-integration-bottle.yml +++ b/.github/workflows/test-integration-bottle.yml @@ -11,6 +11,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-celery.yml b/.github/workflows/test-integration-celery.yml index 27597859e3..5cd4257902 100644 --- a/.github/workflows/test-integration-celery.yml +++ b/.github/workflows/test-integration-celery.yml 
@@ -11,6 +11,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-chalice.yml b/.github/workflows/test-integration-chalice.yml index b5181ca3e0..c8b85f47a2 100644 --- a/.github/workflows/test-integration-chalice.yml +++ b/.github/workflows/test-integration-chalice.yml @@ -11,6 +11,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-clickhouse_driver.yml b/.github/workflows/test-integration-clickhouse_driver.yml index be976fb77f..42ffcdeef3 100644 --- a/.github/workflows/test-integration-clickhouse_driver.yml +++ b/.github/workflows/test-integration-clickhouse_driver.yml @@ -11,6 +11,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-cloud_resource_context.yml b/.github/workflows/test-integration-cloud_resource_context.yml index b10c16b843..b0d5a0afff 100644 --- a/.github/workflows/test-integration-cloud_resource_context.yml +++ b/.github/workflows/test-integration-cloud_resource_context.yml @@ -11,6 +11,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-django.yml b/.github/workflows/test-integration-django.yml index 25830afb78..f76a7af9ba 100644 
--- a/.github/workflows/test-integration-django.yml +++ b/.github/workflows/test-integration-django.yml @@ -11,6 +11,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-falcon.yml b/.github/workflows/test-integration-falcon.yml index a562c0b34f..b52564b66c 100644 --- a/.github/workflows/test-integration-falcon.yml +++ b/.github/workflows/test-integration-falcon.yml @@ -11,6 +11,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-fastapi.yml b/.github/workflows/test-integration-fastapi.yml index 8aff5bc0b5..0b8aa30485 100644 --- a/.github/workflows/test-integration-fastapi.yml +++ b/.github/workflows/test-integration-fastapi.yml @@ -11,6 +11,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-flask.yml b/.github/workflows/test-integration-flask.yml index f598af0b1c..825804a720 100644 --- a/.github/workflows/test-integration-flask.yml +++ b/.github/workflows/test-integration-flask.yml @@ -11,6 +11,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-gcp.yml b/.github/workflows/test-integration-gcp.yml index 560089b5c3..5d701834d6 100644 
--- a/.github/workflows/test-integration-gcp.yml +++ b/.github/workflows/test-integration-gcp.yml @@ -11,6 +11,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-gevent.yml b/.github/workflows/test-integration-gevent.yml index 81edfe772e..9eb126d658 100644 --- a/.github/workflows/test-integration-gevent.yml +++ b/.github/workflows/test-integration-gevent.yml @@ -11,6 +11,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-gql.yml b/.github/workflows/test-integration-gql.yml index 7726d0cab9..8c960eaa5a 100644 --- a/.github/workflows/test-integration-gql.yml +++ b/.github/workflows/test-integration-gql.yml @@ -11,6 +11,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-graphene.yml b/.github/workflows/test-integration-graphene.yml index 32d75edbdf..8f310ddf74 100644 --- a/.github/workflows/test-integration-graphene.yml +++ b/.github/workflows/test-integration-graphene.yml @@ -11,6 +11,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-grpc.yml b/.github/workflows/test-integration-grpc.yml index 30034591d7..7675bf5595 100644 
--- a/.github/workflows/test-integration-grpc.yml +++ b/.github/workflows/test-integration-grpc.yml @@ -11,6 +11,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-httpx.yml b/.github/workflows/test-integration-httpx.yml index 835f24b3ab..9fde473ba9 100644 --- a/.github/workflows/test-integration-httpx.yml +++ b/.github/workflows/test-integration-httpx.yml @@ -11,6 +11,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-huey.yml b/.github/workflows/test-integration-huey.yml index 1477111ecc..62ff29809e 100644 --- a/.github/workflows/test-integration-huey.yml +++ b/.github/workflows/test-integration-huey.yml @@ -11,6 +11,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-loguru.yml b/.github/workflows/test-integration-loguru.yml index 1916f69b5a..3066f8b248 100644 --- a/.github/workflows/test-integration-loguru.yml +++ b/.github/workflows/test-integration-loguru.yml @@ -11,6 +11,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-opentelemetry.yml b/.github/workflows/test-integration-opentelemetry.yml index e90015f9df..ecfd244a53 100644 
--- a/.github/workflows/test-integration-opentelemetry.yml +++ b/.github/workflows/test-integration-opentelemetry.yml @@ -11,6 +11,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-pure_eval.yml b/.github/workflows/test-integration-pure_eval.yml index 7b025fe403..88a0491234 100644 --- a/.github/workflows/test-integration-pure_eval.yml +++ b/.github/workflows/test-integration-pure_eval.yml @@ -11,6 +11,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-pymongo.yml b/.github/workflows/test-integration-pymongo.yml index 4de6c3adfc..5f297085cf 100644 --- a/.github/workflows/test-integration-pymongo.yml +++ b/.github/workflows/test-integration-pymongo.yml @@ -11,6 +11,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-pyramid.yml b/.github/workflows/test-integration-pyramid.yml index efa204ca9b..4e81921049 100644 --- a/.github/workflows/test-integration-pyramid.yml +++ b/.github/workflows/test-integration-pyramid.yml @@ -11,6 +11,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} 
diff --git a/.github/workflows/test-integration-quart.yml b/.github/workflows/test-integration-quart.yml index 14a8dff00f..753f362055 100644 --- a/.github/workflows/test-integration-quart.yml +++ b/.github/workflows/test-integration-quart.yml @@ -11,6 +11,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-redis.yml b/.github/workflows/test-integration-redis.yml index 1579299fec..09939b3ca6 100644 --- a/.github/workflows/test-integration-redis.yml +++ b/.github/workflows/test-integration-redis.yml @@ -11,6 +11,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-rediscluster.yml b/.github/workflows/test-integration-rediscluster.yml index e235e277ad..27b2d329d8 100644 --- a/.github/workflows/test-integration-rediscluster.yml +++ b/.github/workflows/test-integration-rediscluster.yml @@ -11,6 +11,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-requests.yml b/.github/workflows/test-integration-requests.yml index dd08b2c669..79e0faab93 100644 --- a/.github/workflows/test-integration-requests.yml +++ b/.github/workflows/test-integration-requests.yml @@ -11,6 +11,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} 
diff --git a/.github/workflows/test-integration-rq.yml b/.github/workflows/test-integration-rq.yml index 32f24ce305..cd22af1e69 100644 --- a/.github/workflows/test-integration-rq.yml +++ b/.github/workflows/test-integration-rq.yml @@ -11,6 +11,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-sanic.yml b/.github/workflows/test-integration-sanic.yml index c359c3b4fa..920b17bb0d 100644 --- a/.github/workflows/test-integration-sanic.yml +++ b/.github/workflows/test-integration-sanic.yml @@ -11,6 +11,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-sqlalchemy.yml b/.github/workflows/test-integration-sqlalchemy.yml index ea94aaa977..639f22ac37 100644 --- a/.github/workflows/test-integration-sqlalchemy.yml +++ b/.github/workflows/test-integration-sqlalchemy.yml @@ -11,6 +11,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-starlette.yml b/.github/workflows/test-integration-starlette.yml index e1de19e038..6c4160c791 100644 --- a/.github/workflows/test-integration-starlette.yml +++ b/.github/workflows/test-integration-starlette.yml @@ -11,6 +11,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} 
diff --git a/.github/workflows/test-integration-starlite.yml b/.github/workflows/test-integration-starlite.yml index 276693feeb..6a8357ac4a 100644 --- a/.github/workflows/test-integration-starlite.yml +++ b/.github/workflows/test-integration-starlite.yml @@ -11,6 +11,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-strawberry.yml b/.github/workflows/test-integration-strawberry.yml index 555ee2450a..b477b0fb81 100644 --- a/.github/workflows/test-integration-strawberry.yml +++ b/.github/workflows/test-integration-strawberry.yml @@ -11,6 +11,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-tornado.yml b/.github/workflows/test-integration-tornado.yml index cb8eca56c1..3a4910e706 100644 --- a/.github/workflows/test-integration-tornado.yml +++ b/.github/workflows/test-integration-tornado.yml @@ -11,6 +11,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-trytond.yml b/.github/workflows/test-integration-trytond.yml index 11b94031b6..31223b2388 100644 --- a/.github/workflows/test-integration-trytond.yml +++ b/.github/workflows/test-integration-trytond.yml 
@@ -11,6 +11,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/scripts/split-tox-gh-actions/split-tox-gh-actions.py b/scripts/split-tox-gh-actions/split-tox-gh-actions.py index 4726b177cc..98695713f7 100755 --- a/scripts/split-tox-gh-actions/split-tox-gh-actions.py +++ b/scripts/split-tox-gh-actions/split-tox-gh-actions.py @@ -41,6 +41,10 @@ "aws_lambda", ] +FRAMEWORKS_NEEDING_GITHUB_SECRETS = [ + "aws_lambda", +] + ENV = Environment( loader=FileSystemLoader(TEMPLATE_DIR), ) @@ -152,6 +156,7 @@ def render_template(framework, py_versions_pinned, py_versions_latest): "needs_aws_credentials": framework in FRAMEWORKS_NEEDING_AWS, "needs_clickhouse": framework in FRAMEWORKS_NEEDING_CLICKHOUSE, "needs_postgres": framework in FRAMEWORKS_NEEDING_POSTGRES, + "needs_github_secrets": framework in FRAMEWORKS_NEEDING_GITHUB_SECRETS, "py_versions": { # formatted for including in the matrix "pinned": [f'"{v}"' for v in py_versions_pinned if v != "2.7"], diff --git a/scripts/split-tox-gh-actions/templates/base.jinja b/scripts/split-tox-gh-actions/templates/base.jinja index e65b9cc470..a335f42ff2 100644 --- a/scripts/split-tox-gh-actions/templates/base.jinja +++ b/scripts/split-tox-gh-actions/templates/base.jinja @@ -6,7 +6,15 @@ on: - master - release/** + {% if needs_github_secrets %} + # XXX: We are using `pull_request_target` instead of `pull_request` because we want + # this to run on forks with access to the secrets necessary to run the test suite. + # Prefer to use `pull_request` when possible. + pull_request_target: + types: [labeled, opened, reopened, synchronize] + {% else %} pull_request: + {% endif %} # Cancel in progress workflows on pull_requests. # https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-a-fallback-value 
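Review bot: `FRAMEWORKS_NEEDING_GITHUB_SECRETS` is added without a comment, although membership in it is security-relevant. Per the `base.jinja` changes in this same patch, a listed framework's workflow is rendered with `pull_request_target` and a `check-permissions` job instead of plain `pull_request`. I would add above the list `# Workflows for these frameworks run on pull_request_target with access to repository secrets; add entries only after review.` If the list that ends just above this addition is `FRAMEWORKS_NEEDING_AWS`, a few words on why the two are kept separate would help too, since both hold `aws_lambda`.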
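Review bot: The `XXX` comment above `pull_request_target:` explains why the trigger is used but not what keeps it safe, which is what a later editor of this template needs to know. As far as this patch shows, the safeguard is that `test.jinja` adds `needs: check-permissions` to the test job before it checks out the pull request head. I would state that here, for example `# Every job that checks out the PR head must declare needs: check-permissions.` Because `synchronize` is in `types`, each new push starts another run, so the comment should also say whether `trigger_tests_on_label.py` requires the label to be re-applied after a push. That script is not visible in this part of the patch.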
@@ -15,7 +23,12 @@ concurrency: cancel-in-progress: true permissions: + # needed for `actions/checkout` to clone the code contents: read + {% if needs_github_secrets %} + # needed to remove the Trigger: tests label + pull-requests: write + {% endif %} env: {% if needs_aws_credentials %} @@ -29,6 +42,10 @@ env: {% raw %}${{ github.workspace }}/dist-serverless{% endraw %} jobs: +{% if needs_github_secrets %} +{% include "check_permissions.jinja" %} +{% endif %} + {% if py_versions.pinned %} {% with category="pinned", versions=py_versions.pinned %} {% include "test.jinja" %} diff --git a/scripts/ci-yaml-permissions-snippet.txt b/scripts/split-tox-gh-actions/templates/check_permissions.jinja similarity index 76% rename from scripts/ci-yaml-permissions-snippet.txt rename to scripts/split-tox-gh-actions/templates/check_permissions.jinja index 5d2109f071..a14234ef2c 100644 --- a/scripts/ci-yaml-permissions-snippet.txt +++ b/scripts/split-tox-gh-actions/templates/check_permissions.jinja @@ -1,5 +1,6 @@ - if: "github.event.action != 'labeled' || github.event.label.name == 'Trigger: getsentry tests'" - name: getsentry dispatch + check-permissions: + if: "github.event.action != 'labeled' || github.event.label.name == 'Trigger: tests'" + name: permissions check runs-on: ubuntu-20.04 steps: - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 
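Review bot: The `pull-requests: write` grant is added under the workflow-level `permissions:`, so it applies to every job in the rendered workflow. That includes the `test-*` jobs, which for `needs_github_secrets` frameworks check out and run the pull request head under `pull_request_target`. Judging by the comment, only the `check-permissions` job needs write access, to remove the label. I would leave `contents: read` here and put a job-level block in `check_permissions.jinja` instead: `permissions:` with `contents: read` and `pull-requests: write`. A job-level block replaces the workflow-level one, so `contents: read` has to be repeated there for the checkout step. The token available to code from a fork then stays read-only.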
@@ -8,14 +9,18 @@ - name: permissions run: | - python3 -uS .github/workflows/scripts/getsentry-dispatch-setup \ + {% raw %} + python3 -uS .github/workflows/scripts/trigger_tests_on_label.py \ --repo-id ${{ github.event.repository.id }} \ --pr ${{ github.event.number }} \ --event ${{ github.event.action }} \ --username "$ARG_USERNAME" \ --label-names "$ARG_LABEL_NAMES" + {% endraw %} env: + {% raw %} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # these can contain special characters ARG_USERNAME: ${{ github.event.pull_request.user.login }} ARG_LABEL_NAMES: ${{ toJSON(github.event.pull_request.labels.*.name) }} + {% endraw %} diff --git a/scripts/split-tox-gh-actions/templates/test.jinja b/scripts/split-tox-gh-actions/templates/test.jinja index 481df3b723..57e715f924 100644 --- a/scripts/split-tox-gh-actions/templates/test.jinja +++ b/scripts/split-tox-gh-actions/templates/test.jinja @@ -1,4 +1,7 @@ test-{{ category }}: + {% if needs_github_secrets %} + needs: check-permissions + {% endif %} timeout-minutes: 30 {% if category == "py27" %} name: {{ framework }} {{ category }}, python 2.7 @@ -41,6 +44,12 @@ steps: - uses: actions/checkout@v4 + {% if needs_github_secrets %} + {% raw %} + with: + ref: ${{ github.event.pull_request.head.sha || github.ref }} + {% endraw %} + {% endif %} {% if category != "py27" %} - uses: actions/setup-python@v4 with: From dbf6c7f647b4dae428d3c57137c6adcf832cd220 Mon Sep 17 00:00:00 2001 From: Ivana Kellyerova Date: Tue, 28 Nov 2023 11:34:21 +0100 Subject: [PATCH 04/12] comment --- .github/workflows/test-integration-aws_lambda.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/test-integration-aws_lambda.yml b/.github/workflows/test-integration-aws_lambda.yml index a34a20e18e..8c9c6fb93a 100644 --- a/.github/workflows/test-integration-aws_lambda.yml +++ b/.github/workflows/test-integration-aws_lambda.yml 
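Review bot: The `with:` block added to `actions/checkout@v4` checks out `github.event.pull_request.head.sha` in a `pull_request_target` run but leaves `persist-credentials` at its default. The job token is therefore written into the checked-out repository's git configuration, where the later test steps, which run the pull request's code, can read it. I would add `persist-credentials: false` next to `ref:`. The step list continues outside the hunk, so I cannot tell whether a later step needs authenticated git access; if none does, the change has no cost.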
@@ -5,7 +5,8 @@ on: - master - release/** # XXX: We are using `pull_request_target` instead of `pull_request` because we want - # this to run on forks. Prefer to use `pull_request` when possible. + # this to run on forks with access to the secrets necessary to run the test suite. + # Prefer to use `pull_request` when possible. pull_request_target: types: [labeled, opened, reopened, synchronize] # Cancel in progress workflows on pull_requests. From 06aed3107e023ab37817350a4cc85b3a3334036c Mon Sep 17 00:00:00 2001 From: Ivana Kellyerova Date: Tue, 28 Nov 2023 11:35:45 +0100 Subject: [PATCH 05/12] formatting --- .github/workflows/test-integration-aws_lambda.yml | 2 +- scripts/split-tox-gh-actions/templates/base.jinja | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test-integration-aws_lambda.yml b/.github/workflows/test-integration-aws_lambda.yml index 8c9c6fb93a..b8c9db4956 100644 --- a/.github/workflows/test-integration-aws_lambda.yml +++ b/.github/workflows/test-integration-aws_lambda.yml @@ -17,7 +17,7 @@ concurrency: permissions: # needed for `actions/checkout` to clone the code contents: read - # needed to remove the Trigger: tests label + # needed to remove the `Trigger: tests` label pull-requests: write env: SENTRY_PYTHON_TEST_AWS_ACCESS_KEY_ID: ${{ secrets.SENTRY_PYTHON_TEST_AWS_ACCESS_KEY_ID }} diff --git a/scripts/split-tox-gh-actions/templates/base.jinja b/scripts/split-tox-gh-actions/templates/base.jinja index a335f42ff2..4e65eb6f27 100644 --- a/scripts/split-tox-gh-actions/templates/base.jinja +++ b/scripts/split-tox-gh-actions/templates/base.jinja @@ -26,7 +26,7 @@ permissions: # needed for `actions/checkout` to clone the code contents: read {% if needs_github_secrets %} - # needed to remove the Trigger: tests label + # needed to remove the `Trigger: tests` label pull-requests: write {% endif %} From 654c38983e26beef2f409619f06ceef9fe275e46 Mon Sep 17 00:00:00 2001 
From: Ivana Kellyerova Date: Tue, 28 Nov 2023 11:36:20 +0100 Subject: [PATCH 06/12] wip --- .github/workflows/test-common.yml | 1 - .github/workflows/test-integration-aiohttp.yml | 1 - .github/workflows/test-integration-ariadne.yml | 1 - .github/workflows/test-integration-arq.yml | 1 - .github/workflows/test-integration-asgi.yml | 1 - .github/workflows/test-integration-asyncpg.yml | 1 - .github/workflows/test-integration-aws_lambda.yml | 3 +-- .github/workflows/test-integration-beam.yml | 1 - .github/workflows/test-integration-boto3.yml | 1 - .github/workflows/test-integration-bottle.yml | 1 - .github/workflows/test-integration-celery.yml | 1 - .github/workflows/test-integration-chalice.yml | 1 - .github/workflows/test-integration-clickhouse_driver.yml | 1 - .github/workflows/test-integration-cloud_resource_context.yml | 1 - .github/workflows/test-integration-django.yml | 1 - .github/workflows/test-integration-falcon.yml | 1 - .github/workflows/test-integration-fastapi.yml | 1 - .github/workflows/test-integration-flask.yml | 1 - .github/workflows/test-integration-gcp.yml | 1 - .github/workflows/test-integration-gevent.yml | 1 - .github/workflows/test-integration-gql.yml | 1 - .github/workflows/test-integration-graphene.yml | 1 - .github/workflows/test-integration-grpc.yml | 1 - .github/workflows/test-integration-httpx.yml | 1 - .github/workflows/test-integration-huey.yml | 1 - .github/workflows/test-integration-loguru.yml | 1 - .github/workflows/test-integration-opentelemetry.yml | 1 - .github/workflows/test-integration-pure_eval.yml | 1 - .github/workflows/test-integration-pymongo.yml | 1 - .github/workflows/test-integration-pyramid.yml | 1 - .github/workflows/test-integration-quart.yml | 1 - .github/workflows/test-integration-redis.yml | 1 - .github/workflows/test-integration-rediscluster.yml | 1 - .github/workflows/test-integration-requests.yml | 1 - .github/workflows/test-integration-rq.yml | 1 - .github/workflows/test-integration-sanic.yml | 1 - 
.github/workflows/test-integration-sqlalchemy.yml | 1 - .github/workflows/test-integration-starlette.yml | 1 - .github/workflows/test-integration-starlite.yml | 1 - .github/workflows/test-integration-strawberry.yml | 1 - .github/workflows/test-integration-tornado.yml | 1 - .github/workflows/test-integration-trytond.yml | 1 - scripts/split-tox-gh-actions/templates/base.jinja | 3 +-- 43 files changed, 2 insertions(+), 45 deletions(-) diff --git a/.github/workflows/test-common.yml b/.github/workflows/test-common.yml index ee6962c294..74d66bc8f6 100644 --- a/.github/workflows/test-common.yml +++ b/.github/workflows/test-common.yml @@ -11,7 +11,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-aiohttp.yml b/.github/workflows/test-integration-aiohttp.yml index 83c8fe63cd..b6aeb55e6e 100644 --- a/.github/workflows/test-integration-aiohttp.yml +++ b/.github/workflows/test-integration-aiohttp.yml @@ -11,7 +11,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-ariadne.yml b/.github/workflows/test-integration-ariadne.yml index af7afd580a..191dcd3301 100644 --- a/.github/workflows/test-integration-ariadne.yml +++ b/.github/workflows/test-integration-ariadne.yml @@ -11,7 +11,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} 
diff --git a/.github/workflows/test-integration-arq.yml b/.github/workflows/test-integration-arq.yml index c36c63d225..276b69ddaa 100644 --- a/.github/workflows/test-integration-arq.yml +++ b/.github/workflows/test-integration-arq.yml @@ -11,7 +11,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-asgi.yml b/.github/workflows/test-integration-asgi.yml index ad41a624c5..940d01f43f 100644 --- a/.github/workflows/test-integration-asgi.yml +++ b/.github/workflows/test-integration-asgi.yml @@ -11,7 +11,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-asyncpg.yml b/.github/workflows/test-integration-asyncpg.yml index 4d828edd4b..66c112ad47 100644 --- a/.github/workflows/test-integration-asyncpg.yml +++ b/.github/workflows/test-integration-asyncpg.yml @@ -11,7 +11,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-aws_lambda.yml b/.github/workflows/test-integration-aws_lambda.yml index b8c9db4956..6d89d5ea57 100644 --- a/.github/workflows/test-integration-aws_lambda.yml +++ b/.github/workflows/test-integration-aws_lambda.yml 
@@ -15,9 +15,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read - # needed to remove the `Trigger: tests` label + # `write` is needed to remove the `Trigger: tests` label pull-requests: write env: SENTRY_PYTHON_TEST_AWS_ACCESS_KEY_ID: ${{ secrets.SENTRY_PYTHON_TEST_AWS_ACCESS_KEY_ID }} diff --git a/.github/workflows/test-integration-beam.yml b/.github/workflows/test-integration-beam.yml index 5df4ec39f5..41322686c4 100644 --- a/.github/workflows/test-integration-beam.yml +++ b/.github/workflows/test-integration-beam.yml @@ -11,7 +11,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-boto3.yml b/.github/workflows/test-integration-boto3.yml index 37f0bdd192..34da054d64 100644 --- a/.github/workflows/test-integration-boto3.yml +++ b/.github/workflows/test-integration-boto3.yml @@ -11,7 +11,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-bottle.yml b/.github/workflows/test-integration-bottle.yml index 4839f3a67a..e178400779 100644 --- a/.github/workflows/test-integration-bottle.yml +++ b/.github/workflows/test-integration-bottle.yml @@ -11,7 +11,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} 
diff --git a/.github/workflows/test-integration-celery.yml b/.github/workflows/test-integration-celery.yml index 5cd4257902..27597859e3 100644 --- a/.github/workflows/test-integration-celery.yml +++ b/.github/workflows/test-integration-celery.yml @@ -11,7 +11,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-chalice.yml b/.github/workflows/test-integration-chalice.yml index c8b85f47a2..b5181ca3e0 100644 --- a/.github/workflows/test-integration-chalice.yml +++ b/.github/workflows/test-integration-chalice.yml @@ -11,7 +11,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-clickhouse_driver.yml b/.github/workflows/test-integration-clickhouse_driver.yml index 42ffcdeef3..be976fb77f 100644 --- a/.github/workflows/test-integration-clickhouse_driver.yml +++ b/.github/workflows/test-integration-clickhouse_driver.yml @@ -11,7 +11,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-cloud_resource_context.yml b/.github/workflows/test-integration-cloud_resource_context.yml index b0d5a0afff..b10c16b843 100644 --- a/.github/workflows/test-integration-cloud_resource_context.yml +++ b/.github/workflows/test-integration-cloud_resource_context.yml 
@@ -11,7 +11,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-django.yml b/.github/workflows/test-integration-django.yml index f76a7af9ba..25830afb78 100644 --- a/.github/workflows/test-integration-django.yml +++ b/.github/workflows/test-integration-django.yml @@ -11,7 +11,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-falcon.yml b/.github/workflows/test-integration-falcon.yml index b52564b66c..a562c0b34f 100644 --- a/.github/workflows/test-integration-falcon.yml +++ b/.github/workflows/test-integration-falcon.yml @@ -11,7 +11,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-fastapi.yml b/.github/workflows/test-integration-fastapi.yml index 0b8aa30485..8aff5bc0b5 100644 --- a/.github/workflows/test-integration-fastapi.yml +++ b/.github/workflows/test-integration-fastapi.yml @@ -11,7 +11,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-flask.yml b/.github/workflows/test-integration-flask.yml index 825804a720..f598af0b1c 100644 --- a/.github/workflows/test-integration-flask.yml +++ b/.github/workflows/test-integration-flask.yml 
@@ -11,7 +11,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-gcp.yml b/.github/workflows/test-integration-gcp.yml index 5d701834d6..560089b5c3 100644 --- a/.github/workflows/test-integration-gcp.yml +++ b/.github/workflows/test-integration-gcp.yml @@ -11,7 +11,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-gevent.yml b/.github/workflows/test-integration-gevent.yml index 9eb126d658..81edfe772e 100644 --- a/.github/workflows/test-integration-gevent.yml +++ b/.github/workflows/test-integration-gevent.yml @@ -11,7 +11,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-gql.yml b/.github/workflows/test-integration-gql.yml index 8c960eaa5a..7726d0cab9 100644 --- a/.github/workflows/test-integration-gql.yml +++ b/.github/workflows/test-integration-gql.yml @@ -11,7 +11,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-graphene.yml b/.github/workflows/test-integration-graphene.yml index 8f310ddf74..32d75edbdf 100644 --- a/.github/workflows/test-integration-graphene.yml +++ b/.github/workflows/test-integration-graphene.yml 
@@ -11,7 +11,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-grpc.yml b/.github/workflows/test-integration-grpc.yml index 7675bf5595..30034591d7 100644 --- a/.github/workflows/test-integration-grpc.yml +++ b/.github/workflows/test-integration-grpc.yml @@ -11,7 +11,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-httpx.yml b/.github/workflows/test-integration-httpx.yml index 9fde473ba9..835f24b3ab 100644 --- a/.github/workflows/test-integration-httpx.yml +++ b/.github/workflows/test-integration-httpx.yml @@ -11,7 +11,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-huey.yml b/.github/workflows/test-integration-huey.yml index 62ff29809e..1477111ecc 100644 --- a/.github/workflows/test-integration-huey.yml +++ b/.github/workflows/test-integration-huey.yml @@ -11,7 +11,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-loguru.yml b/.github/workflows/test-integration-loguru.yml index 3066f8b248..1916f69b5a 100644 --- a/.github/workflows/test-integration-loguru.yml +++ b/.github/workflows/test-integration-loguru.yml 
@@ -11,7 +11,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-opentelemetry.yml b/.github/workflows/test-integration-opentelemetry.yml index ecfd244a53..e90015f9df 100644 --- a/.github/workflows/test-integration-opentelemetry.yml +++ b/.github/workflows/test-integration-opentelemetry.yml @@ -11,7 +11,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-pure_eval.yml b/.github/workflows/test-integration-pure_eval.yml index 88a0491234..7b025fe403 100644 --- a/.github/workflows/test-integration-pure_eval.yml +++ b/.github/workflows/test-integration-pure_eval.yml @@ -11,7 +11,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-pymongo.yml b/.github/workflows/test-integration-pymongo.yml index 5f297085cf..4de6c3adfc 100644 --- a/.github/workflows/test-integration-pymongo.yml +++ b/.github/workflows/test-integration-pymongo.yml @@ -11,7 +11,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-pyramid.yml b/.github/workflows/test-integration-pyramid.yml index 4e81921049..efa204ca9b 100644 --- a/.github/workflows/test-integration-pyramid.yml 
+++ b/.github/workflows/test-integration-pyramid.yml @@ -11,7 +11,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-quart.yml b/.github/workflows/test-integration-quart.yml index 753f362055..14a8dff00f 100644 --- a/.github/workflows/test-integration-quart.yml +++ b/.github/workflows/test-integration-quart.yml @@ -11,7 +11,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-redis.yml b/.github/workflows/test-integration-redis.yml index 09939b3ca6..1579299fec 100644 --- a/.github/workflows/test-integration-redis.yml +++ b/.github/workflows/test-integration-redis.yml @@ -11,7 +11,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-rediscluster.yml b/.github/workflows/test-integration-rediscluster.yml index 27b2d329d8..e235e277ad 100644 --- a/.github/workflows/test-integration-rediscluster.yml +++ b/.github/workflows/test-integration-rediscluster.yml @@ -11,7 +11,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-requests.yml b/.github/workflows/test-integration-requests.yml index 79e0faab93..dd08b2c669 100644 --- a/.github/workflows/test-integration-requests.yml 
+++ b/.github/workflows/test-integration-requests.yml @@ -11,7 +11,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-rq.yml b/.github/workflows/test-integration-rq.yml index cd22af1e69..32f24ce305 100644 --- a/.github/workflows/test-integration-rq.yml +++ b/.github/workflows/test-integration-rq.yml @@ -11,7 +11,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-sanic.yml b/.github/workflows/test-integration-sanic.yml index 920b17bb0d..c359c3b4fa 100644 --- a/.github/workflows/test-integration-sanic.yml +++ b/.github/workflows/test-integration-sanic.yml @@ -11,7 +11,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-sqlalchemy.yml b/.github/workflows/test-integration-sqlalchemy.yml index 639f22ac37..ea94aaa977 100644 --- a/.github/workflows/test-integration-sqlalchemy.yml +++ b/.github/workflows/test-integration-sqlalchemy.yml @@ -11,7 +11,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-starlette.yml b/.github/workflows/test-integration-starlette.yml index 6c4160c791..e1de19e038 100644 --- a/.github/workflows/test-integration-starlette.yml 
+++ b/.github/workflows/test-integration-starlette.yml @@ -11,7 +11,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-starlite.yml b/.github/workflows/test-integration-starlite.yml index 6a8357ac4a..276693feeb 100644 --- a/.github/workflows/test-integration-starlite.yml +++ b/.github/workflows/test-integration-starlite.yml @@ -11,7 +11,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-strawberry.yml b/.github/workflows/test-integration-strawberry.yml index b477b0fb81..555ee2450a 100644 --- a/.github/workflows/test-integration-strawberry.yml +++ b/.github/workflows/test-integration-strawberry.yml @@ -11,7 +11,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-tornado.yml b/.github/workflows/test-integration-tornado.yml index 3a4910e706..cb8eca56c1 100644 --- a/.github/workflows/test-integration-tornado.yml +++ b/.github/workflows/test-integration-tornado.yml @@ -11,7 +11,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/.github/workflows/test-integration-trytond.yml b/.github/workflows/test-integration-trytond.yml index 31223b2388..11b94031b6 100644 
--- a/.github/workflows/test-integration-trytond.yml +++ b/.github/workflows/test-integration-trytond.yml @@ -11,7 +11,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read env: BUILD_CACHE_KEY: ${{ github.sha }} diff --git a/scripts/split-tox-gh-actions/templates/base.jinja b/scripts/split-tox-gh-actions/templates/base.jinja index 4e65eb6f27..50357e5d20 100644 --- a/scripts/split-tox-gh-actions/templates/base.jinja +++ b/scripts/split-tox-gh-actions/templates/base.jinja @@ -23,10 +23,9 @@ concurrency: cancel-in-progress: true permissions: - # needed for `actions/checkout` to clone the code contents: read {% if needs_github_secrets %} - # needed to remove the `Trigger: tests` label + # `write` is needed to remove the `Trigger: tests` label pull-requests: write {% endif %} From 815a426392861b205f1069839a16ce81ad30634a Mon Sep 17 00:00:00 2001 From: Ivana Kellyerova Date: Tue, 28 Nov 2023 12:18:24 +0100 Subject: [PATCH 07/12] trying something out --- .github/workflows/test-integration-aws_lambda.yml | 1 - scripts/split-tox-gh-actions/templates/check_permissions.jinja | 1 - 2 files changed, 2 deletions(-) diff --git a/.github/workflows/test-integration-aws_lambda.yml b/.github/workflows/test-integration-aws_lambda.yml index 6d89d5ea57..52f22c4065 100644 --- a/.github/workflows/test-integration-aws_lambda.yml +++ b/.github/workflows/test-integration-aws_lambda.yml @@ -26,7 +26,6 @@ env: ${{ github.workspace }}/dist-serverless jobs: check-permissions: - if: "github.event.action != 'labeled' || github.event.label.name == 'Trigger: tests'" name: permissions check runs-on: ubuntu-20.04 steps: diff --git a/scripts/split-tox-gh-actions/templates/check_permissions.jinja b/scripts/split-tox-gh-actions/templates/check_permissions.jinja index a14234ef2c..32cc9ee41b 100644 --- a/scripts/split-tox-gh-actions/templates/check_permissions.jinja 
+++ b/scripts/split-tox-gh-actions/templates/check_permissions.jinja @@ -1,5 +1,4 @@ check-permissions: - if: "github.event.action != 'labeled' || github.event.label.name == 'Trigger: tests'" name: permissions check runs-on: ubuntu-20.04 steps: From 862a367b1e23e4b9e4ce360fa31d57c6f059b065 Mon Sep 17 00:00:00 2001 From: Ivana Kellyerova Date: Tue, 28 Nov 2023 12:24:53 +0100 Subject: [PATCH 08/12] attempt --- .github/workflows/test-integration-aws_lambda.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test-integration-aws_lambda.yml b/.github/workflows/test-integration-aws_lambda.yml index 52f22c4065..682afc5136 100644 --- a/.github/workflows/test-integration-aws_lambda.yml +++ b/.github/workflows/test-integration-aws_lambda.yml @@ -7,7 +7,7 @@ on: # XXX: We are using `pull_request_target` instead of `pull_request` because we want # this to run on forks with access to the secrets necessary to run the test suite. # Prefer to use `pull_request` when possible. - pull_request_target: + pull_request: types: [labeled, opened, reopened, synchronize] # Cancel in progress workflows on pull_requests. # https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-a-fallback-value From 77545ffe73352bc53b371de92486061f00d4173c Mon Sep 17 00:00:00 2001 From: Ivana Kellyerova Date: Tue, 28 Nov 2023 12:38:12 +0100 Subject: [PATCH 09/12] change back to pull_request_target --- .github/workflows/test-integration-aws_lambda.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test-integration-aws_lambda.yml b/.github/workflows/test-integration-aws_lambda.yml index 682afc5136..52f22c4065 100644 --- a/.github/workflows/test-integration-aws_lambda.yml +++ b/.github/workflows/test-integration-aws_lambda.yml 
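Review bot: The XXX comment kept as context directly above the changed trigger in `test-integration-aws_lambda.yml` still says the workflow uses `pull_request_target` so that fork runs get secrets, which contradicts the new `pull_request:` line. Under `pull_request`, runs from forks receive no repository secrets and a read-only token, so the `secrets.*` values in this file's `env` block would be empty and the `pull-requests: write` permission used for label removal would not take effect there. The file also appears to be generated from `scripts/split-tox-gh-actions/templates/`, and this commit touches only the generated YAML, so a regeneration would undo it. If the trigger change is intended, make it in the template and replace the comment, e.g. `# Runs without secrets on fork PRs; secret-backed tests are skipped there.`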
@@ -7,7 +7,7 @@ on: # XXX: We are using `pull_request_target` instead of `pull_request` because we want # this to run on forks with access to the secrets necessary to run the test suite. # Prefer to use `pull_request` when possible. - pull_request: + pull_request_target: types: [labeled, opened, reopened, synchronize] # Cancel in progress workflows on pull_requests. # https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-a-fallback-value From f4469374b0cb8f47a655620fb126f43d0c7b9b4c Mon Sep 17 00:00:00 2001 From: Ivana Kellyerova Date: Wed, 29 Nov 2023 15:16:53 +0100 Subject: [PATCH 10/12] Better label name --- .github/workflows/scripts/trigger_tests_on_label.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scripts/trigger_tests_on_label.py b/.github/workflows/scripts/trigger_tests_on_label.py index 3f95f3865f..f6039fd16a 100644 --- a/.github/workflows/scripts/trigger_tests_on_label.py +++ b/.github/workflows/scripts/trigger_tests_on_label.py @@ -5,7 +5,7 @@ from urllib.parse import quote from urllib.request import Request, urlopen -LABEL = "Trigger: tests" +LABEL = "Trigger: tests using secrets" def _has_write(repo_id: int, username: str, *, token: str) -> bool: From 56dbea2e4bc79339987516f6e22ed5792294504f Mon Sep 17 00:00:00 2001 From: Ivana Kellyerova Date: Wed, 29 Nov 2023 15:57:48 +0100 Subject: [PATCH 11/12] Update scripts/split-tox-gh-actions/templates/base.jinja Co-authored-by: Anton Pirker --- scripts/split-tox-gh-actions/templates/base.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/split-tox-gh-actions/templates/base.jinja b/scripts/split-tox-gh-actions/templates/base.jinja index 50357e5d20..efa61b1f8b 100644 --- a/scripts/split-tox-gh-actions/templates/base.jinja +++ b/scripts/split-tox-gh-actions/templates/base.jinja 
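Review bot: With `pull_request_target` and `synchronize` in `types`, every new push to an already-labelled fork PR starts another run with access to the repository secrets, and nothing in this hunk ties the approval to the commit that was actually reviewed. The job-level `if:` label filter on `check-permissions` was removed earlier in this series, so the gate now rests entirely on that job's steps, which are outside this hunk. I would state the invariant next to the trigger, for example `# Secrets are exposed to fork PRs: check-permissions must pass for the exact head SHA before any job checks out PR code.` It is also worth confirming that the label is removed again on `synchronize` and that the checkout step pins `github.event.pull_request.head.sha`; since the YAML looks generated, the comment belongs in the template.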
@@ -25,7 +25,7 @@ concurrency: permissions: contents: read {% if needs_github_secrets %} - # `write` is needed to remove the `Trigger: tests` label + # `write` is needed to remove the `Trigger: tests using secrets` label pull-requests: write {% endif %} From abf4554790f78f806f9436c5ca867c6e1ec743fa Mon Sep 17 00:00:00 2001 From: Ivana Kellyerova Date: Wed, 29 Nov 2023 15:59:14 +0100 Subject: [PATCH 12/12] Regenerate yamls --- .github/workflows/test-integration-aws_lambda.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test-integration-aws_lambda.yml b/.github/workflows/test-integration-aws_lambda.yml index 52f22c4065..e026919c74 100644 --- a/.github/workflows/test-integration-aws_lambda.yml +++ b/.github/workflows/test-integration-aws_lambda.yml @@ -16,7 +16,7 @@ concurrency: cancel-in-progress: true permissions: contents: read - # `write` is needed to remove the `Trigger: tests` label + # `write` is needed to remove the `Trigger: tests using secrets` label pull-requests: write env: SENTRY_PYTHON_TEST_AWS_ACCESS_KEY_ID: ${{ secrets.SENTRY_PYTHON_TEST_AWS_ACCESS_KEY_ID }}