ci: fix conditional skip and add safeguard

hashicorp · Sep 24, 2024 · d44213c · d44213c
1 parent 5e3b6e9
commit d44213c
Show file tree

Hide file tree

Showing 5 changed files with 45 additions and 10 deletions.
diff --git a/.github/scripts/check_skip_ci.sh b/.github/scripts/check_skip_ci.sh
@@ -6,14 +6,27 @@ set -euo pipefail
 
 # Get the list of changed files
 # Using `git merge-base` ensures that we're always comparing against the correct branch point.
-#For example, given the commits:
+# For example, given the commits:
 #
 # A---B---C---D---W---X---Y---Z # origin/main
 #             \---E---F         # feature/branch
 #
-# ... `git merge-base origin/$SKIP_CHECK_BRANCH HEAD` would return commit `D`
-# `...HEAD` specifies from the common ancestor to the latest commit on the current branch (HEAD)..
-files_to_check=$(git diff --name-only "$(git merge-base origin/$SKIP_CHECK_BRANCH HEAD~)"...HEAD)
+# ... `git merge-base origin/$SKIP_CHECK_BRANCH HEAD~` would return commit `D` for a `pull_request` event.
+#
+# `HEAD~` means that:
+#   - For `push` events to a protected branch, the merge base is the commit before HEAD (the latest commit
+#     before the push). The diff will come from the pushed changes, assuming the repo requires squash-merge.
+#   - For `pull_request` events, the merge base is the last common commit between the base ref
+#     (`origin/$skip_check_branch`) and the last "real" commit on the PR branch, before the PR branch
+#     merge commit added by GH. The diff will come from the changes in the PR branch.
+skip_check_branch=${SKIP_CHECK_BRANCH:?SKIP_CHECK_BRANCH is required}
+merge_base=$(git merge-base origin/$skip_check_branch HEAD~)
+echo "merge_base: $merge_base"
+
+# `...HEAD` specifies from the common ancestor to the latest commit on the current branch (HEAD).
+echo "diff commits:"
+git log "$merge_base...HEAD" --oneline
+files_to_check=$(git diff --name-only $merge_base...HEAD)
 
 # Define the directories to check
 skipped_directories=("_doc/" ".changelog/")

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -1,15 +1,23 @@
 name: build
 
-# We now default to running this workflow on every push to every branch.
+# We now default to running this workflow on every pull_request push
+# in addition to protected branch push.
+#
 # This provides fast feedback when build issues occur, so they can be
-# fixed prior to being merged to the main branch.
+# fixed prior to being merged.
 #
 # If you want to opt out of this, and only run the build on certain branches
 # please refer to the documentation on branch filtering here:
 #
 #   https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onpushbranchestagsbranches-ignoretags-ignore
 #
-on: [workflow_dispatch, push]
+on:
+  push:
+  #  branches:
+  #    - main
+  #    - release/**
+  # pull_request:
+  workflow_dispatch:
 
 env:
   PKG_NAME: "consul-dataplane"

diff --git a/.github/workflows/consul-dataplane-checks.yaml b/.github/workflows/consul-dataplane-checks.yaml
@@ -3,8 +3,8 @@ name: consul-dataplane-checks
 on:
   push:
     branches:
-    - main
-    - 'release/*.*.x'
+      - main
+      - release/**
   pull_request:
 
 jobs:

diff --git a/.github/workflows/reusable-conditional-skip.yml b/.github/workflows/reusable-conditional-skip.yml
@@ -14,8 +14,18 @@ jobs:
     outputs:
       skip-ci: ${{ steps.check-changed-files.outputs.skip-ci }}
     env:
-      SKIP_CHECK_BRANCH: ${{ github.head_ref || github.ref_name }}
+      # Use the base branch for PR, or the head of the current branch for push.
+      SKIP_CHECK_BRANCH: ${{ github.base_ref || github.ref_name }}
     steps:
+      - name: Ensure conditional check is allowed
+        if: ${{ !github.base_ref && !github.ref_protected }}
+        run: |
+          echo "Conditional skip requires a PR event with 'base_ref' or 'push' to a protected branch."
+          echo "github.base_ref: ${{ github.base_ref }}"
+          echo "github.ref_protected: ${{ github.ref_protected }}"
+          echo "github.ref_name: ${{ github.ref_name }}"
+          echo "Check the triggers of the calling workflow to ensure that these requirements are met."
+          exit 1
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
           fetch-depth: 0

diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
@@ -1,3 +1,5 @@
+# This job runs a non-blocking informational security scan on the repository.
+# For release-blocking security scans, see .release/security-scan.hcl.
 name: Security Scan
 
 on:
@@ -9,6 +11,8 @@ on:
     branches:
       - main
       - release/**
+    # paths-ignore only works for non-required checks.
+    # Jobs that are required for merge must use reusable-conditional-skip.yml.
     paths-ignore:
       - '_doc/**'
       - '.changelog/**'