Once we start running similar jobs in the PR and Merge Queue workflows, the Test workflow will run into a problem: Both nested workflows will try to upload the same artifacts, which errors out. By providing a prefix to use for artifact names, this will be a non-issue when we later run more of Eval in the merge queue or when we add the build jobs to the queue as well.
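# This workflow will request reviews from the maintainers of each package
# listed in the PR's most recent eval comparison artifact.
#
# Trust model, as far as this file shows:
# - It can be triggered by pull_request_target, which runs with access to
#   secrets. The only repository code it builds is the sparse `ci` checkout
#   placed in `trusted/`.
# - The GitHub App token is minted only for pull_request_target events, so
#   every step gated on that token is skipped for other callers.
# - The comparison artifact comes from another workflow run for the PR's head
#   commit; its contents are handled as data derived from the PR.

name: Reviewers

on:
  pull_request_target:
    types: [ready_for_review]
  workflow_call:
    inputs:
      # Prefix for artifact names, so nested workflows do not collide on them.
      artifact-prefix:
        required: true
        type: string
    secrets:
      OWNER_APP_PRIVATE_KEY:
        required: true

concurrency:
  group: reviewers-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
  cancel-in-progress: true

# No default permissions for github.token; the write access needed to request
# reviews comes from the GitHub App token created below.
permissions: {}

defaults:
  run:
    shell: bash

jobs:
  request:
    runs-on: ubuntu-24.04-arm
    timeout-minutes: 20
    steps:
      # No `ref` is set, so checkout uses the event's default ref; under
      # pull_request_target that is the base branch rather than the PR head.
      # persist-credentials: false keeps the token out of the checkout's git config.
      - name: Check out the PR at the base commit
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false
          path: trusted
          sparse-checkout: ci

      - name: Install Nix
        uses: cachix/install-nix-action@fd24c48048070c1be9acd18c9d369a83f0fe94d7 # v31

      # Builds the scripts later invoked as result/bin/*.sh from the checkout above.
      - name: Build the requestReviews derivation
        run: nix-build trusted/ci -A requestReviews

      # For requesting reviewers, this job depends on a GitHub App with the following permissions:
      # - Permissions:
      #   - Repository > Administration: read-only
      #   - Organization > Members: read-only
      #   - Repository > Pull Requests: read-write
      # - Install App on this repository, setting these variables:
      #   - OWNER_APP_ID (variable)
      #   - OWNER_APP_PRIVATE_KEY (secret)
      #
      # Can't use the token received from permissions above, because it can't get enough permissions.
      #
      # The permission-* inputs narrow the minted token to the three scopes listed above.
      - uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
        if: github.event_name == 'pull_request_target' && vars.OWNER_APP_ID
        id: app-token
        with:
          app-id: ${{ vars.OWNER_APP_ID }}
          private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
          permission-administration: read
          permission-members: read
          permission-pull-requests: write

      - name: Log current API rate limits (app-token)
        if: ${{ steps.app-token.outputs.token }}
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: gh api /rate_limit | jq

      # Event fields are passed through env and quoted in the command line
      # instead of being expanded into the script text.
      - name: Requesting code owner reviews
        if: steps.app-token.outputs.token
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          REPOSITORY: ${{ github.repository }}
          NUMBER: ${{ github.event.number }}
          # Don't do anything on draft PRs
          DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}
        run: result/bin/request-code-owner-reviews.sh "$REPOSITORY" "$NUMBER" ci/OWNERS

      - name: Log current API rate limits (app-token)
        if: ${{ steps.app-token.outputs.token }}
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: gh api /rate_limit | jq

      - name: Log current API rate limits (github.token)
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh api /rate_limit | jq

      # In the regular case, this workflow is called via workflow_call from the eval workflow directly.
      # In the more special case, when a PR is undrafted an eval run will have started already.
      - name: Wait for comparison to be done
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        id: eval
        env:
          ARTIFACT: ${{ inputs.artifact-prefix }}comparison
        with:
          script: |
            const runs = (await github.rest.actions.listWorkflowRuns({
              owner: context.repo.owner,
              repo: context.repo.repo,
              workflow_id: context.eventName === 'pull_request' ? 'test.yml' : 'pr.yml',
              event: context.eventName,
              head_sha: context.payload.pull_request.head.sha
            })).data.workflow_runs

            // Fail with a clear message instead of a TypeError when no run matches.
            if (runs.length === 0) throw new Error("No workflow run found for the PR head commit.")
            const run_id = runs[0].id

            core.setOutput('run-id', run_id)

            // Waiting 120 * 5 sec = 10 min. max.
            // The extreme case is an Eval run that just started when the PR is undrafted.
            // Eval takes max 5-6 minutes, normally.
            for (let i = 0; i < 120; i++) {
              const result = await github.rest.actions.listWorkflowRunArtifacts({
                owner: context.repo.owner,
                repo: context.repo.repo,
                run_id,
                name: process.env.ARTIFACT,
              })
              if (result.data.total_count > 0) return
              await new Promise(resolve => setTimeout(resolve, 5000))
            }
            throw new Error("No comparison artifact found.")

      - name: Log current API rate limits (github.token)
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh api /rate_limit | jq

      # The artifact is fetched from the run selected above using github.token,
      # not the app token.
      - name: Download the comparison results
        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
        with:
          run-id: ${{ steps.eval.outputs.run-id }}
          github-token: ${{ github.token }}
          pattern: ${{ inputs.artifact-prefix }}comparison
          path: comparison
          merge-multiple: true

      - name: Log current API rate limits (app-token)
        if: ${{ steps.app-token.outputs.token }}
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: gh api /rate_limit | jq

      - name: Log current API rate limits (github.token)
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh api /rate_limit | jq

      # User lookups run with github.token; only the final request-reviewers.sh
      # call is given the app token.
      - name: Requesting maintainer reviews
        if: ${{ steps.app-token.outputs.token }}
        env:
          GH_TOKEN: ${{ github.token }}
          APP_GH_TOKEN: ${{ steps.app-token.outputs.token }}
          REPOSITORY: ${{ github.repository }}
          NUMBER: ${{ github.event.number }}
          AUTHOR: ${{ github.event.pull_request.user.login }}
          # Don't request reviewers on draft PRs
          DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}
        run: |
          # maintainers.json contains GitHub IDs. Look up handles to request reviews from.
          # There appears to be no API to request reviews based on GitHub IDs
          #
          # The artifact is derived from the PR, so only purely numeric keys are
          # passed on; any other key would be spliced into the API path below.
          jq -r 'keys[] | select(test("^[0-9]+$"))' comparison/maintainers.json \
            | while read -r id; do gh api /user/"$id" --jq .login; done \
            | GH_TOKEN="$APP_GH_TOKEN" result/bin/request-reviewers.sh "$REPOSITORY" "$NUMBER" "$AUTHOR"

      - name: Log current API rate limits (app-token)
        if: ${{ steps.app-token.outputs.token }}
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: gh api /rate_limit | jq

      - name: Log current API rate limits (github.token)
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh api /rate_limit | jq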