From 856b5cb816af48ca8bdfb9a576d09c22c63805dd Mon Sep 17 00:00:00 2001
From: Matthew Ball
Date: Wed, 11 Mar 2026 05:26:24 -0700
Subject: [PATCH 1/5] added workflow to automatically execute prs in texera
---
.github/workflows/github-action-build.yml | 45 ++++++++++++++++++++++-
1 file changed, 44 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/github-action-build.yml b/.github/workflows/github-action-build.yml
index af2a60920d5..f810ec91f3d 100644
--- a/.github/workflows/github-action-build.yml
+++ b/.github/workflows/github-action-build.yml
@@ -26,6 +26,7 @@ on: - 'ci-enable/**' - 'main' pull_request: + types: [opened, synchronize, reopened] workflow_dispatch: concurrency:
@@ -33,7 +34,48 @@ concurrency: cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} jobs: + check-permissions: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v5 + with: + fetch-depth: 0 + - name: Get changed files + id: changed-files + run: | + if [ "${{ github.event_name }}" == "pull_request" ]; then + CHANGED=$(git diff --name-only origin/${{ github.base_ref }}...HEAD | grep -c "^\.github/workflows/github-action-build\.yml$" || true) + if [ "$CHANGED" -gt "0" ]; then + echo "any_changed=true" >> $GITHUB_OUTPUT + else + echo "any_changed=false" >> $GITHUB_OUTPUT + fi + else + echo "any_changed=false" >> $GITHUB_OUTPUT + fi + - name: Check if actor is a committer + id: check-committer + if: steps.changed-files.outputs.any_changed == 'true' + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + PERMISSION=$(gh api repos/${{ github.repository }}/collaborators/${{ github.actor }}/permission --jq '.permission' 2>/dev/null || echo "none") + if [[ "$PERMISSION" == "admin" || "$PERMISSION" == "maintain" || "$PERMISSION" == "write" ]]; then + echo "is_committer=true" >> $GITHUB_OUTPUT + else + echo "is_committer=false" >> $GITHUB_OUTPUT + fi + - name: Require approval if workflow changed + if: | + steps.changed-files.outputs.any_changed == 'true' && + steps.check-committer.outputs.is_committer == 'false' + run: | + echo "::error::This PR modifies the build workflow. A committer must review and re-run this workflow manually." + exit 1 + frontend: + needs: check-permissions runs-on: ${{ matrix.os }} strategy: matrix: @@ -81,6 +123,7 @@ jobs: run: yarn --cwd frontend run build:ci scala: + needs: check-permissions strategy: matrix: os: [ ubuntu-22.04 ] @@ -97,7 +140,6 @@ jobs: POSTGRES_PASSWORD: postgres ports: - 5432:5432 - # Add a health check so steps wait until Postgres is ready options: >- --health-cmd="pg_isready -U postgres" --health-interval=10s 
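Review bot: The `check-permissions` job added here lives in the workflow it is meant to protect, and on a `pull_request` event GitHub runs the PR's copy of `github-action-build.yml`, so a PR that edits this file also decides what, if anything, the `Require approval if workflow changed` step does; the job cannot enforce anything against the change it detects. That is tolerable only because `pull_request` runs get a read-only `GITHUB_TOKEN` and no secrets, which should be written down above the job, e.g. `# Advisory only: on pull_request the PR's copy of this file runs, so protection of .github/workflows relies on branch protection/CODEOWNERS and the fork-PR approval setting, not on this job.` The same limitation applies to `check-permisions.yml` in patch 3 and to the `pull_request` branch of `check-permissions` in patch 4. Separately, `2>/dev/null || echo "none"` on the `gh api` call makes an API failure (rate limit, token without access on a fork PR) indistinguishable from a non-committer — failing closed is right, but drop `2>/dev/null` so the cause reaches the log — and, as far as I know, the `permission` field only takes `admin`/`write`/`read`/`none` (`maintain` is surfaced in `role_name`), so that branch of the `[[ … ]]` never matches.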
@@ -145,6 +187,7 @@ jobs: run: sbt test python: + needs: check-permissions strategy: matrix: os: [ ubuntu-latest ]
From b1a0cf027aaa559a0f4ff00bab0126082ce49e90 Mon Sep 17 00:00:00 2001
From: Matthew Ball
Date: Wed, 11 Mar 2026 05:32:53 -0700
Subject: [PATCH 2/5] removed comment added back in
---
.github/workflows/github-action-build.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.github/workflows/github-action-build.yml b/.github/workflows/github-action-build.yml
index f810ec91f3d..a24adf7c4c6 100644
--- a/.github/workflows/github-action-build.yml
+++ b/.github/workflows/github-action-build.yml
@@ -140,6 +140,7 @@ jobs: POSTGRES_PASSWORD: postgres ports: - 5432:5432 + # Add a health check so steps wait until Postgres is ready options: >- --health-cmd="pg_isready -U postgres" --health-interval=10s
From a84a97afbf933bcade336c935b04a47e7a9866b1 Mon Sep 17 00:00:00 2001
From: Matthew Ball
Date: Thu, 12 Mar 2026 01:35:28 -0700
Subject: [PATCH 3/5] separated the check-permissions to have run workflow run button to show
---
.github/workflows/check-permisions.yml | 59 +++++++++++++++++++++++
.github/workflows/github-action-build.yml | 51 +++-----------------
2 files changed, 65 insertions(+), 45 deletions(-)
create mode 100644 .github/workflows/check-permisions.yml
diff --git a/.github/workflows/check-permisions.yml b/.github/workflows/check-permisions.yml
new file mode 100644
index 00000000000..ea47e68cd7c
--- /dev/null
+++ b/.github/workflows/check-permisions.yml
@@ -0,0 +1,59 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +name: Check Permissions + +on: + pull_request: + types: [opened, edited, synchronize, reopened] + +jobs: + check-permissions: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v5 + with: + fetch-depth: 0 + - name: Get changed files + id: changed-files + run: | + CHANGED=$(git diff --name-only origin/${{ github.base_ref }}...HEAD | grep -c "^\.github/workflows/github-action-build\.yml$" || true) + if [ "$CHANGED" -gt "0" ]; then + echo "any_changed=true" >> $GITHUB_OUTPUT + else + echo "any_changed=false" >> $GITHUB_OUTPUT + fi + - name: Check if actor is a committer + id: check-committer + if: steps.changed-files.outputs.any_changed == 'true' + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + PERMISSION=$(gh api repos/${{ github.repository }}/collaborators/${{ github.actor }}/permission --jq '.permission' 2>/dev/null || echo "none") + if [[ "$PERMISSION" == "admin" || "$PERMISSION" == "maintain" || "$PERMISSION" == "write" ]]; then + echo "is_committer=true" >> $GITHUB_OUTPUT + else + echo "is_committer=false" >> $GITHUB_OUTPUT + fi + - name: Require approval if workflow changed + if: | + steps.changed-files.outputs.any_changed == 
'true' && + steps.check-committer.outputs.is_committer == 'false' + run: | + echo "::error::This PR modifies the build workflow. A committer must review and re-run this workflow manually." + exit 1 \ No newline at end of file
diff --git a/.github/workflows/github-action-build.yml b/.github/workflows/github-action-build.yml
index a24adf7c4c6..af3313d9b6f 100644
--- a/.github/workflows/github-action-build.yml
+++ b/.github/workflows/github-action-build.yml
@@ -25,8 +25,9 @@ on: branches: - 'ci-enable/**' - 'main' - pull_request: - types: [opened, synchronize, reopened] + workflow_run: + workflows: ["Check Permissions"] + types: [completed] workflow_dispatch: concurrency:
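Review bot: Under `workflow_run` the build jobs execute in the default-branch context, so `github.sha` is the head of `main` and the three `actions/checkout` steps (none of which pass `ref:`) test that commit rather than the PR that "Check Permissions" just vetted; the gate and the build look at different code. These runs also receive the full `GITHUB_TOKEN` and repository secrets, which the `pull_request` trigger they replace did not. If this split is kept, each checkout needs `ref: ${{ github.event.workflow_run.head_sha }}` and the workflow needs a top-level `permissions:` with `contents: read`; note too that `workflow_run` only fires from the copy of this file on the default branch, so nothing will trigger until the change is merged.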
@@ -34,48 +35,8 @@ concurrency: cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} jobs: - check-permissions: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v5 - with: - fetch-depth: 0 - - name: Get changed files - id: changed-files - run: | - if [ "${{ github.event_name }}" == "pull_request" ]; then - CHANGED=$(git diff --name-only origin/${{ github.base_ref }}...HEAD | grep -c "^\.github/workflows/github-action-build\.yml$" || true) - if [ "$CHANGED" -gt "0" ]; then - echo "any_changed=true" >> $GITHUB_OUTPUT - else - echo "any_changed=false" >> $GITHUB_OUTPUT - fi - else - echo "any_changed=false" >> $GITHUB_OUTPUT - fi - - name: Check if actor is a committer - id: check-committer - if: steps.changed-files.outputs.any_changed == 'true' - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - PERMISSION=$(gh api repos/${{ github.repository }}/collaborators/${{ github.actor }}/permission --jq '.permission' 2>/dev/null || echo "none") - if [[ "$PERMISSION" == "admin" || "$PERMISSION" == "maintain" || "$PERMISSION" == "write" ]]; then - echo "is_committer=true" >> $GITHUB_OUTPUT - else - echo "is_committer=false" >> $GITHUB_OUTPUT - fi - - name: Require approval if workflow changed - if: | - steps.changed-files.outputs.any_changed == 'true' && - steps.check-committer.outputs.is_committer == 'false' - run: | - echo "::error::This PR modifies the build workflow. A committer must review and re-run this workflow manually." - exit 1 - frontend: - needs: check-permissions + if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success' }} runs-on: ${{ matrix.os }} strategy: matrix: @@ -123,7 +84,7 @@ jobs: run: yarn --cwd frontend run build:ci scala: - needs: check-permissions + if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success' }} strategy: matrix: os: [ ubuntu-22.04 ] 
@@ -188,7 +149,7 @@ jobs: run: sbt test python: - needs: check-permissions + if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success' }} strategy: matrix: os: [ ubuntu-latest ]
From 883ead3283bb2efd7c1ce5f89776ba3f8f210f6d Mon Sep 17 00:00:00 2001
From: Matthew Ball
Date: Thu, 12 Mar 2026 01:49:01 -0700
Subject: [PATCH 4/5] Add /safe-to-test comment trigger to allow committers to approve PRs that modify the build workflow
---
.github/workflows/check-permisions.yml | 59 -----------------
.github/workflows/github-action-build.yml | 79 +++++++++++++++++++++--
2 files changed, 73 insertions(+), 65 deletions(-)
delete mode 100644 .github/workflows/check-permisions.yml
diff --git a/.github/workflows/check-permisions.yml b/.github/workflows/check-permisions.yml
deleted file mode 100644
index ea47e68cd7c..00000000000
--- a/.github/workflows/check-permisions.yml
+++ /dev/null
@@ -1,59 +0,0 @@ -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. - -name: Check Permissions - -on: - pull_request: - types: [opened, edited, synchronize, reopened] - -jobs: - check-permissions: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v5 - with: - fetch-depth: 0 - - name: Get changed files - id: changed-files - run: | - CHANGED=$(git diff --name-only origin/${{ github.base_ref }}...HEAD | grep -c "^\.github/workflows/github-action-build\.yml$" || true) - if [ "$CHANGED" -gt "0" ]; then - echo "any_changed=true" >> $GITHUB_OUTPUT - else - echo "any_changed=false" >> $GITHUB_OUTPUT - fi - - name: Check if actor is a committer - id: check-committer - if: steps.changed-files.outputs.any_changed == 'true' - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - PERMISSION=$(gh api repos/${{ github.repository }}/collaborators/${{ github.actor }}/permission --jq '.permission' 2>/dev/null || echo "none") - if [[ "$PERMISSION" == "admin" || "$PERMISSION" == "maintain" || "$PERMISSION" == "write" ]]; then - echo "is_committer=true" >> $GITHUB_OUTPUT - else - echo "is_committer=false" >> $GITHUB_OUTPUT - fi - - name: Require approval if workflow changed - if: | - steps.changed-files.outputs.any_changed == 
'true' && - steps.check-committer.outputs.is_committer == 'false' - run: | - echo "::error::This PR modifies the build workflow. A committer must review and re-run this workflow manually." - exit 1 \ No newline at end of file
diff --git a/.github/workflows/github-action-build.yml b/.github/workflows/github-action-build.yml
index af3313d9b6f..c4fd3e94555 100644
--- a/.github/workflows/github-action-build.yml
+++ b/.github/workflows/github-action-build.yml
@@ -25,9 +25,10 @@ on: branches: - 'ci-enable/**' - 'main' - workflow_run: - workflows: ["Check Permissions"] - types: [completed] + pull_request: + types: [opened, edited, synchronize, reopened] + issue_comment: + types: [created] workflow_dispatch: concurrency:
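Review bot: An `issue_comment` run executes on the default branch with the repository's default `GITHUB_TOKEN` scope (write unless the repository restricts it) and with all secrets, and the `frontend`/`scala`/`python` jobs then check out and execute the PR head (`yarn`, `sbt test`); nothing in this diff sets `permissions:`, so unless a top-level block outside these hunks already does, add a workflow-level `permissions:` with `contents: read` and grant anything more per job only where needed. `issue_comment` also fires for comments on plain issues, so every comment now creates a run that the job-level `if:` immediately skips; that is tolerable, but the concurrency settings do not account for these runs — `github.ref` is the default branch for them, so `cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}` is false, and if the group key (outside this hunk) is derived from `github.ref` too, `/safe-to-test` approvals for different PRs will share one group. Something like `group: ${{ github.workflow }}-${{ github.event.issue.number || github.ref }}` keeps approvals for different PRs apart; confirm against the existing group expression.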
@@ -35,8 +36,66 @@ concurrency: cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} jobs: + check-permissions: + if: | + github.event_name == 'push' || + github.event_name == 'workflow_dispatch' || + github.event_name == 'pull_request' || + ( + github.event_name == 'issue_comment' && + github.event.issue.pull_request != null && + contains(github.event.comment.body, '/safe-to-test') + ) + runs-on: ubuntu-latest + outputs: + sha: ${{ steps.resolve.outputs.sha }} + steps: + - name: Resolve SHA + id: resolve + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + if [ "${{ github.event_name }}" == "issue_comment" ]; then + SHA=$(gh api repos/${{ github.repository }}/pulls/${{ github.event.issue.number }} --jq '.head.sha') + echo "sha=$SHA" >> $GITHUB_OUTPUT + else + echo "sha=${{ github.sha }}" >> $GITHUB_OUTPUT + fi + + - name: Checkout + uses: actions/checkout@v5 + with: + ref: ${{ steps.resolve.outputs.sha }} + fetch-depth: 0 + + - name: Check committer permission for /safe-to-test + if: github.event_name == 'issue_comment' + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + PERMISSION=$(gh api repos/${{ github.repository }}/collaborators/${{ github.actor }}/permission --jq '.permission' 2>/dev/null || echo "none") + if [[ "$PERMISSION" != "admin" && "$PERMISSION" != "maintain" && "$PERMISSION" != "write" ]]; then + echo "::error::Only committers can approve /safe-to-test." 
+ exit 1 + fi + + - name: Check if build workflow was modified by non-committer + if: github.event_name == 'pull_request' + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + CHANGED=$(git diff --name-only origin/${{ github.base_ref }}...HEAD | grep -c "^\.github/workflows/github-action-build\.yml$" || true) + if [ "$CHANGED" -gt "0" ]; then + PERMISSION=$(gh api repos/${{ github.repository }}/collaborators/${{ github.actor }}/permission --jq '.permission' 2>/dev/null || echo "none") + if [[ "$PERMISSION" != "admin" && "$PERMISSION" != "maintain" && "$PERMISSION" != "write" ]]; then + echo "::error::This PR modifies the build workflow. A committer must comment '/safe-to-test' on this PR to approve it." + exit 1 + fi + fi + frontend: - if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success' }} + needs: check-permissions + if: always() && needs.check-permissions.result == 'success' runs-on: ${{ matrix.os }} strategy: matrix: @@ -53,6 +112,8 @@ jobs: steps: - name: Checkout Texera uses: actions/checkout@v5 + with: + ref: ${{ needs.check-permissions.outputs.sha }} - name: Setup node uses: actions/setup-node@v5 with: @@ -84,7 +145,8 @@ jobs: run: yarn --cwd frontend run build:ci scala: - if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success' }} + needs: check-permissions + if: always() && needs.check-permissions.result == 'success' strategy: matrix: os: [ ubuntu-22.04 ] @@ -110,6 +172,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v5 + with: + ref: ${{ needs.check-permissions.outputs.sha }} - name: Setup JDK uses: actions/setup-java@v5 with: @@ -149,7 +213,8 @@ jobs: run: sbt test python: - if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success' }} + needs: check-permissions + if: always() && needs.check-permissions.result == 'success' strategy: matrix: os: [ ubuntu-latest ] 
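Review bot: `Resolve SHA` reads `.head.sha` when the job runs, not when the committer commented, so commits pushed after the `/safe-to-test` comment (or while the run is queued) are what the `frontend`/`scala`/`python` jobs check out and execute with this run's token and secrets. Require the approver to name the commit they reviewed (`/safe-to-test <sha>`) and fail unless the current head starts with it; a timestamp comparison would not do, since commit dates are author-controlled. Also fail explicitly when the `gh api` call yields an empty SHA — otherwise `ref: ''` on the later checkouts silently falls back to the default branch — pass the comment body through `env:` rather than `${{ }}` interpolation, and consider moving `Check committer permission for /safe-to-test` ahead of `Resolve SHA` and `Checkout` so nothing PR-controlled is fetched before the commenter is verified. The `with: ref:` additions in the three checkout hunks that follow need no change once this step is fixed.
```yaml
      - name: Resolve SHA
        id: resolve
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Pass the comment through the environment; never interpolate it into the script.
          COMMENT_BODY: ${{ github.event.comment.body }}
        run: |
          if [ "${{ github.event_name }}" == "issue_comment" ]; then
            SHA=$(gh api "repos/${{ github.repository }}/pulls/${{ github.event.issue.number }}" --jq '.head.sha')
            if [ -z "$SHA" ]; then
              echo "::error::Could not resolve the PR head SHA."
              exit 1
            fi
            # The approver must name the commit they reviewed; the head at run time may be newer than the comment.
            APPROVED=$(printf '%s' "$COMMENT_BODY" | grep -oE '/safe-to-test[[:space:]]+[0-9a-f]{7,40}' | head -n1 | awk '{print $2}' || true)
            if [ -z "$APPROVED" ] || [[ "$SHA" != "$APPROVED"* ]]; then
              echo "::error::/safe-to-test must name the reviewed commit (e.g. '/safe-to-test ${SHA:0:7}') and match the current PR head $SHA."
              exit 1
            fi
            echo "sha=$SHA" >> "$GITHUB_OUTPUT"
          else
            echo "sha=${{ github.sha }}" >> "$GITHUB_OUTPUT"
          fi
      # … unchanged: Checkout, committer permission check, modified-workflow check …
```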
@@ -158,6 +223,8 @@ jobs: steps: - name: Checkout Texera uses: actions/checkout@v5 + with: + ref: ${{ needs.check-permissions.outputs.sha }} - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v6 with:
From 4e54a7dc9b06e778e119e6f6bf43b6b514a935df Mon Sep 17 00:00:00 2001
From: Matthew Ball
Date: Thu, 12 Mar 2026 02:40:39 -0700
Subject: [PATCH 5/5] removed edtied tag
---
.github/workflows/github-action-build.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/github-action-build.yml b/.github/workflows/github-action-build.yml
index c4fd3e94555..6a9041b5c63 100644
--- a/.github/workflows/github-action-build.yml
+++ b/.github/workflows/github-action-build.yml
@@ -26,7 +26,7 @@ on: - 'ci-enable/**' - 'main' pull_request: - types: [opened, edited, synchronize, reopened] + types: [opened, synchronize, reopened] issue_comment: types: [created] workflow_dispatch: