From e0a359f659d5a9b88ddcd7756f1d2f6cf185f8ab Mon Sep 17 00:00:00 2001
From: ali
Date: Tue, 24 Feb 2026 13:58:14 -0800
Subject: [PATCH 1/9] fix: Postgres image tag

---
 bin/postgres17-pgroonga.dockerfile | 37 +++++++++--------------------
 1 file changed, 11 insertions(+), 26 deletions(-)

diff --git a/bin/postgres17-pgroonga.dockerfile b/bin/postgres17-pgroonga.dockerfile
index 04369728a68..f799c69e8ec 100644
--- a/bin/postgres17-pgroonga.dockerfile
+++ b/bin/postgres17-pgroonga.dockerfile
@@ -15,36 +15,21 @@
 # specific language governing permissions and limitations
 # under the License.
-FROM bitnami/postgresql:17.4.0-debian-12-r11
+FROM postgres:17-bookworm
-USER root
-
-# Install build tools and Groonga APT repo
-RUN install_packages \
-build-essential \
-git \
+# 1. Install prerequisites for adding the Groonga repository
+RUN apt-get update && apt-get install -y --no-install-recommends \
 wget \
-curl \
 ca-certificates \
-pkg-config \
-libmecab-dev \
-mecab \
-gnupg \
-libpq-dev
+&& rm -rf /var/lib/apt/lists/*
-# Add Groonga official APT repo
+# 2. Add Groonga official APT repo and install pre-compiled PGroonga for PGDG
 RUN wget https://packages.groonga.org/debian/groonga-apt-source-latest-bookworm.deb && \
 dpkg -i groonga-apt-source-latest-bookworm.deb && \
 apt-get update && \
-apt-get install -y \
-libgroonga-dev \
-groonga-tokenizer-mecab
-
-# Clone PGroonga with submodules and build it using Bitnami's pg_config
-RUN git clone --recursive https://github.com/pgroonga/pgroonga.git /tmp/pgroonga && \
-cd /tmp/pgroonga && \
-PG_CONFIG=/opt/bitnami/postgresql/bin/pg_config make && \
-PG_CONFIG=/opt/bitnami/postgresql/bin/pg_config make install && \
-rm -rf /tmp/pgroonga
-
-USER 1001
+apt-get install -y --no-install-recommends \
+postgresql-17-pgdg-pgroonga \
+groonga-tokenizer-mecab \
+mecab \
+&& rm -rf /var/lib/apt/lists/* \
+&& rm groonga-apt-source-latest-bookworm.deb
\ No newline at end of file
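Review bot: The `groonga-apt-source-latest-bookworm.deb` fetched by `wget` is handed straight to `dpkg -i` with no checksum or signature check, and that package is what installs the APT signing key used by the following `apt-get install`, so the trust root for every PGroonga package is an unverified download that can change under the `-latest-` URL at any time. Verify the artifact before installing it, e.g. `echo "<sha256 published by packages.groonga.org>  groonga-apt-source-latest-bookworm.deb" | sha256sum -c -` between the `wget` and the `dpkg -i`, or fetch it with `ADD --checksum=sha256:<digest>` under BuildKit. The base moved from the fully qualified `bitnami/postgresql:17.4.0-debian-12-r11` to the floating `postgres:17-bookworm`, and `postgresql-17-pgdg-pgroonga`, `groonga-tokenizer-mecab` and `mecab` are unpinned, so two builds of this file can produce different images; pin the base by digest and the packages with `=version` where the repo publishes stable versions. The official `postgres` image still starts as root and relies on its entrypoint to drop privileges, which differs from the Bitnami image's `USER 1001`; worth a comment so chart-side securityContext settings are adjusted deliberately.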
From 85a18f38dbb26f0690d720ffa8da1fc9ba7aa835 Mon Sep 17 00:00:00 2001
From: ali
Date: Wed, 25 Feb 2026 12:23:47 -0800
Subject: [PATCH 2/9] fix: Postgres image tag and registry

---
 .../access-control-service-deployment.yaml | 2 +-
 .../templates/config-service-deployment.yaml | 2 +-
 .../templates/example-data-loader-job.yaml | 2 +-
 .../templates/file-service-deployment.yaml | 2 +-
 bin/k8s/templates/webserver-deployment.yaml | 2 +-
 ...workflow-compiling-service-deployment.yaml | 2 +-
 ...low-computing-unit-manager-deployment.yaml | 4 +-
 ...mputing-unit-master-prepull-daemonset.yaml | 2 +-
 bin/k8s/values.yaml | 12 +++++--
 bin/postgres17-pgroonga.dockerfile | 35 -------------------
 10 files changed, 18 insertions(+), 47 deletions(-)
 delete mode 100644 bin/postgres17-pgroonga.dockerfile

diff --git a/bin/k8s/templates/access-control-service-deployment.yaml b/bin/k8s/templates/access-control-service-deployment.yaml
index adeca0b8bbf..1d6739e0349 100644
--- a/bin/k8s/templates/access-control-service-deployment.yaml
+++ b/bin/k8s/templates/access-control-service-deployment.yaml
@@ -34,7 +34,7 @@ spec:
 spec:
 containers:
 - name: {{ .Values.accessControlService.name }}
-image: {{ .Values.global.imageRegistry }}/{{ .Values.accessControlService.imageName }}:{{ .Values.global.imageTag }}
+image: {{ .Values.texera.imageRegistry }}/{{ .Values.accessControlService.imageName }}:{{ .Values.texera.imageTag }}
 imagePullPolicy: {{ .Values.texeraImages.pullPolicy }}
 ports:
 - containerPort: {{ .Values.accessControlService.service.port }}
diff --git a/bin/k8s/templates/config-service-deployment.yaml b/bin/k8s/templates/config-service-deployment.yaml
index 45f081b11d7..f0748785c3a 100644
--- a/bin/k8s/templates/config-service-deployment.yaml
+++ b/bin/k8s/templates/config-service-deployment.yaml
@@ -34,7 +34,7 @@ spec:
 spec:
 containers:
 - name: {{ .Values.configService.name }}
-image: {{ .Values.global.imageRegistry }}/{{ .Values.configService.imageName }}:{{ .Values.global.imageTag }}
+image: {{ .Values.texera.imageRegistry }}/{{ .Values.configService.imageName }}:{{ .Values.texera.imageTag }}
 imagePullPolicy: {{ .Values.texeraImages.pullPolicy }}
 ports:
 - containerPort: {{ .Values.configService.service.port }}
diff --git a/bin/k8s/templates/example-data-loader-job.yaml b/bin/k8s/templates/example-data-loader-job.yaml
index 9c5e0491389..15759be4097 100644
--- a/bin/k8s/templates/example-data-loader-job.yaml
+++ b/bin/k8s/templates/example-data-loader-job.yaml
@@ -30,7 +30,7 @@ spec:
 restartPolicy: Never
 containers:
 - name: example-data-loader
-image: {{ .Values.global.imageRegistry }}/{{ .Values.exampleDataLoader.imageName }}:{{ .Values.global.imageTag }}
+image: {{ .Values.texera.imageRegistry }}/{{ .Values.exampleDataLoader.imageName }}:{{ .Values.texera.imageTag }}
 env:
 - name: TEXERA_EXAMPLE_USERNAME
 value: {{ .Values.exampleDataLoader.username }}
diff --git a/bin/k8s/templates/file-service-deployment.yaml b/bin/k8s/templates/file-service-deployment.yaml
index d7cfb7c1995..6c9a4041f98 100644
--- a/bin/k8s/templates/file-service-deployment.yaml
+++ b/bin/k8s/templates/file-service-deployment.yaml
@@ -34,7 +34,7 @@ spec:
 spec:
 containers:
 - name: {{ .Values.fileService.name }}
-image: {{ .Values.global.imageRegistry }}/{{ .Values.fileService.imageName }}:{{ .Values.global.imageTag }}
+image: {{ .Values.texera.imageRegistry }}/{{ .Values.fileService.imageName }}:{{ .Values.texera.imageTag }}
 imagePullPolicy: {{ .Values.texeraImages.pullPolicy }}
 ports:
 - containerPort: {{ .Values.fileService.service.port }}
diff --git a/bin/k8s/templates/webserver-deployment.yaml b/bin/k8s/templates/webserver-deployment.yaml
index 0c8656bfe8f..56642c54785 100644
--- a/bin/k8s/templates/webserver-deployment.yaml
+++ b/bin/k8s/templates/webserver-deployment.yaml
@@ -34,7 +34,7 @@ spec:
 spec:
 containers:
 - name: {{ .Values.webserver.name }}
-image: {{ .Values.global.imageRegistry }}/{{ .Values.webserver.imageName }}:{{ .Values.global.imageTag }}
+image: {{ .Values.texera.imageRegistry }}/{{ .Values.webserver.imageName }}:{{ .Values.texera.imageTag }}
 imagePullPolicy: {{ .Values.texeraImages.pullPolicy }}
 ports:
 - containerPort: {{ .Values.webserver.service.port }}
diff --git a/bin/k8s/templates/workflow-compiling-service-deployment.yaml b/bin/k8s/templates/workflow-compiling-service-deployment.yaml
index 4ab10e3f9bc..50a0a04e1b7 100644
--- a/bin/k8s/templates/workflow-compiling-service-deployment.yaml
+++ b/bin/k8s/templates/workflow-compiling-service-deployment.yaml
@@ -34,7 +34,7 @@ spec:
 spec:
 containers:
 - name: {{ .Values.workflowCompilingService.name }}
-image: {{ .Values.global.imageRegistry }}/{{ .Values.workflowCompilingService.imageName }}:{{ .Values.global.imageTag }}
+image: {{ .Values.texera.imageRegistry }}/{{ .Values.workflowCompilingService.imageName }}:{{ .Values.texera.imageTag }}
 imagePullPolicy: {{ .Values.texeraImages.pullPolicy }}
 ports:
 - containerPort: {{ .Values.workflowCompilingService.service.port }}
diff --git a/bin/k8s/templates/workflow-computing-unit-manager-deployment.yaml b/bin/k8s/templates/workflow-computing-unit-manager-deployment.yaml
index 75e5e76b30a..5241d9160a3 100644
--- a/bin/k8s/templates/workflow-computing-unit-manager-deployment.yaml
+++ b/bin/k8s/templates/workflow-computing-unit-manager-deployment.yaml
@@ -35,7 +35,7 @@ spec:
 serviceAccountName: {{ .Values.workflowComputingUnitManager.serviceAccountName }}
 containers:
 - name: {{ .Values.workflowComputingUnitManager.name }}
-image: {{ .Values.global.imageRegistry }}/{{ .Values.workflowComputingUnitManager.imageName }}:{{ .Values.global.imageTag }}
+image: {{ .Values.texera.imageRegistry }}/{{ .Values.workflowComputingUnitManager.imageName }}:{{ .Values.texera.imageTag }}
 imagePullPolicy: {{ .Values.texeraImages.pullPolicy }}
 ports:
 - containerPort: {{ .Values.workflowComputingUnitManager.service.port }}
@@ -46,7 +46,7 @@ spec:
 - name: KUBERNETES_COMPUTE_UNIT_SERVICE_NAME
 value: {{ .Values.workflowComputingUnitPool.name }}-svc
 - name: KUBERNETES_IMAGE_NAME
-value: {{ .Values.global.imageRegistry }}/{{ .Values.workflowComputingUnitPool.imageName }}:{{ .Values.global.imageTag }}
+value: {{ .Values.texera.imageRegistry }}/{{ .Values.workflowComputingUnitPool.imageName }}:{{ .Values.texera.imageTag }}
 # TexeraDB Access
 - name: STORAGE_JDBC_URL
 value: jdbc:postgresql://{{ .Release.Name }}-postgresql:5432/texera_db?currentSchema=texera_db,public
diff --git a/bin/k8s/templates/workflow-computing-unit-master-prepull-daemonset.yaml b/bin/k8s/templates/workflow-computing-unit-master-prepull-daemonset.yaml
index b4a8d6634db..4edc0104a89 100644
--- a/bin/k8s/templates/workflow-computing-unit-master-prepull-daemonset.yaml
+++ b/bin/k8s/templates/workflow-computing-unit-master-prepull-daemonset.yaml
@@ -36,7 +36,7 @@ spec:
 - operator: "Exists"
 initContainers:
 - name: prepuller
-image: {{ .Values.global.imageRegistry }}/{{ .Values.workflowComputingUnitPool.imageName }}:{{ .Values.global.imageTag }}
+image: {{ .Values.texera.imageRegistry }}/{{ .Values.workflowComputingUnitPool.imageName }}:{{ .Values.texera.imageTag }}
 imagePullPolicy: Always
 command: ["sh", "-c", "true"]
 containers:
diff --git a/bin/k8s/values.yaml b/bin/k8s/values.yaml
index 3e612ef40f5..7558591c4dd 100644
--- a/bin/k8s/values.yaml
+++ b/bin/k8s/values.yaml
@@ -15,13 +15,16 @@
 # specific language governing permissions and limitations
 # under the License.
-global:
+texera:
 # Container image registry and tag for all Texera services
 # Override these to use a different registry or version
 imageRegistry: ghcr.io/apache
 imageTag: latest
+
+global:
+# Required by Bitnami sub-charts (postgresql, minio) to allow custom images
 security:
-allowInsecureImages: true # for custom postgres image
+allowInsecureImages: true
 # Persistence Configuration
 # This controls how Persistent Volumes (PVs) and Persistent Volume Claims (PVCs) are managed
@@ -37,12 +40,15 @@ persistence:
 # Part 1: the configuration of Postgres, Minio and LakeFS
 postgresql:
 image:
-repository: texera/postgres17-pgroonga
+repository: groonga/pgroonga
 tag: latest
 debug: true
 auth:
 postgresPassword: root_password # for executing init script with superuser
 primary:
+containerSecurityContext:
+# Disabled because groonga/pgroonga needs to write a lock/socket file to /var/run/postgresql
+readOnlyRootFilesystem: false
 livenessProbe:
 initialDelaySeconds: 30 # increase this if the launching of postgresql is slow on the cluster
 readinessProbe:
diff --git a/bin/postgres17-pgroonga.dockerfile b/bin/postgres17-pgroonga.dockerfile
deleted file mode 100644
index f799c69e8ec..00000000000
--- a/bin/postgres17-pgroonga.dockerfile
+++ /dev/null
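Review bot: `repository: groonga/pgroonga` combined with the unchanged `tag: latest` pins the database that holds user credentials to a floating third-party Docker Hub tag, so any pod restart may pull a different PostgreSQL/PGroonga build and the chart no longer reproduces; pin a specific version tag (ideally `image.digest` as well) — the previous `texera/postgres17-pgroonga` value at least tracked an image this repository built and reviewed itself. `readOnlyRootFilesystem: false` relaxes the hardened default for the whole primary container to satisfy one writable path; if the bundled Bitnami chart exposes `primary.extraVolumes`/`primary.extraVolumeMounts` (confirm against the chart version in use), an `emptyDir` mounted at `/var/run/postgresql` keeps the root filesystem read-only and the comment can say so. The new comment on `allowInsecureImages: true` explains why it is needed, but it should also say that this disables the Bitnami sub-charts' image-origin check for minio too, so operators overriding `postgresql.image` know the guard is off chart-wide.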
@@ -1,35 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-FROM postgres:17-bookworm
-
-# 1. Install prerequisites for adding the Groonga repository
-RUN apt-get update && apt-get install -y --no-install-recommends \
-wget \
-ca-certificates \
-&& rm -rf /var/lib/apt/lists/*
-
-# 2. Add Groonga official APT repo and install pre-compiled PGroonga for PGDG
-RUN wget https://packages.groonga.org/debian/groonga-apt-source-latest-bookworm.deb && \
-dpkg -i groonga-apt-source-latest-bookworm.deb && \
-apt-get update && \
-apt-get install -y --no-install-recommends \
-postgresql-17-pgdg-pgroonga \
-groonga-tokenizer-mecab \
-mecab \
-&& rm -rf /var/lib/apt/lists/* \
-&& rm groonga-apt-source-latest-bookworm.deb
\ No newline at end of file
From e4a844f027a05c8dc59cf7a9febf4e17e80ec664 Mon Sep 17 00:00:00 2001
From: ali
Date: Tue, 3 Mar 2026 12:13:28 -0800
Subject: [PATCH 3/9] fix: header name

---
 bin/k8s/templates/gateway-security-policy.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bin/k8s/templates/gateway-security-policy.yaml b/bin/k8s/templates/gateway-security-policy.yaml
index ad2f5684e58..4128b5f3d89 100644
--- a/bin/k8s/templates/gateway-security-policy.yaml
+++ b/bin/k8s/templates/gateway-security-policy.yaml
@@ -32,7 +32,7 @@ spec:
 port: {{ .Values.accessControlService.service.port }}
 path: /api/auth
 headersToBackend:
-- x-user-cu-access
+- x-user-computing-unit-access
 - x-user-id
 - x-user-name
 - x-user-email
From 856b5cb816af48ca8bdfb9a576d09c22c63805dd Mon Sep 17 00:00:00 2001
From: Matthew Ball
Date: Wed, 11 Mar 2026 05:26:24 -0700
Subject: [PATCH 4/9] added workflow to automatically execute prs in texera

---
 .github/workflows/github-action-build.yml | 45 ++++++++++++++++++++++-
 1 file changed, 44 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/github-action-build.yml b/.github/workflows/github-action-build.yml
index af2a60920d5..f810ec91f3d 100644
--- a/.github/workflows/github-action-build.yml
+++ b/.github/workflows/github-action-build.yml
@@ -26,6 +26,7 @@ on:
 - 'ci-enable/**'
 - 'main'
 pull_request:
+types: [opened, synchronize, reopened]
 workflow_dispatch:
 concurrency:
@@ -33,7 +34,48 @@ concurrency:
 cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
 jobs:
+check-permissions:
+runs-on: ubuntu-latest
+steps:
+- name: Checkout
+uses: actions/checkout@v5
+with:
+fetch-depth: 0
+- name: Get changed files
+id: changed-files
+run: |
+if [ "${{ github.event_name }}" == "pull_request" ]; then
+CHANGED=$(git diff --name-only origin/${{ github.base_ref }}...HEAD | grep -c "^\.github/workflows/github-action-build\.yml$" || true)
+if [ "$CHANGED" -gt "0" ]; then
+echo "any_changed=true" >> $GITHUB_OUTPUT
+else
+echo "any_changed=false" >> $GITHUB_OUTPUT
+fi
+else
+echo "any_changed=false" >> $GITHUB_OUTPUT
+fi
+- name: Check if actor is a committer
+id: check-committer
+if: steps.changed-files.outputs.any_changed == 'true'
+env:
+GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+run: |
+PERMISSION=$(gh api repos/${{ github.repository }}/collaborators/${{ github.actor }}/permission --jq '.permission' 2>/dev/null || echo "none")
+if [[ "$PERMISSION" == "admin" || "$PERMISSION" == "maintain" || "$PERMISSION" == "write" ]]; then
+echo "is_committer=true" >> $GITHUB_OUTPUT
+else
+echo "is_committer=false" >> $GITHUB_OUTPUT
+fi
+- name: Require approval if workflow changed
+if: |
+steps.changed-files.outputs.any_changed == 'true' &&
+steps.check-committer.outputs.is_committer == 'false'
+run: |
+echo "::error::This PR modifies the build workflow. A committer must review and re-run this workflow manually."
+exit 1
+
 frontend:
+needs: check-permissions
 runs-on: ${{ matrix.os }}
 strategy:
 matrix:
@@ -81,6 +123,7 @@ jobs:
 run: yarn --cwd frontend run build:ci
 scala:
+needs: check-permissions
 strategy:
 matrix:
 os: [ ubuntu-22.04 ]
@@ -97,7 +140,6 @@ jobs:
 POSTGRES_PASSWORD: postgres
 ports:
 - 5432:5432
-# Add a health check so steps wait until Postgres is ready
 options: >-
 --health-cmd="pg_isready -U postgres"
 --health-interval=10s
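Review bot: The `check-permissions` job is evaluated from the PR's own copy of this workflow, because `pull_request` runs the workflow file at the head commit, so a non-committer who edits `github-action-build.yml` can in the same PR also edit or delete the job that is meant to flag that edit; the gate only enforces itself when it lives somewhere the PR cannot change, e.g. a branch-protection/CODEOWNERS rule requiring committer review for `.github/workflows/`, or a `pull_request_target` job that inspects the changed-file list through the API and never checks out PR code. The `2>/dev/null || echo "none"` fallback in `check-committer` folds any API failure (rate limit, token without the needed scope) into `is_committer=false`, which fails closed but silently; print the raw response before the comparison so a misconfigured token is distinguishable from a real non-committer. For fork PRs this event already runs without secrets and with a read-only `GITHUB_TOKEN`, so the practical exposure of the `pull_request` path is limited, which is worth stating in a comment above the job so the next reader knows what the gate does and does not protect. `fetch-depth: 0` clones the full history only to run one `git diff --name-only`; `fetch-depth` equal to the PR commit count, or the changed-files API, would do the same work cheaper.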
@@ -145,6 +187,7 @@ jobs:
 run: sbt test
 python:
+needs: check-permissions
 strategy:
 matrix:
 os: [ ubuntu-latest ]
From b1a0cf027aaa559a0f4ff00bab0126082ce49e90 Mon Sep 17 00:00:00 2001
From: Matthew Ball
Date: Wed, 11 Mar 2026 05:32:53 -0700
Subject: [PATCH 5/9] removed comment added back in

---
 .github/workflows/github-action-build.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/github-action-build.yml b/.github/workflows/github-action-build.yml
index f810ec91f3d..a24adf7c4c6 100644
--- a/.github/workflows/github-action-build.yml
+++ b/.github/workflows/github-action-build.yml
@@ -140,6 +140,7 @@ jobs:
 POSTGRES_PASSWORD: postgres
 ports:
 - 5432:5432
+# Add a health check so steps wait until Postgres is ready
 options: >-
 --health-cmd="pg_isready -U postgres"
 --health-interval=10s
From b5e902481795ea8a5da94ce82c49adc48c01a2c4 Mon Sep 17 00:00:00 2001
From: ali
Date: Wed, 11 Mar 2026 13:50:54 -0700
Subject: [PATCH 6/9] fix: image tags

---
 bin/k8s/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bin/k8s/values.yaml b/bin/k8s/values.yaml
index 7558591c4dd..ef46dfbef43 100644
--- a/bin/k8s/values.yaml
+++ b/bin/k8s/values.yaml
@@ -19,7 +19,7 @@ texera:
 # Container image registry and tag for all Texera services
 # Override these to use a different registry or version
 imageRegistry: ghcr.io/apache
-imageTag: latest
+imageTag: nightly
 global:
 # Required by Bitnami sub-charts (postgresql, minio) to allow custom images
From a84a97afbf933bcade336c935b04a47e7a9866b1 Mon Sep 17 00:00:00 2001
From: Matthew Ball
Date: Thu, 12 Mar 2026 01:35:28 -0700
Subject: [PATCH 7/9] separated the check-permissions to have run workflow run button to show

---
 .github/workflows/check-permisions.yml | 59 +++++++++++++++++++++++
 .github/workflows/github-action-build.yml | 51 +++----------------
 2 files changed, 65 insertions(+), 45 deletions(-)
 create mode 100644 .github/workflows/check-permisions.yml
diff --git a/.github/workflows/check-permisions.yml b/.github/workflows/check-permisions.yml
new file mode 100644
index 00000000000..ea47e68cd7c
--- /dev/null
+++ b/.github/workflows/check-permisions.yml
@@ -0,0 +1,59 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+name: Check Permissions
+
+on:
+pull_request:
+types: [opened, edited, synchronize, reopened]
+
+jobs:
+check-permissions:
+runs-on: ubuntu-latest
+steps:
+- name: Checkout
+uses: actions/checkout@v5
+with:
+fetch-depth: 0
+- name: Get changed files
+id: changed-files
+run: |
+CHANGED=$(git diff --name-only origin/${{ github.base_ref }}...HEAD | grep -c "^\.github/workflows/github-action-build\.yml$" || true)
+if [ "$CHANGED" -gt "0" ]; then
+echo "any_changed=true" >> $GITHUB_OUTPUT
+else
+echo "any_changed=false" >> $GITHUB_OUTPUT
+fi
+- name: Check if actor is a committer
+id: check-committer
+if: steps.changed-files.outputs.any_changed == 'true'
+env:
+GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+run: |
+PERMISSION=$(gh api repos/${{ github.repository }}/collaborators/${{ github.actor }}/permission --jq '.permission' 2>/dev/null || echo "none")
+if [[ "$PERMISSION" == "admin" || "$PERMISSION" == "maintain" || "$PERMISSION" == "write" ]]; then
+echo "is_committer=true" >> $GITHUB_OUTPUT
+else
+echo "is_committer=false" >> $GITHUB_OUTPUT
+fi
+- name: Require approval if workflow changed
+if: |
+steps.changed-files.outputs.any_changed == 'true' &&
+steps.check-committer.outputs.is_committer == 'false'
+run: |
+echo "::error::This PR modifies the build workflow. A committer must review and re-run this workflow manually."
+exit 1
\ No newline at end of file
diff --git a/.github/workflows/github-action-build.yml b/.github/workflows/github-action-build.yml
index a24adf7c4c6..af3313d9b6f 100644
--- a/.github/workflows/github-action-build.yml
+++ b/.github/workflows/github-action-build.yml
@@ -25,8 +25,9 @@ on:
 branches:
 - 'ci-enable/**'
 - 'main'
-pull_request:
-types: [opened, synchronize, reopened]
+workflow_run:
+workflows: ["Check Permissions"]
+types: [completed]
 workflow_dispatch:
 concurrency:
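Review bot: The new file is named `check-permisions.yml` (one `s` short), and although the build workflow references it by display name `Check Permissions` the typo will be copied into every future `workflows:` reference and log search; rename it to `check-permissions.yml` before anything else depends on the path. The grep pattern `^\.github/workflows/github-action-build\.yml$` watches only the build workflow, not this file, and because `pull_request` runs this workflow from the PR head, a PR that edits `check-permisions.yml` itself (for example removing the `exit 1`) passes the gate unchanged; add this file to the pattern, e.g. `grep -cE "^\.github/workflows/(github-action-build|check-permissions)\.yml$"`, and back it with a branch-protection or CODEOWNERS rule on `.github/workflows/`. `types: [opened, edited, synchronize, reopened]` adds `edited`, which fires on title and body edits and triggers a full `fetch-depth: 0` clone with no code change; drop it unless the job is meant to react to description edits.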
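Review bot: Under the `workflow_run` trigger `github.sha` and `github.ref` refer to the default branch, not the PR head, so the `frontend`, `scala` and `python` jobs gated in `@@ -34,48 +35,8 @@`, `@@ -123,7 +84,7 @@` and `@@ -188,7 +149,7 @@` check out and test `main` rather than the pull request that triggered the run; the PR commit has to be taken from `github.event.workflow_run.head_sha` and passed to `actions/checkout` via `ref:`. Because `workflow_run` always executes in the base repository with its secrets, fixing that checkout also means the permission decision must not be trusted from a workflow the PR can edit: `Check Permissions` runs on `pull_request` from the PR head, so `github.event.workflow_run.conclusion == 'success'` is controlled by the PR author, and the committer check would need to run inside this workflow before the checkout. `cancel-in-progress` in the `concurrency` context line keys on `github.ref`, which under `workflow_run` is the default branch for every PR, so concurrent PR runs would cancel each other; that line is outside the hunk but is affected by the trigger change.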
@@ -34,48 +35,8 @@ concurrency:
 cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
 jobs:
-check-permissions:
-runs-on: ubuntu-latest
-steps:
-- name: Checkout
-uses: actions/checkout@v5
-with:
-fetch-depth: 0
-- name: Get changed files
-id: changed-files
-run: |
-if [ "${{ github.event_name }}" == "pull_request" ]; then
-CHANGED=$(git diff --name-only origin/${{ github.base_ref }}...HEAD | grep -c "^\.github/workflows/github-action-build\.yml$" || true)
-if [ "$CHANGED" -gt "0" ]; then
-echo "any_changed=true" >> $GITHUB_OUTPUT
-else
-echo "any_changed=false" >> $GITHUB_OUTPUT
-fi
-else
-echo "any_changed=false" >> $GITHUB_OUTPUT
-fi
-- name: Check if actor is a committer
-id: check-committer
-if: steps.changed-files.outputs.any_changed == 'true'
-env:
-GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-run: |
-PERMISSION=$(gh api repos/${{ github.repository }}/collaborators/${{ github.actor }}/permission --jq '.permission' 2>/dev/null || echo "none")
-if [[ "$PERMISSION" == "admin" || "$PERMISSION" == "maintain" || "$PERMISSION" == "write" ]]; then
-echo "is_committer=true" >> $GITHUB_OUTPUT
-else
-echo "is_committer=false" >> $GITHUB_OUTPUT
-fi
-- name: Require approval if workflow changed
-if: |
-steps.changed-files.outputs.any_changed == 'true' &&
-steps.check-committer.outputs.is_committer == 'false'
-run: |
-echo "::error::This PR modifies the build workflow. A committer must review and re-run this workflow manually."
-exit 1
-
 frontend:
-needs: check-permissions
+if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success' }}
 runs-on: ${{ matrix.os }}
 strategy:
 matrix:
@@ -123,7 +84,7 @@ jobs:
 run: yarn --cwd frontend run build:ci
 scala:
-needs: check-permissions
+if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success' }}
 strategy:
 matrix:
 os: [ ubuntu-22.04 ]
@@ -188,7 +149,7 @@ jobs:
 run: sbt test
 python:
-needs: check-permissions
+if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success' }}
 strategy:
 matrix:
 os: [ ubuntu-latest ]
From 883ead3283bb2efd7c1ce5f89776ba3f8f210f6d Mon Sep 17 00:00:00 2001
From: Matthew Ball
Date: Thu, 12 Mar 2026 01:49:01 -0700
Subject: [PATCH 8/9] Add /safe-to-test comment trigger to allow committers to approve PRs that modify the build workflow

---
 .github/workflows/check-permisions.yml | 59 -----------------
 .github/workflows/github-action-build.yml | 79 +++++++++++++++++++++--
 2 files changed, 73 insertions(+), 65 deletions(-)
 delete mode 100644 .github/workflows/check-permisions.yml

diff --git a/.github/workflows/check-permisions.yml b/.github/workflows/check-permisions.yml
deleted file mode 100644
index ea47e68cd7c..00000000000
--- a/.github/workflows/check-permisions.yml
+++ /dev/null
@@ -1,59 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-name: Check Permissions
-
-on:
-pull_request:
-types: [opened, edited, synchronize, reopened]
-
-jobs:
-check-permissions:
-runs-on: ubuntu-latest
-steps:
-- name: Checkout
-uses: actions/checkout@v5
-with:
-fetch-depth: 0
-- name: Get changed files
-id: changed-files
-run: |
-CHANGED=$(git diff --name-only origin/${{ github.base_ref }}...HEAD | grep -c "^\.github/workflows/github-action-build\.yml$" || true)
-if [ "$CHANGED" -gt "0" ]; then
-echo "any_changed=true" >> $GITHUB_OUTPUT
-else
-echo "any_changed=false" >> $GITHUB_OUTPUT
-fi
-- name: Check if actor is a committer
-id: check-committer
-if: steps.changed-files.outputs.any_changed == 'true'
-env:
-GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-run: |
-PERMISSION=$(gh api repos/${{ github.repository }}/collaborators/${{ github.actor }}/permission --jq '.permission' 2>/dev/null || echo "none")
-if [[ "$PERMISSION" == "admin" || "$PERMISSION" == "maintain" || "$PERMISSION" == "write" ]]; then
-echo "is_committer=true" >> $GITHUB_OUTPUT
-else
-echo "is_committer=false" >> $GITHUB_OUTPUT
-fi
-- name: Require approval if workflow changed
-if: |
-steps.changed-files.outputs.any_changed == 'true' &&
-steps.check-committer.outputs.is_committer == 'false'
-run: |
-echo "::error::This PR modifies the build workflow. A committer must review and re-run this workflow manually."
-exit 1
\ No newline at end of file
diff --git a/.github/workflows/github-action-build.yml b/.github/workflows/github-action-build.yml
index af3313d9b6f..c4fd3e94555 100644
--- a/.github/workflows/github-action-build.yml
+++ b/.github/workflows/github-action-build.yml
@@ -25,9 +25,10 @@ on:
 branches:
 - 'ci-enable/**'
 - 'main'
-workflow_run:
-workflows: ["Check Permissions"]
-types: [completed]
+pull_request:
+types: [opened, edited, synchronize, reopened]
+issue_comment:
+types: [created]
 workflow_dispatch:
 concurrency:
@@ -35,8 +36,66 @@ concurrency:
 cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
 jobs:
+check-permissions:
+if: |
+github.event_name == 'push' ||
+github.event_name == 'workflow_dispatch' ||
+github.event_name == 'pull_request' ||
+(
+github.event_name == 'issue_comment' &&
+github.event.issue.pull_request != null &&
+contains(github.event.comment.body, '/safe-to-test')
+)
+runs-on: ubuntu-latest
+outputs:
+sha: ${{ steps.resolve.outputs.sha }}
+steps:
+- name: Resolve SHA
+id: resolve
+env:
+GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+run: |
+if [ "${{ github.event_name }}" == "issue_comment" ]; then
+SHA=$(gh api repos/${{ github.repository }}/pulls/${{ github.event.issue.number }} --jq '.head.sha')
+echo "sha=$SHA" >> $GITHUB_OUTPUT
+else
+echo "sha=${{ github.sha }}" >> $GITHUB_OUTPUT
+fi
+
+- name: Checkout
+uses: actions/checkout@v5
+with:
+ref: ${{ steps.resolve.outputs.sha }}
+fetch-depth: 0
+
+- name: Check committer permission for /safe-to-test
+if: github.event_name == 'issue_comment'
+env:
+GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+run: |
+PERMISSION=$(gh api repos/${{ github.repository }}/collaborators/${{ github.actor }}/permission --jq '.permission' 2>/dev/null || echo "none")
+if [[ "$PERMISSION" != "admin" && "$PERMISSION" != "maintain" && "$PERMISSION" != "write" ]]; then
+echo "::error::Only committers can approve /safe-to-test."
+exit 1
+fi
+
+- name: Check if build workflow was modified by non-committer
+if: github.event_name == 'pull_request'
+env:
+GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+run: |
+CHANGED=$(git diff --name-only origin/${{ github.base_ref }}...HEAD | grep -c "^\.github/workflows/github-action-build\.yml$" || true)
+if [ "$CHANGED" -gt "0" ]; then
+PERMISSION=$(gh api repos/${{ github.repository }}/collaborators/${{ github.actor }}/permission --jq '.permission' 2>/dev/null || echo "none")
+if [[ "$PERMISSION" != "admin" && "$PERMISSION" != "maintain" && "$PERMISSION" != "write" ]]; then
+echo "::error::This PR modifies the build workflow. A committer must comment '/safe-to-test' on this PR to approve it."
+exit 1
+fi
+fi
+
 frontend:
-if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success' }}
+needs: check-permissions
+if: always() && needs.check-permissions.result == 'success'
 runs-on: ${{ matrix.os }}
 strategy:
 matrix:
@@ -53,6 +112,8 @@ jobs:
 steps:
 - name: Checkout Texera
 uses: actions/checkout@v5
+with:
+ref: ${{ needs.check-permissions.outputs.sha }}
 - name: Setup node
 uses: actions/setup-node@v5
 with:
@@ -84,7 +145,8 @@ jobs:
 run: yarn --cwd frontend run build:ci
 scala:
-if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success' }}
+needs: check-permissions
+if: always() && needs.check-permissions.result == 'success'
 strategy:
 matrix:
 os: [ ubuntu-22.04 ]
@@ -110,6 +172,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v5
+with:
+ref: ${{ needs.check-permissions.outputs.sha }}
 - name: Setup JDK
 uses: actions/setup-java@v5
 with:
@@ -149,7 +213,8 @@ jobs:
 run: sbt test
 python:
-if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success' }}
+needs: check-permissions
+if: always() && needs.check-permissions.result == 'success'
 strategy:
 matrix:
 os: [ ubuntu-latest ]
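Review bot: On the `issue_comment` path the PR head is resolved when the job runs (`gh api .../pulls/N --jq '.head.sha'`), not when the committer wrote `/safe-to-test`, so a push to the PR between the comment and the job start is approved without anyone having looked at it; require the approved commit in the comment (`/safe-to-test <sha>`) and fail when `.head.sha` differs, or at minimum echo the resolved SHA so the approval is auditable in the log. Step order inside `check-permissions` fetches before it authorizes: `Checkout` of the resolved SHA with `fetch-depth: 0` runs before `Check committer permission for /safe-to-test`, so move the permission step ahead of the checkout and nothing from the PR touches the runner until the approver is verified. This trigger runs from the base branch with the base repository's `GITHUB_TOKEN` and the downstream `frontend`/`scala`/`python` jobs then build and test the fork's code, which is the intended trust handoff; the workflow should therefore carry a top-level `permissions: contents: read` (not visible in this hunk — add it if the file has none) so that token cannot write to the repository while untrusted code runs. The `pull_request` branch of the gate (`Check if build workflow was modified by non-committer`) still executes from the PR's own copy of this file and can be removed by the PR author, so its comment should say it is advisory for fork PRs, where that event already has no secrets, and that the real enforcement is the `/safe-to-test` path.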
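Review bot: `actions/checkout@v5` with `ref: ${{ needs.check-permissions.outputs.sha }}` keeps the action's default `persist-credentials: true`, so the base repository's `GITHUB_TOKEN` is written into `.git/config` of a working tree that, after a `/safe-to-test` approval, contains fork code which the following `yarn`/`sbt`/`pip` steps execute; add `persist-credentials: false` under the same `with:` here (`@@ -53,6 +112,8 @@`) and in `@@ -110,6 +172,8 @@` and `@@ -158,6 +223,8 @@` (the last one on the next line). None of these jobs push, so nothing needs the token in the checkout.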
@@ -158,6 +223,8 @@ jobs:
 steps:
 - name: Checkout Texera
 uses: actions/checkout@v5
+with:
+ref: ${{ needs.check-permissions.outputs.sha }}
 - name: Set up Python ${{ matrix.python-version }}
 uses: actions/setup-python@v6
 with:
From 4e54a7dc9b06e778e119e6f6bf43b6b514a935df Mon Sep 17 00:00:00 2001
From: Matthew Ball
Date: Thu, 12 Mar 2026 02:40:39 -0700
Subject: [PATCH 9/9] removed edtied tag

---
 .github/workflows/github-action-build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/github-action-build.yml b/.github/workflows/github-action-build.yml
index c4fd3e94555..6a9041b5c63 100644
--- a/.github/workflows/github-action-build.yml
+++ b/.github/workflows/github-action-build.yml
@@ -26,7 +26,7 @@ on:
 - 'ci-enable/**'
 - 'main'
 pull_request:
-types: [opened, edited, synchronize, reopened]
+types: [opened, synchronize, reopened]
 issue_comment:
 types: [created]
 workflow_dispatch: