Skip to content

PS-11254: Build arm64 on fork PRs from percona org members#5994

Merged
nogueiraanderson merged 2 commits into
8.0from
PS-11254-fork-pr-arm64
Jun 5, 2026
Merged

PS-11254: Build arm64 on fork PRs from percona org members#5994
nogueiraanderson merged 2 commits into
8.0from
PS-11254-fork-pr-arm64

Conversation

@nogueiraanderson
Copy link
Copy Markdown
Contributor

@nogueiraanderson nogueiraanderson commented Jun 5, 2026
edited by atlassian Bot
Loading

Feature

  • Fork PRs to 8.0 build arm64 via pull_request_target, gated to percona org members.
  • Hetzner capacity sweeps cut 9 to 4, so the AWS Graviton fallback takes over in ~17m (was ~3h7m).

Why

  • GitHub withholds secrets from fork pull_request runs, so fork PRs could not provision the runner (Hetzner 401, empty AWS OIDC role).
  • MySQL devs work from forks with frequently-updated PRs, so the gate is org membership (author_association), not per-run approval.
  • Secret-bearing jobs do no checkout; build-arm64 checks out the fork head and holds no secrets, preserving the trust split.

Tickets

@nogueiraanderson
ci(build): cut Hetzner capacity sweeps 9 to 4 for faster AWS fallback
f65b3a3 
- pick-target: MAX_SWEEPS 9->4, BACKOFF_MIN (2 5 10 15 20 30 45 60)->(2 5 10)
- AWS Graviton EC2 fallback now fires after ~17m instead of ~3h7m
- pick-target timeout-minutes 240->30 to match the shorter sweep budget
- refresh stale ~3h7m and 9-sweep comments and step-summary strings

PS-11254
@nogueiraanderson
ci(build): gate fork-PR arm64 builds to percona org members
eb672de 
- add pull_request_target trigger so fork PRs resolve secrets in base-repo
  context (same-repo PRs stay on pull_request, no double-run)
- dispatch gate authorizes fork PRs only when the author is a percona org
  member (author_association MEMBER/OWNER/COLLABORATOR); no per-run approval
- build-arm64 checks out the fork head sha and holds no secrets, preserving
  the trust split (workflow + job permissions stay contents: read)
- scope concurrency group by event_name and make pull_request_target cancellable

PS-11254
inikep
inikep approved these changes Jun 5, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@inikep inikep left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@nogueiraanderson nogueiraanderson merged commit 63ef4e6 into 8.0 Jun 5, 2026
25 checks passed
@nogueiraanderson nogueiraanderson deleted the PS-11254-fork-pr-arm64 branch June 5, 2026 13:49
@nogueiraanderson nogueiraanderson mentioned this pull request Jun 5, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@inikep inikep inikep approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nogueiraanderson @inikep