Closed teor2345 closed 10 months ago
We're getting closer to the release candidate series, so this is a medium priority now.
Attracting external developers is not one of the goals of the release candidate, so this is a low priority.
Is it just as simple as skipping the CI Docker workflow or are there others that would need to be skipped?
How will this change affect the complexity of our CI rules and/or setup?
Is it just as simple as skipping the CI Docker workflow or are there others that would need to be skipped?
We'll also need to skip other workflows that write to our GitHub or Docker:
And avoid sending our GitHub access token to the protoc installer, by doing one of these things:
If we decide we really want one of these workflows to run, we can do the more complicated thing for it later.
How will this change affect the complexity of our CI rules and/or setup?
If we choose the simplest option, it is:
If we change the patch workflows, I don't think we even need to change Mergify at all. Which keeps things a lot simpler.
I'll be taking this into account for the redesign as we should really solve this for contributors.
Let's try to do this in 2023 Sprint 13 if we have time
This is a higher priority now we know QEDIT is going to start building on Zebra.
We don't want external PRs running on our Google Cloud, so we need to skip all those jobs. We want to skip release and deployment jobs as well, because they use secret keys.
All other jobs should be fixed if they don't work for external PRs.
While researching this (as I previously made changes to allow this behavior, by removing most secrets) I recently realized there's an open discussion as GitHub variables are impeding this from happening. And reverting from variables to fix values is a no-go: https://github.com/orgs/community/discussions/44322
In the meanwhile, the "best" approach is to request reviewers to trigger the actions after validating the proposed code, which would use the reviewer permissions.
I made this change as a workaround, and I'll be closing this ticket as not-planned for now.
What does this look like? Is there a test PR somewhere?
I've seen this in other open-source repos were I've contribute to. It's basically a button around here, asking for permissions to run the workflows
This fix does not work completely. Most CI runs successfully, but anything that uses Google Cloud doesn't work due to authentication issues. Let's test the next fix either before or after making it?
Here's a quick solution to this issue:
ZcashFoundation/zebra
, and add patch jobs (or change their run conditions)
Motivation
Currently, Zebra's CI fails on PRs from external contributors. This can be a really confusing and negative experience for a first-time contributor.
Example: (recent examples first) https://github.com/ZcashFoundation/zebra/pull/7516 https://github.com/ZcashFoundation/zebra/pull/4527
Jobs that need to be skipped
We don't want external PRs running on our Google Cloud, so we need to skip all those jobs. We want to skip release and deployment jobs as well, because they use secret keys.
See the full list here: https://github.com/ZcashFoundation/zebra/issues/4529#issuecomment-1396055038
Jobs that need to be fixed
All other jobs should be fixed if they don't work for external PRs.
Designs
We can skip some tests that would otherwise fail, because Mergify will catch them when it does a full test run. But we need to disable in-place merges to make sure Mergify does a separate run.
This is more secure, because we review code, approve it, then run Mergify on it.
Related Work
Our previous attempts to fix this issue didn't work:
3419