Tanish-NI
commented
2 weeks ago @Mattjet27 I think we should not remove the existing Pre Build and Pre Test workflows right away in this PR. Because still, some more testing needs to be done using these new workflows after this PR gets in. Once we test this new way of calling Azure pipelines, after that it seems more promising to remove the existing workflows.
What does this Pull Request accomplish?
The current GitHub workflow implementation is not capable of supporting contributions from outside contributors (externally forked repositories). However, this is unintended and outside contributions should be fully supported, as is outlined in CONTRIBUTING.md.
The Pre-Build and Pre-Test workflows on GitHub use Azure Token to call internal Azure Pipelines. This token is stored as a repository secret which cannot be accessed by PRs from forked repositories. When an external contributor raises a PR from their fork, these workflows will fail, blocking the necessary checks from running against their code.
Why should this Pull Request be merged?
Added 3 new workflows:-
The idea is to separate the PR Intake workflow from the PR Build workflow, as suggested in the GitHub Security Lab Article using the
workflow-runevent along withpull_request. But as in this caseworkflow_runevent will be triggered out of the context of thepull_requestworkflow to access the AzDo token, to communicate between these workflows, GitHub APIs are used.pr-intakeworkflow will be triggered when a PR is raised andpr-build&pr-testworkflow will be triggered whenpr-intakeworkflow is approved manually (as usinggh-action-testingenvironment) and starts running.pr-buildandpr-testwill call Azure pipelines. Andpr-intakeuses GitHub APIs to check status and conclusion of both runs.What testing has been done?
Pending, because of the Note mentioned in workflow_run GitHub documentation, the pr-build and pr-test workflows need to be in main to trigger them via workflow_run event. Hence, in this case, testing will be done after the PR went in the main (default branch).