Open matttrach opened 1 year ago
The dependabot PRs are running on both drone-pr and drone-publish, since they’re using branches on the main repo. We should update the drone config to not run publish CI on branches other than master and release-*
RKE2 Repos:
To implement this we need to add a when clause to the steps which points to the main/master and release-* branch. example:
when:
ref:
include:
- "refs/heads/master"
- "refs/heads/release-*"
The when
clause's main objects must all evaluate to true for the CI to run, but sub objects are OR
, so in the above example ref
must be true for the CI to run, but ref
= true if any of the include
items are true. This means that the CI will run if the ref
path includes refs/heads/master
OR refs/heads/release-*
.
The ref
object is not compatible with the event
tag
sub-object because tags are not associated with a branch. This means that if the when
clause includes and event
tag
object we should not add a ref
object, these carry the assumption that they are only on the master/main branch.
Most steps carry either the event
tag
or ref
objects already, so we can safely exclude those.
https://docs.drone.io/yaml/exec/#the-when-section https://docs.drone.io/yaml/exec/#the-conditions-object https://docs.drone.io/yaml/exec/#the-include-attribute https://docs.drone.io/yaml/exec/#the-ref-attribute https://docs.drone.io/yaml/exec/#the-event-enum https://docs.drone.io/pipeline/conditions/#by-branch
ref
is where the object comes from
branch
is where a pull
or push
wants to go to
The context of ref
is where the CI is pulling from, this is sent to Drone via the webhook.
The ref
will therefore be one of these three paths:
refs/heads/*
infers a push/merge event and the ref is a commit on the branch that accepted the mergerefs/tags/*
infers a tag event and the ref is to the tagrefs/pull/*
infers a pull_request event and the ref is to the special GitHub branch that contains the PR in your repoEvents (tag, push, pull_request) to Instances (PR, Publish)
tag
= Publish
, tag
!= PR
push
= Publish
, push
!= PR
pull_request
!= Publish
, pull_request
= PR
Publish
= tag
&& push
PR
= pull_request
Steps to Events:
tag
and push
events are sent to only the Publish
instancepull_request
events are sent to only the PR
instance
Refs to Events and Instances:
ref
is where (in Git history) the CI will pull from to run stepsrefs
: head
, tag
, and pull
ref
relates directly to the corresponding event type
push
event will have a head
ref
tag
event will have a tag
ref
pull_request
event will have a pull
ref
ref
type directly relates to event type then we can relate instance to ref
Steps to Refs:
tag
, pull
, and head
refs, but only for main/master and release branches (ex. build, test)tag
refs (ex. verify release)head
and pull
refs (ex. skip files)We can infer events and instances by ref, there is only one ref for a pipeline, so we can control any step by ref.
When Dependabot generates PRs they are running in both drone-publish and drone-pr. They should only be running on drone-publish.