diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 97e590c..9448f25 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,13 +2,10 @@ name: CI
 on:
- workflow_run:
- workflows: ["gate"]
- types: [requested, completed]
- # push:
- # branches: [ "main", "dev/robgruen/workflow_updates" ]
- # pull_request_target:
- # branches: [ "main" ]
+ push:
+ branches: [ "main" ]
+ pull_request_target:
+ branches: [ "main" ]
 workflow_dispatch: # manual run
 concurrency:
@@ -23,25 +20,8 @@ permissions:
 jobs:
- ci:
- environment:
- name: build-pipeline
- strategy:
- fail-fast: false
- matrix:
- os: [ubuntu-latest, windows-latest]
- python-version: ['3.12', '3.13', '3.14']
- task: [check, test, format]
- exclude:
- - os: windows-latest
- python-version: '3.13'
- - os: windows-latest
- python-version: '3.14'
- runs-on: ${{ matrix.os }}
- name: ${{ matrix.os }} ${{ matrix.task }} (py ${{ matrix.python-version }})
-
- # Only run this job if the Gate workflow succeeded or if manually triggered
- if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch' }}
+ permissions-check:
+ runs-on: ubuntu-latest
 steps:
 # The following two steps (permissions checks) ensure that only users with write access can run this workflow on a PR (except the merge queue bot)
@@ -66,6 +46,25 @@ jobs:
 echo "Job originally triggered by ${{ github.actor }}"
 exit 1
+ ci:
+ needs: permissions-check
+ environment:
+ name: build-pipeline
+ strategy:
+ fail-fast: false
+ matrix:
+ os: [ubuntu-latest, windows-latest]
+ python-version: ['3.12', '3.13', '3.14']
+ task: [check, test, format]
+ exclude:
+ - os: windows-latest
+ python-version: '3.13'
+ - os: windows-latest
+ python-version: '3.14'
+ runs-on: ${{ matrix.os }}
+ name: ${{ matrix.os }} ${{ matrix.task }} (py ${{ matrix.python-version }})
+
+ steps:
 - uses: actions/checkout@v4
 with:
 ref: ${{ github.event.pull_request.head.sha || github.ref }}
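Review bot: The `ci` job added in the third hunk runs the checked-out PR head (`ref: ${{ github.event.pull_request.head.sha || github.ref }}` in the trailing context) under `pull_request_target` with the `build-pipeline` environment, so `needs: permissions-check` is now the only thing keeping a fork PR's code away from repository secrets; the job carries no `if:` of its own and no job-level `permissions:`, so it inherits the workflow-level grant, which lies outside this hunk and cannot be checked here. I would add `permissions:` followed by `contents: read` on the `ci` job unless one of the check/test/format tasks is known to need more, and record the invariant above `needs:` with `# Security gate: pull_request_target checks out untrusted PR code with repo secrets; this job must never run unless permissions-check succeeded (do not add if: always() or continue-on-error).` Pinning `head.sha` rather than `head.ref` is the right choice and should be kept as the job evolves. The `ci` job's step list continues past the end of the hunk.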
diff --git a/.github/workflows/gate.yml b/.github/workflows/gate.yml
deleted file mode 100644
index 359e1af..0000000
--- a/.github/workflows/gate.yml
+++ /dev/null
@@ -1,45 +0,0 @@
-# .github/workflows/gate.yml
-name: gate
-
-on:
- pull_request_target:
- branches: [ "main" ]
- workflow_dispatch: # manual run
-
-concurrency:
- group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
- cancel-in-progress: true
-
-permissions:
- pull-requests: read
- contents: read
- id-token: write
-
-jobs:
- gate:
- name: gate
- runs-on: ubuntu-latest
- steps:
-
- # The following two steps (permissions checks) ensure that only users with write access can run this workflow on a PR (except the merge queue bot)
- # PRs from forks we check the permissions of the user that triggered the workflow (github.triggering_actor)
- # This means that if a user without write access opens a PR from a fork, they cannot run this workflow
- # Users with write access can still run this workflow on a PR from a fork
- # For PRs from the same repo, we allow the workflow to run as normal
- - name: Get User Permission
- if: ${{ github.event_name == 'pull_request_target' || github.triggering_actor != 'github-merge-queue[bot]' }}
- id: checkAccess
- uses: actions-cool/check-user-permission@v2
- with:
- require: write
- username: ${{ github.triggering_actor }}
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- - name: Check User Permission
- if: ${{ (github.event_name == 'pull_request_target' || github.triggering_actor != 'github-merge-queue[bot]') && steps.checkAccess.outputs.require-result == 'false' }}
- run: |
- echo "${{ github.triggering_actor }} does not have permissions on this repo."
- echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
- echo "Job originally triggered by ${{ github.actor }}"
- exit 1
-