[GHA] Fix e2e workflow for forks

kbenzie · kbenzie · commit 27d934c787a6 · 2024-06-10T10:27:07.000+01:00
This follows on from #1722 which set the `pull-request: write` permission on for the e2e workflows. However, this did not fully resolve the 403 issue, see [1], [2], and [3]. Those jobs have the following token permissions: ``` GITHUB_TOKEN Permissions Contents: read Metadata: read PullRequests: read ``` After some digging, I found a [post](https://stackoverflow.com/a/78444521) which notes that using the `pull_request` workflow trigger will never grant write permissions when the pull request comes from a public fork. The solution is to instead use the `pull_request_target` trigger, I found this [post](https://stackoverflow.com/a/74959635) helpful reading on the trade-offs of using this trigger. The main difference, other than allowing write permissions, is that the workflow config used comes from the pull request's base branch so does not include any workflow changes from the pull request. As such, in this patch I've split out the e2e workflows from our main build & test workflow to restrict the scope of jobs which may be granted write permissions. [1]: https://github.com/oneapi-src/unified-runtime/actions/runs/9417159892/job/25942801242?pr=1639 [2]: https://github.com/oneapi-src/unified-runtime/actions/runs/9417159892/job/25942802400?pr=1639 [3]: https://github.com/oneapi-src/unified-runtime/actions/runs/9417159892/job/25942803189?pr=1639
diff --git a/.github/workflows/cmake.yml b/.github/workflows/cmake.yml
@@ -8,7 +8,6 @@ concurrency:
 
 permissions:
   contents: read
-  pull-requests: write
 
 jobs:
   ubuntu-build:
@@ -192,30 +191,6 @@ jobs:
     with:
       name: NATIVE_CPU
 
-  e2e-level-zero:
-    name: E2E L0
-    permissions:
-      contents: read
-      pull-requests: write
-    needs: [ubuntu-build, level-zero]
-    uses: ./.github/workflows/e2e_level_zero.yml
-
-  e2e-opencl:
-    name: E2E OpenCL
-    permissions:
-      contents: read
-      pull-requests: write
-    needs: [ubuntu-build, opencl]
-    uses: ./.github/workflows/e2e_opencl.yml
-
-  e2e-cuda:
-    name: E2E CUDA
-    permissions:
-      contents: read
-      pull-requests: write
-    needs: [ubuntu-build, cuda]
-    uses: ./.github/workflows/e2e_cuda.yml
-
   windows-build:
     name: Build - Windows
     strategy:
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
@@ -0,0 +1,39 @@
+---
+name: SYCL E2E
+
+# The e2e workflow adds a comment to the pull request in the final step which
+# requires the pull-request: write permission.
+# When a pull request originates from a fork using the pull_request trigger
+# will never grant write permissions due to security concerns.
+# Instead, the pull_request_target trigger is necessary to be granted the
+# pull-request: write permission.
+on: [push, pull_request_target]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  e2e-level-zero:
+    name: E2E L0
+    permissions:
+      contents: read
+      pull-requests: write
+    needs: [ubuntu-build, level-zero]
+    uses: ./.github/workflows/e2e_level_zero.yml
+
+  e2e-opencl:
+    name: E2E OpenCL
+    permissions:
+      contents: read
+      pull-requests: write
+    needs: [ubuntu-build, opencl]
+    uses: ./.github/workflows/e2e_opencl.yml
+
+  e2e-cuda:
+    name: E2E CUDA
+    permissions:
+      contents: read
+      pull-requests: write
+    needs: [ubuntu-build, cuda]
+    uses: ./.github/workflows/e2e_cuda.yml
