|
1 | 1 | name: CI
|
2 | 2 |
|
3 |
| -on: [ push, pull_request ] |
| 3 | +on: |
| 4 | + pull_request: |
| 5 | + merge_group: |
4 | 6 |
|
5 | 7 | jobs:
|
6 |
| - ci: |
7 |
| - name: CI |
| 8 | + test: |
| 9 | + name: Test |
8 | 10 | runs-on: ubuntu-latest
|
9 | 11 | if: github.repository == 'rust-lang/team'
|
10 |
| - permissions: |
11 |
| - id-token: write |
12 |
| - pages: write |
13 | 12 | steps:
|
14 |
| - |
15 |
| - - uses: actions/checkout@main |
| 13 | + - uses: actions/checkout@v4 |
16 | 14 | with:
|
17 | 15 | fetch-depth: 50
|
18 | 16 |
|
|
23 | 21 | rustup default stable
|
24 | 22 | rustc -vV
|
25 | 23 |
|
26 |
| - - uses: Swatinem/rust-cache@v2 |
| 24 | + - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 |
27 | 25 |
|
28 | 26 | - name: Build the validation tool
|
29 | 27 | run: cargo build
|
@@ -52,36 +50,151 @@ jobs:
|
52 | 50 | run: echo "${{ github.event.pull_request.number }}" > build/pr.txt
|
53 | 51 |
|
54 | 52 | - name: Upload the built JSON as a GitHub artifact
|
55 |
| - if: ${{ github.event_name == 'pull_request' }} |
56 | 53 | uses: actions/upload-artifact@v4
|
57 | 54 | with:
|
58 | 55 | name: team-api-output
|
59 | 56 | path: build
|
| 57 | + deploy: |
| 58 | + name: Deploy |
| 59 | + needs: [ test ] |
| 60 | + runs-on: ubuntu-latest |
| 61 | + environment: deploy |
| 62 | + concurrency: deploy |
| 63 | + permissions: |
| 64 | + id-token: write |
| 65 | + pages: write |
| 66 | + if: github.event_name == 'merge_group' |
| 67 | + steps: |
| 68 | + - name: Download built JSON API and sync-team |
| 69 | + uses: actions/download-artifact@v4 |
| 70 | + with: |
| 71 | + name: team-api-output |
| 72 | + path: build |
60 | 73 |
|
61 | 74 | - name: Disable Jekyll
|
62 | 75 | run: touch build/.nojekyll
|
63 | 76 |
|
64 | 77 | - name: Upload GitHub pages artifact
|
65 |
| - if: github.event_name == 'push' && github.ref == 'refs/heads/master' |
66 | 78 | uses: actions/upload-pages-artifact@v3
|
67 | 79 | with:
|
68 | 80 | path: build
|
69 | 81 |
|
70 | 82 | - name: Deploy to GitHub Pages
|
71 |
| - if: github.event_name == 'push' && github.ref == 'refs/heads/master' |
72 | 83 | uses: actions/deploy-pages@v4
|
73 | 84 |
|
74 | 85 | - name: Configure AWS credentials
|
75 |
| - if: github.event_name == 'push' && github.ref == 'refs/heads/master' |
76 | 86 | uses: aws-actions/configure-aws-credentials@v1
|
77 | 87 | with:
|
78 | 88 | role-to-assume: arn:aws:iam::890664054962:role/ci--rust-lang--team
|
79 | 89 | aws-region: us-west-1
|
80 | 90 |
|
81 | 91 | - name: Start the synchronization tool
|
82 |
| - if: github.event_name == 'push' && github.ref == 'refs/heads/master' |
83 | 92 | run: |
|
84 | 93 | # Introduce some artificial delay to help github pages propagate.
|
85 | 94 | sleep 60
|
86 | 95 | aws --region us-west-1 lambda invoke --function-name start-sync-team output.json
|
87 | 96 | cat output.json | python3 -m json.tool
|
| 97 | +
|
| 98 | + # GitHub tokens generated from GitHub Apps can access resources from one organization, |
| 99 | + # so we need to generate a token for each organization. |
| 100 | + - name: Generate GitHub token (rust-lang) |
| 101 | + uses: actions/create-github-app-token@v1 |
| 102 | + id: rust-lang-token |
| 103 | + with: |
| 104 | + # GitHub App ID secret name |
| 105 | + app-id: ${{ secrets.SYNC_TEAM_GH_APP_READ_ID }} |
| 106 | + # GitHub App private key secret name |
| 107 | + private-key: ${{ secrets.SYNC_TEAM_GH_APP_READ_PRIVATE_KEY }} |
| 108 | + # Set the owner, so the token can be used in all repositories |
| 109 | + owner: rust-lang |
| 110 | + |
| 111 | + - name: Generate GitHub token (rust-lang-ci) |
| 112 | + uses: actions/create-github-app-token@v1 |
| 113 | + id: rust-lang-ci-token |
| 114 | + with: |
| 115 | + app-id: ${{ secrets.SYNC_TEAM_GH_APP_READ_ID }} |
| 116 | + private-key: ${{ secrets.SYNC_TEAM_GH_APP_READ_PRIVATE_KEY }} |
| 117 | + owner: rust-lang-ci |
| 118 | + |
| 119 | + - name: Generate GitHub token (rust-lang-deprecated) |
| 120 | + uses: actions/create-github-app-token@v1 |
| 121 | + id: rust-lang-deprecated-token |
| 122 | + with: |
| 123 | + app-id: ${{ secrets.SYNC_TEAM_GH_APP_READ_ID }} |
| 124 | + private-key: ${{ secrets.SYNC_TEAM_GH_APP_READ_PRIVATE_KEY }} |
| 125 | + owner: rust-lang-deprecated |
| 126 | + |
| 127 | + - name: Generate GitHub token (rust-lang-nursery) |
| 128 | + uses: actions/create-github-app-token@v1 |
| 129 | + id: rust-lang-nursery-token |
| 130 | + with: |
| 131 | + app-id: ${{ secrets.SYNC_TEAM_GH_APP_READ_ID }} |
| 132 | + private-key: ${{ secrets.SYNC_TEAM_GH_APP_READ_PRIVATE_KEY }} |
| 133 | + owner: rust-lang-nursery |
| 134 | + |
| 135 | + - name: Generate GitHub token (bors-rs) |
| 136 | + uses: actions/create-github-app-token@v1 |
| 137 | + id: bors-rs-token |
| 138 | + with: |
| 139 | + app-id: ${{ secrets.SYNC_TEAM_GH_APP_READ_ID }} |
| 140 | + private-key: ${{ secrets.SYNC_TEAM_GH_APP_READ_PRIVATE_KEY }} |
| 141 | + owner: bors-rs |
| 142 | + |
| 143 | + - name: Generate GitHub token (rust-analyzer) |
| 144 | + uses: actions/create-github-app-token@v1 |
| 145 | + id: rust-analyzer-token |
| 146 | + with: |
| 147 | + app-id: ${{ secrets.SYNC_TEAM_GH_APP_READ_ID }} |
| 148 | + private-key: ${{ secrets.SYNC_TEAM_GH_APP_READ_PRIVATE_KEY }} |
| 149 | + owner: rust-analyzer |
| 150 | + |
| 151 | + - name: Generate GitHub token (rust-embedded) |
| 152 | + uses: actions/create-github-app-token@v1 |
| 153 | + id: rust-embedded-token |
| 154 | + with: |
| 155 | + app-id: ${{ secrets.SYNC_TEAM_GH_APP_READ_ID }} |
| 156 | + private-key: ${{ secrets.SYNC_TEAM_GH_APP_READ_PRIVATE_KEY }} |
| 157 | + owner: rust-embedded |
| 158 | + |
| 159 | + - name: Generate GitHub token (rust-dev-tools) |
| 160 | + uses: actions/create-github-app-token@v1 |
| 161 | + id: rust-dev-tools-token |
| 162 | + with: |
| 163 | + app-id: ${{ secrets.SYNC_TEAM_GH_APP_READ_ID }} |
| 164 | + private-key: ${{ secrets.SYNC_TEAM_GH_APP_READ_PRIVATE_KEY }} |
| 165 | + owner: rust-dev-tools |
| 166 | + |
| 167 | + - uses: actions/checkout@v4 |
| 168 | + |
| 169 | + - name: Run sync-team (dry-run) |
| 170 | + env: |
| 171 | + GITHUB_TOKEN_RUST_LANG: ${{ steps.rust-lang-token.outputs.token }} |
| 172 | + GITHUB_TOKEN_RUST_LANG_CI: ${{ steps.rust-lang-ci-token.outputs.token }} |
| 173 | + GITHUB_TOKEN_RUST_LANG_DEPRECATED: ${{ steps.rust-lang-deprecated-token.outputs.token }} |
| 174 | + GITHUB_TOKEN_RUST_LANG_NURSERY: ${{ steps.rust-lang-nursery-token.outputs.token }} |
| 175 | + GITHUB_TOKEN_BORS_RS: ${{ steps.bors-rs-token.outputs.token }} |
| 176 | + GITHUB_TOKEN_RUST_ANALYZER: ${{ steps.rust-analyzer-token.outputs.token }} |
| 177 | + GITHUB_TOKEN_RUST_EMBEDDED: ${{ steps.rust-embedded-token.outputs.token }} |
| 178 | + GITHUB_TOKEN_RUST_DEV_TOOLS: ${{ steps.rust-dev-tools-token.outputs.token }} |
| 179 | + run: | |
| 180 | + cargo run --manifest-path sync-team/Cargo.toml \ |
| 181 | + print-plan --team-json build |
| 182 | +
|
| 183 | + # Summary job for the merge queue. |
| 184 | + # ALL THE PREVIOUS JOBS NEED TO BE ADDED TO THE `needs` SECTION OF THIS JOB! |
| 185 | + CI: |
| 186 | + needs: [ test, deploy ] |
| 187 | + # We need to ensure this job does *not* get skipped if its dependencies fail, |
| 188 | + # because a skipped job is considered a success by GitHub. So we have to |
| 189 | + # overwrite `if:`. We use `!cancelled()` to ensure the job does still not get run |
| 190 | + # when the workflow is canceled manually. |
| 191 | + if: ${{ !cancelled() }} |
| 192 | + runs-on: ubuntu-latest |
| 193 | + steps: |
| 194 | + # Manually check the status of all dependencies. `if: failure()` does not work. |
| 195 | + - name: Conclusion |
| 196 | + run: | |
| 197 | + # Print the dependent jobs to see them in the CI log |
| 198 | + jq -C <<< '${{ toJson(needs) }}' |
| 199 | + # Check if all jobs that we depend on (in the needs array) were successful. |
| 200 | + jq --exit-status 'all(.result == "success" or .result == "skipped")' <<< '${{ toJson(needs) }}' |
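Review bot: The new `deploy` job holds `id-token: write` and `pages: write`, assumes the AWS role and mints GitHub App tokens for eight organizations, yet every action it runs is referenced by a mutable tag (`actions/create-github-app-token@v1`, `aws-actions/configure-aws-credentials@v1`, `actions/deploy-pages@v4` and the others), while the test job pins `Swatinem/rust-cache` to a full commit SHA. A retagged release of any of these would run with the app private key and the OIDC token in scope, so the same pinning belongs here, e.g. `uses: actions/create-github-app-token@<full-commit-sha>  # v1` (placeholder; take the SHA from the release you have reviewed). Separately, `actions/checkout@v4` runs after the artifact has been downloaded into `build`. By default, checkout empties a workspace that is not already a clone of the repository, so `print-plan --team-json build` may find no `build` directory. Moving the checkout to the first step of the job would avoid that; this is worth confirming on a merge-queue run.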