feat: add contributor CI workflow for fork-friendly testing #192
abtreece wants to merge 1 commit into
Add a credentialless CI workflow that runs on contributor forks and PRs, enabling third-party contributors to validate their changes without access to project infrastructure.

- Contributor CI workflow (ci-cd-contributor) builds Ruby packages for two representative distributions (Ubuntu 24.04 and EL 9) with applicable variants and runs smoke tests
- ok-to-test label gate lets maintainers trigger the full CI pipeline; a label guard workflow removes the label on new pushes, requiring re-review before re-triggering
- Main CI/CD workflow restricted to upstream repository only
- Respects variant_exclusions from config.yml (skips malloctrim for Ruby >= 3.3)
- Test script fixes: createrepo -> createrepo_c, added adduser package
- Updated CONTRIBUTING.md with fork CI and local build/test docs
b39e09f to c5c0ec4
noahssarcastic left a comment
Looks good, reviewed with respect to pull_request and pull_request_target and all actions are safe from "pwn request" PRs. Added a couple of nitpick-type things; we may want to call out the use of pull_request and pull_request_target and other guard-rails in a comment to ensure they are not accidentally removed or modified.
| end | ||
|
|
||
| def latest_ruby_package_version | ||
| ruby_package_versions.first |
This is not explicitly enforced in the config; we could add a sort function on the list to enforce it, or at least leave a comment in the config file stating that we expect this ordering.
| @contributor_distributions ||= begin | ||
| names = config[:contributor_distributions] | ||
| return [] if names.nil? | ||
| names.map do |name| |
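Review bot: the `return [] if names.nil?` inside the `@contributor_distributions ||= begin` block exits the enclosing method before the `||=` assignment runs, so the instance variable stays nil and the nil case is re-evaluated on every call instead of being memoized. That is harmless for correctness but it is not what the `||=` implies to a reader. Consider defaulting the list instead, for example `names = config[:contributor_distributions] || []`, and dropping the early `return` so the empty result is cached like any other.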
Suggest refactoring this mapping code and the instance above to a single helper function to prevent drift in case the object structure changes.
| @@ -0,0 +1,34 @@ | |||
| name: 'CI/CD: label guard' | |||
Summary
Adds a credentialless CI workflow that runs on contributor forks and PRs, enabling third-party contributors to validate their changes without access to project infrastructure.
- ci-cd-contributor): Builds Ruby packages for two representative distributions (Ubuntu 24.04 and EL 9) with applicable variants and runs smoke tests. No cloud credentials or special setup needed.
- ok-to-test label gate: Maintainers can add the ok-to-test label to trigger the full CI pipeline (all distros, test publishing) against a PR. A label guard workflow automatically removes the label when new commits are pushed, requiring re-review before re-triggering.
- github.repository to avoid running on forks.
- variant_exclusions from config.yml (e.g., skips malloctrim for Ruby >= 3.3).
- createrepo → createrepo_c in RPM test prep, added adduser package for DEB tests.

Closes #54
Test plan
- ok-to-test label triggers full pipeline on PR
- ok-to-test on new push to PR
- ./internal-scripts/generate-ci-cd-yaml.rb)
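An added example, not code from this PR or the project: a Ruby check of the kind that could run in CI so the pull_request / pull_request_target guard-rails mentioned in the review are not removed unnoticed. It flags workflows triggered by pull_request_target that check out the PR head; both sample workflows are constructed, and the function names `triggers` and `pwn_request_findings` are hypothetical.

```ruby
require 'yaml'

# Constructed sample workflows for this example (not the project's files).
SAFE_GUARD = <<~YAML
  on:
    pull_request_target:
      types: [synchronize]
  jobs:
    remove-label:
      runs-on: ubuntu-latest
      steps:
        - run: gh pr edit "$PR" --remove-label ok-to-test
YAML

UNSAFE = <<~YAML
  on: pull_request_target
  jobs:
    build:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@v4
          with:
            ref: ${{ github.event.pull_request.head.sha }}
        - run: make test
YAML

# Event names a workflow triggers on. Psych reads the bare key `on` as
# boolean true (YAML 1.1), so look under both keys.
def triggers(workflow)
  on = workflow.key?('on') ? workflow['on'] : workflow[true]
  names = on.is_a?(Hash) ? on.keys : Array(on)
  names.map(&:to_s)
end

# Returns [job_name, step_index] for every checkout of PR-controlled code in a
# workflow that runs with pull_request_target (base-repo token and secrets).
def pwn_request_findings(yaml_text)
  workflow = YAML.safe_load(yaml_text)
  return [] unless triggers(workflow).include?('pull_request_target')

  (workflow['jobs'] || {}).flat_map do |job, body|
    (body['steps'] || []).each_with_index.select { |step, _i|
      step['uses'].to_s.start_with?('actions/checkout') &&
        step.dig('with', 'ref').to_s.match?(/github\.(event\.pull_request\.head|head_ref)/)
    }.map { |_step, i| [job, i] }
  end
end
```

A non-empty result from `pwn_request_findings` is the signal to fail the check; the same workflow under plain `pull_request` is not flagged because it runs without the base repository's secrets.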