GitHub Actions: How to deny a PR/merge based on Source Branch

My use case is this, I want to 'protect' main by denying all PRs that come from branches other than 'dev'. I am trying to build this functionality into a yaml file in GitHub actions. I tried to use the GitHub context ${{github.ref}} to isolate the source branch of the PR. While the value provided works for merge requests, github.ref on PRs stores an entirely different value (the PR number, instead of the branch name).
Is there a way to isolate the source branch of a PR, in a yaml script? The goal is to have my script check the source branch, and error if the source branch is not 'dev'.
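
On `pull_request` events the source branch is available as `github.head_ref` and the target branch as `github.base_ref`. The guard below is an added example, not code from the original post; it goes slightly beyond the question by also rejecting a fork's `dev` branch. The variable names `HEAD_REF`, `BASE_REF`, `HEAD_REPO` and `BASE_REPO` are assumptions of this example.

```shell
#!/bin/sh
# Source-branch guard for a pull_request workflow (added example).
# Intended for a `run:` step, with the values supplied through the step's
# `env:` mapping rather than by pasting ${{ github.head_ref }} into the
# script text: the branch name is chosen by the PR author and would
# otherwise be interpreted by the shell.
#   HEAD_REF  <- github.head_ref   (source branch of the PR)
#   BASE_REF  <- github.base_ref   (target branch of the PR)
#   HEAD_REPO <- github.event.pull_request.head.repo.full_name
#   BASE_REPO <- github.repository
# These four variable names are assumptions of this example.

check_pr_source() {
    head_ref=$1 base_ref=$2 head_repo=$3 base_repo=$4

    # Only PRs that target main are restricted.
    [ "$base_ref" = "main" ] || return 0

    # A fork can also have a branch called dev; require the same repository.
    if [ "$head_repo" != "$base_repo" ]; then
        printf '%s\n' "denied: PR into main comes from fork $head_repo" >&2
        return 1
    fi

    # Exact string match, so dev-hotfix or feature/dev do not pass.
    if [ "$head_ref" != "dev" ]; then
        printf '%s\n' "denied: PR into main must come from dev, not $head_ref" >&2
        return 1
    fi
    return 0
}

# Run the check only when the workflow has supplied the values.
if [ -n "${HEAD_REF:-}" ]; then
    check_pr_source "$HEAD_REF" "${BASE_REF:-}" "${HEAD_REPO:-}" "${BASE_REPO:-}" || exit 1
fi
```

A failing job only blocks the merge when it is configured as a required status check in the branch protection rule for main.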

Related

Keeping main branches between fork and upstream repos different

I want to keep certain GitHub workflows only in my fork.
For instance, I don't want to have .github/workflows/syncFork.yml file to be present in the upstream repo.
Is this possible in the long run?
I'm afraid ultimately, when I make a PR to the original repo, it will contain this file anyway... so the best is to keep the main branch between upstream and fork repos exactly the same. Right?
PS. I know I can disable workflow in the original repo:
    jobs:
      sync:
        if: github.repository == 'my-organization/repo'
This is actually requested in discussion 9098 "Extend "on" with possibility to ignore forks (run only for the original repo) and vice versa", but not yet implemented.
The general idea would be to have that workflow file in both repositories, but with a condition which tests the repository name ("github.event.repository.name").
If said name is the original repository, the workflow would do nothing.

How to Automatically merge a branch into another in Github?

I want to automatically merge commits from master into another parallel branch which is used for different deployment strategy. So essentially whenever there is a change in master I want that change to be merged into one more branch automatically.
Is there a way in Github UI to do so?
Github does support automerge, but only for Pull Request.
You might check out a GitHub Action like action-automerge
GitHub action to automatically merge the source branch into a target branch every time a change is made.
You can add a GitHub Action workflow to your project in order to enable that "action-automerge".
That being said, maybe you have other approaches which would be simpler than merging master/main. Using the same branch but with a deployment script able to detect its execution environment would be easier.

How to test github workflow without merging into master/main branch

I am creating a new git workflow. And just like any other piece of code, I want to test it separately without having to merge it into master first.
This will also help if I have to make a few corrections if something doesn't work in the workflow yaml.
Here is the mechanism that I am looking for:
main branch has .github folder which contains all workflows
I create a branch and add my workflow to .github folder
Now I should be able to see (somewhere on Github) workflows from my branch running
When I know that workflows are working fine, I merge my branch in master
Now under github 'Action' tab, new workflows will reflect
Is there a way to do this?
I am actually doing workflow testing all the time, as you can see this test workflow workflow-level-notification is not merged into master branch (i.e. default branch), and I can still see the workflows in the UI.
Like GuiFalourd said, you can also use act to do the local testing as well. But working directly in the github repo is not that bad. (You can delete the workflow after.)
If you would like to test non-PR-triggered actions you can simply update your default branch temporarily, run the actions for test, then when you are done switch back.

Github Actions which branch used on PR

I am just getting started with Github actions. In my test workflow I am firing the workflow on PRs to the develop branch.
    on:
      pull_request:
        branches:
          - develop
This works fine, but my question is what branch is being built when this runs. Because this action runs before the merge is actually complete (on PR creation) is it just building the source branch? If so, how is that helpful since it isn't taking the changes the PRs code will make to the target branch.
If it is building the target branch it doesn't make sense because the code isn't actually merged yet.
If you check the documentation for the pull_request event it tells you what the environment variables GITHUB_SHA and GITHUB_REF will be for this event.
GITHUB_SHA: Last merge commit on the GITHUB_REF branch
GITHUB_REF: PR merge branch refs/pull/:prNumber/merge
ref: https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request
When you use the official actions/checkout action, these are the settings it uses by default if you don't supply any inputs.
What that means is that by default, pull_request events will checkout a merge commit from the pull request head to the base. This allows you to test against what the source would look like if it was already merged.

How to configure Travis-CI to build pull requests & merges to master w/o redundancy

To put it in "BDD" terms:
Background:
Given I'm contributing to a GH repo
When I create a pull request
Then Travis should build the latest commit
When I push to an existing pull request
Then Travis should build the latest commit
When I merge a pull request to master
Then Travis should build master
I was confused by Travis-CI's "build pushes" and "build PRs" settings, as:
Enabling both causes each Pull Request to be built twice by Travis
once for the commit on that branch
and once again for the merge commit of that branch into its destination
Enabling just "build PRs" causes PRs to be built, but doesn't result in post-merge builds (i.e. on master).
Enabling "pushes" brute-force satisfies the above criteria by building all pushes to the repo. You can try to finagle things by white- & black-listing branches, but that will probably bite you unless you're rigorously disciplined with branch names.
This is explained more in Travis-CI docs and GH issue #3241.
Anyone know a configuration that satisfies the above criteria?
I eventually found another GH issue (#2111) which gave me the idea to try enabling both PRs & pushes, but with a whitelist to restrict pushes to a specific branch. This seems to satisfy the criteria for my workflow. Here's what I did:
Enable both PRs & branch pushes in the Travis settings for the repo:
Change .travis.yml to white-list master branch (i.e. only build pushes to master):
    branches:
      only:
        - master
Test it by creating a PR with the .travis.yml change, and another PR with some empty commits to verify it works for forks too.
Verify successful merge commit build from master.
Just found in travis docs
Add to .travis.yml
    if: type = push
alternatively:
    if: type = pull_request
Assuming you want to build all PRs, something like the following will do the trick. Enable both branch and PR builds on the settings page, and put this line as the first line in your travis.yml:
    if: (type = push AND branch IN (master, dev)) OR (type = pull_request AND NOT branch =~ /no-ci/)
This will attempt a push build on all pushes and a PR build on all pushes to an open PR, but will filter out any that don't meet the condition. You might need to modify this a bit - the clause about not building branches with no-ci somewhere in their name is obviously optional, and you may not have two branches that you always want to run builds on.
You can read more on conditions and conditional builds on Travis's site.
The whitelist approach described in the accepted answer has some significant limitations. In particular, it doesn't support non-redundantly building arbitrary branches without opening a PR.
I opened an issue asking for a better solution.
You can use the next workflow if you want to test not only the master branch but some other branches too:
Keep both "Build pushes" and "Build pull requests" ON
Add branches:except directive to your .travis.yml:
    branches:
      except:
        - /^pr\..*/
In this configuration:
any commit to branch feature-A will trigger the build
any commit to branch pr.feature-A will not trigger the build
if branch pr.feature-A is used in opened pull request then build will be triggered
Workflow example
temporary WIP branch shared between several developers: wip.feature-A, any commit to this branch will trigger the build
when branch is ready to be merged to master you can rename it from wip.feature-A to pr.feature-A and open pull request
if while reviewing pull request you want to apply new fixes, just push to pr.feature-A
On all the steps above only one build will be triggered.
For one of the repositories, I was working with, here is what I wanted:
There is an origin repo which is the main repo which does all the releases.
I wanted that all the pull requests coming to master branch of origin should be built with Travis only once irrespective of the fact that it comes from a forked repo or any other branch of the origin itself.
For this case, this works like a charm
    if: (type == push) OR (type == pull_request AND fork == true)