From 2869b491cd06d7ec0183114293f5a3aabc40e514 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Carlos=20S=C3=A1nchez=20L=C3=B3pez?= <1175054+carlossanlop@users.noreply.github.com> Date: Tue, 4 Feb 2025 17:13:03 -0800 Subject: [PATCH 1/6] Condition labeling workflows to only run on dotnet/runtime. --- .github/workflows/check-no-merge-label.yml | 1 + .github/workflows/check-service-labels.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/.github/workflows/check-no-merge-label.yml b/.github/workflows/check-no-merge-label.yml index 37cc7adf20596b..55154410c2c09d 100644 --- a/.github/workflows/check-no-merge-label.yml +++ b/.github/workflows/check-no-merge-label.yml @@ -12,6 +12,7 @@ on: jobs: check-labels: + if: github.repository == 'dotnet/runtime' runs-on: ubuntu-latest steps: - name: Check 'NO-MERGE' label diff --git a/.github/workflows/check-service-labels.yml b/.github/workflows/check-service-labels.yml index 9726087abbf4dc..6cc9bfddd5c6b2 100644 --- a/.github/workflows/check-service-labels.yml +++ b/.github/workflows/check-service-labels.yml @@ -11,6 +11,7 @@ on: jobs: check-labels: + if: github.repository == 'dotnet/runtime' runs-on: ubuntu-latest steps: - name: Check 'Servicing-approved' label From 42d959c26c290499609259af7fe81716aa049da9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Carlos=20S=C3=A1nchez=20L=C3=B3pez?= <1175054+carlossanlop@users.noreply.github.com> Date: Tue, 4 Feb 2025 17:13:09 -0800 Subject: [PATCH 2/6] Improve readme --- .github/workflows/README.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/README.md b/.github/workflows/README.md index 308cb2d1a85b6b..819d423c47b70b 100644 --- a/.github/workflows/README.md +++ b/.github/workflows/README.md 
@@ -2,5 +2,8 @@ General guidance: -- Please make sure to include the @dotnet/runtime-infrastructure group as a reviewer of your PRs. -- Do not use the `pull_request` event. Use `pull_request_target` instead, as documented in [Workflows in forked repositories](https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflows-in-forked-repositories) and [pull_request_target](https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target). +Please make sure to include the @dotnet/runtime-infrastructure group as a reviewer of your PRs. + +For workflows that are triggered by pull requests, refer to GitHub's documentation for the pull_request and pull_request_target events. The pull_request_target event is the more common use case in this repository as it runs the workflow in the context of the target branch instead of in the context of the pull request's fork or branch. However, workflows that need to consume the contents of the pull request need to use the pull_request event. There are security considerations with each of the events though. + +Refer to GitHub's Workflows in forked repositories and pull_request_target documentation for more information. From 6243df4de24d36da7b31aca35915dcbe89a95bb7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Carlos=20S=C3=A1nchez=20L=C3=B3pez?= <1175054+carlossanlop@users.noreply.github.com> Date: Tue, 4 Feb 2025 17:13:21 -0800 Subject: [PATCH 3/6] Add jeffhandley as explicit workflow owner --- .github/CODEOWNERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 0e3ca2191814ee..34e18599e5beaf 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS 
@@ -112,4 +112,4 @@ /docs/area-owners.* @jeffhandley /docs/issue*.md @jeffhandley /.github/policies/ @jeffhandley @mkArtakMSFT -/.github/workflows/ @dotnet/runtime-infrastructure +/.github/workflows/ @jeffhandley @dotnet/runtime-infrastructure From cb3ec5f3370af6e13c91a5b680172ae2133d4f41 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Carlos=20S=C3=A1nchez=20L=C3=B3pez?= <1175054+carlossanlop@users.noreply.github.com> Date: Tue, 4 Feb 2025 17:15:33 -0800 Subject: [PATCH 4/6] Proper readme hyperlinks --- .github/workflows/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/README.md b/.github/workflows/README.md index 819d423c47b70b..9deeb21aa974d1 100644 --- a/.github/workflows/README.md +++ b/.github/workflows/README.md @@ -6,4 +6,4 @@ Please make sure to include the @dotnet/runtime-infrastructure group as a review For workflows that are triggered by pull requests, refer to GitHub's documentation for the pull_request and pull_request_target events. The pull_request_target event is the more common use case in this repository as it runs the workflow in the context of the target branch instead of in the context of the pull request's fork or branch. However, workflows that need to consume the contents of the pull request need to use the pull_request event. There are security considerations with each of the events though. -Refer to GitHub's Workflows in forked repositories and pull_request_target documentation for more information. +Refer to GitHub's [Workflows in forked repositories](https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflows-in-forked-repositories) and [pull_request_target](https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target) documentation for more information. From 47e688234f6db08285dcfe60de07d889837fffb3 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Carlos=20S=C3=A1nchez=20L=C3=B3pez?= <1175054+carlossanlop@users.noreply.github.com> Date: Wed, 5 Feb 2025 09:59:21 -0800 Subject: [PATCH 5/6] Apply suggestions from code review Co-authored-by: Jeff Handley --- .github/workflows/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/README.md b/.github/workflows/README.md index 9deeb21aa974d1..647c9a5376cd63 100644 --- a/.github/workflows/README.md +++ b/.github/workflows/README.md 
@@ -4,6 +4,6 @@ General guidance: Please make sure to include the @dotnet/runtime-infrastructure group as a reviewer of your PRs. -For workflows that are triggered by pull requests, refer to GitHub's documentation for the pull_request and pull_request_target events. The pull_request_target event is the more common use case in this repository as it runs the workflow in the context of the target branch instead of in the context of the pull request's fork or branch. However, workflows that need to consume the contents of the pull request need to use the pull_request event. There are security considerations with each of the events though. +For workflows that are triggered by pull requests, refer to GitHub's documentation for the `pull_request` and `pull_request_target` events. The `pull_request_target` event is the more common use case in this repository as it runs the workflow in the context of the target branch instead of in the context of the pull request's fork or branch. However, workflows that need to consume the contents of the pull request need to use the `pull_request` event. There are security considerations with each of the events though. Refer to GitHub's [Workflows in forked repositories](https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflows-in-forked-repositories) and [pull_request_target](https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target) documentation for more information. From 3f82aef3eefe7978d33cefa86930d12a57a8f14f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Carlos=20S=C3=A1nchez=20L=C3=B3pez?= <1175054+carlossanlop@users.noreply.github.com> Date: Wed, 5 Feb 2025 10:01:47 -0800 Subject: [PATCH 6/6] Apply readme suggestion --- .github/workflows/README.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) 
diff --git a/.github/workflows/README.md b/.github/workflows/README.md index 647c9a5376cd63..f5e7799b30e2a2 100644 --- a/.github/workflows/README.md +++ b/.github/workflows/README.md @@ -6,4 +6,17 @@ Please make sure to include the @dotnet/runtime-infrastructure group as a review For workflows that are triggered by pull requests, refer to GitHub's documentation for the `pull_request` and `pull_request_target` events. The `pull_request_target` event is the more common use case in this repository as it runs the workflow in the context of the target branch instead of in the context of the pull request's fork or branch. However, workflows that need to consume the contents of the pull request need to use the `pull_request` event. There are security considerations with each of the events though. +Most workflows are intended to run only in the `dotnet/runtime` repository and not in forks. To force workflow jobs to be skipped in forks, each job should apply an `if` statement that checks the repository name or owner. Either approach works, but checking only the repository owner allows the workflow to run in copies or forks withing the dotnet org. + +```yaml +jobs: + job-1: + # Do not run this job in forks + if: github.repository == 'dotnet/runtime' + + job-2: + # Do not run this job in forks outside the dotnet org + if: github.repository_owner == 'dotnet' +``` + Refer to GitHub's [Workflows in forked repositories](https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflows-in-forked-repositories) and [pull_request_target](https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target) documentation for more information.
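Review bot: In PATCH 1/6, the new `if: github.repository == 'dotnet/runtime'` line under `check-labels` in both check-no-merge-label.yml and check-service-labels.yml carries no comment saying why the job is gated. The README example added in PATCH 6/6 puts `# Do not run this job in forks` above the same condition; adding that comment above each `if` here would keep the workflows consistent with the documented pattern.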
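Review bot: In the PATCH 2/6 README.md hunk, the added sentence "There are security considerations with each of the events though." replaces the removed rule "Do not use the `pull_request` event. Use `pull_request_target` instead" without saying what those considerations are, so a workflow author loses the concrete guidance and gets nothing specific in its place. Suggest one sentence per event naming the consideration, in particular that a `pull_request_target` workflow runs in the context of the target branch and so should not check out and run the contents of the pull request, which is the case this paragraph already routes to `pull_request`.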
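Review bot: Typo in the README paragraph added in PATCH 6/6: "forks withing the dotnet org" should read "forks within the dotnet org". The same paragraph says either check works but not which one a new workflow should default to; since PATCH 1/6 uses `github.repository == 'dotnet/runtime'` in both labeling workflows, consider stating that the repository-name check is the default and that `github.repository_owner == 'dotnet'` is for workflows meant to run in other copies inside the dotnet org.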