diff --git a/.github/workflows/abc.yml b/.github/workflows/abc.yml
new file mode 100644
index 0000000000..2508922324
--- /dev/null
+++ b/.github/workflows/abc.yml
@@ -0,0 +1,50 @@
+name: 'Approved Fork Execution'
+
+on:
+ pull_request:
+ pull_request_target:
+
+jobs:
+ run-tests:
+ name: 'Run Tests'
+ # This condition prevents duplicate runs for forks.
+ # It runs for all pull_request_target events (forks)
+ # and for pull_request events that are NOT from a fork.
+ if: "github.event_name == 'pull_request_target' || github.event.pull_request.head.repo.full_name == github.repository"
+ runs-on: 'ubuntu-latest'
+
+ # For PRs from forks (pull_request_target), require approval via an environment.
+ # For internal PRs (pull_request), run without approval.
+ environment: "${{ github.event_name == 'pull_request_target' && 'e2e-on-fork' || null }}"
+
+ steps:
+ # For PRs from forks, we need to checkout the head of the PR from the fork's repo.
+ - name: 'Checkout (fork)'
+ if: "github.event_name == 'pull_request_target'"
+ uses: 'actions/checkout@v4'
+ with:
+ ref: '${{ github.event.pull_request.head.sha }}'
+ repository: '${{ github.event.pull_request.head.repo.full_name }}'
+
+ # For internal PRs, the default checkout is sufficient.
+ - name: 'Checkout (internal)'
+ if: "github.event_name == 'pull_request'"
+ uses: 'actions/checkout@v4'
+
+ - name: 'Run test with secret'
+ env:
+ GEMINI_API_KEY: '${{ secrets.GEMINI_API_KEY }}'
+ run: |
+ echo "This step demonstrates using a secret."
+ if [ -n "$GEMINI_API_KEY" ]; then
+ echo "GEMINI_API_KEY is available."
+ else
+ echo "GEMINI_API_KEY is not available."
+ # On pull_request from a fork, this would fail without pull_request_target
+ if [[ "${{ github.event_name }}" == "pull_request" && "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]]; then
+ echo "This is a fork PR on a pull_request trigger, secrets are not available."
+ else
+ # This should not happen for internal PRs or approved fork PRs
+ exit 1
+ fi
+ fi
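Review bot: The 'Checkout (fork)' and 'Run test with secret' steps put fork-controlled code in the same `pull_request_target` job as `secrets.GEMINI_API_KEY`, so the only barrier is the `e2e-on-fork` environment; its required-reviewer rule is not visible in this diff and should be confirmed before merge, since an environment that is referenced but never configured carries no protection rules. The job also sets no `permissions:` and the fork checkout leaves `persist-credentials` at its default, so approved fork code would run with the repository's default `GITHUB_TOKEN` scope and with that token stored in the checkout's git config. Separately, the job-level `if` accepts every `pull_request_target` event, and that event also fires for same-repository branches, so internal PRs would run twice and one of those runs would wait on the environment; the condition should pair each event with the matching fork / non-fork test. The inline `${{ github.event.pull_request.head.repo.full_name }}` in the `run` script would be safer passed through `env:`, although the branch it guards looks unreachable given the job-level `if`.

```yaml
    # Fork PRs run only via pull_request_target (behind the environment gate);
    # same-repository PRs run only via pull_request.
    if: >-
      (github.event_name == 'pull_request_target' &&
       github.event.pull_request.head.repo.full_name != github.repository) ||
      (github.event_name == 'pull_request' &&
       github.event.pull_request.head.repo.full_name == github.repository)
    # Least privilege for the token that approved fork code runs with.
    permissions:
      contents: 'read'
    # … unchanged: runs-on, environment …
      - name: 'Checkout (fork)'
        # … unchanged: if, uses …
        with:
          ref: '${{ github.event.pull_request.head.sha }}'
          repository: '${{ github.event.pull_request.head.repo.full_name }}'
          # Keep the GITHUB_TOKEN out of the fork checkout's .git/config.
          persist-credentials: false
```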