
Run PR workflow only when code changes

Open NDStrahilevitz opened this issue 3 years ago • 4 comments

Currently, every PR, including ones that only change documentation or add docs, will trigger the PR workflow, which checks for unit tests, integration and smoke tests. We can easily filter out those PRs from running the workflow through a path filter as documented here.

I'm opening this issue to ask if this should be done, and if so, which paths should be included and/or excluded.

NDStrahilevitz, Mar 29 '22 09:03

I think it's a good idea, but implementing it with GitHub may be tricky. We have enabled a branch protection rule that requires status checks to pass before merging a PR. However, AFAIK branch protection rules cannot be skipped on the same paths you wanted to add to the GitHub Actions workflow config. Therefore, you'll end up with a skipped GitHub Actions workflow, but the status check won't be updated. Only repository admins will be able to merge such a PR.

Here's a screenshot from another project where I used exclude paths:

[Screenshot: exclude_and_checks_github]

As you can see, the Squash and merge button is disabled because the PR is somehow stuck in the Waiting for status to be reported state.

danielpacak, Mar 29 '22 10:03

So if I understand correctly, if we have a PR for something like documentation, where the PR workflow wouldn't work, that PR would be affected by this behavior, where one of the admins would have to confirm the PR status in addition to marking it as approved for review? I can see how that would be inconvenient. Perhaps we could implement a separate stub PR workflow for the non-code paths. Maybe there are even jobs we would like to run there (spell checking, for example).

NDStrahilevitz, Mar 29 '22 12:03
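
A sketch of the stub-workflow idea from the comment above, as an added example that is not taken from the Tracee repository: two workflows expose a job with the same name, so a required status check of that name is reported whether or not code paths changed. The file names, the job name `verify`, the path globs, the `main` branch and the `make test` step are all assumptions.

```yaml
# --- .github/workflows/pr.yaml (hypothetical file name) ---
name: PR
on:
  pull_request:
    branches: [main]
    # Skipped only when every changed file matches one of these globs.
    paths-ignore:
      - "docs/**"
      - "**.md"
jobs:
  verify:               # assumed job name; configured as the required status check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test  # placeholder for the real unit/integration/smoke steps
---
# --- .github/workflows/pr-docs.yaml (hypothetical stub) ---
name: PR (docs only)
on:
  pull_request:
    branches: [main]
    # Same globs as paths-ignore above; runs when any changed file matches.
    paths:
      - "docs/**"
      - "**.md"
jobs:
  verify:               # same job name, so the same required check gets a status
    runs-on: ubuntu-latest
    steps:
      - run: echo "No code paths changed; tests not required."
```

A PR that touches both docs and code triggers both workflows, and the result of the real `verify` job still gates the merge. Because the stub reports success without running any tests, its globs should stay limited to paths that cannot affect the build.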

Correct. No matter how many workflows we have, with or without exclusion rules, they are not respected by branch protection rules that you configure at the GitHub repository level (under the Settings tab). I think it's kind of a limitation of GitHub itself. Maybe we can dig into the documentation and find a solution, but at the time I read it, it wasn't possible.

danielpacak, Mar 29 '22 12:03

BTW, this also has to include that an "eBPF code change" will trigger the new CO-RE tests (https://github.com/aquasecurity/tracee-test-kernels/tree/main/tester) being integrated into the PR workflow.

rafaeldtinoco, Apr 18 '22 12:04