Enable artifacts creation at pull request (#5804)

* Add action for artifacts creation at pull request * Run at PR comment /build and improve security
2025-09-24 19:47:06 +07:00 · 2023-11-08 16:54:04 +01:00
parent ce1bb71db7
commit 47f8065d49
3 changed files with 55 additions and 0 deletions
--- a/.github/workflows/build-artifacts-pr.yml
+++ b/.github/workflows/build-artifacts-pr.yml
@@ -0,0 +1,47 @@
+name: Generate artifacts on PR
+#
+# If you comment "/build" to the PR comment this action will run compilation on PR
+# but only if you are a member of "Release manager" team. As additional security feature
+#
+
+on:
+  issue_comment:
+    types: [created]
+  workflow_dispatch:
+
+concurrency:
+  group: pipeline-pr-${{github.event.pull_request.number}}
+  cancel-in-progress: true
+
+jobs:
+
+  Check:
+    permissions:
+      pull-requests: read
+
+    name: "Permission to run compilation"
+    if: github.event.issue.pull_request != '' && contains(github.event.comment.body, '/build')
+    runs-on: Linux
+    outputs:
+      member: ${{ steps.checkUserMember.outputs.isTeamMember }}
+    steps:
+
+      -  uses: tspascoal/get-user-teams-membership@v2
+         id: checkUserMember
+         with:
+           username: ${{ github.actor }}
+           organization: armbian
+           team: "Release manager"
+           GITHUB_TOKEN: ${{ secrets.ORG_MEMBERS }}
+
+  Compile:
+
+    needs: Check
+    name: "Update artifacts"
+    if: ${{ github.repository_owner == 'Armbian' && needs.Check.outputs.member == 'true' }}
+    uses: armbian/os/.github/workflows/complete-artifact-matrix-all.yml@main
+    secrets:
+      ORG_MEMBERS: ${{ secrets.ORG_MEMBERS }}
+    with:
+      extraParamsAllBuilds: "UPLOAD_TO_OCI_ONLY=no"
+      ref: ${{ github.event.pull_request.head.sha }}
--- a/.github/workflows/kernel-security-analysis-pr.yml
+++ b/.github/workflows/kernel-security-analysis-pr.yml
@@ -15,6 +15,10 @@ on:
 permissions:
  contents: read

+concurrency:
+  group: pipeline-security-${{github.event.pull_request.number}}
+  cancel-in-progress: true
+
 jobs:

  Analysis:
--- a/.github/workflows/lint-scripts-pr.yml
+++ b/.github/workflows/lint-scripts-pr.yml
@@ -11,6 +11,10 @@ on:
 permissions:
  contents: read

+concurrency:
+  group: pipeline-lint-${{github.event.pull_request.number}}
+  cancel-in-progress: true
+
 jobs:

  Shellcheck: