.github/workflows/test_runner.yml - third_party/protobuf - Git at Google

 name: Tests

 # This file implements the protection strategy laid out in
 # go/protobuf-gha-protected-resources.  Pull requests from branches within this
 # repository are considered safe and will immediately start running tests on
 # every commit.  Pull requests from forked repositories are unsafe, and leave
 # us vulnerable to PWN requests and stolen resources.  In these cases, we
 # require a special "safe for tests" tag to be added to the pull request before
 # we start testing.  This will be immediately removed, so that further commits
 # require their own stamp to test.

 on:
   # continuous
   schedule:
     # TODO(mkruskal) Run daily at 10 AM UTC (2 AM PDT)
     # Run every hour for now to gather statistics
     - cron: 0 * * * *

   # postsubmit
   push:
     branches:
       - main
       - '[0-9]+.x'
       # The 21.x and 22.x branches still use Kokoro
       - '!2[12].x'
       # For testing purposes so we can stage this on the `gha` branch.
       - gha

   # safe presubmit
   pull_request:
     branches:
       - main
       - '[0-9]+.x'
       # The 21.x and 22.x branches still use Kokoro
       - '!2[12].x'
       # For testing purposes so we can stage this on the `gha` branch.
       - gha

   # unsafe presubmit
   pull_request_target:
     branches:
       - main
       - '[0-9]+.x'
       # The 21.x branch still use Kokoro
       - '!21.x'
       # For testing purposes so we can stage this on the `gha` branch.
       - gha
     types: [labeled, opened, reopened, synchronize]

   # manual
   workflow_dispatch:

 jobs:
   check-tag:
     name: Check for Safety

     # Avoid running tests twice on PR updates.  If the PR is coming from our
     # repository, it's safe and we can use `pull_request`.  Otherwise, we should
     # use `pull_request_target`.
     if: |
       (github.event_name != 'pull_request' &&
        github.event_name != 'pull_request_target' &&
        github.event.repository.full_name == 'protocolbuffers/protobuf') ||
       (github.event_name == 'pull_request' &&
        github.event.pull_request.head.repo.full_name == 'protocolbuffers/protobuf') ||
       (github.event_name == 'pull_request_target' &&
        github.event.pull_request.head.repo.full_name != 'protocolbuffers/protobuf')

     runs-on: ubuntu-latest
     outputs:
       # Store the sha for checkout so we can easily use it later.  For safe
       # events, this will be blank and use the defaults.
       checkout-sha: ${{ steps.safe-checkout.outputs.sha }}
     steps:
       - name: Check
         # Trivially pass for safe PRs, and explicitly error for unsafe ones
         # unless this is specifically an event for adding the safe label.
         run: >
           ${{ github.event_name != 'pull_request_target' || github.event.label.name == ':a: safe for tests' }} ||
           (echo "This pull request is from an unsafe fork and hasn't been approved to run tests!" && exit 1)

       - name: Cache safe commit
         id: safe-checkout
         run: >
           ${{ github.event_name != 'pull_request_target' }} ||
           echo "sha=${{ github.event.pull_request.head.sha  }}"  >> $GITHUB_OUTPUT

   remove-tag:
     name: Remove safety tag
     needs: [check-tag]
     if: github.event.action == 'labeled'
     runs-on: ubuntu-latest
     steps:
       - uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 # v1.3.0
         with:
           labels: ':a: safe for tests'

   # Note: this pattern of passing the head sha is vulnerable to PWN requests for
   # pull_request_target events. We carefully limit those workflows to require a
   # human stamp before continuing.
   cpp:
     name: C++
     needs: [check-tag]
     uses: ./.github/workflows/test_cpp.yml
     with:
       safe-checkout: ${{ needs.check-tag.outputs.checkout-sha }}
     secrets: inherit

   java:
     name: Java
     needs: [check-tag]
     uses: ./.github/workflows/test_java.yml
     with:
       safe-checkout: ${{ needs.check-tag.outputs.checkout-sha }}
     secrets: inherit

   python:
     name: Python
     needs: [check-tag]
     uses: ./.github/workflows/test_python.yml
     with:
       safe-checkout: ${{ needs.check-tag.outputs.checkout-sha }}
     secrets: inherit

   ruby:
     name: Ruby
     needs: [check-tag]
     uses: ./.github/workflows/test_ruby.yml
     with:
       safe-checkout: ${{ needs.check-tag.outputs.checkout-sha }}
     secrets: inherit

   php:
     name: PHP
     needs: [check-tag]
     uses: ./.github/workflows/test_php.yml
     with:
       safe-checkout: ${{ needs.check-tag.outputs.checkout-sha }}
     secrets: inherit

   php-ext:
     name: PHP Extension
     needs: [check-tag]
     uses: ./.github/workflows/test_php_ext.yml
     with:
       safe-checkout: ${{ needs.check-tag.outputs.checkout-sha }}
     secrets: inherit

   csharp:
     name: C#
     needs: [check-tag]
     uses: ./.github/workflows/test_csharp.yml
     with:
       safe-checkout: ${{ needs.check-tag.outputs.checkout-sha }}
     secrets: inherit

   objectivec:
     name: Objective-C
     needs: [check-tag]
     uses: ./.github/workflows/test_objectivec.yml
     with:
       safe-checkout: ${{ needs.check-tag.outputs.checkout-sha }}
     secrets: inherit
	name: Tests

	# This file implements the protection strategy laid out in
	# go/protobuf-gha-protected-resources. Pull requests from branches within this
	# repository are considered safe and will immediately start running tests on
	# every commit. Pull requests from forked repositories are unsafe, and leave
	# us vulnerable to PWN requests and stolen resources. In these cases, we
	# require a special "safe for tests" tag to be added to the pull request before
	# we start testing. This will be immediately removed, so that further commits
	# require their own stamp to test.

	on:
	# continuous
	schedule:
	# TODO(mkruskal) Run daily at 10 AM UTC (2 AM PDT)
	# Run every hour for now to gather statistics
	- cron: 0 * * * *

	# postsubmit
	push:
	branches:
	- main
	- '[0-9]+.x'
	# The 21.x and 22.x branches still use Kokoro
	- '!2[12].x'
	# For testing purposes so we can stage this on the `gha` branch.
	- gha

	# safe presubmit
	pull_request:
	branches:
	- main
	- '[0-9]+.x'
	# The 21.x and 22.x branches still use Kokoro
	- '!2[12].x'
	# For testing purposes so we can stage this on the `gha` branch.
	- gha

	# unsafe presubmit
	pull_request_target:
	branches:
	- main
	- '[0-9]+.x'
	# The 21.x branch still use Kokoro
	- '!21.x'
	# For testing purposes so we can stage this on the `gha` branch.
	- gha
	types: [labeled, opened, reopened, synchronize]

	# manual
	workflow_dispatch:

	jobs:
	check-tag:
	name: Check for Safety

	# Avoid running tests twice on PR updates. If the PR is coming from our
	# repository, it's safe and we can use `pull_request`. Otherwise, we should
	# use `pull_request_target`.
	if: \|
	(github.event_name != 'pull_request' &&
	github.event_name != 'pull_request_target' &&
	github.event.repository.full_name == 'protocolbuffers/protobuf') \|\|
	(github.event_name == 'pull_request' &&
	github.event.pull_request.head.repo.full_name == 'protocolbuffers/protobuf') \|\|
	(github.event_name == 'pull_request_target' &&
	github.event.pull_request.head.repo.full_name != 'protocolbuffers/protobuf')

	runs-on: ubuntu-latest
	outputs:
	# Store the sha for checkout so we can easily use it later. For safe
	# events, this will be blank and use the defaults.
	checkout-sha: ${{ steps.safe-checkout.outputs.sha }}
	steps:
	- name: Check
	# Trivially pass for safe PRs, and explicitly error for unsafe ones
	# unless this is specifically an event for adding the safe label.
	run: >
	${{ github.event_name != 'pull_request_target' \|\| github.event.label.name == ':a: safe for tests' }} \|\|
	(echo "This pull request is from an unsafe fork and hasn't been approved to run tests!" && exit 1)

	- name: Cache safe commit
	id: safe-checkout
	run: >
	${{ github.event_name != 'pull_request_target' }} \|\|
	echo "sha=${{ github.event.pull_request.head.sha }}" >> $GITHUB_OUTPUT

	remove-tag:
	name: Remove safety tag
	needs: [check-tag]
	if: github.event.action == 'labeled'
	runs-on: ubuntu-latest
	steps:
	- uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 # v1.3.0
	with:
	labels: ':a: safe for tests'

	# Note: this pattern of passing the head sha is vulnerable to PWN requests for
	# pull_request_target events. We carefully limit those workflows to require a
	# human stamp before continuing.
	cpp:
	name: C++
	needs: [check-tag]
	uses: ./.github/workflows/test_cpp.yml
	with:
	safe-checkout: ${{ needs.check-tag.outputs.checkout-sha }}
	secrets: inherit

	java:
	name: Java
	needs: [check-tag]
	uses: ./.github/workflows/test_java.yml
	with:
	safe-checkout: ${{ needs.check-tag.outputs.checkout-sha }}
	secrets: inherit

	python:
	name: Python
	needs: [check-tag]
	uses: ./.github/workflows/test_python.yml
	with:
	safe-checkout: ${{ needs.check-tag.outputs.checkout-sha }}
	secrets: inherit

	ruby:
	name: Ruby
	needs: [check-tag]
	uses: ./.github/workflows/test_ruby.yml
	with:
	safe-checkout: ${{ needs.check-tag.outputs.checkout-sha }}
	secrets: inherit

	php:
	name: PHP
	needs: [check-tag]
	uses: ./.github/workflows/test_php.yml
	with:
	safe-checkout: ${{ needs.check-tag.outputs.checkout-sha }}
	secrets: inherit

	php-ext:
	name: PHP Extension
	needs: [check-tag]
	uses: ./.github/workflows/test_php_ext.yml
	with:
	safe-checkout: ${{ needs.check-tag.outputs.checkout-sha }}
	secrets: inherit

	csharp:
	name: C#
	needs: [check-tag]
	uses: ./.github/workflows/test_csharp.yml
	with:
	safe-checkout: ${{ needs.check-tag.outputs.checkout-sha }}
	secrets: inherit

	objectivec:
	name: Objective-C
	needs: [check-tag]
	uses: ./.github/workflows/test_objectivec.yml
	with:
	safe-checkout: ${{ needs.check-tag.outputs.checkout-sha }}
	secrets: inherit