.github/workflows/test_runner.yml - third_party/protobuf - Git at Google

 name: Tests

 # This file implements the protection strategy laid out in
 # go/protobuf-gha-protected-resources.  Pull requests from branches within this
 # repository are considered safe and will immediately start running tests on
 # every commit.  Pull requests from forked repositories are unsafe, and leave
 # us vulnerable to PWN requests and stolen resources.  In these cases, we
 # require a special "safe for tests" tag to be added to the pull request before
 # we start testing.  This will be immediately removed, so that further commits
 # require their own stamp to test.

 on:
   # continuous
   schedule:
     # Run every hour
     - cron: "0 * * * *"

   # postsubmit
   push:
     branches:
       - main
       - '[0-9]+.x'
       # For testing purposes so we can stage this on the `gha` branch.
       - gha

   # safe presubmit
   pull_request:
     branches:
       - main
       - '[0-9]+.x'
       # For testing purposes so we can stage this on the `gha` branch.
       - gha

   # unsafe presubmit
   pull_request_target:
     branches:
       - main
       - '[0-9]+.x'
       # For testing purposes so we can stage this on the `gha` branch.
       - gha
     types: [labeled, opened, reopened, synchronize]

   # manual
   workflow_dispatch:

 permissions:
   contents: read

 concurrency:
   group: ${{ github.event_name }}-${{ github.workflow }}-${{ github.head_ref || github.ref }}
   cancel-in-progress: ${{ contains(fromJSON('["pull_request", "pull_request_target", "workflow_dispatch", "schedule"]'), github.event_name) }}

 jobs:
   set-vars:
     name: Set Variables

     # Avoid running tests twice on PR updates.  If the PR is coming from our
     # repository, it's safe and we can use `pull_request`.  Otherwise, we should
     # use `pull_request_target`.
     if: |
       (github.event_name != 'pull_request' &&
        github.event_name != 'pull_request_target' &&
        github.event.repository.full_name == 'protocolbuffers/protobuf') ||
       (github.event_name == 'pull_request' &&
        github.event.pull_request.head.repo.full_name == 'protocolbuffers/protobuf') ||
       (github.event_name == 'pull_request_target' &&
        github.event.pull_request.head.repo.full_name != 'protocolbuffers/protobuf')

     runs-on: ubuntu-latest
     outputs:
       # Store the sha for checkout so we can easily use it later.  For safe
       # events, this will be blank and use the defaults.
       checkout-sha: ${{ steps.safe-checkout.outputs.sha }}
       # Stores a string to be used as a boolean denoting whether this is a
       # continuous run. An empty string denotes that the run is on presubmit,
       # otherwise we are in a continuous run. This helps us determine which
       # tests to block on.
       continuous-run: ${{ steps.set-test-type-vars.outputs.continuous-run }}
       # Stores a string that will serve as the prefix for all continuous tests.
       # Either way we prepend "(Continuous)" but in the case that we are in
       # a presubmit run, we should also mark them "[SKIPPED]"
       continuous-prefix: ${{ steps.set-test-type-vars.outputs.continuous-prefix }}
     steps:
       - name: Check
         # Trivially pass for safe PRs, and explicitly error for unsafe ones
         # unless this is specifically an event for adding the safe label.
         run: >
           ${{ github.event_name != 'pull_request_target' || github.event.label.name == ':a: safe for tests' }} ||
           (echo "This pull request is from an unsafe fork and hasn't been approved to run tests." &&
            echo "A protobuf team member will need to review the PR and add the 'safe for tests' tag." &&
            exit 1)

       - name: Cache safe commit
         id: safe-checkout
         run: >
           ${{ github.event_name != 'pull_request_target' }} ||
           echo "sha=${{ github.event.pull_request.head.sha  }}"  >> $GITHUB_OUTPUT

       - name: Set Test Type Variables
         id: set-test-type-vars
         run: |
           if ([ "${{ github.event_name }}" == 'pull_request' ] || [ "${{ github.event_name }}" == 'pull_request_target' ]) && ${{ !contains(toJson(github.event.pull_request.body), '\n#test-continuous') }}; then
             echo "continuous-run=" >> "$GITHUB_OUTPUT"
             echo "continuous-prefix=[SKIPPED] (Continuous)" >> "$GITHUB_OUTPUT"
           else
             echo "continuous-run=continuous" >> "$GITHUB_OUTPUT"
             echo "continuous-prefix=(Continuous)" >> "$GITHUB_OUTPUT"
           fi

   remove-tag:
     name: Remove safety tag
     needs: [set-vars]
     if: github.event.action == 'labeled'
     runs-on: ubuntu-latest
     permissions:
       pull-requests: write
     steps:
       - uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 # v1.3.0
         with:
           fail_on_error: true
           labels: ':a: safe for tests'

   validate-yaml:
     name: Validate YAML
     needs: [set-vars]
     uses: ./.github/workflows/test_yaml.yml
     with:
       safe-checkout: ${{ needs.set-vars.outputs.checkout-sha }}

   # Note: this pattern of passing the head sha is vulnerable to PWN requests for
   # pull_request_target events. We carefully limit those workflows to require a
   # human stamp before continuing.
   bazel:
     name: Bazel
     needs: [set-vars]
     uses: ./.github/workflows/test_bazel.yml
     with:
       continuous-run: ${{ needs.set-vars.outputs.continuous-run }}
       safe-checkout: ${{ needs.set-vars.outputs.checkout-sha }}
       continuous-prefix: ${{ needs.set-vars.outputs.continuous-prefix }}
     secrets: inherit

   cpp:
     name: C++
     needs: [set-vars]
     uses: ./.github/workflows/test_cpp.yml
     with:
       continuous-run: ${{ needs.set-vars.outputs.continuous-run }}
       safe-checkout: ${{ needs.set-vars.outputs.checkout-sha }}
       continuous-prefix: ${{ needs.set-vars.outputs.continuous-prefix }}
     secrets: inherit

   java:
     name: Java
     needs: [set-vars]
     uses: ./.github/workflows/test_java.yml
     with:
       continuous-run: ${{ needs.set-vars.outputs.continuous-run }}
       safe-checkout: ${{ needs.set-vars.outputs.checkout-sha }}
       continuous-prefix: ${{ needs.set-vars.outputs.continuous-prefix }}
     secrets: inherit

   python:
     name: Python
     needs: [set-vars]
     uses: ./.github/workflows/test_python.yml
     with:
       continuous-run: ${{ needs.set-vars.outputs.continuous-run }}
       safe-checkout: ${{ needs.set-vars.outputs.checkout-sha }}
       continuous-prefix: ${{ needs.set-vars.outputs.continuous-prefix }}
     secrets: inherit

   ruby:
     name: Ruby
     needs: [set-vars]
     uses: ./.github/workflows/test_ruby.yml
     with:
       continuous-run: ${{ needs.set-vars.outputs.continuous-run }}
       safe-checkout: ${{ needs.set-vars.outputs.checkout-sha }}
       continuous-prefix: ${{ needs.set-vars.outputs.continuous-prefix }}
     secrets: inherit

   php:
     name: PHP
     needs: [set-vars]
     uses: ./.github/workflows/test_php.yml
     with:
       continuous-run: ${{ needs.set-vars.outputs.continuous-run }}
       safe-checkout: ${{ needs.set-vars.outputs.checkout-sha }}
       continuous-prefix: ${{ needs.set-vars.outputs.continuous-prefix }}
     secrets: inherit

   php-ext:
     name: PHP Extension
     needs: [set-vars]
     uses: ./.github/workflows/test_php_ext.yml
     with:
       continuous-run: ${{ needs.set-vars.outputs.continuous-run }}
       safe-checkout: ${{ needs.set-vars.outputs.checkout-sha }}
       continuous-prefix: ${{ needs.set-vars.outputs.continuous-prefix }}
     secrets: inherit

   csharp:
     name: C#
     needs: [set-vars]
     uses: ./.github/workflows/test_csharp.yml
     with:
       safe-checkout: ${{ needs.set-vars.outputs.checkout-sha }}
     secrets: inherit

   objectivec:
     name: Objective-C
     needs: [set-vars]
     uses: ./.github/workflows/test_objectivec.yml
     with:
       continuous-run: ${{ needs.set-vars.outputs.continuous-run }}
       safe-checkout: ${{ needs.set-vars.outputs.checkout-sha }}
       continuous-prefix: ${{ needs.set-vars.outputs.continuous-prefix }}
     secrets: inherit

   rust:
     name: Rust
     needs: [set-vars]
     uses: ./.github/workflows/test_rust.yml
     with:
       safe-checkout: ${{ needs.set-vars.outputs.checkout-sha }}
     secrets: inherit

   upb:
     name: μpb
     needs: [set-vars]
     uses: ./.github/workflows/test_upb.yml
     with:
       continuous-run: ${{ needs.set-vars.outputs.continuous-run }}
       safe-checkout: ${{ needs.set-vars.outputs.checkout-sha }}
       continuous-prefix: ${{ needs.set-vars.outputs.continuous-prefix }}
     secrets: inherit

   staleness:
     name: Staleness
     needs: [set-vars]
     uses: ./.github/workflows/staleness_check.yml
     # Staleness tests have scheduled runs during off-hours to avoid race conditions.
     if: ${{ github.event_name != 'schedule' }}
     with:
       continuous-run: ${{ needs.set-vars.outputs.continuous-run }}
       safe-checkout: ${{ needs.set-vars.outputs.checkout-sha }}
     secrets: inherit

   # This test depends on all blocking tests and indicates whether they all suceeded.
   all-blocking-tests:
     name: All Blocking Tests${{ github.event_name == 'pull_request_target' && ' (fork)' || ''}}
     needs: [set-vars, validate-yaml, bazel, cpp, java, python, ruby, php, php-ext, csharp, objectivec, rust, upb, staleness]
     runs-on: ubuntu-latest
     steps:
       - name: Check test results
         run: "${{ !contains(join(needs.*.result, ' '), 'failure') && !contains(join(needs.*.result, ' '), 'cancelled') }}"
     # This workflow must run even if one or more of the dependent workflows
     # failed.
     if: always()
	name: Tests

	# This file implements the protection strategy laid out in
	# go/protobuf-gha-protected-resources. Pull requests from branches within this
	# repository are considered safe and will immediately start running tests on
	# every commit. Pull requests from forked repositories are unsafe, and leave
	# us vulnerable to PWN requests and stolen resources. In these cases, we
	# require a special "safe for tests" tag to be added to the pull request before
	# we start testing. This will be immediately removed, so that further commits
	# require their own stamp to test.

	on:
	# continuous
	schedule:
	# Run every hour
	- cron: "0 * * * *"

	# postsubmit
	push:
	branches:
	- main
	- '[0-9]+.x'
	# For testing purposes so we can stage this on the `gha` branch.
	- gha

	# safe presubmit
	pull_request:
	branches:
	- main
	- '[0-9]+.x'
	# For testing purposes so we can stage this on the `gha` branch.
	- gha

	# unsafe presubmit
	pull_request_target:
	branches:
	- main
	- '[0-9]+.x'
	# For testing purposes so we can stage this on the `gha` branch.
	- gha
	types: [labeled, opened, reopened, synchronize]

	# manual
	workflow_dispatch:

	permissions:
	contents: read

	concurrency:
	group: ${{ github.event_name }}-${{ github.workflow }}-${{ github.head_ref \|\| github.ref }}
	cancel-in-progress: ${{ contains(fromJSON('["pull_request", "pull_request_target", "workflow_dispatch", "schedule"]'), github.event_name) }}

	jobs:
	set-vars:
	name: Set Variables

	# Avoid running tests twice on PR updates. If the PR is coming from our
	# repository, it's safe and we can use `pull_request`. Otherwise, we should
	# use `pull_request_target`.
	if: \|
	(github.event_name != 'pull_request' &&
	github.event_name != 'pull_request_target' &&
	github.event.repository.full_name == 'protocolbuffers/protobuf') \|\|
	(github.event_name == 'pull_request' &&
	github.event.pull_request.head.repo.full_name == 'protocolbuffers/protobuf') \|\|
	(github.event_name == 'pull_request_target' &&
	github.event.pull_request.head.repo.full_name != 'protocolbuffers/protobuf')

	runs-on: ubuntu-latest
	outputs:
	# Store the sha for checkout so we can easily use it later. For safe
	# events, this will be blank and use the defaults.
	checkout-sha: ${{ steps.safe-checkout.outputs.sha }}
	# Stores a string to be used as a boolean denoting whether this is a
	# continuous run. An empty string denotes that the run is on presubmit,
	# otherwise we are in a continuous run. This helps us determine which
	# tests to block on.
	continuous-run: ${{ steps.set-test-type-vars.outputs.continuous-run }}
	# Stores a string that will serve as the prefix for all continuous tests.
	# Either way we prepend "(Continuous)" but in the case that we are in
	# a presubmit run, we should also mark them "[SKIPPED]"
	continuous-prefix: ${{ steps.set-test-type-vars.outputs.continuous-prefix }}
	steps:
	- name: Check
	# Trivially pass for safe PRs, and explicitly error for unsafe ones
	# unless this is specifically an event for adding the safe label.
	run: >
	${{ github.event_name != 'pull_request_target' \|\| github.event.label.name == ':a: safe for tests' }} \|\|
	(echo "This pull request is from an unsafe fork and hasn't been approved to run tests." &&
	echo "A protobuf team member will need to review the PR and add the 'safe for tests' tag." &&
	exit 1)

	- name: Cache safe commit
	id: safe-checkout
	run: >
	${{ github.event_name != 'pull_request_target' }} \|\|
	echo "sha=${{ github.event.pull_request.head.sha }}" >> $GITHUB_OUTPUT

	- name: Set Test Type Variables
	id: set-test-type-vars
	run: \|
	if ([ "${{ github.event_name }}" == 'pull_request' ] \|\| [ "${{ github.event_name }}" == 'pull_request_target' ]) && ${{ !contains(toJson(github.event.pull_request.body), '\n#test-continuous') }}; then
	echo "continuous-run=" >> "$GITHUB_OUTPUT"
	echo "continuous-prefix=[SKIPPED] (Continuous)" >> "$GITHUB_OUTPUT"
	else
	echo "continuous-run=continuous" >> "$GITHUB_OUTPUT"
	echo "continuous-prefix=(Continuous)" >> "$GITHUB_OUTPUT"
	fi

	remove-tag:
	name: Remove safety tag
	needs: [set-vars]
	if: github.event.action == 'labeled'
	runs-on: ubuntu-latest
	permissions:
	pull-requests: write
	steps:
	- uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 # v1.3.0
	with:
	fail_on_error: true
	labels: ':a: safe for tests'

	validate-yaml:
	name: Validate YAML
	needs: [set-vars]
	uses: ./.github/workflows/test_yaml.yml
	with:
	safe-checkout: ${{ needs.set-vars.outputs.checkout-sha }}

	# Note: this pattern of passing the head sha is vulnerable to PWN requests for
	# pull_request_target events. We carefully limit those workflows to require a
	# human stamp before continuing.
	bazel:
	name: Bazel
	needs: [set-vars]
	uses: ./.github/workflows/test_bazel.yml
	with:
	continuous-run: ${{ needs.set-vars.outputs.continuous-run }}
	safe-checkout: ${{ needs.set-vars.outputs.checkout-sha }}
	continuous-prefix: ${{ needs.set-vars.outputs.continuous-prefix }}
	secrets: inherit

	cpp:
	name: C++
	needs: [set-vars]
	uses: ./.github/workflows/test_cpp.yml
	with:
	continuous-run: ${{ needs.set-vars.outputs.continuous-run }}
	safe-checkout: ${{ needs.set-vars.outputs.checkout-sha }}
	continuous-prefix: ${{ needs.set-vars.outputs.continuous-prefix }}
	secrets: inherit

	java:
	name: Java
	needs: [set-vars]
	uses: ./.github/workflows/test_java.yml
	with:
	continuous-run: ${{ needs.set-vars.outputs.continuous-run }}
	safe-checkout: ${{ needs.set-vars.outputs.checkout-sha }}
	continuous-prefix: ${{ needs.set-vars.outputs.continuous-prefix }}
	secrets: inherit

	python:
	name: Python
	needs: [set-vars]
	uses: ./.github/workflows/test_python.yml
	with:
	continuous-run: ${{ needs.set-vars.outputs.continuous-run }}
	safe-checkout: ${{ needs.set-vars.outputs.checkout-sha }}
	continuous-prefix: ${{ needs.set-vars.outputs.continuous-prefix }}
	secrets: inherit

	ruby:
	name: Ruby
	needs: [set-vars]
	uses: ./.github/workflows/test_ruby.yml
	with:
	continuous-run: ${{ needs.set-vars.outputs.continuous-run }}
	safe-checkout: ${{ needs.set-vars.outputs.checkout-sha }}
	continuous-prefix: ${{ needs.set-vars.outputs.continuous-prefix }}
	secrets: inherit

	php:
	name: PHP
	needs: [set-vars]
	uses: ./.github/workflows/test_php.yml
	with:
	continuous-run: ${{ needs.set-vars.outputs.continuous-run }}
	safe-checkout: ${{ needs.set-vars.outputs.checkout-sha }}
	continuous-prefix: ${{ needs.set-vars.outputs.continuous-prefix }}
	secrets: inherit

	php-ext:
	name: PHP Extension
	needs: [set-vars]
	uses: ./.github/workflows/test_php_ext.yml
	with:
	continuous-run: ${{ needs.set-vars.outputs.continuous-run }}
	safe-checkout: ${{ needs.set-vars.outputs.checkout-sha }}
	continuous-prefix: ${{ needs.set-vars.outputs.continuous-prefix }}
	secrets: inherit

	csharp:
	name: C#
	needs: [set-vars]
	uses: ./.github/workflows/test_csharp.yml
	with:
	safe-checkout: ${{ needs.set-vars.outputs.checkout-sha }}
	secrets: inherit

	objectivec:
	name: Objective-C
	needs: [set-vars]
	uses: ./.github/workflows/test_objectivec.yml
	with:
	continuous-run: ${{ needs.set-vars.outputs.continuous-run }}
	safe-checkout: ${{ needs.set-vars.outputs.checkout-sha }}
	continuous-prefix: ${{ needs.set-vars.outputs.continuous-prefix }}
	secrets: inherit

	rust:
	name: Rust
	needs: [set-vars]
	uses: ./.github/workflows/test_rust.yml
	with:
	safe-checkout: ${{ needs.set-vars.outputs.checkout-sha }}
	secrets: inherit

	upb:
	name: μpb
	needs: [set-vars]
	uses: ./.github/workflows/test_upb.yml
	with:
	continuous-run: ${{ needs.set-vars.outputs.continuous-run }}
	safe-checkout: ${{ needs.set-vars.outputs.checkout-sha }}
	continuous-prefix: ${{ needs.set-vars.outputs.continuous-prefix }}
	secrets: inherit

	staleness:
	name: Staleness
	needs: [set-vars]
	uses: ./.github/workflows/staleness_check.yml
	# Staleness tests have scheduled runs during off-hours to avoid race conditions.
	if: ${{ github.event_name != 'schedule' }}
	with:
	continuous-run: ${{ needs.set-vars.outputs.continuous-run }}
	safe-checkout: ${{ needs.set-vars.outputs.checkout-sha }}
	secrets: inherit

	# This test depends on all blocking tests and indicates whether they all suceeded.
	all-blocking-tests:
	name: All Blocking Tests${{ github.event_name == 'pull_request_target' && ' (fork)' \|\| ''}}
	needs: [set-vars, validate-yaml, bazel, cpp, java, python, ruby, php, php-ext, csharp, objectivec, rust, upb, staleness]
	runs-on: ubuntu-latest
	steps:
	- name: Check test results
	run: "${{ !contains(join(needs..result, ' '), 'failure') && !contains(join(needs..result, ' '), 'cancelled') }}"
	# This workflow must run even if one or more of the dependent workflows
	# failed.
	if: always()