perforator/.github/workflows/precommit.yaml at main · workflow-security-testing/perforator · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
on:
  - pull_request_target
permissions: {} # disable all by default
jobs:
  run-build:
    permissions:
      id-token: write
      contents: read
    runs-on: [self-hosted, auto-provisioned]
    name: Precommit checks
    steps:
      - uses: actions/checkout@v4
        with:
          path: configs
      - uses: actions/checkout@v4
        with:
          path: code
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Create code tarball
        run: |
          # Make sure we only use git main version of sensitive configs
          rm -r code/.github
          rm -r code/perforator/internal/ci-tools
          (cd code && git archive --output=../code.tar.gz HEAD)
      - name: Login to YC
        id: login
        uses: yc-actions/yc-iam-token@v1
        with:
          yc-key-id: ${{ secrets.YC_KEY_ID }}
          yc-service-account-id: ${{ secrets.CLOUD_SERVICE_ACCOUNT_ID }}
          yc-private-key: ${{ secrets.YC_SA_PRIVATE_KEY }}
      - name: Prepare inputs
        run: |
          echo "BAZEL_URI=http://bazel-cache.ci-private.internal.perforator.tech:8080" > ${{ github.workspace }}/job-env
      - name: Run tests
        uses: ./configs/.github/actions/remote-run
        with:
          target_checkout: ${{ github.workspace }}/code
          script: build
          start_function_url: ${{ secrets.START_BUILD_FUNCTION_URL }}
          poll_function_url: ${{ secrets.POLL_BUILD_FUNCTION_URL }}
          iam_token: ${{ steps.login.outputs.token }}
          env_file_path: ${{ github.workspace }}/job-env
          local_out_path: ${{ github.workspace }}/out
          remote_out_path: /home/builder/.ya/logs