marketing-shibata50/cmux
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Remove fork PR guards from CI workflows (#2092)

Browse source 
* Remove fork PR guards from CI workflows

Fork PRs are already gated by GitHub's "Require approval for outside
collaborators" setting. The workflow-level guards were redundant and
prevented WarpBuild jobs from running even after maintainer approval.

* Address review feedback: extend guard test, skip upload on fork PRs

- Guard test now covers build-ghosttykit.yml and ci-macos-compat.yml
  (not just ci.yml)
- Skip xcframework upload when GHOSTTY_RELEASE_TOKEN is unavailable
  (fork PRs), so the build still validates without failing at publish

* Check GHOSTTY_RELEASE_TOKEN at runtime instead of step if

secrets context can't be reliably used in step if: conditions.
Check the env var inside the script instead.

---------

Co-authored-by: Lawrence Chen <lawrencecchen@users.noreply.github.com>
This commit is contained in:
Lawrence Chen 2026-03-24 21:08:06 -07:00 committed by GitHub
parent bc5b6442eb
commit 3a44889906
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 32 additions and 55 deletions
Download patch file Download diff file Expand all files Collapse all files

6
.github/workflows/build-ghosttykit.yml vendored
View file

@ -12,8 +12,6 @@ concurrency:
jobs: jobs:
build-ghosttykit: build-ghosttykit:
# Never run WarpBuild jobs for fork pull requests (avoid billing on external PRs).
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
runs-on: warp-macos-15-arm64-6x runs-on: warp-macos-15-arm64-6x
timeout-minutes: 20 timeout-minutes: 20
steps: steps:
@ -95,6 +93,10 @@ jobs:
GH_TOKEN: ${{ secrets.GHOSTTY_RELEASE_TOKEN }} GH_TOKEN: ${{ secrets.GHOSTTY_RELEASE_TOKEN }}
run: | run: |
set -euo pipefail set -euo pipefail
if [ -z "${GH_TOKEN:-}" ]; then
echo "GHOSTTY_RELEASE_TOKEN not available (fork PR), skipping upload"
exit 0
fi
TAG="xcframework-${{ steps.ghostty-sha.outputs.sha }}" TAG="xcframework-${{ steps.ghostty-sha.outputs.sha }}"
gh release create "$TAG" \ gh release create "$TAG" \
--repo manaflow-ai/ghostty \ --repo manaflow-ai/ghostty \

2
.github/workflows/ci-macos-compat.yml vendored
View file

@ -8,8 +8,6 @@ on:
jobs: jobs:
compat-tests: compat-tests:
# Only run for the repo itself, not forks (GhosttyKit download needs repo access).
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:

4
.github/workflows/ci.yml vendored
View file

@ -75,8 +75,6 @@ jobs:
run: bun tsc --noEmit run: bun tsc --noEmit
tests: tests:
# Never run WarpBuild jobs for fork pull requests (avoid billing on external PRs).
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
runs-on: warp-macos-15-arm64-6x runs-on: warp-macos-15-arm64-6x
timeout-minutes: 30 timeout-minutes: 30
steps: steps:
@ -241,7 +239,6 @@ jobs:
# Keep lag validation separate from UI regressions so functional UI failures # Keep lag validation separate from UI regressions so functional UI failures
# and performance regressions stay isolated. Broader interactive UI suites # and performance regressions stay isolated. Broader interactive UI suites
# still run via test-e2e.yml on GitHub-hosted runners. # still run via test-e2e.yml on GitHub-hosted runners.
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
runs-on: warp-macos-15-arm64-6x runs-on: warp-macos-15-arm64-6x
timeout-minutes: 20 timeout-minutes: 20
steps: steps:
@ -404,7 +401,6 @@ jobs:
rm -f /tmp/create-virtual-display rm -f /tmp/create-virtual-display
ui-regressions: ui-regressions:
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
runs-on: warp-macos-15-arm64-6x runs-on: warp-macos-15-arm64-6x
timeout-minutes: 25 timeout-minutes: 25
steps: steps:

73
tests/test_ci_self_hosted_guard.sh
View file

@ -1,56 +1,37 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# Regression test for https://github.com/manaflow-ai/cmux/issues/385. # Regression test for https://github.com/manaflow-ai/cmux/issues/385.
# Ensures paid/gated CI jobs are never run for fork pull requests. # Ensures paid CI jobs use WarpBuild runners.
# Fork PRs are gated by GitHub's built-in "Require approval for outside
# collaborators" setting, so workflow-level fork guards are not needed.
set -euo pipefail set -euo pipefail
ROOT_DIR="$(cd "$(dirname "$0")/.." && pwd)" ROOT_DIR="$(cd "$(dirname "$0")/.." && pwd)"
WORKFLOW_FILE="$ROOT_DIR/.github/workflows/ci.yml" CI_FILE="$ROOT_DIR/.github/workflows/ci.yml"
GHOSTTYKIT_FILE="$ROOT_DIR/.github/workflows/build-ghosttykit.yml"
COMPAT_FILE="$ROOT_DIR/.github/workflows/ci-macos-compat.yml"
EXPECTED_IF="if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository" check_warp_runner() {
local file="$1" job="$2"
if ! grep -Fq "$EXPECTED_IF" "$WORKFLOW_FILE"; then if ! awk -v job="$job" '
echo "FAIL: Missing fork pull_request guard in $WORKFLOW_FILE" $0 ~ "^ "job":" { in_job=1; next }
echo "Expected line:" in_job && /^ [^[:space:]]/ { in_job=0 }
echo " $EXPECTED_IF" in_job && /runs-on:.*warp-macos-.*-arm64/ { saw_warp=1 }
in_job && /os: warp-macos-.*-arm64/ { saw_warp=1 }
END { exit !(saw_warp) }
' "$file"; then
echo "FAIL: $job in $(basename "$file") must use a WarpBuild runner"
exit 1 exit 1
fi fi
echo "PASS: $job WarpBuild runner is present"
}
# tests: must use WarpBuild runner with fork guard (paid runner) # ci.yml jobs
if ! awk ' check_warp_runner "$CI_FILE" "tests"
/^ tests:/ { in_tests=1; next } check_warp_runner "$CI_FILE" "tests-build-and-lag"
in_tests && /^ [^[:space:]]/ { in_tests=0 } check_warp_runner "$CI_FILE" "ui-regressions"
in_tests && /runs-on: warp-macos-15-arm64-6x/ { saw_warp=1 }
in_tests && /github.event.pull_request.head.repo.full_name == github.repository/ { saw_guard=1 }
END { exit !(saw_warp && saw_guard) }
' "$WORKFLOW_FILE"; then
echo "FAIL: tests block must keep both warp-macos-15-arm64-6x runner and fork guard"
exit 1
fi
# tests-build-and-lag: must use WarpBuild runner with fork guard (paid runner) # build-ghosttykit.yml
if ! awk ' check_warp_runner "$GHOSTTYKIT_FILE" "build-ghosttykit"
/^ tests-build-and-lag:/ { in_tests=1; next }
in_tests && /^ [^[:space:]]/ { in_tests=0 }
in_tests && /runs-on: warp-macos-15-arm64-6x/ { saw_warp=1 }
in_tests && /github.event.pull_request.head.repo.full_name == github.repository/ { saw_guard=1 }
END { exit !(saw_warp && saw_guard) }
' "$WORKFLOW_FILE"; then
echo "FAIL: tests-build-and-lag block must keep both warp-macos-15-arm64-6x runner and fork guard"
exit 1
fi
# ui-regressions: must use WarpBuild runner with fork guard (paid runner) # ci-macos-compat.yml (uses matrix.os with WarpBuild runners)
if ! awk ' check_warp_runner "$COMPAT_FILE" "compat-tests"
/^ ui-regressions:/ { in_tests=1; next }
in_tests && /^ [^[:space:]]/ { in_tests=0 }
in_tests && /runs-on: warp-macos-15-arm64-6x/ { saw_warp=1 }
in_tests && /github.event.pull_request.head.repo.full_name == github.repository/ { saw_guard=1 }
END { exit !(saw_warp && saw_guard) }
' "$WORKFLOW_FILE"; then
echo "FAIL: ui-regressions block must keep both warp-macos-15-arm64-6x runner and fork guard"
exit 1
fi
echo "PASS: tests WarpBuild runner fork guard is present"
echo "PASS: tests-build-and-lag WarpBuild runner fork guard is present"
echo "PASS: ui-regressions WarpBuild runner fork guard is present"