Skip to content
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 18 additions & 6 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Expensify Shared GitHub Actions workflows 🔄
# Expensify Shared GitHub Actions workflows 🔄

## What is the repository used for?

Expand All @@ -18,7 +18,7 @@ jobs:
with:
# Repository name with owner. For example, Expensify/eslint-config-expensify
# Required, String, default: ${{ github.repository }}
repository: ''
repository: ""

# True if we should run npm run build for the package
# Optional, Boolean, default: false
Expand All @@ -37,13 +37,25 @@ jobs:
secrets: inherit
```

### `setup-packages`

Installs the Expensify aptly GPG key, configures internal apt-mirror sources, and runs `apt-get update`. See [setup-packages/README.md](./setup-packages/README.md) for details.

```yml
- name: Provision and use our internal apt-mirror
uses: Expensify/GitHub-Actions/setup-packages@main
with:
APT_PASSWORD: ${{ secrets.TRAVIS_APT_PASSWORD }}
```

## Rulesets

GitHub [org-level rulesets](https://docs.github.com/en/enterprise-cloud@latest/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets#require-workflows-to-pass-before-merging) can be configured to run a workflow check against pull requests in all repos in the org. This is a very powerful feature, but there are some caveats and best practices to be aware of when enabling a ruleset.

- Supported Event Triggers are documented [here](https://docs.github.com/en/enterprise-cloud@latest/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets#supported-event-triggers). However:
- When a workflow runs in response to a ruleset, some configs such as `branches`, `paths`, `paths-ignore`, that would normally be valid in a workflow are ignored.
- The default activity types for each event will be used. This means that something like `pull_request:comment` will not work - the `pull_request` event will always be triggered for the default activity types listed in the documentation.
- If you need to target or exclude specific branches, that can be configured in the ruleset settings.
- If you need to target or exclude specific paths, that must be implemented manually in the workflow itself.
- When a workflow runs in response to a ruleset, some configs such as `branches`, `paths`, `paths-ignore`, that would normally be valid in a workflow are ignored.
- The default activity types for each event will be used. This means that something like `pull_request:comment` will not work - the `pull_request` event will always be triggered for the default activity types listed in the documentation.
- If you need to target or exclude specific branches, that can be configured in the ruleset settings.
- If you need to target or exclude specific paths, that must be implemented manually in the workflow itself.
- Due to a GitHub :bug:, PRs that are open when the rule is enabled will get stuck with a pending check that will never get picked up. The easiest way to fix that is to close and reopen the PR. Consider writing a script to close and reopen all open PRs across the org after the check is enabled.
- It is less disruptive to [configure the ruleset to `Evaluate` first](https://docs.github.com/en/enterprise-cloud@latest/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets#using-evaluate-mode-for-ruleset-workflows), then `Active` once the kinks are worked out.
24 changes: 24 additions & 0 deletions setup-packages/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
# setup-packages

Composite action that installs the Expensify aptly GPG key, configures internal apt-mirror sources, and runs `apt-get update`.

## Usage

```yaml
- name: Provision and use our internal apt-mirror
uses: Expensify/GitHub-Actions/setup-packages@main
with:
APT_PASSWORD: ${{ secrets.TRAVIS_APT_PASSWORD }}
```

## Inputs

| Input | Required | Description |
| -------------- | -------- | ------------------------------------------------------------------- |
| `APT_PASSWORD` | Yes | Password for the internal apt-mirror (`TRAVIS_APT_PASSWORD` secret) |

## What it does

1. Installs `aptly-public.gpg` from the action directory into `/etc/apt/trusted.gpg.d/aptly.gpg`.
2. Adds Expensify apt-mirror sources for `ubuntu-toolchain-noble` and `php-ppa-noble`.
3. Runs `apt-get update` to refresh package indexes.
21 changes: 21 additions & 0 deletions setup-packages/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
name: Set up Apt Mirror + Packages
description: Set up Apt Mirror + Packages

inputs:
APT_PASSWORD:
description: "The mirror password"
required: true

runs:
using: composite
steps:
- name: Sets package mirrors to the sources
run: |
sudo install -o root -g root -m 644 "${{ github.action_path }}/aptly-public.gpg" /etc/apt/trusted.gpg.d/aptly.gpg
echo "deb [arch=amd64] https://travis:${{ inputs.APT_PASSWORD }}@apt-mirror.expensify.com:843/apt/production ubuntu-toolchain-noble main" | sudo tee -a /etc/apt/sources.list
echo "deb [arch=amd64] https://travis:${{ inputs.APT_PASSWORD }}@apt-mirror.expensify.com:843/apt/production php-ppa-noble main" | sudo tee -a /etc/apt/sources.list
shell: bash

- name: Install latest packages from our mirror
run: sudo apt-get update -y
shell: bash
Binary file added setup-packages/aptly-public.gpg
Binary file not shown.
Loading