Skip to content

Commit

Permalink
Restrict push CI to main, fix permissions (#363)
Browse files Browse the repository at this point in the history
This patch makes two primary changes to the CI config. It restricts the CI running on push events to only run on the main branch. This prevents the CI from running twice on PRs from branches in the main repository, which are needed for stacked PRs.

Additionally, this PR sets the permissions at the top of the file, which is a general best practice for Github workflows for security reasons.

Additionally, bump a couple of the actions that were using deprecated NodeJS versions so we do not get the warning anymore.
  • Loading branch information
boomanaiden154 authored Sep 13, 2024
1 parent 39369d3 commit a6859d6
Showing 1 changed file with 13 additions and 5 deletions.
18 changes: 13 additions & 5 deletions .github/workflows/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,13 +2,21 @@

name: MLGO CI

on: [push, repository_dispatch, pull_request]
permissions:
contents: read

on:
push:
branches:
- 'main'
repository_dispatch:
pull_request:

jobs:
LicenseCheck:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- run: ./check-license.sh
Envvars:
runs-on: ubuntu-latest
Expand Down Expand Up @@ -46,17 +54,17 @@ jobs:
- task: Test
cmd: pytest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- name: Install Python With Cached pip Packages
if: needs.Envvars.outputs.do_cache == '1'
uses: actions/setup-python@v4
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
cache: 'pipenv'
cache-dependency-path: Pipfile.lock
- name: Install Python, no cache
if: needs.Envvars.outputs.do_cache == '0'
uses: actions/setup-python@v4
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
- name: Install Pipenv
Expand Down

0 comments on commit a6859d6

Please sign in to comment.