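# This workflow file tests PRs made from forks. Disable this if it is considered too much of a
# security risk (although many efforts have been taken to reduce risk).
# If workflow enabled, make sure to set the environment used to need a specific team (admin-devs),
# and default GITHUB_TOKEN perms to read!
# See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for more information!
#
# Actions taken to reduce risk:
# - This workflow is only started when the workflow run is approved (GitHub Settings), and when the
#   deployment to the `fork-pr-build-pack` environment is approved (by admin-devs). The build jobs
#   declare `needs: setup`, so they only run once that approval has been granted.
# - Only the CFCORE_API_TOKEN secret is accessed, meaning it is the only one revealed, meaning that the
#   other secrets cannot be used by nodejs tools.
# - GITHUB_TOKEN permissions are set to read.
# - Every checkout uses `persist-credentials: false`, so the token is not left in the checked-out
#   tree for the PR's own tooling (`npm ci`, `npx gulp`) to read.
name: "[NOT CALLABLE] Fork PR Build Pack"

on:
  pull_request_target:
    paths-ignore:
      - "README.md"

# If a second commit is pushed quickly after the first, cancel the first one's build.
# The group is keyed on the PR number rather than the head branch name: two different forks can
# both use the same branch name, and a head_ref-based group would let a push to one fork's PR
# cancel another fork's in-progress build.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
  cancel-in-progress: true

permissions:
  contents: read

jobs:
  setup:
    # Only continue if we are in base Nomi-CEu Repo and pull request is from fork
    if: "${{ github.repository_owner == 'Nomi-CEu' && github.event.pull_request.head.repo.owner.login != 'Nomi-CEu' }}"
    name: Setup (${{ github.event.pull_request.head.sha }})
    runs-on: ubuntu-latest
    # This environment carries the required-reviewer approval gate for the whole workflow;
    # the build jobs below depend on this job and therefore inherit the gate via `needs`.
    environment: fork-pr-build-pack
    env:
      GITHUB_HEAD_REF: ${{ github.head_ref }}
      TRUE_SHA: ${{ github.event.pull_request.head.sha }}
    outputs:
      client: ${{ steps.artifactNames.outputs.client }}
      server: ${{ steps.artifactNames.outputs.server }}
      lang: ${{ steps.artifactNames.outputs.lang }}
      mmc: ${{ steps.artifactNames.outputs.mmc }}
    steps:
      - name: Checkout Ref
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false

      # Don't use cache to prevent cache poisoning
      - name: Setup NodeJS v20
        uses: actions/setup-node@v4
        with:
          node-version: 20
          check-latest: true

      - name: Setup NPM Packages
        working-directory: ./tools
        run: npm ci

      - name: Make Artifact Names
        id: artifactNames
        working-directory: ./tools
        run: npx gulp makeArtifactNames

  buildClient:
    # Only continue if we are in base Nomi-CEu Repo and pull request is from fork
    if: "${{ github.repository_owner == 'Nomi-CEu' && github.event.pull_request.head.repo.owner.login != 'Nomi-CEu' }}"
    name: Build Fork PR Client (${{ github.event.pull_request.head.sha }})
    runs-on: ubuntu-latest
    needs: setup
    env:
      GITHUB_HEAD_REF: ${{ github.head_ref }}
      TRUE_SHA: ${{ github.event.pull_request.head.sha }}
    steps:
      - name: Checkout Ref
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false

      # Don't use cache to prevent cache poisoning
      - name: Setup NodeJS v20
        uses: actions/setup-node@v4
        with:
          node-version: 20
          check-latest: true

      - name: Setup NPM Packages
        working-directory: ./tools
        run: npm ci

      # CFCORE_API_TOKEN is scoped to this single step, not the job, so it is only present
      # in the environment of the build command itself.
      - name: Build Client
        working-directory: ./tools
        run: npx gulp buildClient
        env:
          CFCORE_API_TOKEN: ${{ secrets.CFCORE_API_TOKEN }}

      - name: Upload Client Zip
        uses: actions/upload-artifact@v4
        with:
          name: ${{ needs.setup.outputs.client }}
          path: ./build/client/**/*
          if-no-files-found: error
          compression-level: 9

  buildServer:
    # Only continue if we are in base Nomi-CEu Repo and pull request is from fork
    if: "${{ github.repository_owner == 'Nomi-CEu' && github.event.pull_request.head.repo.owner.login != 'Nomi-CEu' }}"
    name: Build Fork PR Server (${{ github.event.pull_request.head.sha }})
    runs-on: ubuntu-latest
    needs: setup
    env:
      GITHUB_HEAD_REF: ${{ github.head_ref }}
      TRUE_SHA: ${{ github.event.pull_request.head.sha }}
    steps:
      - name: Checkout Ref
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false

      # Don't use cache to prevent cache poisoning
      - name: Setup NodeJS v20
        uses: actions/setup-node@v4
        with:
          node-version: 20
          check-latest: true

      - name: Setup NPM Packages
        working-directory: ./tools
        run: npm ci

      # CFCORE_API_TOKEN is scoped to this single step, not the job.
      - name: Build Server
        working-directory: ./tools
        run: npx gulp buildServer
        env:
          CFCORE_API_TOKEN: ${{ secrets.CFCORE_API_TOKEN }}

      - name: Upload Server Zip
        uses: actions/upload-artifact@v4
        with:
          name: ${{ needs.setup.outputs.server }}
          path: ./build/server/**/*
          if-no-files-found: error
          compression-level: 9

  buildLang:
    # Only continue if we are in base Nomi-CEu Repo and pull request is from fork
    if: "${{ github.repository_owner == 'Nomi-CEu' && github.event.pull_request.head.repo.owner.login != 'Nomi-CEu' }}"
    name: Build Fork PR Lang and Changelogs (${{ github.event.pull_request.head.sha }})
    runs-on: ubuntu-latest
    needs: setup
    env:
      GITHUB_HEAD_REF: ${{ github.head_ref }}
      TRUE_SHA: ${{ github.event.pull_request.head.sha }}
    steps:
      - name: Checkout Ref
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false

      # Don't use cache to prevent cache poisoning
      - name: Setup NodeJS v20
        uses: actions/setup-node@v4
        with:
          node-version: 20
          check-latest: true

      - name: Setup NPM Packages
        working-directory: ./tools
        run: npm ci

      # CFCORE_API_TOKEN is scoped to this single step, not the job.
      - name: Build Lang and Changelogs
        working-directory: ./tools
        run: npx gulp buildLang
        env:
          CFCORE_API_TOKEN: ${{ secrets.CFCORE_API_TOKEN }}

      - name: Upload Lang Zip
        uses: actions/upload-artifact@v4
        with:
          name: ${{ needs.setup.outputs.lang }}
          path: ./build/lang/**/*
          if-no-files-found: error
          compression-level: 9

      - name: Upload Changelogs
        uses: actions/upload-artifact@v4
        with:
          name: Changelogs
          path: ./build/*.md
          if-no-files-found: error
          compression-level: 9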