10 changes: 8 additions & 2 deletions .github/workflows/artifacts.yaml
@@ -8,6 +8,10 @@ on:
default: false
required: false
type: boolean
untrusted_source:
description: Whether the source is untrusted (e.g. running from a fork)
required: true
type: boolean
Comment on lines +11 to +14
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find all workflow files that call artifacts.yaml to verify they pass untrusted_source
rg -n 'uses:.*artifacts\.yaml' .github/workflows/ -A 10 | rg -v 'artifacts\.yaml' | head -50

Repository: openmeterio/openmeter

Length of output: 1185


Update all workflow callers or make untrusted_source optional.

The release.yaml workflow calls artifacts.yaml but doesn't pass the new untrusted_source input. Since it's marked as required: true, this will break the release.yaml workflow. Either make it optional with a default value, or update release.yaml (and any other callers) to pass it.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/artifacts.yaml around lines 11 - 14, The new required
workflow input "untrusted_source" causes callers like release.yaml to fail;
either make the input optional by changing the artifacts.yaml input
"untrusted_source" to include a default (e.g., default: false) and remove
required: true, or update every caller (e.g., release.yaml) that uses the
artifacts workflow to pass the input (add inputs: untrusted_source: ${{
<appropriate expression> }} when calling the reusable workflow); ensure you
update all callers consistently so no workflow call is left without the input.

outputs:
container-image-name:
description: Container image name
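Review bot: If `untrusted_source` is made optional to unbreak callers such as release.yaml, the default should be `true` (untrusted) rather than `false`: the input gates both `save:` and the `Retrieve pull token` step further down in this file, so a caller that forgets to pass it would otherwise fall through to the credentialed path. Keeping `required: true` and updating every caller is the stricter option; either way, a sentence in the input description saying which value enables Depot credential use would help callers choose correctly.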
@@ -92,7 +96,7 @@ jobs:
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
push: ${{ inputs.publish }}
save: true
save: ${{ not inputs.untrusted_source }}
⚠️ Potential issue | 🔴 Critical

Invalid expression syntax – use ! not not for negation.

GitHub Actions expressions use ! for boolean negation. The not keyword isn't valid here, which is why actionlint is reporting a parse error. Same issue appears at lines 111, 207, and 219.

🐛 Proposed fix
-          save: ${{ not inputs.untrusted_source }}
+          save: ${{ ! inputs.untrusted_source }}
🧰 Tools
🪛 actionlint (1.7.11)

[error] 99-99: parser did not reach end of input after parsing the expression. 3 remaining token(s) in the input: "IDENT", ".", "IDENT"

(expression)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/artifacts.yaml at line 99, The workflow uses invalid
GitHub Actions expression syntax by using "not" for negation (e.g., the save
entry currently written as "save: ${{ not inputs.untrusted_source }}"); replace
"not" with the "!" operator inside the expression so it becomes "save: ${{ !
inputs.untrusted_source }}" and apply the same fix to the other occurrences
noted (the similar expressions at the other save/condition locations referenced
in the comment).

project: ${{ vars.DEPOT_PROJECT }}

- name: Set image ref
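Review bot: `push:` in this step is still `${{ inputs.publish }}` with no reference to `untrusted_source`, so the only thing stopping a fork build from being pushed is every caller keeping `publish` false for pull requests; consider `push: ${{ inputs.publish && ! inputs.untrusted_source }}` so the guard lives next to the `save:` guard inside the reusable workflow itself. The `not` keyword on the `save:` line is a parse error in the Actions expression language, as the actionlint output shows; `!` is the negation operator.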
@@ -104,6 +108,7 @@ jobs:

- name: Retrieve pull token
id: pull-token
if: not inputs.untrusted_source
⚠️ Potential issue | 🔴 Critical

Fix if condition syntax.

Two issues here: not should be !, and if: without ${{ }} wrapper for expressions with operators won't work as expected.

🐛 Proposed fix
-        if: not inputs.untrusted_source
+        if: ${{ ! inputs.untrusted_source }}
🧰 Tools
🪛 actionlint (1.7.11)

[error] 111-111: parser did not reach end of input after parsing the expression. 3 remaining token(s) in the input: "IDENT", ".", "IDENT"

(expression)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/artifacts.yaml at line 111, Replace the invalid GitHub
Actions conditional "if: not inputs.untrusted_source" with a proper expression
wrapper and operator; change it to use the expression syntax and negation like:
if: ${{ ! inputs.untrusted_source }} so the workflow evaluates the condition
correctly (update the conditional where "if: not inputs.untrusted_source"
appears).

run: |
PULL_TOKEN="$(depot pull-token --project ${VARS_DEPOT_PROJECT})"
echo "token=$PULL_TOKEN" >> "$GITHUB_OUTPUT"
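Review bot: Skipping this step for untrusted sources means any later step that reads `steps.pull-token.outputs.token` sees an empty string on that path, so those consumers need the same `if:` guard or an explicit empty check rather than assuming the token exists. For the condition itself, `${{ ! inputs.untrusted_source }}` is the form to use: a bare `!` at the start of a YAML scalar is read as a tag indicator, which is why the `${{ }}` wrapper is mandatory for negated `if:` expressions. While touching this step, `echo "::add-mask::$PULL_TOKEN"` before writing the token to `$GITHUB_OUTPUT` keeps it out of any log that echoes step outputs.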
@@ -199,7 +204,7 @@ jobs:
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
push: ${{ inputs.publish }}
save: true
save: ${{ not inputs.untrusted_source }}
⚠️ Potential issue | 🔴 Critical

Same syntax fix needed here.

🐛 Proposed fix
-          save: ${{ not inputs.untrusted_source }}
+          save: ${{ ! inputs.untrusted_source }}
🧰 Tools
🪛 actionlint (1.7.11)

[error] 207-207: parser did not reach end of input after parsing the expression. 3 remaining token(s) in the input: "IDENT", ".", "IDENT"

(expression)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/artifacts.yaml at line 207, The "save" workflow input uses
the wrong expression syntax for the not operator; update the expression so the
not operator wraps the operand in parentheses (i.e., use
not(inputs.untrusted_source)) so the "save" key evaluates correctly; locate the
"save" entry referencing inputs.untrusted_source and replace the current
expression with the corrected not(...) form.

project: ${{ vars.DEPOT_PROJECT }}

- name: Set image ref
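Review bot: This is the same `not` parse error as the first `save:` occurrence; use `${{ ! inputs.untrusted_source }}` here too, and note that the AI-agent prompt attached to this comment suggests `not(inputs.untrusted_source)`, which is not valid either, since the Actions expression language has no `not` function. With two build jobs carrying identical `save:` and `push:` guards, consider computing the guarded values once and referencing them from both steps so the two copies cannot drift.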
@@ -211,6 +216,7 @@ jobs:

- name: Retrieve pull token
id: pull-token
if: not inputs.untrusted_source
⚠️ Potential issue | 🔴 Critical

Same syntax fix needed here.

🐛 Proposed fix
-        if: not inputs.untrusted_source
+        if: ${{ ! inputs.untrusted_source }}
🧰 Tools
🪛 actionlint (1.7.11)

[error] 219-219: parser did not reach end of input after parsing the expression. 3 remaining token(s) in the input: "IDENT", ".", "IDENT"

(expression)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/artifacts.yaml at line 219, The workflow step uses raw
YAML boolean syntax ("if: not inputs.untrusted_source") which is invalid for
GitHub Actions; update the step so the if uses a GitHub Actions expression by
wrapping the condition in the expression delimiters and applying the unary not
operator to inputs.untrusted_source (i.e., convert the plain condition into a
proper Actions expression referencing inputs.untrusted_source). Ensure the line
remains an if: key and references inputs.untrusted_source so the runner
evaluates it as an expression.

run: |
PULL_TOKEN="$(depot pull-token --project ${VARS_DEPOT_PROJECT})"
echo "token=$PULL_TOKEN" >> "$GITHUB_OUTPUT"
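Review bot: Same fix as the earlier pull-token step: `if: ${{ ! inputs.untrusted_source }}`. The agent prompt on this comment calls the current line "raw YAML boolean syntax", which is not quite the issue; `not inputs.untrusted_source` is simply not an expression the Actions parser accepts, as the actionlint error shows. The downstream-consumer caveat from the first pull-token step applies here as well: whatever reads this step's `token` output must tolerate the step being skipped.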
35 changes: 35 additions & 0 deletions .github/workflows/ci.yaml
@@ -370,6 +370,8 @@ jobs:
uses: ./.github/workflows/artifacts.yaml
with:
publish: ${{ github.event_name == 'push' }}
# detect if the source is a fork
untrusted_source: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
Comment on lines +373 to +374
⚠️ Potential issue | 🟠 Major

Push events will be incorrectly marked as untrusted.

On push events (like pushes to main), github.event.pull_request is undefined, so head.repo.full_name evaluates to empty. Comparing empty to github.repository results in true for !=, marking all pushes as untrusted sources.

This likely isn't intended – pushes to main should be trusted. Consider handling the push case explicitly:

🛠️ Suggested fix
       # detect if the source is a fork
-      untrusted_source: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
+      untrusted_source: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository }}
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yaml around lines 373 - 374, The untrusted_source
assignment incorrectly treats push events as untrusted because
github.event.pull_request is undefined; update the expression for
untrusted_source to only perform the pull-request comparison when the event is a
pull_request (use github.event_name or github.event_name == 'pull_request') and
otherwise mark pushes as trusted (false), referencing the existing
untrusted_source variable and the github.event.pull_request.head.repo.full_name
comparison so only PRs are checked.

permissions:
contents: read
packages: write
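Review bot: Whichever fix is chosen for the push case, keep the failure direction as it is now: the expression as written treats a push to main as untrusted, which only costs the image save and the pull token, whereas an error in the other direction would hand a fork's pull request the credentialed path. `github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository` keeps pushes trusted and fork PRs untrusted; the `# detect if the source is a fork` comment should also say that `false` here enables Depot credential use, since that is the consequence the reusable workflow attaches to it.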
@@ -420,6 +422,7 @@ jobs:
persist-credentials: false

- name: Create override files for quickstart
if: github.event.pull_request.head.repo.full_name == github.repository
env:
DEPOT_IMAGE_URL: ${{ needs.artifacts.outputs.container-image-url-depot }}
run: |
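Review bot: The fork check here duplicates the one computed for `untrusted_source` a few lines up, with the same push-event behaviour: on a push `github.event.pull_request` is empty, so this `==` is false and the Depot override is never written for pushes to main. Computing the trusted/untrusted decision once, for example as an output of the `artifacts` job, and reusing it in both `if:` conditions and the `with:` input would keep the two from disagreeing; right now a fix to one expression has to be mirrored by hand in the other.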
@@ -441,6 +444,24 @@ jobs:

cat quickstart/docker-compose.override.yaml

- name: Build as part of quickstart
if: github.event.pull_request.head.repo.full_name != github.repository
run: |
cat > quickstart/docker-compose.override.yaml <<EOF
services:
openmeter:
build: ..
sink-worker:
build: ..
balance-worker:
build: ..
notification-service:
build: ..
billing-worker:
build: ..
openmeter-jobs:
build: ..
EOF
- name: Launch Docker Compose
run: docker compose -f docker-compose.yaml -f docker-compose.override.yaml up -d
working-directory: quickstart
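Review bot: The `!=` condition here is the exact complement of the `==` guard on the Depot override step, so exactly one override file is written per run, including on push events, where this build path runs instead of the Depot image. Two smaller points: this step omits the `cat quickstart/docker-compose.override.yaml` the Depot variant ends with, which makes the fork path harder to debug from logs, and `build: ..` runs the pull request's own Dockerfile on the runner, which is acceptable for a fork only as long as this job holds no secrets; a one-line comment stating that intent would keep a future edit from adding credentials to the job.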
@@ -512,6 +533,7 @@ jobs:
- name: Create override files for e2e
env:
DEPOT_IMAGE_URL: ${{ needs.artifacts.outputs.container-image-url-depot }}
if: github.event.pull_request.head.repo.full_name == github.repository
run: |
cat > e2e/docker-compose.override.yaml <<EOF
services:
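Review bot: Placing `if:` after `env:` works, but it is the same duplicated fork expression as the quickstart job and has the same push-event consequence (the Depot override is skipped on pushes). The same single-source-of-truth suggestion applies; if the expressions stay inline, at least keep the ordering of `if:` and `env:` consistent between the quickstart and e2e steps so a reader scanning for guards finds them in the same place.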
@@ -523,6 +545,19 @@ jobs:

cat e2e/docker-compose.override.yaml

- name: Build as part of e2e
if: github.event.pull_request.head.repo.full_name != github.repository
run: |
cat > e2e/docker-compose.override.yaml <<EOF
services:
openmeter:
build: ..
sink-worker:
build: ..
EOF

cat e2e/docker-compose.override.yaml

- name: Launch Docker Compose infra
run: docker compose -f docker-compose.infra.yaml -f docker-compose.openmeter.yaml -f docker-compose.override.yaml up -d
working-directory: e2e
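Review bot: The fork-path override for e2e builds only `openmeter` and `sink-worker`, while the quickstart fork path builds six services; if that is deliberate because the e2e compose files only start those two, a comment saying so would stop someone from adding the missing services later. The conditions are again complementary with the Depot step, so one override is always produced, and this step does include the `cat e2e/docker-compose.override.yaml` that the quickstart fork step lacks.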