chore(auth): remove max scope for partners #143253
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Dispatch a request to getsentry to run getsentry test suites | |
name: getsentry dispatcher | |
on: | |
# XXX: We are using `pull_request_target` instead of `pull_request` because we want | |
# this to run on forks. It allows forks to access secrets safely by | |
# only running workflows from the main branch. Prefer to use `pull_request` when possible. | |
# | |
# See https://github.com/getsentry/sentry/pull/21600 for more details | |
pull_request_target: | |
types: [labeled, opened, reopened, synchronize] | |
# disable all other special privileges | |
permissions: | |
# needed for `actions/checkout` to clone the code | |
contents: read | |
# needed to remove the pull-request label | |
pull-requests: write | |
jobs: | |
dispatch: | |
if: "github.event.action != 'labeled' || github.event.label.name == 'Trigger: getsentry tests'" | |
name: getsentry dispatch | |
runs-on: ubuntu-24.04 | |
steps: | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
persist-credentials: false | |
- name: permissions | |
run: | | |
python3 -uS .github/workflows/scripts/getsentry-dispatch-setup \ | |
--repo-id ${{ github.event.repository.id }} \ | |
--pr ${{ github.event.number }} \ | |
--event ${{ github.event.action }} \ | |
--username "$ARG_USERNAME" \ | |
--label-names "$ARG_LABEL_NAMES" | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
# these can contain special characters | |
ARG_USERNAME: ${{ github.event.pull_request.user.login }} | |
ARG_LABEL_NAMES: ${{ toJSON(github.event.pull_request.labels.*.name) }} | |
- name: Check for file changes | |
uses: dorny/paths-filter@0bc4621a3135347011ad047f9ecf449bf72ce2bd # v3.0.0 | |
id: changes | |
with: | |
token: ${{ github.token }} | |
filters: .github/file-filters.yml | |
- name: getsentry token | |
uses: getsentry/action-github-app-token@d4b5da6c5e37703f8c3b3e43abb5705b46e159cc # v3.0.0 | |
id: getsentry | |
with: | |
app_id: ${{ vars.SENTRY_INTERNAL_APP_ID }} | |
private_key: ${{ secrets.SENTRY_INTERNAL_APP_PRIVATE_KEY }} | |
- name: Wait for PR merge commit | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
id: mergecommit | |
with: | |
github-token: ${{ steps.getsentry.outputs.token }} | |
script: | | |
require(`${process.env.GITHUB_WORKSPACE}/.github/workflows/scripts/wait-for-merge-commit`).waitForMergeCommit({ | |
github, | |
context, | |
core, | |
}); | |
- name: Dispatch getsentry tests | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
with: | |
github-token: ${{ steps.getsentry.outputs.token }} | |
script: | | |
require(`${process.env.GITHUB_WORKSPACE}/.github/workflows/scripts/getsentry-dispatch`).dispatch({ | |
github, | |
context, | |
core, | |
mergeCommitSha: '${{ steps.mergecommit.outputs.mergeCommitSha }}', | |
fileChanges: ${{ toJson(steps.changes.outputs) }}, | |
}); |