15 changes: 14 additions & 1 deletion .github/workflows/ci.yml
@@ -394,12 +394,25 @@ jobs:

dependency-submission:
name: Submit Dependencies
if: github.event.repository.fork == false && github.event_name != 'pull_request'
if: github.event.repository.fork == false && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)
strategy:
matrix:
os: [ubuntu-22.04]
java: [temurin@8]
runs-on: ${{ matrix.os }}
permissions:
actions: none
checks: none
contents: write
deployments: none
id-token: none
issues: none
packages: read
pages: none
pull-requests: none
repository-projects: none
security-events: none
statuses: none
steps:
- name: Ignore line ending differences in git
if: contains(runner.os, 'windows')
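Review bot: the widened `if:` at the top of the hunk and the new `permissions:` block are two halves of one change and deserve a YAML comment saying so: `contents: write` is what the dependency submission job needs, and the `github.event.pull_request.head.repo.full_name == github.repository` clause is what keeps a job holding that token off fork pull requests (whose token is read-only in any case, as the thread below notes). The evaluation order is sound: on non-`pull_request` events `github.event_name != 'pull_request'` is true and the `||` short-circuits before the `pull_request` context is consulted.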
21 changes: 18 additions & 3 deletions ci/src/main/scala/org/typelevel/sbt/TypelevelCiPlugin.scala
@@ -20,6 +20,8 @@ import org.typelevel.sbt.NoPublishGlobalPlugin.noPublishModulesIgnore
import org.typelevel.sbt.gha.GenerativePlugin
import org.typelevel.sbt.gha.GenerativePlugin.autoImport._
import org.typelevel.sbt.gha.GitHubActionsPlugin
import org.typelevel.sbt.gha.PermissionValue
import org.typelevel.sbt.gha.Permissions
import org.typelevel.sbt.gha.WorkflowStep
import sbt._

@@ -49,6 +51,10 @@ object TypelevelCiPlugin extends AutoPlugin {
lazy val tlCiDependencyGraphJob =
settingKey[Boolean]("Whether to add a job to submit dependencies to GH (default: true)")

lazy val tlCiDependencyGraphOnPullRequest =
settingKey[Boolean](
"Whether to run the dependency-submission job on same-repo pull requests (default: true)")

lazy val tlCiStewardValidateConfig = settingKey[Option[File]](
"The location of the Scala Steward config to validate (default: `.scala-steward.conf`, if exists)")

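Review bot: the description string of `tlCiDependencyGraphOnPullRequest` leaves the key constraint implicit and will prompt the question asked in the thread below: the setting only affects same-repo pull requests because the submission job needs `contents: write`, which fork PRs never get. Suggest spelling that out, e.g. `"Whether to run the dependency-submission job on same-repo pull requests; fork PRs are always skipped because the job needs contents: write (default: true)"`.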
@@ -68,6 +74,7 @@ object TypelevelCiPlugin extends AutoPlugin {
tlCiMimaBinaryIssueCheck := false,
tlCiDocCheck := false,
tlCiDependencyGraphJob := true,
tlCiDependencyGraphOnPullRequest := true,
tlCiForkCondition := "github.event.repository.fork == false",
githubWorkflowTargetBranches ++= Seq(
"!update/**", // ignore steward branches
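Review bot: defaulting `tlCiDependencyGraphOnPullRequest := true` changes behaviour for every existing user on upgrade: the dependency-submission job, carrying a `contents: write` token, now also runs on same-repo pull requests. That is a sensible default, but it should get a release-note line; if a conservative rollout is preferred, default to `false` and let projects opt in.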
@@ -144,8 +151,14 @@ object TypelevelCiPlugin extends AutoPlugin {
},
githubWorkflowJavaVersions := Seq(JavaSpec.temurin("8")),
githubWorkflowAddedJobs ++= {
val ghEventCond = "github.event_name != 'pull_request'"
val jobCond = s"${tlCiForkCondition.value} && $ghEventCond"
val sameRepoPrCond =
"github.event.pull_request.head.repo.full_name == github.repository"
Comment on lines +154 to +155
Member

Could we use tlCiForkCondition for this, or is it checking something different? 🤔

Member

Oh sorry, dumb question, I see it's something different 🤔

Member Author

If I've got all of this right (which might not be the case 😅), the idea is to run the vulnerability detection job on PRs from the same repo (so Scala Steward or a maintainer's branch), which works because those PRs run with a token that can be granted contents: write.

However, it won't work for PRs from a contributor's fork, because the Submission API requires contents: write, and PRs from forks always run with a read-only token.

The sameRepoPrCond condition is checking this.

Member

Sorry, I'm still confused 😅

the idea is to run the vulnerability detection job on PRs from the same repo

However, it won't work for PRs from a contributor's fork

That makes sense. Isn't this equivalent to checking if CI is running on a fork? Which is what tlCiForkCondition represents.

Member Author

I think that tlCiForkCondition doesn't cover the case where a fork PR runs on the original repo's CI 🤔

Member

Oh I see, I think you are right! PR runs CI in the original repo, but without the write permissions. So confusing 😅 thanks for clarifying :)

val ghEventCond =
if (tlCiDependencyGraphOnPullRequest.value)
s"github.event_name != 'pull_request' || $sameRepoPrCond"
else
"github.event_name != 'pull_request'"
val jobCond = s"${tlCiForkCondition.value} && ($ghEventCond)"

val dependencySubmission =
if (tlCiDependencyGraphJob.value)
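Review bot: `jobCond` now parenthesises `$ghEventCond`, which is required since the event condition can contain `||`, but `${tlCiForkCondition.value}` is still interpolated bare; that value is user-supplied, so a custom fork condition containing `||` would widen the job's trigger instead of narrowing it. Consider wrapping it in parentheses as well, i.e. `s"(${tlCiForkCondition.value}) && ($ghEventCond)"`. Minor: `sameRepoPrCond` is built unconditionally but only read in the `if (tlCiDependencyGraphOnPullRequest.value)` branch; moving it into that branch keeps the two strings together.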
@@ -163,7 +176,9 @@ object TypelevelCiPlugin extends AutoPlugin {
Some(List("test", "scala-tool", "scala-doc-tool", "test-internal")),
None
),
cond = Some(jobCond)
cond = Some(jobCond),
permissions =
Some(Permissions.Specify.defaultRestrictive.withContents(PermissionValue.Write))
))
else Nil

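Review bot: setting `permissions = Some(Permissions.Specify.defaultRestrictive.withContents(PermissionValue.Write))` makes the job's elevated token explicit, which is the right shape for this job; note that a job-level `permissions` block overrides any workflow-level grant for that job, so this job now gets exactly the generated set (the YAML above shows `contents: write` plus `packages: read`, everything else `none`). A one-line comment here on why `contents: write` is needed (the dependency submission API) would save the next reader the trip through the review thread.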
1 change: 1 addition & 0 deletions docs/customization.md
@@ -66,6 +66,7 @@ Both plugins are documented in [**sbt-typelevel-github-actions**](gha.md).
- `tlCiMimaBinaryIssueCheck` (setting): Whether to do MiMa binary issues check in CI (default: `false`).
- `tlCiDocCheck` (setting): Whether to build API docs in CI (default: `false`).
- `tlCiDependencyGraphJob` (setting): Whether to add a job to submit dependencies to GH (default: `true`).
- `tlCiDependencyGraphOnPullRequest` (setting): Whether to run the dependency-submission job on same-repo pull requests (default: `true`).
- `tlCiForkCondition` (setting): Condition for checking on CI whether this project is a fork of another (default: `github.event.repository.fork == false`).
- `tlCiStewardValidateConfig` (setting): The location of the Scala Steward config to validate (default: `.scala-steward.conf`, if exists).
- `tlCrossRootProject` (method): helper to create a `root` project that can aggregate both `Project`s and `CrossProject`s. Automatically creates separate jobs in the CI matrix for each platform (JVM, JS, etc.).
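Review bot: the new `tlCiDependencyGraphOnPullRequest` entry should state the two conditions the one-liner leaves implicit: it has no effect unless `tlCiDependencyGraphJob` is `true`, and pull requests from forks are skipped regardless, because the dependency-submission job needs `contents: write` while fork PRs run with a read-only token. Documenting that here avoids the confusion seen in the review thread on this PR.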