chore(ci): allow external forks to run our ci if approved (#3207)

.github/workflows/android-actions.yml

@@ -11,6 +11,10 @@ on:
         default: mapbox
         required: false
         type: string
+      REF_FORK:
+        description: "If build from fork repo or not"
+        required: false
+        type: string
       NEW_ARCH:
         description: "If build with new architecture or not"
         default: false
@@ -24,10 +28,18 @@ on:
 
 jobs:
   build_example:
+    name: Android Example Build ${{ inputs.NEW_ARCH && 'Fabric' || 'Paper' }} ${{ inputs.MAP_IMPL }}
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
+        if: ${{ github.event.inputs.REF_FORK == false }}
+
+      - name: Checkout fork
+        uses: actions/checkout@v4
+        if: ${{ github.event.inputs.REF_FORK == true }}
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Setup node ${{ inputs.NVMRC }}
         uses: actions/[email protected]

.github/workflows/ci-for-fored-repos.yml

@@ -0,0 +1,23 @@
+on:
+  pull_request_target:
+    branches: [ main ]
+
+jobs:
+  approve:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Approve
+      run: echo For security reasons, all pull requests need to be approved first before running any automated CI.
+
+  call_ci_requiring_tokens:
+    name: "CI requiring tokens"
+    enivoronment:
+      name: CI with Mapbox Tokens
+    needs: [approve]
+    uses: ./.github/workflows/ci-requiring-tokens.yml
+    with:
+      NVMRC: v18.18.0
+    secrets:
+      MAPBOX_ACCESS_TOKEN: ${{ secrets.ENV_MAPBOX_ACCESS_TOKEN }}
+      MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.ENV_MAPBOX_DOWNLOAD_TOKEN }}
+

.github/workflows/ci-requiring-tokens.yml

@@ -0,0 +1,81 @@
+name: CI Builds requiring mapbox tokens
+
+on:
+  workflow_call:
+    inputs:
+      NVMRC:
+        required: true
+        type: string
+    secrets:
+      MAPBOX_ACCESS_TOKEN:
+        required: true
+      MAPBOX_DOWNLOAD_TOKEN:
+        required: true
+
+concurrency: 
+  group: ${{ github.head_ref || github.run_id }}-ci-with-tokens
+  cancel-in-progress: true
+
+jobs:
+  call_android_workflow:
+    name: "Android/Mapbox"
+    uses: ./.github/workflows/android-actions.yml
+    with:
+      NVMRC: ${{ inputs.NVMRC }}
+      MAP_IMPL: mapbox
+    secrets:
+      MAPBOX_ACCESS_TOKEN: ${{ secrets.MAPBOX_ACCESS_TOKEN }}
+      MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.MAPBOX_DOWNLOAD_TOKEN }}
+
+  call_android_workflow_fabric:
+    name: "Android/Mapbox/Fabric"
+    uses: ./.github/workflows/android-actions.yml
+    with:
+      NVMRC: ${{ inputs.NVMRC }}
+      MAP_IMPL: mapbox
+      NEW_ARCH: true
+    secrets:
+      MAPBOX_ACCESS_TOKEN: ${{ secrets.MAPBOX_ACCESS_TOKEN }}
+      MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.MAPBOX_DOWNLOAD_TOKEN }}
+
+
+  call_android_workflow_11:
+    name: "Android/Mapbox11"
+    uses: ./.github/workflows/android-actions.yml
+    with:
+      NVMRC: ${{ inputs.NVMRC }}
+      MAP_IMPL: mapbox11
+    secrets:
+      MAPBOX_ACCESS_TOKEN: ${{ secrets.MAPBOX_ACCESS_TOKEN }}
+      MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.MAPBOX_DOWNLOAD_TOKEN }}
+
+  call_ios_workflow:
+    name: "iOS/Mapbox"
+    uses: ./.github/workflows/ios-actions.yml
+    with:
+      NVMRC: ${{ inputs.NVMRC }}
+      MAP_IMPL: mapbox
+    secrets:
+      MAPBOX_ACCESS_TOKEN: ${{ secrets.MAPBOX_ACCESS_TOKEN }}
+      MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.MAPBOX_DOWNLOAD_TOKEN }}
+
+  call_ios_workflow_fabric:
+    name: "iOS/Mapbox/Fabric"
+    uses: ./.github/workflows/ios-actions.yml
+    with:
+      NVMRC: ${{ inputs.NVMRC }}
+      MAP_IMPL: mapbox
+      NEW_ARCH: true
+    secrets:
+      MAPBOX_ACCESS_TOKEN: ${{ secrets.MAPBOX_ACCESS_TOKEN }}
+      MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.MAPBOX_DOWNLOAD_TOKEN }}
+
+  call_ios_workflow_11:
+    name: "iOS/Mapbox11"
+    uses: ./.github/workflows/ios-actions.yml
+    with:
+      NVMRC: ${{ inputs.NVMRC }}
+      MAP_IMPL: mapbox11
+    secrets:
+      MAPBOX_ACCESS_TOKEN: ${{ secrets.MAPBOX_ACCESS_TOKEN }}
+      MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.MAPBOX_DOWNLOAD_TOKEN }}

.github/workflows/ios-actions.yml

@@ -24,6 +24,7 @@ on:
 
 jobs:
   build:
+    name: iOS Example Build ${{ inputs.NEW_ARCH && 'Fabric' || 'Paper' }} ${{ inputs.MAP_IMPL }}
     runs-on: macos-12
     timeout-minutes: 55
 
@@ -33,7 +34,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Access Token
         run: echo $MAPBOX_ACCESS_TOKEN > ./accesstoken

.github/workflows/on-push.yml

@@ -65,80 +65,16 @@ jobs:
         if: "${{ env.MAPBOX_ACCESS_TOKEN != '' }}"
         run: echo "::set-output name=defined::true"
 
-  call_android_workflow:
-    name: "Android/Mapbox"
+  call_ci_requiring_tokens:
+    name: "CI requiring tokens"
     needs: [lint_test_generate,has_mapbox_token]
-    uses: ./.github/workflows/android-actions.yml
+    uses: ./.github/workflows/ci-requiring-tokens.yml
     with:
       NVMRC: ${{ needs.lint_test_generate.outputs.NVMRC }}
-      MAP_IMPL: mapbox
     if: needs.has_mapbox_token.outputs.has-mapbox-token == 'true'
     secrets:
       MAPBOX_ACCESS_TOKEN: ${{ secrets.MAPBOX_ACCESS_TOKEN }}
-      MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.MAPBOX_DOWNLOAD_TOKEN }}
-
-  call_android_workflow_fabric:
-    name: "Android/Mapbox/Fabric"
-    needs: [lint_test_generate,has_mapbox_token]
-    uses: ./.github/workflows/android-actions.yml
-    with:
-      NVMRC: ${{ needs.lint_test_generate.outputs.NVMRC }}
-      MAP_IMPL: mapbox
-      NEW_ARCH: true
-    if: needs.has_mapbox_token.outputs.has-mapbox-token == 'true'
-    secrets:
-      MAPBOX_ACCESS_TOKEN: ${{ secrets.MAPBOX_ACCESS_TOKEN }}
-      MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.MAPBOX_DOWNLOAD_TOKEN }}
-
-
-  call_android_workflow_11:
-    name: "Android/Mapbox11"
-    needs: [lint_test_generate,has_mapbox_token]
-    uses: ./.github/workflows/android-actions.yml
-    with:
-      NVMRC: ${{ needs.lint_test_generate.outputs.NVMRC }}
-      MAP_IMPL: mapbox11
-    if: needs.has_mapbox_token.outputs.has-mapbox-token == 'true'
-    secrets:
-      MAPBOX_ACCESS_TOKEN: ${{ secrets.MAPBOX_ACCESS_TOKEN }}
-      MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.MAPBOX_DOWNLOAD_TOKEN }}
-
-  call_ios_workflow:
-    name: "iOS/Mapbox"
-    needs: [lint_test_generate,has_mapbox_token]
-    uses: ./.github/workflows/ios-actions.yml
-    if: needs.has_mapbox_token.outputs.has-mapbox-token == 'true'
-    with:
-      NVMRC: ${{ needs.lint_test_generate.outputs.NVMRC }}
-      MAP_IMPL: mapbox
-    secrets:
-      MAPBOX_ACCESS_TOKEN: ${{ secrets.MAPBOX_ACCESS_TOKEN }}
-      MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.MAPBOX_DOWNLOAD_TOKEN }}
-
-  call_ios_workflow_fabric:
-    name: "iOS/Mapbox/Fabric"
-    needs: [lint_test_generate,has_mapbox_token]
-    uses: ./.github/workflows/ios-actions.yml
-    if: needs.has_mapbox_token.outputs.has-mapbox-token == 'true'
-    with:
-      NVMRC: ${{ needs.lint_test_generate.outputs.NVMRC }}
-      MAP_IMPL: mapbox
-      NEW_ARCH: true
-    secrets:
-      MAPBOX_ACCESS_TOKEN: ${{ secrets.MAPBOX_ACCESS_TOKEN }}
-      MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.MAPBOX_DOWNLOAD_TOKEN }}
-
-  call_ios_workflow_11:
-    name: "iOS/Mapbox11"
-    needs: [lint_test_generate,has_mapbox_token]
-    uses: ./.github/workflows/ios-actions.yml
-    if: needs.has_mapbox_token.outputs.has-mapbox-token == 'true'
-    with:
-      NVMRC: ${{ needs.lint_test_generate.outputs.NVMRC }}
-      MAP_IMPL: mapbox11
-    secrets:
-      MAPBOX_ACCESS_TOKEN: ${{ secrets.MAPBOX_ACCESS_TOKEN }}
-      MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.MAPBOX_DOWNLOAD_TOKEN }}
+      MAPBOX_DOWNLOAD_TOKEN: ${{ secrets.MAPBOX_DOWNLOAD_TOKEN }} 
 
   publish:
     if: startsWith(github.ref, 'refs/tags/') && (github.event_name == 'push')