From 78f589f5eb4a5bb9ea132dfc6f56a5c8b02ea7d7 Mon Sep 17 00:00:00 2001
From: David Herberth <david.herberth@sentry.io>
Date: Fri, 3 May 2024 13:42:53 +0200
Subject: [PATCH] ci(ci): Skip unused build steps in PRs (#3529)

PRs by default do no longer publish artifacts to gocd and gcr and only
build the relay docker image for the `linux/amd64` platform (required
for Sentry integration tests).

All steps still run on master, a PR can opt in to run the full CI by
setting the `Trigger: Full-CI` label, it will re-run CI will all steps.
---
 .github/workflows/ci.yml | 61 ++++++++++++++++++++++++++++++++--------
 1 file changed, 49 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8554e7bd32..79950d99f7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,6 +8,7 @@ on:
       - release-library/**
 
   pull_request:
+    types: [opened, synchronize, reopened, labeled]
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
@@ -179,12 +180,48 @@ jobs:
       - name: Run Python Tests
         run: pytest -v py
 
+  build-setup:
+    name: Setup build metadata
+    runs-on: ubuntu-latest
+
+    if: "!startsWith(github.ref, 'refs/heads/release-library/')"
+
+    env:
+      FULL_CI: "${{
+        github.ref == 'refs/heads/master'
+        || contains(github.event.pull_request.labels.*.name, 'Trigger: Full-CI')
+      }}"
+
+    steps:
+      - id: set-outputs
+        run: |
+          echo "full_ci=$FULL_CI" >> $GITHUB_OUTPUT
+
+          if [[ "$FULL_CI" == "true" ]]; then
+            echo "Running full CI"
+            echo 'image_names=["relay", "relay-pop"]' >> $GITHUB_OUTPUT
+            echo 'targets=["x86_64-unknown-linux-gnu", "aarch64-unknown-linux-gnu"]' >> $GITHUB_OUTPUT
+            echo 'platforms=["linux/amd64","linux/arm64"]' >> $GITHUB_OUTPUT
+          else
+            echo "Skipping some CI steps"
+            echo 'image_names=["relay"]' >> $GITHUB_OUTPUT
+            echo 'targets=["x86_64-unknown-linux-gnu"]' >> $GITHUB_OUTPUT
+            echo 'platforms=["linux/amd64"]' >> $GITHUB_OUTPUT
+          fi
+    outputs:
+      image_names: "${{ steps.set-outputs.outputs.image_names }}"
+      targets: "${{ steps.set-outputs.outputs.targets }}"
+      platforms: "${{ steps.set-outputs.outputs.platforms }}"
+      full_ci: "${{ steps.set-outputs.outputs.full_ci }}"
+
   build:
+    needs: build-setup
     timeout-minutes: 30
+
     strategy:
       matrix:
-        image_name: [relay, relay-pop]
-        target: [x86_64-unknown-linux-gnu, aarch64-unknown-linux-gnu]
+        image_name: ${{ fromJson(needs.build-setup.outputs.image_names) }}
+        target: ${{ fromJson(needs.build-setup.outputs.targets) }}
 
     name: Build Relay Binary
     runs-on: ubuntu-latest
@@ -253,17 +290,17 @@ jobs:
 
   build-docker:
     timeout-minutes: 5
-    needs: build
+    needs: [build-setup, build]
 
     name: Build Docker Image
     runs-on: ubuntu-latest
 
     strategy:
       matrix:
-        image_name: [relay, relay-pop]
+        image_name: ${{ fromJson(needs.build-setup.outputs.image_names) }}
 
     env:
-      PLATFORMS: "linux/amd64,linux/arm64"
+      PLATFORMS: "${{ join(fromJSON(needs.build-setup.outputs.platforms), ',') }}"
       DOCKER_IMAGE: "ghcr.io/getsentry/${{ matrix.image_name }}"
       REVISION: "${{ github.event.pull_request.head.sha || github.sha }}"
 
@@ -291,7 +328,7 @@ jobs:
             --push .
 
   publish-to-dockerhub:
-    needs: build-docker
+    needs: [build-setup, build-docker]
 
     runs-on: ubuntu-20.04
     name: Publish Relay to DockerHub
@@ -332,14 +369,14 @@ jobs:
 
   publish-to-gcr:
     timeout-minutes: 5
-    needs: build-docker
+    needs: [build-setup, build-docker]
 
     name: Publish Relay to GCR
     runs-on: ubuntu-latest
 
     strategy:
       matrix:
-        image_name: [relay, relay-pop]
+        image_name: ${{ fromJson(needs.build-setup.outputs.image_names) }}
 
     # required for google auth
     permissions:
@@ -353,7 +390,7 @@ jobs:
 
     # Skip redundant checks for library releases
     # Skip for dependabot and if run on a fork
-    if: "!startsWith(github.ref, 'refs/heads/release-library/') && !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]'"
+    if: "!startsWith(github.ref, 'refs/heads/release-library/') && !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]' && needs.build-setup.outputs.full_ci == 'true'"
 
     steps:
       - name: Install cosign
@@ -389,14 +426,14 @@ jobs:
 
   gocd-artifacts:
     timeout-minutes: 5
-    needs: build-docker
+    needs: [build-setup, build-docker]
 
     name: Upload build artifacts to gocd
     runs-on: ubuntu-latest
 
     strategy:
       matrix:
-        image_name: [relay, relay-pop]
+        image_name: ${{ fromJson(needs.build-setup.outputs.image_names) }}
 
     # required for google auth
     permissions:
@@ -407,7 +444,7 @@ jobs:
       GHCR_DOCKER_IMAGE: "ghcr.io/getsentry/${{ matrix.image_name }}"
       REVISION: "${{ github.event.pull_request.head.sha || github.sha }}"
 
-    if: "!startsWith(github.ref, 'refs/heads/release-library/') && !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]'"
+    if: "!startsWith(github.ref, 'refs/heads/release-library/') && !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]' && needs.build-setup.outputs.full_ci == 'true'"
 
     steps:
       - name: Google Auth