Required Workflows

[jimafisk]

Feature Description

Feature Request: As a Gitea Site Administrator I'd love to be able to universally enforce an Action on all repos that users can't edit/change.

Why it's useful: Opening up CI/CD to users comes with some risk for abuse (see this example of GitLab requiring valid credit cards to avoid crypto mining on their runners). Gitea is also perfectly aligned for folks who want to run niche SaaS products that might use the same tech / workflow across repos.

Similar (but different) features seen on GitHub:

GitHub Actions have Required Workflows that allow you to specify CI/CD operations that run across multiple repositories. See more details in their blog post. My understanding is this is similar to Reusable Workflows (related blog post) but differs slightly:

Required workflows can be stored in any repository folder and are not restricted to the .github/workflows folder like normal workflows. If a required workflow calls a reusable workflow, the reusable workflow must be stored in the .github/workflows folder.

For my particular use case, I wouldn't necessarily want to define the Action in another repo, I'd rather set it in the Site Administration settings or in a separate config file.

Screenshots

No response

[lunny]

How about adding it to protected branch rules?

[jimafisk]

Thanks for following up @lunny! I'm not sure if my use case is common, but my hope was the universal action wouldn't actually get tracked with the repo code itself. I pictured being able to define the action in something like Site Administrator > Actions > Global Workflows and being able to assign it to all or select repositories throughout the instance. It would allow administrators to enforce certain repo rules, or in my case our whole Gitea instance is centered around a specific technology and we want to require a particular build/deployment process that users can't change. Maybe what you had in mind for protected branch rules is similar? Thanks!

[lunny]

Thanks for following up @lunny! I'm not sure if my use case is common, but my hope was the universal action wouldn't actually get tracked with the repo code itself. I pictured being able to define the action in something like Site Administrator > Actions > Global Workflows and being able to assign it to all or select repositories throughout the instance. It would allow administrators to enforce certain repo rules, or in my case our whole Gitea instance is centered around a specific technology and we want to require a particular build/deployment process that users can't change. Maybe what you had in mind for protected branch rules is similar? Thanks!

OK. I understand your requirements. It's a global enforce workflows which is configured by admin in admin panel.
Whether the logs should be displayed on repository's actions tab or not?

[jimafisk]

Whether the logs should be displayed on repository's actions tab or not?

That's a great question, for me it would be useful to still log the builds in the repo. Potentially other folks would want to hide this though - I guess having a configurable "hide logs" option in the administrator settings would be ideal, but not critical.

[AvengerMoJo]

@lunny I started with creating a WIP branch https://github.com/AvengerMoJo/gitea/tree/wip_require_action_feature
It allows the repo to enable a global require workflow flag to start with. ( done )
Then, I will create a org setting page to adding the global enabled workflow to auto run for a ll repo in the org. (wip)

[AvengerMoJo]

I am following the action runner template and then added a "add global workflow" button so, all the enabled workflows are listed in the pull down, then select / multi select to enable for all the repos in org to be called.
I may need some help and discussion before implementing next step.
Once the global enable workflow (Require Action) is being added.

1. Default behavior is to allow all repos in the Org to run those Require Actions. Do we need the filter function now to remove specific repo from running it?
2. How should I schedule those Require Actions schedule to run for each repo?
3. Since each repo doesn't has actually has the workflow files in their git tree. The original Actions tab in the repo interface need to be updated, but where should those log and Require Actions history should be store?

Thanks

[lunny]

I am following the action runner template and then added a "add global workflow" button so, all the enabled workflows are listed in the pull down, then select / multi select to enable for all the repos in org to be called. I may need some help and discussion before implementing next step. Once the global enable workflow (Require Action) is being added.

1. Default behavior is to allow all repos in the Org to run those Require Actions. Do we need the filter function now to remove specific repo from running it?

Maybe the repositories could choose whether to inherit from these global workflows.

2. How should I schedule those Require Actions schedule to run for each repo?

Hm, the get schedules function needs to be changed to get parent-level workflows.

3. Since each repo doesn't has actually has the workflow files in their git tree. The original Actions tab in the repo interface need to be updated, but where should those log and Require Actions history should be store?

The inherited workflow files should be displayed on actions left sidebar with different color/icon with repo's. Logs should be still stored like before. I have no idea how to store the inherited workflows.

[AvengerMoJo]

1. Default behavior is to allow all repos in the Org to run those Require Actions. Do we need the filter function now to remove specific repo from running it?

Maybe the repositories could choose whether to inherit from these global workflows.

I don't object to the idea of repo level should able to opt out of the global workflows. However, I want to highlight and make sure we are in-sync of the benefit about this Require Action is to allow Org level to apply workflow to all Repos without adding files or variable and setup them up one by one individually. So the Org level view should be the top level default to enable for all repos. ( Or else individual repo could actually use or link other workflow privately not need for this feature ) and likewise Org level filter may need to implement to opt out the repo don't need to run the global workflows?

[lunny]

The original requirement is global level. So maybe we need to support both global level and org level finally.

[lunny]

Note: GitHub no longer supports required workflows for GitHub Actions. To require workflows to pass before merging, upgrade your GitHub Enterprise Server instance to the latest version and use repository rulesets instead.

Looks like Github has deprecated this feature.

[AvengerMoJo]

Here are the screenshot of the wip implementation so far.

[BlenderDefender]

@lunny Yes, GitHub has moved this feature to branch protection rules, and it's only available in GitHub enterprise cloud.