chore: gate restricted contexts with approval job for contributor workflow (#27862)

astone123 · web-flow · commit 154311a457fb · 2023-09-21T11:19:37.000-04:00
diff --git a/.circleci/workflows.yml b/.circleci/workflows.yml
@@ -2898,6 +2898,14 @@ linux-x64-contributor-workflow: &linux-x64-contributor-workflow
     - build:
         requires:
           - node_modules_install
+
+    # In subsequent jobs, we use some contexts that are restricted to members of the Cypress organization.
+    # This job will allow for a Cypress member to approve and run the rest of the restricted jobs in the pipeline after the contributor code has been reviewed.
+    - contributor-pr:
+        type: approval
+        requires:
+          - build
+
     - check-ts:
         requires:
           - build
@@ -2909,22 +2917,22 @@ linux-x64-contributor-workflow: &linux-x64-contributor-workflow
         context: [test-runner:poll-circle-workflow, test-runner:percy]
         required_env_var: PERCY_TOKEN # skips job if not defined (external PR)
         requires:
-          - build
+          - contributor-pr
     - lint-types:
         requires:
           - build
     # unit, integration and e2e tests
     - cli-visual-tests:
         context: test-runner:percy
         requires:
-          - build
+          - contributor-pr
     - unit-tests:
         requires:
           - build
     - verify-release-readiness:
         context: test-runner:npm-release
         requires:
-          - build
+          - contributor-pr
     - server-unit-tests:
         requires:
           - build
@@ -2937,7 +2945,7 @@ linux-x64-contributor-workflow: &linux-x64-contributor-workflow
     - system-tests-node-modules-install:
         context: test-runner:performance-tracking
         requires:
-          - build
+          - contributor-pr
     - system-tests-chrome:
         context: test-runner:performance-tracking
         requires:
@@ -2962,46 +2970,46 @@ linux-x64-contributor-workflow: &linux-x64-contributor-workflow
     - driver-integration-tests-chrome:
         context: test-runner:cypress-record-key
         requires:
-          - build
+          - contributor-pr
     - driver-integration-tests-chrome-beta:
         context: test-runner:cypress-record-key
         requires:
-          - build
+          - contributor-pr
     - driver-integration-tests-firefox:
         context: test-runner:cypress-record-key
         requires:
-          - build
+          - contributor-pr
     - driver-integration-tests-electron:
         context: test-runner:cypress-record-key
         requires:
-          - build
+          - contributor-pr
     - driver-integration-tests-webkit:
         context: test-runner:cypress-record-key
         requires:
-          - build
+          - contributor-pr
     - driver-integration-memory-tests:
         requires:
           - build
     - run-frontend-shared-component-tests-chrome:
         context: [test-runner:cypress-record-key, test-runner:launchpad-tests, test-runner:percy]
         percy: true
         requires:
-          - build
+          - contributor-pr
     - run-launchpad-integration-tests-chrome:
         context: [test-runner:cypress-record-key, test-runner:launchpad-tests, test-runner:percy]
         percy: true
         requires:
-          - build
+          - contributor-pr
     - run-launchpad-component-tests-chrome:
         context: [test-runner:cypress-record-key, test-runner:launchpad-tests, test-runner:percy]
         percy: true
         requires:
-          - build
+          - contributor-pr
     - run-app-integration-tests-chrome:
         context: [test-runner:cypress-record-key, test-runner:launchpad-tests, test-runner:percy]
         percy: true
         requires:
-          - build
+          - contributor-pr
     - run-webpack-dev-server-integration-tests:
         context: [test-runner:cypress-record-key, test-runner:percy]
         requires:
@@ -3014,16 +3022,16 @@ linux-x64-contributor-workflow: &linux-x64-contributor-workflow
         context: [test-runner:cypress-record-key, test-runner:launchpad-tests, test-runner:percy]
         percy: true
         requires:
-          - build
+          - contributor-pr
     - run-reporter-component-tests-chrome:
         context: [test-runner:cypress-record-key, test-runner:percy]
         percy: true
         requires:
-          - build
+          - contributor-pr
     - reporter-integration-tests:
         context: [test-runner:cypress-record-key, test-runner:percy]
         requires:
-          - build
+          - contributor-pr
     - npm-webpack-dev-server:
         requires:
           - system-tests-node-modules-install
@@ -3167,28 +3175,16 @@ linux-x64-contributor-workflow: &linux-x64-contributor-workflow
           - run-vite-dev-server-integration-tests
           - v8-integration-tests
 
-    # This approval job will block the building of the binary on contributor jobs
-    # If a member of the Cypress team manually approves this job, then it will run with the required contexts
-    - approve-binary-build:
-        type: approval
-        requires:
-          - build
-
     - create-and-trigger-packaging-artifacts:
-        context:
-          - test-runner:upload
-          - test-runner:build-binary
-          - publish-binary
+        context: [test-runner:upload, test-runner:build-binary, publish-binary]
         requires:
-          - approve-binary-build
+          - contributor-pr
     - wait-for-binary-publish:
         type: approval
         requires:
           - create-and-trigger-packaging-artifacts
     - get-published-artifacts:
-        context:
-          - publish-binary
-          - test-runner:commit-status-checks
+        context: [publish-binary, test-runner:commit-status-checks]
         requires:
           - wait-for-binary-publish
     # various testing scenarios, like building full binary
@@ -3287,11 +3283,7 @@ linux-arm64-workflow: &linux-arm64-workflow
 
     - create-and-trigger-packaging-artifacts:
         name: linux-arm64-create-and-trigger-packaging-artifacts
-        context:
-          - test-runner:upload
-          - test-runner:commit-status-checks
-          - test-runner:build-binary
-          - publish-binary
+        context: [test-runner:upload, test-runner:commit-status-checks, test-runner:build-binary, publish-binary]
         executor: linux-arm64
         resource_class: arm.medium
         requires:
@@ -3305,9 +3297,7 @@ linux-arm64-workflow: &linux-arm64-workflow
 
     - get-published-artifacts:
         name: linux-arm64-get-published-artifacts
-        context:
-          - publish-binary
-          - test-runner:commit-status-checks
+        context: [publish-binary, test-runner:commit-status-checks]
         executor: linux-arm64
         resource_class: arm.medium
         requires:
@@ -3529,4 +3519,4 @@ workflows:
     <<: *darwin-workflow-filters
   windows:
     <<: *windows-workflow
-    <<: *windows-workflow-filters
+    <<: *windows-workflow-filters
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -363,6 +363,8 @@ Additionally, we test the code by running it against various other example proje
 
 If you're curious how we manage all of these tests in CI check out our [CircleCI config](.circleci/config.yml).
 
+Some of our test jobs in CircleCI require access to environment variables that are sensitive and are restricted to Cypress maintainers only. If you are not a Cypress maintainer, when your CI job runs, only a subset of jobs will run at first. A Cypress maintainer will need to approve the `contributor-pr` job in your workflow in order for your CI pipeline to complete.
+
 #### Docker
 
 Sometimes tests pass locally, but fail in CI. Our CI environment is dockerized. In order to run the image used in CI locally:
