Public workflows in SourceCraft

You can make SourceCraft workflows runnable by all organization members. Members can be given access to such workflows even if they have no roles in the repository the workflow resides in and no access to its secrets.

The member who runs such a public workflow can supply its inputs, follow its progress, and get the output data, including artifacts.

You can use this feature, for example, to check tasks in students' test repositories. Another potential use is granting access to some of the CI processes without assigning additional roles to users.

Public workflow configuration

A workflow becomes public if you set settings: shared: true for it in the .sourcecraft/ci.yaml configuration file in the default branch. Here is an example:

workflows:
  professor-test:
    inputs:
      STUDENTREPO:
        type: string
        required: true
      TASK:
        type: string
        required: true
    settings:
      shared: true
    tasks:
      - name: professor-task
        cubes:
          - name: professor-cube
            script:
              - |
                mkdir -p artifacts
                echo "Repo: ${{ inputs.STUDENTREPO }}" > artifacts/professor-output
                echo "Task: ${{ inputs.TASK }}" >> artifacts/professor-output
            artifacts:
              paths:
                - artifacts/professor-output

on:
  push: professor-test

Warning

All public workflow runs are performed by the user who made the latest update to .sourcecraft/ci.yaml in the main branch.

If .sourcecraft/ci.yaml in the main branch was updated directly via git push origin main using a limited-lifetime personal access token (PAT), the workflow will remain public only for the lifetime of that token.
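
A review aid for the configuration described above, added here as an example and not SourceCraft code: because any organization member can supply inputs and fetch artifacts, and the run is performed by the last user to update the file, it lists each shared workflow's caller-controlled inputs, the script lines that consume them, and the artifact paths it exposes. The function name, the finding fields, and the sample dict are assumptions; the dict stands in for .sourcecraft/ci.yaml after it has been loaded with a YAML parser.

```python
import re

# ${{ inputs.NAME }} references, in the syntax the page's example script uses.
INPUT_REF = re.compile(r"\$\{\{\s*inputs\.(\w+)\s*\}\}")

def audit_shared_workflows(config):
    """Return one finding per workflow that sets settings.shared: true."""
    findings = []
    for name, wf in (config.get("workflows") or {}).items():
        if (wf.get("settings") or {}).get("shared") is not True:
            continue  # not runnable by other organization members
        declared = set(wf.get("inputs") or {})
        uses, artifacts = [], []
        for task in wf.get("tasks") or []:
            for cube in task.get("cubes") or []:
                where = f"{task.get('name')}/{cube.get('name')}"
                for block in cube.get("script") or []:
                    for line in str(block).splitlines():
                        refs = sorted(set(INPUT_REF.findall(line)))
                        if refs:  # caller-supplied value reaches this line
                            uses.append((where, refs, line.strip()))
                for path in (cube.get("artifacts") or {}).get("paths") or []:
                    artifacts.append((where, path))  # downloadable by caller
        referenced = {r for _, refs, _ in uses for r in refs}
        findings.append({"workflow": name, "caller_inputs": sorted(declared),
                         "input_uses": uses, "artifacts": artifacts,
                         "undeclared_refs": sorted(referenced - declared)})
    return findings

# Constructed sample: the page's professor-test workflow and a hypothetical
# non-shared one, in the dict form a YAML loader would return for ci.yaml.
SAMPLE = {"workflows": {
    "professor-test": {
        "inputs": {"STUDENTREPO": {"type": "string", "required": True},
                   "TASK": {"type": "string", "required": True}},
        "settings": {"shared": True},
        "tasks": [{"name": "professor-task", "cubes": [{
            "name": "professor-cube",
            "script": ["mkdir -p artifacts\n"
                       'echo "Repo: ${{ inputs.STUDENTREPO }}" > artifacts/professor-output\n'
                       'echo "Task: ${{ inputs.TASK }}" >> artifacts/professor-output\n'],
            "artifacts": {"paths": ["artifacts/professor-output"]}}]}]},
    "internal-build": {"tasks": [{"name": "build", "cubes": [
        {"name": "make", "script": ["make all"]}]}]},
}}

if __name__ == "__main__":
    for finding in audit_shared_workflows(SAMPLE):
        print(finding)
```

Each entry in input_uses is a line where a value chosen by the caller enters the script, so those lines are the ones to read as handling untrusted data when reviewing a change that sets shared: true.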

Public workflow execution

You can start a public workflow from within another workflow using the special cr.yandex/sourcecraft/cubes/shared-workflows:latest cube or via the API.

In the input parameters, provide the following:

  • Slug of the repository containing the workflow.

  • Organization slug.

  • Workflow name.

  • Optionally, the inputs parameters, e.g., the link for cloning the repository you are starting the workflow from.

  • Optionally, a reference to the execution result: artifacts.

    Warning

    To get the artifacts from a public workflow, provide the job and cube names and the local artifact path in the environment variables of the cr.yandex/sourcecraft/cubes/shared-workflows:latest cube or in a separate API call.

Examples:

workflows:
  check-solution:
    tasks:
      - name: main
        cubes:
          - name: run-shared-workflow
            image: cr.yandex/sourcecraft/cubes/shared-workflows:latest
            env:
              ORG_SLUG: professor-org
              REPO_SLUG: professor-repo
              WORKFLOW_NAME: professor-test
              WORKFLOW_VALUES: '[{"name": "STUDENTREPO", "value": "student"}, {"name": "TASK", "value": "task-1"}]'
              TASK_NAME: professor-task
              CUBE_NAME: professor-cube
              ARTIFACT_LOCAL_PATH: artifacts/professor-output
            artifacts:
              paths:
                - artifacts/output

on:
  push: check-solution

  1. Create a personal access token (PAT).

  2. Run the public workflow by providing "shared": true in the request body:

    export PAT=<personal_access_token>
    
    cat > body.json << 'EOF'
    {
      "workflows": [
        {
          "name": "professor-test",
          "values": [
            {
              "name": "STUDENTREPO",
              "value": "student"
            },
            {
              "name": "TASK",
              "value": "task-1"
            }
          ]
        }
      ],
      "shared": true
    }
    EOF
    
    curl \
      --request POST \
      --header "Authorization: Bearer $PAT" \
      --data '@body.json' \
      --url "https://api.sourcecraft.tech/<organization_slug>/<repository_slug>/cicd/runs"
    

    Warning

    You can only run a public workflow in the repository's main branch and only with the CI/CD configuration from the main branch. Providing head and config_revision in the request body will produce an execution error.

    Save the execution slug value from the response.

  3. Get the status of a running workflow:

    curl \
      --request GET \
      --header "Authorization: Bearer $PAT" \
      --url "https://api.sourcecraft.tech/<organization_slug>/<repository_slug>/cicd/runs/<execution_slug>"
    

    Note

    The status and artifacts of a public workflow can only be accessed with the same personal token (PAT) used to run the workflow.

  4. Get artifacts of a running workflow:

    curl \
      --request GET \
      --header "Authorization: Bearer $PAT" \
      --url "https://api.sourcecraft.tech/<organization_slug>/<repository_slug>/cicd/artifacts/<execution_slug>/professor-test/professor-task/professor-cube"
    

For more information, see Working with the SourceCraft REST API.
