Configuring a public workflow in SourceCraft

You can make SourceCraft workflows runnable by all organization members. You can grant access to them even if there are no roles in the repository the workflow resides in and no access to its secrets.

The member who runs such a public workflow is able to feed into it the inputs, follow its progress, and get the output data, including artifacts.

You can use this feature, for example, to check tasks in students' test repositories. Another potential use is granting access to some of the CI processes without assigning additional roles to users.

To configure a public workflow:

  1. Create a public workflow.
  2. Run the public workflow.

Creating a public workflow

Note

This section of the tutorial is for users creating a public workflow and holding the Repository developer minimum role.

  1. If you do not have a repository yet, create one.

  2. Add the .sourcecraft/ci.yaml file with your workflow contents to the repository main branch, like this:

    workflows:
  professor-test:
    inputs:
      STUDENTREPO:
        type: string
        required: true
      TASK:
        type: string
        required: true
    settings:
      shared: true
    tasks:
      - name: professor-task
        cubes:
          - name: professor-cube
            script:
              - |
              	mkdir -p artifacts
                echo "Repo: ${{ inputs.STUDENTREPO }}" > artifacts/professor-output
                echo "Task: ${{ inputs.TASK }}" >> artifacts/professor-output
            artifacts:
              paths:
                - artifacts/professor-output

on:
  push: professor-test

    Where settings:shared: true grants the permission to run the workflow to all organization members.

    Warning

    All public workflow runs are performed by the user who adds the last update to .sourcecraft/ci.yaml in the main branch.

    If .sourcecraft/ci.yaml in the main branch was updated directly via git push origin main using a limited-lifetime personal access token (PAT), the workflow will remain public only during that lifetime.

Running a public workflow

Note

This section of the tutorial is for organization members running a public workflow.

You can start a public workflow from within another workflow using the special cr.yandex/sourcecraft/cubes/shared-workflows:latest cube or via the API.

In the input parameters, provide the following:

  • Slug of the repository containing the workflow.

  • Organization slug.

  • Workflow name.

  • Optionally, the inputs parameters, e.g., the link for cloning the repository you are starting the workflow from.

  • Optionally, a reference to the execution result: artifacts.

    Warning

    To get the artifacts from a public workflow, provide the job and cube names and the local artifact path to the environment variables of the cr.yandex/sourcecraft/cubes/shared-workflows:latest cube or in a separate API call.

  1. If you do not have a repository yet, create one.

  2. Add the .sourcecraft/ci.yaml file with the workflow contents to the repository main branch; this file will run the public workflow. Here is an example:

    workflows:
  check-solution:
    tasks:
      - name: main
        cubes:
          - name: run-shared-workflow
            image: cr.yandex/sourcecraft/cubes/shared-workflows:latest
            env:
              ORG_SLUG: professor-org
              REPO_SLUG: professor-repo
              WORKFLOW_NAME: professor-test
              WORKFLOW_VALUES: '[{"name": "STUDENTREPO", "value": "student"}, {"name": "TASK", "value": "task-1"}]'
              TASK_NAME: professor-task
              CUBE_NAME: professor-cube
              ARTIFACT_LOCAL_PATH: artifacts/professor-output
            artifacts:
              paths:
                - artifacts/output

on:
  push: check-solution

    According to the CI/CD configuration, changes to the branch will trigger the workflow to run automatically. Alternatively, you can run it manually.

  3. Check the CI process:

    1. Under CI/CD on the repository page, go to CI/CD.

    2. Open a running workflow.

      The page that opens will display the workflow tasks, cubes (task steps), as well as statuses and execution results.

    3. In the bottom-right corner of the run-shared-workflow cube, click .

    4. Wait for the workflow to complete.

  1. Create a personal access token (PAT).

  2. Run the public workflow by providing "shared": true in the request body:

    export PAT=<personal_access_token>

cat > body.json << 'EOF'
{
  "workflows": [
    {
      "name": "professor-test",
      "values": [
        {
          "name": "STUDENTREPO",
          "value": "student"
        },
        {
          "name": "TASK",
          "value": "task-1"
        }
      ]
    }
  ],
  "shared": true
}
EOF

curl \
  --request POST \
  --header "Authorization: Bearer $PAT" \
  --data '@body.json' \
  --url "https://api.sourcecraft.tech/<organization_slug>/<repository_slug>/cicd/runs"

    Warning

    You can only run a public workflow in the repository's main branch and only with the CI/CD configuration from the main branch. Providing head and config_revision in the request body will produce an execution error.

    Save the execution slug value from the response.

  3. Get the status of a running workflow:

    curl \
  --request GET \
  --header "Authorization: Bearer $PAT" \
  --url "https://api.sourcecraft.tech/<organization_slug>/<repository_slug>/cicd/runs/<execution_slug>"

    Note

    The status and artifacts of a public workflow can only be accessed with the same personal token (PAT) used to run the workflow.

  4. Get artifacts of a running workflow:

    curl \
  --request GET \
  --header "Authorization: Bearer $PAT" \
  --url "https://api.sourcecraft.tech/<organization_slug>/<repository_slug>/cicd/artifacts/<execution_slug>/professor-test/professor-task/professor-cube"

For more information, see Working with the SourceCraft REST API.

See also

Previous
Using a GitLab pipeline
Next
Setting up a webhook