devops_admin
/
odex25_standard
mirror of https://github.com/hydracp9/odex25_standard
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

ci: upgrade and clean github workflows [Professional Refactoring]

This commit is contained in:
maltayyar2 2026-01-15 00:32:12 +03:00
parent dc9db165c4
commit abe44b19ad
7 changed files with 264 additions and 1125 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

157
.github/workflows/block_reserved_branches.yml vendored
View File

@ -1,157 +0,0 @@
name: Block Reserved Branches
on:
create:
branches:
- '**'
jobs:
block-reserved-branches:
runs-on: app-sever-project-runner
steps:
- name: Validate branch creator + reserved names
env:
GH_TOKEN: ${{ secrets.GH_TOKEN }}
REPO: ${{ github.repository }}
BRANCH_NAME: ${{ github.ref_name }}
CREATOR: ${{ github.actor }}
run: |
echo "Branch: $BRANCH_NAME"
echo "Creator: $CREATOR"
#######################################################
# 🟦 1) Allowed Users List
#######################################################
# ALLOWED_USERS=(
# "expsa"
# "moutazmuhammad"
# "ronozoro"
# "Abubaker-Altaib"
# "altexp"
# "the5abir"
# "ahmadaking"
# "kchyounes19"
# "abdurrahman-saber"
# "maltayyar2"
# "esam-sermah"
# "mohammed-alkhazrji"
# )
# IS_ALLOWED="false"
# for user in "${ALLOWED_USERS[@]}"; do
# if [[ "$CREATOR" == "$user" ]]; then
# IS_ALLOWED="true"
# break
# fi
# done
# if [[ "$IS_ALLOWED" == "false" ]]; then
# echo "❌ User '$CREATOR' is NOT allowed to create branches. Deleting..."
# curl -s -X DELETE \
# -H "Authorization: token $GH_TOKEN" \
# https://api.github.com/repos/$REPO/git/refs/heads/$BRANCH_NAME
# exit 1
# fi
# echo "✔ User '$CREATOR' is allowed."
#######################################################
# 🟦 2) Reserved Branch Names (Your Existing List)
#######################################################
RESERVED_NAMES=(
master
dev_odex25_accounting
dev_odex25_base
dev_odex25_dms
dev_odex25_donation
dev_odex25_fleet
dev_odex25_helpdesk
dev_odex25_hr
dev_odex25_inventory
dev_odex25_maintenance
dev_odex25_mobile
dev_odex25_pos
dev_odex25_project
dev_odex25_purchase
dev_odex25_realstate
dev_odex25_sales
dev_odex25_survey
dev_odex25_transactions
dev_odex25_website
dev_odex-event
dev_openeducat_erp-14.0.1.0
dev_odex25_benefit
dev_odex25_takaful
dev_odex25_ensan
master_odex25_accounting
master_odex25_base
master_odex25_dms
master_odex25_donation
master_odex25_fleet
master_odex25_helpdesk
master_odex25_hr
master_odex25_inventory
master_odex25_maintenance
master_odex25_mobile
master_odex25_pos
master_odex25_project
master_odex25_purchase
master_odex25_realstate
master_odex25_sales
master_odex25_survey
master_odex25_transactions
master_odex25_website
master_odex-event
master_openeducat_erp-14.0.1.0
master_odex25_benefit
master_odex25_takaful
master_odex25_ensan
preprod_odex25_accounting
preprod_odex25_base
preprod_odex25_dms
preprod_odex25_donation
preprod_odex25_fleet
preprod_odex25_helpdesk
preprod_odex25_hr
preprod_odex25_inventory
preprod_odex25_maintenance
preprod_odex25_mobile
preprod_odex25_pos
preprod_odex25_project
preprod_odex25_purchase
preprod_odex25_realstate
preprod_odex25_sales
preprod_odex25_survey
preprod_odex25_transactions
preprod_odex25_website
preprod_odex-event
preprod_openeducat_erp-14.0.1.0
preprod_odex25_benefit
preprod_odex25_takaful
preprod_odex25_ensan
)
# Exact match
for reserved in "${RESERVED_NAMES[@]}"; do
if [[ "$BRANCH_NAME" == "$reserved" ]]; then
echo "❌ Branch name '$BRANCH_NAME' is reserved. Deleting..."
curl -s -X DELETE \
-H "Authorization: token $GH_TOKEN" \
https://api.github.com/repos/$REPO/git/refs/heads/$BRANCH_NAME
exit 1
fi
done
#######################################################
# 🟦 3) Pattern-based Restriction
#######################################################
if [[ "$BRANCH_NAME" == master_* || "$BRANCH_NAME" == preprod_* || "$BRANCH_NAME" == dev_* ]]; then
echo "❌ Branch name '$BRANCH_NAME' matches restricted pattern. Deleting..."
curl -s -X DELETE \
-H "Authorization: token $GH_TOKEN" \
https://api.github.com/repos/$REPO/git/refs/heads/$BRANCH_NAME
exit 1
fi
echo "✅ Branch '$BRANCH_NAME' is allowed."

149
.github/workflows/delete-merged-branches.yml vendored
View File

@ -1,4 +1,3 @@
# Author: Ahmad Samir <a.atta@exp-sa.com>
name: Auto Delete Branch After Merge name: Auto Delete Branch After Merge
on: on:
@ -8,126 +7,42 @@ on:
jobs: jobs:
delete-merged-branch: delete-merged-branch:
if: github.event.pull_request.merged == true if: github.event.pull_request.merged == true
name: Delete Merged Branch runs-on: ubuntu-latest
runs-on: linting_odex25-standard-modules_runner
steps: steps:
- name: Delete merged branch (with protection check and rules) - name: Delete merged branch
env: uses: actions/github-script@v7
GH_TOKEN: ${{ secrets.GH_TOKEN }} with:
REPO: ${{ github.repository }} github-token: ${{ secrets.GH_TOKEN }}
BASE_REF: ${{ github.event.pull_request.base.ref }} script: |
HEAD_REF: ${{ github.event.pull_request.head.ref }} const base = context.payload.pull_request.base.ref;
run: | const head = context.payload.pull_request.head.ref;
echo "🔍 Base branch: $BASE_REF" const owner = context.repo.owner;
echo "🔍 Head branch: $HEAD_REF" const repo = context.repo.repo;
PROTECTED_BRANCHES=( core.info(`Check Deletion for: ${head} (merged into ${base})`);
master
dev_odex-event
dev_odex25_accounting
dev_odex25_base
dev_odex25_dms
dev_odex25_fleet
dev_odex25_hr
dev_odex25_inventory
dev_odex25_maintenance
dev_odex25_mobile
dev_odex25_pos
dev_odex25_project
dev_odex25_purchase
dev_odex25_realstate
dev_odex25_sales
dev_odex25_survey
dev_odex25_transactions
dev_odex25_website
dev_openeducat_erp-14.0.1.0
dev_odex25_ensan
dev_odex25_helpdesk
dev_odex25_donation
preprod_odex-event
preprod_odex25_accounting
preprod_odex25_base
preprod_odex25_dms
preprod_odex25_fleet
preprod_odex25_hr
preprod_odex25_inventory
preprod_odex25_maintenance
preprod_odex25_mobile
preprod_odex25_pos
preprod_odex25_project
preprod_odex25_purchase
preprod_odex25_realstate
preprod_odex25_sales
preprod_odex25_survey
preprod_odex25_transactions
preprod_odex25_website
preprod_openeducat_erp-14.0.1.0
preprod_odex25_ensan
preprod_odex25_helpdesk
preprod_odex25_donation
master_odex-event
master_odex25_accounting
master_odex25_base
master_odex25_dms
master_odex25_fleet
master_odex25_hr
master_odex25_inventory
master_odex25_maintenance
master_odex25_mobile
master_odex25_pos
master_odex25_project
master_odex25_purchase
master_odex25_realstate
master_odex25_sales
master_odex25_survey
master_odex25_transactions
master_odex25_website
master_openeducat_erp-14.0.1.0
master_odex25_ensan
master_odex25_helpdesk
master_odex25_donation
)
# Rule 1 // Protected Patterns
if [[ "$HEAD_REF" == dev_* && "$BASE_REF" == preprod_* ]]; then const protectedPrefixes = ["dev_", "preprod_", "master_", "main"];
echo "🚫 Rule: Do not delete dev_* merged into preprod_*"
exit 0
fi
# Rule 2 // Check if head branch is protected
if [[ "$HEAD_REF" == preprod_* && "$BASE_REF" == master_* ]]; then const isProtected = protectedPrefixes.some(prefix => head.startsWith(prefix));
echo "🚫 Rule: Do not delete preprod_* merged into master_*"
exit 0
fi
# Rule 3: Protected branches if (isProtected) {
for protected in "${PROTECTED_BRANCHES[@]}"; do core.info(`🛡️ Branch '${head}' is a protected environment branch. Skipping deletion.`);
if [[ "$HEAD_REF" == "$protected" ]]; then return;
echo "🛡️ '$HEAD_REF' is a protected branch. Skipping deletion." }
exit 0
fi
done
echo "✅ '$HEAD_REF' is eligible for deletion. Checking protection..." // Additional Safety: Don't delete if it's not a standard feature/fix pattern?
// User wants to clean up users branches.
PROTECTION_URL="https://api.github.com/repos/$REPO/branches/$HEAD_REF/protection" try {
core.info(`🧹 Deleting branch: ${head}`);
PROTECTION_STATUS=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: token $GH_TOKEN" "$PROTECTION_URL") await github.rest.git.deleteRef({
owner,
if [ "$PROTECTION_STATUS" -eq 200 ]; then repo,
echo "🔓 Removing protection on '$HEAD_REF'..." ref: `heads/${head}`
curl -s -X DELETE -H "Authorization: token $GH_TOKEN" "$PROTECTION_URL" });
else core.info("✅ Branch deleted successfully.");
echo " No protection found for '$HEAD_REF' (HTTP $PROTECTION_STATUS)" } catch (error) {
fi core.warning(`Failed to delete branch: ${error.message}`);
}
echo "🧹 Attempting to delete branch '$HEAD_REF'..."
DELETE_STATUS=$(curl -s -o /dev/null -w "%{http_code}" -X DELETE -H "Authorization: token $GH_TOKEN" -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/$REPO/git/refs/heads/$HEAD_REF)
if [ "$DELETE_STATUS" -eq 204 ]; then
echo "✅ Branch '$HEAD_REF' successfully deleted"
else
echo "❌ Failed to delete branch '$HEAD_REF' — HTTP $DELETE_STATUS"
exit 1
fi

143
.github/workflows/deploy-manager.yml vendored Normal file
View File

@ -0,0 +1,143 @@
name: Hydra Deployment Manager
on:
push:
branches:
- 'dev_**'
- 'preprod_**'
# - 'master_**' # ❌ Disabled auto-push to master (Production is Manual only as requested)
workflow_dispatch:
inputs:
target_env:
description: 'Target Environment'
required: true
type: choice
options:
- dev
- preprod
- prod
default: 'dev'
force_restart:
description: 'Force Service Restart'
required: true
type: boolean
default: true
jobs:
deploy:
runs-on: ubuntu-latest
name: Deploy
steps:
- name: Extract Context
id: context
run: |
REF_NAME=${{ github.ref_name }}
EVENT_NAME=${{ github.event_name }}
INPUT_ENV=${{ inputs.target_env }}
echo "Processing Event: $EVENT_NAME on Ref: $REF_NAME"
# Default values
ENV=""
MODULE=""
PORT=""
# Logic:
# 1. PUSH EVENT (Auto)
if [ "$EVENT_NAME" == "push" ]; then
if [[ "$REF_NAME" == dev_* ]]; then
ENV="dev"
MODULE=${REF_NAME#dev_}
elif [[ "$REF_NAME" == preprod_* ]]; then
ENV="preprod"
MODULE=${REF_NAME#preprod_}
fi
# 2. DISPATCH EVENT (Manual)
elif [ "$EVENT_NAME" == "workflow_dispatch" ]; then
ENV="$INPUT_ENV"
# Extract module from branch name regardless of prefix
# e.g. master_odex25_hr -> odex25_hr
# e.g. dev_odex25_hr -> odex25_hr
if [[ "$REF_NAME" == dev_* ]]; then
MODULE=${REF_NAME#dev_}
elif [[ "$REF_NAME" == preprod_* ]]; then
MODULE=${REF_NAME#preprod_}
elif [[ "$REF_NAME" == master_* ]]; then
MODULE=${REF_NAME#master_}
else
# Fallback for non-standard branches? Maybe feature?
# For now assume the user runs this on a valid tier branch
echo "::error::Manual deployment must be run from a dev_, preprod_, or master_ branch to identify the module."
exit 1
fi
fi
# Set Port based on ENV
if [ "$ENV" == "dev" ]; then
PORT="14000"
elif [ "$ENV" == "preprod" ]; then
PORT="14010"
elif [ "$ENV" == "prod" ]; then
PORT="14069"
fi
echo "Resolved: ENV=$ENV, MODULE=$MODULE, PORT=$PORT"
echo "ENV=$ENV" >> $GITHUB_OUTPUT
echo "MODULE=$MODULE" >> $GITHUB_OUTPUT
echo "PORT=$PORT" >> $GITHUB_OUTPUT
- name: Deploy to Hydra Server (SSH)
if: steps.context.outputs.ENV != ''
uses: appleboy/ssh-action@v1.0.0
with:
host: ${{ secrets.HYDRA_HOST }}
username: ${{ secrets.HYDRA_USER }}
key: ${{ secrets.HYDRA_SSH_KEY }}
port: 22
script: |
MODULE="${{ steps.context.outputs.MODULE }}"
ENV="${{ steps.context.outputs.ENV }}"
BRANCH="${{ github.ref_name }}"
FORCE_RESTART="${{ inputs.force_restart }}"
echo "🚀 Deploying $MODULE to $ENV Environment..."
# Directory Mapping
# Currently only DEV is mapped to /root/odoo-infra/odoo14/addons/custom_modules
# Future structure:
# /root/odoo-infra/dev/custom_modules
# /root/odoo-infra/preprod/custom_modules
# /root/odoo-infra/prod/custom_modules
if [ "$ENV" == "dev" ]; then
TARGET_ROOT="/root/odoo-infra/odoo14/addons/custom_modules"
SERVICE="odoo-14" # We renamed it to generic odoo-14 for now, but logical dev
else
echo "🚧 Environment '$ENV' folder structure is not yet created on the server. Deployment simulated."
exit 0
fi
TARGET_DIR="$TARGET_ROOT/$MODULE"
if [ -d "$TARGET_DIR" ]; then
cd "$TARGET_DIR"
echo "⬇️ Pulling changes from $BRANCH..."
git fetch origin
git reset --hard origin/$BRANCH
if [ "$FORCE_RESTART" == "true" ] || [ "${{ github.event_name }}" == "push" ]; then
echo "🔄 Restarting Service..."
cd /root/odoo-infra
docker compose restart $SERVICE
fi
echo "✅ Deployment Successful."
else
echo "⚠️ Module directory not found: $TARGET_DIR"
exit 1
fi

178
.github/workflows/dev-preprod-servers.yml vendored
View File

@ -1,178 +0,0 @@
name: Dev/Preprod Servers - Pull Code
on:
push:
branches:
- dev_odex-event
- dev_odex25_accounting
- dev_odex25_base
- dev_odex25_dms
- dev_odex25_fleet
- dev_odex25_helpdesk
- dev_odex25_hr
- dev_odex25_inventory
- dev_odex25_maintenance
- dev_odex25_mobile
- dev_odex25_pos
- dev_odex25_project
- dev_odex25_purchase
- dev_odex25_realstate
- dev_odex25_sales
- dev_odex25_survey
- dev_odex25_transactions
- dev_odex25_website
- dev_openeducat_erp-14.0.1.0
- dev_odex25_donation
- dev_odex25_benefit
- dev_odex25_takaful
- dev_odex25_ensan
- preprod_odex-event
- preprod_odex25_accounting
- preprod_odex25_base
- preprod_odex25_dms
- preprod_odex25_fleet
- preprod_odex25_helpdesk
- preprod_odex25_hr
- preprod_odex25_inventory
- preprod_odex25_maintenance
- preprod_odex25_mobile
- preprod_odex25_pos
- preprod_odex25_project
- preprod_odex25_purchase
- preprod_odex25_realstate
- preprod_odex25_sales
- preprod_odex25_survey
- preprod_odex25_transactions
- preprod_odex25_website
- preprod_openeducat_erp-14.0.1.0
- preprod_odex25_donation
- preprod_odex25_benefit
- preprod_odex25_takaful
- preprod_odex25_ensan
workflow_dispatch:
inputs:
environment:
description: 'Select Server'
required: true
type: choice
options:
- dev
- preprod
default: dev
jobs:
deploy_preprod_server:
name: Deploy to Preprod Servers
runs-on: app-sever-project-runner
if: |
(github.ref == 'refs/heads/preprod_odex-event' ||
github.ref == 'refs/heads/preprod_odex25_accounting' ||
github.ref == 'refs/heads/preprod_odex25_base' ||
github.ref == 'refs/heads/preprod_odex25_dms' ||
github.ref == 'refs/heads/preprod_odex25_fleet' ||
github.ref == 'refs/heads/preprod_odex25_helpdesk' ||
github.ref == 'refs/heads/preprod_odex25_hr' ||
github.ref == 'refs/heads/preprod_odex25_inventory' ||
github.ref == 'refs/heads/preprod_odex25_maintenance' ||
github.ref == 'refs/heads/preprod_odex25_mobile' ||
github.ref == 'refs/heads/preprod_odex25_pos' ||
github.ref == 'refs/heads/preprod_odex25_project' ||
github.ref == 'refs/heads/preprod_odex25_purchase' ||
github.ref == 'refs/heads/preprod_odex25_realstate' ||
github.ref == 'refs/heads/preprod_odex25_sales' ||
github.ref == 'refs/heads/preprod_odex25_survey' ||
github.ref == 'refs/heads/preprod_odex25_transactions' ||
github.ref == 'refs/heads/preprod_odex25_website' ||
github.ref == 'refs/heads/preprod_openeducat_erp-14.0.1.0' ||
github.ref == 'refs/heads/preprod_odex25_benefit' ||
github.ref == 'refs/heads/preprod_odex25_takaful' ||
github.ref == 'refs/heads/preprod_odex25_donation')
|| (github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'preprod')
steps:
- name: Checkout And Restart Project
run: |
sudo chmod +x /home/${{ secrets.CLIENT_USER }}/scripts/pull/preprod_pull_standard_code.sh
sudo /home/${{ secrets.CLIENT_USER }}/scripts/pull/preprod_pull_standard_code.sh
sudo systemctl restart ${{ secrets.ENSAN_APP_PREPROD_SERVICE }} ${{ secrets.ODEX25_GENERAL_PREPROD_SERVICE }} ${{ secrets.ODEX25_STANDARD_PREPROD_SERVICE }} ${{ secrets.TWAHOD_APP_PREPROD_SERVICE }} ${{ secrets.ODEX25_DEMO_PREPROD_SERVICE }} ${{ secrets.HELPDESK_PREPROD_SERVICE }} ${{ secrets.CYBER_APP_PREPROD_SERVICE }} ${{ secrets.JAZALA_APP_PREPROD_SERVICE }}
if [ $? -eq 0 ]; then
echo "** [INFO] "PREPROD" services have been restarted."
else
echo "** [ERROR] Failed to restart "PREPROD" services."
fi
deploy_test_server:
name: Deploy to Dev Servers
runs-on: app-sever-project-runner
if: |
(github.ref == 'refs/heads/dev_odex-event' ||
github.ref == 'refs/heads/dev_odex25_accounting' ||
github.ref == 'refs/heads/dev_odex25_base' ||
github.ref == 'refs/heads/dev_odex25_dms' ||
github.ref == 'refs/heads/dev_odex25_fleet' ||
github.ref == 'refs/heads/dev_odex25_helpdesk' ||
github.ref == 'refs/heads/dev_odex25_hr' ||
github.ref == 'refs/heads/dev_odex25_inventory' ||
github.ref == 'refs/heads/dev_odex25_maintenance' ||
github.ref == 'refs/heads/dev_odex25_mobile' ||
github.ref == 'refs/heads/dev_odex25_pos' ||
github.ref == 'refs/heads/dev_odex25_project' ||
github.ref == 'refs/heads/dev_odex25_purchase' ||
github.ref == 'refs/heads/dev_odex25_realstate' ||
github.ref == 'refs/heads/dev_odex25_sales' ||
github.ref == 'refs/heads/dev_odex25_survey' ||
github.ref == 'refs/heads/dev_odex25_transactions' ||
github.ref == 'refs/heads/dev_odex25_website' ||
github.ref == 'refs/heads/dev_openeducat_erp-14.0.1.0' ||
github.ref == 'refs/heads/dev_odex25_benefit' ||
github.ref == 'refs/heads/dev_odex25_takaful' ||
github.ref == 'refs/heads/dev_odex25_donation')
|| (github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'dev')
steps:
- name: Checkout And Restart Project
run: |
sudo chmod +x /home/${{ secrets.CLIENT_USER }}/scripts/pull/dev_pull_standard_code.sh
sudo /home/${{ secrets.CLIENT_USER }}/scripts/pull/dev_pull_standard_code.sh
sudo systemctl restart ${{ secrets.ENSAN_APP_TEST_SERVICE }} ${{ secrets.ODEX25_GENERAL_TEST_SERVICE }} ${{ secrets.ODEX25_STANDARD_TEST_SERVICE }} ${{ secrets.TWAHOD_APP_TEST_SERVICE }} ${{ secrets.HELPDESK_TEST_SERVICE }} ${{ secrets.KAZ_LIBRARY_TEST_SERVICE }} ${{ secrets.CYBER_APP_TEST_SERVICE }} ${{ secrets.JAZALA_APP_TEST_SERVICE }}
if [ $? -eq 0 ]; then
echo "** [INFO] "DEV" services have been restarted."
else
echo "** [ERROR] Failed to restart "DEV" services."
fi
ensan_vpn_stage_server:
name: Deploy to Ensan Stage
runs-on: new-ensan-vpn-client-server-runner
if: |
(github.ref == 'refs/heads/preprod_odex-event' ||
github.ref == 'refs/heads/preprod_odex25_accounting' ||
github.ref == 'refs/heads/preprod_odex25_base' ||
github.ref == 'refs/heads/preprod_odex25_dms' ||
github.ref == 'refs/heads/preprod_odex25_fleet' ||
github.ref == 'refs/heads/preprod_odex25_helpdesk' ||
github.ref == 'refs/heads/preprod_odex25_hr' ||
github.ref == 'refs/heads/preprod_odex25_inventory' ||
github.ref == 'refs/heads/preprod_odex25_maintenance' ||
github.ref == 'refs/heads/preprod_odex25_mobile' ||
github.ref == 'refs/heads/preprod_odex25_pos' ||
github.ref == 'refs/heads/preprod_odex25_project' ||
github.ref == 'refs/heads/preprod_odex25_purchase' ||
github.ref == 'refs/heads/preprod_odex25_realstate' ||
github.ref == 'refs/heads/preprod_odex25_sales' ||
github.ref == 'refs/heads/preprod_odex25_survey' ||
github.ref == 'refs/heads/preprod_odex25_transactions' ||
github.ref == 'refs/heads/preprod_odex25_website' ||
github.ref == 'refs/heads/preprod_openeducat_erp-14.0.1.0' ||
github.ref == 'refs/heads/preprod_odex25_benefit' ||
github.ref == 'refs/heads/preprod_odex25_takaful' ||
github.ref == 'refs/heads/preprod_odex25_donation')
|| (github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'preprod')
steps:
- name: Checkout And Restart Project
run: |
echo "** [INFO] Running on branch --> ${GITHUB_REF#refs/heads/}"
sudo chmod +x ${{ secrets.ENSAN_STANDARD_FOLDER_PATH }}/scripts/pull_code.sh
sudo ${{ secrets.ENSAN_STANDARD_FOLDER_PATH }}/scripts/pull_code.sh ${{ secrets.ENSAN_PROJECT_USER }} ${{ secrets.ENSAN_STANDARD_FOLDER_PATH }} ${{ secrets.ENSAN_STAGE_SERVICE }} preprod ${GITHUB_REF#refs/heads/preprod_} ${GITHUB_REF#refs/heads/} ${{ secrets.GH_TOKEN }}

370
.github/workflows/prevent-invalid-branch-merges.yml vendored
View File

@ -1,333 +1,71 @@
# Author: Ahmad Samir <a.atta@exp-sa.com>
name: Prevent Invalid Merges name: Prevent Invalid Merges
on: on:
pull_request: pull_request:
branches: types: [opened, reopened, synchronize, edited]
- dev_odex-event
- dev_odex25_accounting
- dev_odex25_base
- dev_odex25_dms
- dev_odex25_fleet
- dev_odex25_hr
- dev_odex25_inventory
- dev_odex25_maintenance
- dev_odex25_mobile
- dev_odex25_pos
- dev_odex25_project
- dev_odex25_purchase
- dev_odex25_realstate
- dev_odex25_sales
- dev_odex25_survey
- dev_odex25_transactions
- dev_odex25_website
- dev_openeducat_erp-14.0.1.0
- dev_odex25_ensan
- dev_odex25_helpdesk
- dev_odex25_donation
- dev_odex25_benefit
- dev_odex25_takaful
- preprod_odex-event
- preprod_odex25_accounting
- preprod_odex25_base
- preprod_odex25_dms
- preprod_odex25_fleet
- preprod_odex25_hr
- preprod_odex25_inventory
- preprod_odex25_maintenance
- preprod_odex25_mobile
- preprod_odex25_pos
- preprod_odex25_project
- preprod_odex25_purchase
- preprod_odex25_realstate
- preprod_odex25_sales
- preprod_odex25_survey
- preprod_odex25_transactions
- preprod_odex25_website
- preprod_openeducat_erp-14.0.1.0
- preprod_odex25_ensan
- preprod_odex25_helpdesk
- preprod_odex25_donation
- preprod_odex25_benefit
- preprod_odex25_takaful
- master_odex-event
- master_odex25_accounting
- master_odex25_base
- master_odex25_dms
- master_odex25_fleet
- master_odex25_hr
- master_odex25_inventory
- master_odex25_maintenance
- master_odex25_mobile
- master_odex25_pos
- master_odex25_project
- master_odex25_purchase
- master_odex25_realstate
- master_odex25_sales
- master_odex25_survey
- master_odex25_transactions
- master_odex25_website
- master_openeducat_erp-14.0.1.0
- master_odex25_ensan
- master_odex25_helpdesk
- master_odex25_donation
- master_odex25_benefit
- master_odex25_takaful
jobs: jobs:
validate-merge-source: validate-merge-flow:
runs-on: linting_odex25-standard-modules_runner runs-on: ubuntu-latest
steps: steps:
- name: Check source branch for merge - name: Validate Branch Flow
run: | uses: actions/github-script@v7
echo "Base branch: ${{ github.base_ref }}" with:
echo "Head branch: ${{ github.head_ref }}" script: |
const base = context.payload.pull_request.base.ref;
const head = context.payload.pull_request.head.ref;
core.info(`Checking Merge Flow: ${head} -> ${base}`);
# ✅ Preprod Branches // 1. Parse module name from base branch
if [[ "${{ github.base_ref }}" == "preprod_odex-event" && "${{ github.head_ref }}" != "dev_odex-event" ]]; then // Expected formats: dev_X, preprod_X, master_X
echo "::error ::You can only merge to 'preprod_odex-event' from 'dev_odex-event' branch!" const tiers = ["dev", "preprod", "master"];
exit 1
fi
if [[ "${{ github.base_ref }}" == "preprod_odex25_accounting" && "${{ github.head_ref }}" != "dev_odex25_accounting" ]]; then function parseBranch(branchName) {
echo "::error ::You can only merge to 'preprod_odex25_accounting' from 'dev_odex25_accounting' branch!" for (const tier of tiers) {
exit 1 if (branchName.startsWith(tier + "_")) {
fi return { tier: tier, module: branchName.substring(tier.length + 1) };
}
}
return null; // Not a standard environment branch (maybe feature/fix)
}
if [[ "${{ github.base_ref }}" == "preprod_odex25_base" && "${{ github.head_ref }}" != "dev_odex25_base" ]]; then const baseInfo = parseBranch(base);
echo "::error ::You can only merge to 'preprod_odex25_base' from 'dev_odex25_base' branch!" const headInfo = parseBranch(head);
exit 1
fi
if [[ "${{ github.base_ref }}" == "preprod_odex25_dms" && "${{ github.head_ref }}" != "dev_odex25_dms" ]]; then // If base is not a protected tier (dev/preprod/master), allow merge (feature -> feature)
echo "::error ::You can only merge to 'preprod_odex25_dms' from 'dev_odex25_dms' branch!" if (!baseInfo) {
exit 1 core.info("Base branch is not a protected environment tier. Merge allowed.");
fi return;
}
if [[ "${{ github.base_ref }}" == "preprod_odex25_fleet" && "${{ github.head_ref }}" != "dev_odex25_fleet" ]]; then // Logic for Protected Base Branches
echo "::error ::You can only merge to 'preprod_odex25_fleet' from 'dev_odex25_fleet' branch!"
exit 1
fi
if [[ "${{ github.base_ref }}" == "preprod_odex25_hr" && "${{ github.head_ref }}" != "dev_odex25_hr" ]]; then // ❌ Rule: Cannot merge directly into master from anywhere except preprod (of same module)
echo "::error ::You can only merge to 'preprod_odex25_hr' from 'dev_odex25_hr' branch!" if (baseInfo.tier === "master") {
exit 1 if (!headInfo || headInfo.tier !== "preprod" || headInfo.module !== baseInfo.module) {
fi core.setFailed(`❌ Forbidden: You can ONLY merge into 'master_${baseInfo.module}' from 'preprod_${baseInfo.module}'. Detected: ${head}`);
return;
}
}
if [[ "${{ github.base_ref }}" == "preprod_odex25_inventory" && "${{ github.head_ref }}" != "dev_odex25_inventory" ]]; then // ❌ Rule: Cannot merge directly into preprod from anywhere except dev (of same module)
echo "::error ::You can only merge to 'preprod_odex25_inventory' from 'dev_odex25_inventory' branch!" if (baseInfo.tier === "preprod") {
exit 1 if (!headInfo || headInfo.tier !== "dev" || headInfo.module !== baseInfo.module) {
fi core.setFailed(`❌ Forbidden: You can ONLY merge into 'preprod_${baseInfo.module}' from 'dev_${baseInfo.module}'. Detected: ${head}`);
return;
}
}
if [[ "${{ github.base_ref }}" == "preprod_odex25_maintenance" && "${{ github.head_ref }}" != "dev_odex25_maintenance" ]]; then // ❌ Rule: Cannot merge directly into dev from master or preprod (reverse flow)
echo "::error ::You can only merge to 'preprod_odex25_maintenance' from 'dev_odex25_maintenance' branch!" // (Optional: You might allow hotfixes, but strictly strictly dev<-feature is best)
exit 1 if (baseInfo.tier === "dev") {
fi // Allow feature branches to merge into dev
// Block upstream branches
if (headInfo && (headInfo.tier === "master" || headInfo.tier === "preprod")) {
core.setFailed(`❌ Forbidden: Cannot merge upstream (${head}) back into dev.`);
return;
}
}
if [[ "${{ github.base_ref }}" == "preprod_odex25_mobile" && "${{ github.head_ref }}" != "dev_odex25_mobile" ]]; then core.info("✅ Merge flow validation passed.");
echo "::error ::You can only merge to 'preprod_odex25_mobile' from 'dev_odex25_mobile' branch!"
exit 1
fi
if [[ "${{ github.base_ref }}" == "preprod_odex25_pos" && "${{ github.head_ref }}" != "dev_odex25_pos" ]]; then
echo "::error ::You can only merge to 'preprod_odex25_pos' from 'dev_odex25_pos' branch!"
exit 1
fi
if [[ "${{ github.base_ref }}" == "preprod_odex25_project" && "${{ github.head_ref }}" != "dev_odex25_project" ]]; then
echo "::error ::You can only merge to 'preprod_odex25_project' from 'dev_odex25_project' branch!"
exit 1
fi
if [[ "${{ github.base_ref }}" == "preprod_odex25_purchase" && "${{ github.head_ref }}" != "dev_odex25_purchase" ]]; then
echo "::error ::You can only merge to 'preprod_odex25_purchase' from 'dev_odex25_purchase' branch!"
exit 1
fi
if [[ "${{ github.base_ref }}" == "preprod_odex25_realstate" && "${{ github.head_ref }}" != "dev_odex25_realstate" ]]; then
echo "::error ::You can only merge to 'preprod_odex25_realstate' from 'dev_odex25_realstate' branch!"
exit 1
fi
if [[ "${{ github.base_ref }}" == "preprod_odex25_sales" && "${{ github.head_ref }}" != "dev_odex25_sales" ]]; then
echo "::error ::You can only merge to 'preprod_odex25_sales' from 'dev_odex25_sales' branch!"
exit 1
fi
if [[ "${{ github.base_ref }}" == "preprod_odex25_survey" && "${{ github.head_ref }}" != "dev_odex25_survey" ]]; then
echo "::error ::You can only merge to 'preprod_odex25_survey' from 'dev_odex25_survey' branch!"
exit 1
fi
if [[ "${{ github.base_ref }}" == "preprod_odex25_transactions" && "${{ github.head_ref }}" != "dev_odex25_transactions" ]]; then
echo "::error ::You can only merge to 'preprod_odex25_transactions' from 'dev_odex25_transactions' branch!"
exit 1
fi
if [[ "${{ github.base_ref }}" == "preprod_odex25_website" && "${{ github.head_ref }}" != "dev_odex25_website" ]]; then
echo "::error ::You can only merge to 'preprod_odex25_website' from 'dev_odex25_website' branch!"
exit 1
fi
if [[ "${{ github.base_ref }}" == "preprod_openeducat_erp-14.0.1.0" && "${{ github.head_ref }}" != "dev_openeducat_erp-14.0.1.0" ]]; then
echo "::error ::You can only merge to 'preprod_openeducat_erp-14.0.1.0' from 'dev_openeducat_erp-14.0.1.0' branch!"
exit 1
fi
if [[ "${{ github.base_ref }}" == "preprod_odex25_ensan" && "${{ github.head_ref }}" != "dev_odex25_ensan" ]]; then
echo "::error ::You can only merge to 'preprod_odex25_ensan' from 'dev_odex25_ensan' branch!"
exit 1
fi
if [[ "${{ github.base_ref }}" == "preprod_odex25_helpdesk" && "${{ github.head_ref }}" != "dev_odex25_helpdesk" ]]; then
echo "::error ::You can only merge to 'preprod_odex25_helpdesk' from 'dev_odex25_helpdesk' branch!"
exit 1
fi
if [[ "${{ github.base_ref }}" == "preprod_odex25_donation" && "${{ github.head_ref }}" != "dev_odex25_donation" ]]; then
echo "::error ::You can only merge to 'preprod_odex25_donation' from 'dev_odex25_donation' branch!"
exit 1
fi
if [[ "${{ github.base_ref }}" == "preprod_odex25_benefit" && "${{ github.head_ref }}" != "dev_odex25_benefit" ]]; then
echo "::error ::You can only merge to 'preprod_odex25_donation' from 'dev_odex25_donation' branch!"
exit 1
fi
if [[ "${{ github.base_ref }}" == "preprod_odex25_takaful" && "${{ github.head_ref }}" != "dev_odex25_takaful" ]]; then
echo "::error ::You can only merge to 'preprod_odex25_donation' from 'dev_odex25_donation' branch!"
exit 1
fi
# ✅ Master Branches
if [[ "${{ github.base_ref }}" == "master_odex-event" && "${{ github.head_ref }}" != "preprod_odex-event" ]]; then
echo "::error ::You can only merge to 'master_odex-event' from 'preprod_odex-event' branch!"
exit 1
fi
if [[ "${{ github.base_ref }}" == "master_odex25_accounting" && "${{ github.head_ref }}" != "preprod_odex25_accounting" ]]; then
echo "::error ::You can only merge to 'master_odex25_accounting' from 'preprod_odex25_accounting' branch!"
exit 1
fi
if [[ "${{ github.base_ref }}" == "master_odex25_base" && "${{ github.head_ref }}" != "preprod_odex25_base" ]]; then
echo "::error ::You can only merge to 'master_odex25_base' from 'preprod_odex25_base' branch!"
exit 1
fi
if [[ "${{ github.base_ref }}" == "master_odex25_dms" && "${{ github.head_ref }}" != "preprod_odex25_dms" ]]; then
echo "::error ::You can only merge to 'master_odex25_dms' from 'preprod_odex25_dms' branch!"
exit 1
fi
if [[ "${{ github.base_ref }}" == "master_odex25_fleet" && "${{ github.head_ref }}" != "preprod_odex25_fleet" ]]; then
echo "::error ::You can only merge to 'master_odex25_fleet' from 'preprod_odex25_fleet' branch!"
exit 1
fi
if [[ "${{ github.base_ref }}" == "master_odex25_hr" && "${{ github.head_ref }}" != "preprod_odex25_hr" ]]; then
echo "::error ::You can only merge to 'master_odex25_hr' from 'preprod_odex25_hr' branch!"
exit 1
fi
if [[ "${{ github.base_ref }}" == "master_odex25_inventory" && "${{ github.head_ref }}" != "preprod_odex25_inventory" ]]; then
echo "::error ::You can only merge to 'master_odex25_inventory' from 'preprod_odex25_inventory' branch!"
exit 1
fi
if [[ "${{ github.base_ref }}" == "master_odex25_maintenance" && "${{ github.head_ref }}" != "preprod_odex25_maintenance" ]]; then
echo "::error ::You can only merge to 'master_odex25_maintenance' from 'preprod_odex25_maintenance' branch!"
exit 1
fi
if [[ "${{ github.base_ref }}" == "master_odex25_mobile" && "${{ github.head_ref }}" != "preprod_odex25_mobile" ]]; then
echo "::error ::You can only merge to 'master_odex25_mobile' from 'preprod_odex25_mobile' branch!"
exit 1
fi
if [[ "${{ github.base_ref }}" == "master_odex25_pos" && "${{ github.head_ref }}" != "preprod_odex25_pos" ]]; then
echo "::error ::You can only merge to 'master_odex25_pos' from 'preprod_odex25_pos' branch!"
exit 1
fi
if [[ "${{ github.base_ref }}" == "master_odex25_project" && "${{ github.head_ref }}" != "preprod_odex25_project" ]]; then
echo "::error ::You can only merge to 'master_odex25_project' from 'preprod_odex25_project' branch!"
exit 1
fi
if [[ "${{ github.base_ref }}" == "master_odex25_purchase" && "${{ github.head_ref }}" != "preprod_odex25_purchase" ]]; then
echo "::error ::You can only merge to 'master_odex25_purchase' from 'preprod_odex25_purchase' branch!"
exit 1
fi
if [[ "${{ github.base_ref }}" == "master_odex25_realstate" && "${{ github.head_ref }}" != "preprod_odex25_realstate" ]]; then
echo "::error ::You can only merge to 'master_odex25_realstate' from 'preprod_odex25_realstate' branch!"
exit 1
fi
if [[ "${{ github.base_ref }}" == "master_odex25_sales" && "${{ github.head_ref }}" != "preprod_odex25_sales" ]]; then
echo "::error ::You can only merge to 'master_odex25_sales' from 'preprod_odex25_sales' branch!"
exit 1
fi
if [[ "${{ github.base_ref }}" == "master_odex25_survey" && "${{ github.head_ref }}" != "preprod_odex25_survey" ]]; then
echo "::error ::You can only merge to 'master_odex25_survey' from 'preprod_odex25_survey' branch!"
exit 1
fi
if [[ "${{ github.base_ref }}" == "master_odex25_transactions" && "${{ github.head_ref }}" != "preprod_odex25_transactions" ]]; then
echo "::error ::You can only merge to 'master_odex25_transactions' from 'preprod_odex25_transactions' branch!"
exit 1
fi
if [[ "${{ github.base_ref }}" == "master_odex25_website" && "${{ github.head_ref }}" != "preprod_odex25_website" ]]; then
echo "::error ::You can only merge to 'master_odex25_website' from 'preprod_odex25_website' branch!"
exit 1
fi
if [[ "${{ github.base_ref }}" == "master_openeducat_erp-14.0.1.0" && "${{ github.head_ref }}" != "preprod_openeducat_erp-14.0.1.0" ]]; then
echo "::error ::You can only merge to 'master_openeducat_erp-14.0.1.0' from 'preprod_openeducat_erp-14.0.1.0' branch!"
exit 1
fi
if [[ "${{ github.base_ref }}" == "master_odex25_ensan" && "${{ github.head_ref }}" != "preprod_odex25_ensan" ]]; then
echo "::error ::You can only merge to 'master_odex25_ensan' from 'preprod_odex25_ensan' branch!"
exit 1
fi
if [[ "${{ github.base_ref }}" == "master_odex25_helpdesk" && "${{ github.head_ref }}" != "preprod_odex25_helpdesk" ]]; then
echo "::error ::You can only merge to 'master_odex25_helpdesk' from 'preprod_odex25_helpdesk' branch!"
exit 1
fi
if [[ "${{ github.base_ref }}" == "master_odex25_donation" && "${{ github.head_ref }}" != "preprod_odex25_donation" ]]; then
echo "::error ::You can only merge to 'master_odex25_donation' from 'preprod_odex25_donation' branch!"
exit 1
fi
if [[ "${{ github.base_ref }}" == "master_odex25_benefit" && "${{ github.head_ref }}" != "preprod_odex25_benefit" ]]; then
echo "::error ::You can only merge to 'master_odex25_donation' from 'preprod_odex25_donation' branch!"
exit 1
fi
if [[ "${{ github.base_ref }}" == "master_odex25_takaful" && "${{ github.head_ref }}" != "preprod_odex25_takaful" ]]; then
echo "::error ::You can only merge to 'master_odex25_donation' from 'preprod_odex25_donation' branch!"
exit 1
fi
# ❌ Block ALL merges to 'master'
if [[ "${{ github.base_ref }}" == "master" ]]; then
echo "::error ::Merging to 'master' branch is not allowed!"
exit 1
fi
echo "Merge validation passed."

259
.github/workflows/production_pull_code.yml vendored
View File

@ -1,259 +0,0 @@
name: Production Projects - Pull Code
on:
workflow_dispatch:
inputs:
environment:
description: 'Select Project Prod Server'
required: true
type: choice
options:
- "Ensan Project - Production"
- "Helpdesk Khabir Project"
- "King AbdelAziz Library Project"
- "Twahod Project"
- "Ekram Project"
- "Sahli Project - Production"
- "Sahli Project - Stage"
- "Jazala Project"
jobs:
# Ensan Project
ensan_master_server:
name: Deploy to Ensan Master
runs-on: new-ensan-vpn-client-server-runner
if: github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'Ensan Project - Production' && (github.ref == 'refs/heads/master_odex-event' || github.ref == 'refs/heads/master_odex25_helpdesk' || github.ref == 'refs/heads/master_odex25_accounting' || github.ref == 'refs/heads/master_odex25_base' || github.ref == 'refs/heads/master_odex25_dms' || github.ref == 'refs/heads/master_odex25_fleet' || github.ref == 'refs/heads/master_odex25_ENSAN' || github.ref == 'refs/heads/master_odex25_hr' || github.ref == 'refs/heads/master_odex25_inventory' || github.ref == 'refs/heads/master_odex25_maintenance' || github.ref == 'refs/heads/master_odex25_mobile' || github.ref == 'refs/heads/master_odex25_pos' || github.ref == 'refs/heads/master_odex25_project' || github.ref == 'refs/heads/master_odex25_purchase' || github.ref == 'refs/heads/master_odex25_realstate' || github.ref == 'refs/heads/master_odex25_sales' || github.ref == 'refs/heads/master_odex25_survey' || github.ref == 'refs/heads/master_odex25_transactions' || github.ref == 'refs/heads/master_odex25_website' || github.ref == 'refs/heads/master_openeducat_erp-14.0.1.0' || github.ref == 'refs/heads/master_odex25_takaful' || github.ref == 'refs/heads/master_odex25_benefit' || github.ref == 'refs/heads/master_odex25_donation' || github.ref == 'refs/heads/master_odex25_ensan') &&
(github.actor == 'moutazmuhammad' ||
github.actor == 'expsa' ||
github.actor == 'ahmadaking' ||
github.actor == 'ronozoro' ||
github.actor == 'Abubaker-Altaib' ||
github.actor == 'abdurrahman-saber' ||
github.actor == 'altexp' ||
github.actor == 'kchyounes19' ||
github.actor == 'maltayyar2' ||
github.actor == 'SamirLADOUI-sa' ||
github.actor == 'mohammed-alkhazrji')
steps:
- name: Checkout And Restart Project
run: |
echo "** [INFO] Running on branch --> ${GITHUB_REF#refs/heads/}"
mkdir -p ~/master_branch_sha
echo "$(date '+%Y-%m-%d %H:%M:%S') - ${{ github.sha }}" >> ~/master_branch_sha/${GITHUB_REF#refs/heads/}
sudo chmod +x ${{ secrets.ENSAN_STANDARD_FOLDER_PATH }}/scripts/pull_code.sh
sudo ${{ secrets.ENSAN_STANDARD_FOLDER_PATH }}/scripts/pull_code.sh ${{ secrets.ENSAN_PROJECT_USER }} ${{ secrets.ENSAN_STANDARD_FOLDER_PATH }} ${{ secrets.ENSAN_MASTER_SERVICE }} master ${GITHUB_REF#refs/heads/master_} ${GITHUB_REF#refs/heads/} ${{ secrets.GH_TOKEN }}
- name: Cleanup workspace
if: always()
run: |
rm -rf $GITHUB_WORKSPACE/*
# Helpdesk Project
helpdesk_maser_server:
name: Deploy to Helpdesk Master
runs-on: helpdesk_server
if: github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'Helpdesk Khabir Project' && (github.ref == 'refs/heads/master_odex-event' || github.ref == 'refs/heads/master_odex25_accounting' || github.ref == 'refs/heads/master_odex25_base' || github.ref == 'refs/heads/master_odex25_dms' || github.ref == 'refs/heads/master_odex25_fleet' || github.ref == 'refs/heads/master_odex25_ENSAN' || github.ref == 'refs/heads/master_odex25_hr' || github.ref == 'refs/heads/master_odex25_inventory' || github.ref == 'refs/heads/master_odex25_maintenance' || github.ref == 'refs/heads/master_odex25_mobile' || github.ref == 'refs/heads/master_odex25_pos' || github.ref == 'refs/heads/master_odex25_project' || github.ref == 'refs/heads/master_odex25_purchase' || github.ref == 'refs/heads/master_odex25_realstate' || github.ref == 'refs/heads/master_odex25_sales' || github.ref == 'refs/heads/master_odex25_survey' || github.ref == 'refs/heads/master_odex25_transactions' || github.ref == 'refs/heads/master_odex25_website' || github.ref == 'refs/heads/master_openeducat_erp-14.0.1.0' || github.ref == 'refs/heads/master_odex25_takaful' || github.ref == 'refs/heads/master_odex25_benefit' || github.ref == 'refs/heads/master_odex25_helpdesk' || github.ref == 'refs/heads/master_odex25_ensan') &&
(github.actor == 'moutazmuhammad' ||
github.actor == 'expsa' ||
github.actor == 'ahmadaking' ||
github.actor == 'ronozoro' ||
github.actor == 'Abubaker-Altaib' ||
github.actor == 'abdurrahman-saber' ||
github.actor == 'altexp' ||
github.actor == 'kchyounes19' ||
github.actor == 'maltayyar2' ||
github.actor == 'SamirLADOUI-sa' ||
github.actor == 'mohammed-alkhazrji')
steps:
- name: Checkout And Restart Project
run: |
echo "** [INFO] Running on branch --> ${GITHUB_REF#refs/heads/}"
mkdir -p ~/master_branch_sha
echo "$(date '+%Y-%m-%d %H:%M:%S') - ${{ github.sha }}" >> ~/master_branch_sha/${GITHUB_REF#refs/heads/}
sudo chmod +x ${{ secrets.HELPDESK_STANDARD_FOLDER_PATH }}/scripts/pull_code.sh
sudo ${{ secrets.HELPDESK_STANDARD_FOLDER_PATH }}/scripts/pull_code.sh ${{ secrets.HELPDESK_PROJECT_USER }} ${{ secrets.HELPDESK_STANDARD_FOLDER_PATH }} ${{ secrets.HELPDESK_MASTER_SERVICE }} master ${GITHUB_REF#refs/heads/master_} ${GITHUB_REF#refs/heads/} ${{ secrets.GH_TOKEN }}
- name: Cleanup workspace
if: always()
run: |
rm -rf $GITHUB_WORKSPACE/*
# King Abdel Aziz Lobrary project
kaz_master_server:
name: Deploy to KAZ Master
runs-on: kaz-library-project-runner
if: github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'King AbdelAziz Library Project' && (github.ref == 'refs/heads/master_odex-event' || github.ref == 'refs/heads/master_odex25_helpdesk' || github.ref == 'refs/heads/master_odex25_accounting' || github.ref == 'refs/heads/master_odex25_base' || github.ref == 'refs/heads/master_odex25_dms' || github.ref == 'refs/heads/master_odex25_fleet' || github.ref == 'refs/heads/master_odex25_ENSAN' || github.ref == 'refs/heads/master_odex25_hr' || github.ref == 'refs/heads/master_odex25_inventory' || github.ref == 'refs/heads/master_odex25_maintenance' || github.ref == 'refs/heads/master_odex25_mobile' || github.ref == 'refs/heads/master_odex25_pos' || github.ref == 'refs/heads/master_odex25_project' || github.ref == 'refs/heads/master_odex25_purchase' || github.ref == 'refs/heads/master_odex25_realstate' || github.ref == 'refs/heads/master_odex25_sales' || github.ref == 'refs/heads/master_odex25_survey' || github.ref == 'refs/heads/master_odex25_transactions' || github.ref == 'refs/heads/master_odex25_website' || github.ref == 'refs/heads/master_openeducat_erp-14.0.1.0' || github.ref == 'refs/heads/master_odex25_takaful' || github.ref == 'refs/heads/master_odex25_benefit' || github.ref == 'refs/heads/master_odex25_ensan') &&
(github.actor == 'moutazmuhammad' ||
github.actor == 'expsa' ||
github.actor == 'ahmadaking' ||
github.actor == 'ronozoro' ||
github.actor == 'Abubaker-Altaib' ||
github.actor == 'abdurrahman-saber' ||
github.actor == 'altexp' ||
github.actor == 'kchyounes19' ||
github.actor == 'maltayyar2' ||
github.actor == 'SamirLADOUI-sa' ||
github.actor == 'mohammed-alkhazrji')
steps:
- name: Checkout And Restart Project
run: |
echo "** [INFO] Running on branch --> ${GITHUB_REF#refs/heads/}"
mkdir -p ~/master_branch_sha
echo "$(date '+%Y-%m-%d %H:%M:%S') - ${{ github.sha }}" >> ~/master_branch_sha/${GITHUB_REF#refs/heads/}
sudo chmod +x ${{ secrets.KAZ_STANDARD_FOLDER_PATH }}/scripts/pull_code.sh
sudo ${{ secrets.KAZ_STANDARD_FOLDER_PATH }}/scripts/pull_code.sh ${{ secrets.KAZ_PROJECT_USER }} ${{ secrets.KAZ_STANDARD_FOLDER_PATH }} ${{ secrets.KAZ_MASTER_SERVICE }} master ${GITHUB_REF#refs/heads/master_} ${GITHUB_REF#refs/heads/} ${{ secrets.GH_TOKEN }}
sudo systemctl restart odoo-server-stage.service
- name: Cleanup workspace
if: always()
run: |
rm -rf $GITHUB_WORKSPACE/*
# Twahod project
twahod_master_server:
name: Deploy to Twahod Master
runs-on: twahod-client-project-runner
if: github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'Twahod Project' && (github.ref == 'refs/heads/master_odex-event' || github.ref == 'refs/heads/master_odex25_accounting' || github.ref == 'refs/heads/master_odex25_helpdesk' || github.ref == 'refs/heads/master_odex25_base' || github.ref == 'refs/heads/master_odex25_dms' || github.ref == 'refs/heads/master_odex25_fleet' || github.ref == 'refs/heads/master_odex25_ENSAN' || github.ref == 'refs/heads/master_odex25_hr' || github.ref == 'refs/heads/master_odex25_inventory' || github.ref == 'refs/heads/master_odex25_maintenance' || github.ref == 'refs/heads/master_odex25_mobile' || github.ref == 'refs/heads/master_odex25_pos' || github.ref == 'refs/heads/master_odex25_project' || github.ref == 'refs/heads/master_odex25_purchase' || github.ref == 'refs/heads/master_odex25_realstate' || github.ref == 'refs/heads/master_odex25_sales' || github.ref == 'refs/heads/master_odex25_survey' || github.ref == 'refs/heads/master_odex25_transactions' || github.ref == 'refs/heads/master_odex25_website' || github.ref == 'refs/heads/master_openeducat_erp-14.0.1.0' || github.ref == 'refs/heads/master_odex25_takaful' || github.ref == 'refs/heads/master_odex25_benefit' || github.ref == 'refs/heads/master_odex25_ensan') &&
(github.actor == 'moutazmuhammad' ||
github.actor == 'expsa' ||
github.actor == 'ahmadaking' ||
github.actor == 'ronozoro' ||
github.actor == 'Abubaker-Altaib' ||
github.actor == 'abdurrahman-saber' ||
github.actor == 'altexp' ||
github.actor == 'kchyounes19' ||
github.actor == 'maltayyar2' ||
github.actor == 'SamirLADOUI-sa' ||
github.actor == 'mohammed-alkhazrji')
steps:
- name: Checkout And Restart Project
run: |
echo "** [INFO] Running on branch --> ${GITHUB_REF#refs/heads/}"
mkdir -p ~/master_branch_sha
echo "$(date '+%Y-%m-%d %H:%M:%S') - ${{ github.sha }}" >> ~/master_branch_sha/${GITHUB_REF#refs/heads/}
sudo chmod +x ${{ secrets.TWAHOD_STANDARD_FOLDER_PATH }}/scripts/pull_code.sh
sudo ${{ secrets.TWAHOD_STANDARD_FOLDER_PATH }}/scripts/pull_code.sh ${{ secrets.TWAHOD_PROJECT_USER }} ${{ secrets.TWAHOD_STANDARD_FOLDER_PATH }} ${{ secrets.TWAHOD_MASTER_SERVICE }} master ${GITHUB_REF#refs/heads/master_} ${GITHUB_REF#refs/heads/} ${{ secrets.GH_TOKEN }}
- name: Cleanup workspace
if: always()
run: |
rm -rf $GITHUB_WORKSPACE/*
# Ekram project
ekram_master_server:
name: Deploy to Ekram Master
runs-on: ekram-client-project-runner
if: github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'Ekram Project' && (github.ref == 'refs/heads/master_odex-event' || github.ref == 'refs/heads/master_odex25_accounting' || github.ref == 'refs/heads/master_odex25_base' || github.ref == 'refs/heads/master_odex25_helpdesk' || github.ref == 'refs/heads/master_odex25_dms' || github.ref == 'refs/heads/master_odex25_fleet' || github.ref == 'refs/heads/master_odex25_ENSAN' || github.ref == 'refs/heads/master_odex25_hr' || github.ref == 'refs/heads/master_odex25_inventory' || github.ref == 'refs/heads/master_odex25_maintenance' || github.ref == 'refs/heads/master_odex25_mobile' || github.ref == 'refs/heads/master_odex25_pos' || github.ref == 'refs/heads/master_odex25_project' || github.ref == 'refs/heads/master_odex25_purchase' || github.ref == 'refs/heads/master_odex25_realstate' || github.ref == 'refs/heads/master_odex25_sales' || github.ref == 'refs/heads/master_odex25_survey' || github.ref == 'refs/heads/master_odex25_transactions' || github.ref == 'refs/heads/master_odex25_website' || github.ref == 'refs/heads/master_openeducat_erp-14.0.1.0' || github.ref == 'refs/heads/master_odex25_takaful' || github.ref == 'refs/heads/master_odex25_benefit' || github.ref == 'refs/heads/master_odex25_ensan') &&
(github.actor == 'moutazmuhammad' ||
github.actor == 'expsa' ||
github.actor == 'ahmadaking' ||
github.actor == 'ronozoro' ||
github.actor == 'Abubaker-Altaib' ||
github.actor == 'abdurrahman-saber' ||
github.actor == 'altexp' ||
github.actor == 'kchyounes19' ||
github.actor == 'maltayyar2' ||
github.actor == 'SamirLADOUI-sa' ||
github.actor == 'mohammed-alkhazrji')
steps:
- name: Checkout And Restart Project
run: |
echo "** [INFO] Running on branch --> ${GITHUB_REF#refs/heads/}"
mkdir -p ~/master_branch_sha
echo "$(date '+%Y-%m-%d %H:%M:%S') - ${{ github.sha }}" >> ~/master_branch_sha/${GITHUB_REF#refs/heads/}
sudo chmod +x ${{ secrets.EKRAM_STANDARD_FOLDER_PATH }}/scripts/pull_code.sh
sudo ${{ secrets.EKRAM_STANDARD_FOLDER_PATH }}/scripts/pull_code.sh ${{ secrets.EKRAM_PROJECT_USER }} ${{ secrets.EKRAM_STANDARD_FOLDER_PATH }} ${{ secrets.EKRAM_MASTER_SERVICE }} master ${GITHUB_REF#refs/heads/master_} ${GITHUB_REF#refs/heads/} ${{ secrets.GH_TOKEN }}
- name: Cleanup workspace
if: always()
run: |
rm -rf $GITHUB_WORKSPACE/*
# Sahli Prod project
sahli_prod_master_server:
name: Deploy to Sahli Prod Master
runs-on: sahli-client-project-runner
if: github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'Sahli Project - Production' && (github.ref == 'refs/heads/master_odex25_accounting' || github.ref == 'refs/heads/master_odex25_base' || github.ref == 'refs/heads/master_odex25_dms' || github.ref == 'refs/heads/master_odex25_hr' || github.ref == 'refs/heads/master_odex25_helpdesk' || github.ref == 'refs/heads/master_odex25_inventory' || github.ref == 'refs/heads/master_odex25_purchase' || github.ref == 'refs/heads/master_odex25_sales' || github.ref == 'refs/heads/master_odex25_project') &&
(github.actor == 'moutazmuhammad' ||
github.actor == 'expsa' ||
github.actor == 'ahmadaking' ||
github.actor == 'ronozoro' ||
github.actor == 'Abubaker-Altaib' ||
github.actor == 'abdurrahman-saber' ||
github.actor == 'altexp' ||
github.actor == 'kchyounes19' ||
github.actor == 'maltayyar2' ||
github.actor == 'SamirLADOUI-sa' ||
github.actor == 'mohammed-alkhazrji')
steps:
- name: Checkout And Restart Project
run: |
echo "** [INFO] Running on branch --> ${GITHUB_REF#refs/heads/}"
mkdir -p ~/master_branch_sha
echo "$(date '+%Y-%m-%d %H:%M:%S') - ${{ github.sha }}" >> ~/master_branch_sha/${GITHUB_REF#refs/heads/}
sudo chmod +x ${{ secrets.SAHLI_STANDARD_FOLDER_PATH }}/scripts/pull_code.sh
sudo ${{ secrets.SAHLI_STANDARD_FOLDER_PATH }}/scripts/pull_code.sh ${{ secrets.SAHLI_PROJECT_USER }} ${{ secrets.SAHLI_STANDARD_FOLDER_PATH }} ${{ secrets.SAHLI_PROD_MASTER_SERVICE }} master ${GITHUB_REF#refs/heads/master_} ${GITHUB_REF#refs/heads/} ${{ secrets.GH_TOKEN }}
- name: Cleanup workspace
if: always()
run: |
rm -rf $GITHUB_WORKSPACE/*
sahli_stage_master_server:
name: Deploy to Sahli Stage Master
runs-on: sahli-client-project-runner
if: github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'Sahli Project - Stage' && (github.ref == 'refs/heads/master_odex25_accounting' || github.ref == 'refs/heads/master_odex25_base' || github.ref == 'refs/heads/master_odex25_dms' || github.ref == 'refs/heads/master_odex25_hr' || github.ref == 'refs/heads/master_odex25_helpdesk' || github.ref == 'refs/heads/master_odex25_inventory' || github.ref == 'refs/heads/master_odex25_purchase' || github.ref == 'refs/heads/master_odex25_sales' || github.ref == 'refs/heads/master_odex25_project') &&
(github.actor == 'moutazmuhammad' ||
github.actor == 'expsa' ||
github.actor == 'ahmadaking' ||
github.actor == 'ronozoro' ||
github.actor == 'Abubaker-Altaib' ||
github.actor == 'abdurrahman-saber' ||
github.actor == 'altexp' ||
github.actor == 'kchyounes19' ||
github.actor == 'maltayyar2' ||
github.actor == 'SamirLADOUI-sa' ||
github.actor == 'mohammed-alkhazrji')
steps:
- name: Checkout And Restart Project
run: |
echo "** [INFO] Running on branch --> ${GITHUB_REF#refs/heads/}"
mkdir -p ~/master_branch_sha
echo "$(date '+%Y-%m-%d %H:%M:%S') - ${{ github.sha }}" >> ~/master_branch_sha/${GITHUB_REF#refs/heads/}-stage
sudo chmod +x ${{ secrets.SAHLI_STANDARD_FOLDER_PATH }}/scripts/pull_code.sh
sudo ${{ secrets.SAHLI_STANDARD_FOLDER_PATH }}/scripts/pull_code.sh ${{ secrets.SAHLI_PROJECT_USER }} ${{ secrets.SAHLI_STANDARD_FOLDER_PATH }} ${{ secrets.SAHLI_STAGE_MASTER_SERVICE }} master ${GITHUB_REF#refs/heads/master_} ${GITHUB_REF#refs/heads/} ${{ secrets.GH_TOKEN }}
- name: Cleanup workspace
if: always()
run: |
rm -rf $GITHUB_WORKSPACE/*
# Jazala project
jazala_master_server:
name: Deploy to Jazala Master
runs-on: jazala-client-project-runner
if: github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'Jazala Project' && (github.ref == 'refs/heads/master_odex-event' || github.ref == 'refs/heads/master_odex25_accounting' || github.ref == 'refs/heads/master_odex25_base' || github.ref == 'refs/heads/master_odex25_dms' || github.ref == 'refs/heads/master_odex25_fleet' || github.ref == 'refs/heads/master_odex25_helpdesk' || github.ref == 'refs/heads/master_odex25_ENSAN' || github.ref == 'refs/heads/master_odex25_hr' || github.ref == 'refs/heads/master_odex25_inventory' || github.ref == 'refs/heads/master_odex25_maintenance' || github.ref == 'refs/heads/master_odex25_mobile' || github.ref == 'refs/heads/master_odex25_pos' || github.ref == 'refs/heads/master_odex25_project' || github.ref == 'refs/heads/master_odex25_purchase' || github.ref == 'refs/heads/master_odex25_realstate' || github.ref == 'refs/heads/master_odex25_sales' || github.ref == 'refs/heads/master_odex25_survey' || github.ref == 'refs/heads/master_odex25_transactions' || github.ref == 'refs/heads/master_odex25_website' || github.ref == 'refs/heads/master_openeducat_erp-14.0.1.0' || github.ref == 'refs/heads/master_odex25_takaful' || github.ref == 'refs/heads/master_odex25_benefit' || github.ref == 'refs/heads/master_odex25_ensan') &&
(github.actor == 'moutazmuhammad' ||
github.actor == 'expsa' ||
github.actor == 'ahmadaking' ||
github.actor == 'ronozoro' ||
github.actor == 'Abubaker-Altaib' ||
github.actor == 'abdurrahman-saber' ||
github.actor == 'altexp' ||
github.actor == 'kchyounes19' ||
github.actor == 'maltayyar2' ||
github.actor == 'SamirLADOUI-sa' ||
github.actor == 'mohammed-alkhazrji')
steps:
- name: Checkout And Restart Project
run: |
echo "** [INFO] Running on branch --> ${GITHUB_REF#refs/heads/}"
mkdir -p ~/master_branch_sha
echo "$(date '+%Y-%m-%d %H:%M:%S') - ${{ github.sha }}" >> ~/master_branch_sha/${GITHUB_REF#refs/heads/}
sudo chmod +x ${{ secrets.JAZALA_STANDARD_FOLDER_PATH }}/scripts/pull_code.sh
sudo ${{ secrets.JAZALA_STANDARD_FOLDER_PATH }}/scripts/pull_code.sh ${{ secrets.JAZALA_PROJECT_USER }} ${{ secrets.JAZALA_STANDARD_FOLDER_PATH }} ${{ secrets.JAZALA_MASTER_SERVICE }} master ${GITHUB_REF#refs/heads/master_} ${GITHUB_REF#refs/heads/} ${{ secrets.GH_TOKEN }}
- name: Cleanup workspace
if: always()
run: |
rm -rf $GITHUB_WORKSPACE/*

115
.github/workflows/restrict-pr-authors.yaml vendored
View File

@ -1,111 +1,48 @@
name: Restrict PR Authors & Committers name: Restrict PR Authors
permissions:
contents: read
pull-requests: write
on: on:
pull_request: pull_request:
types: [opened, reopened, synchronize] types: [opened, reopened, synchronize]
branches: branches:
- dev_odex-event - '**' # Apply to all PRs in this repo
- dev_odex25_accounting
- dev_odex25_base permissions:
- dev_odex25_dms pull-requests: write
- dev_odex25_fleet
- dev_odex25_hr
- dev_odex25_inventory
- dev_odex25_maintenance
- dev_odex25_mobile
- dev_odex25_pos
- dev_odex25_project
- dev_odex25_purchase
- dev_odex25_realstate
- dev_odex25_sales
- dev_odex25_survey
- dev_odex25_transactions
- dev_odex25_website
- dev_openeducat_erp-14.0.1.0
- dev_odex25_benefit
- dev_odex25_takaful
- dev_odex25_helpdesk
- dev_odex25_donation
- dev_odex25_ensan
jobs: jobs:
check_pr_author: check_pr_author:
runs-on: linting_odex25-standard-modules_runner runs-on: ubuntu-latest
steps: steps:
- name: Validate PR Author & Commit Authors - name: Validate PR Author
uses: actions/github-script@v7 uses: actions/github-script@v7
with: with:
github-token: ${{ secrets.GH_TOKEN }}
script: | script: |
// TODO: Add your team members here
const allowed = [ const allowed = [
"expsa", "hydracp9",
"moutazmuhammad", "eltayar", // Added for testing/dev
"ronozoro", // "another-client-user"
"Abubaker-Altaib",
"altexp",
"the5abir",
"ahmadaking",
"kchyounes19",
"abdurrahman-saber",
"maltayyar2",
"esam-sermah",
"mohammed-alkhazrji",
"SamirLADOUI-sa",
"NossibaElhadi"
]; ];
const pr = context.payload.pull_request; const prAuthor = context.payload.pull_request.user.login;
const prAuthor = pr.user.login;
const owner = context.repo.owner;
const repo = context.repo.repo;
core.info(`PR author: ${prAuthor}`); core.info(`PR Author: ${prAuthor}`);
// Check PR author
if (!allowed.includes(prAuthor)) { if (!allowed.includes(prAuthor)) {
core.error(`Unauthorized PR author: ${prAuthor}. Closing PR...`); core.setFailed(`⛔ Unauthorized Access: User '${prAuthor}' is not in the allowed list.`);
// Optional: Close the PR automatically
try {
await github.rest.pulls.update({ await github.rest.pulls.update({
owner, owner: context.repo.owner,
repo, repo: context.repo.repo,
pull_number: pr.number, pull_number: context.payload.pull_request.number,
state: "closed" state: "closed"
}); });
return; core.info("PR has been closed automatically.");
} catch (e) {
core.warning("Failed to close PR automatically.");
}
} else {
core.info("✅ Authorized.");
} }
core.info("All PR authors are allowed.");
# // Check commit authors
# const commitList = await github.rest.pulls.listCommits({
# owner,
# repo,
# pull_number: pr.number
# });
# core.info("PR author is allowed.");
# // Uncomment below if you want to block unauthorized commit authors also
# /*
# for (const commit of commitList.data) {
# const commitAuthor = commit.author ? commit.author.login : null;
# if (commitAuthor && !allowed.includes(commitAuthor)) {
# core.error(`Unauthorized commit author: ${commitAuthor}. Closing PR...`);
# await github.rest.pulls.update({
# owner,
# repo,
# pull_number: pr.number,
# state: "closed"
# });
# return;
# }
# }
# core.info("All PR authors and committers are allowed.");
# */