From 32f83ad6761ce904061a2ba355e1f7bc498f7270 Mon Sep 17 00:00:00 2001
From: William Chargin <wchargin@gmail.com>
Date: Tue, 7 Jan 2020 21:03:23 -0800
Subject: [PATCH] ci: fast-fail on forked PRs with no credentials (#1522)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Summary:
PRs created from forks don’t have credentials when running CI. This
commit causes the `test-full` job (which requires credentials) to fail
fast with a helpful error message.

Test Plan:
Push distinct versions of this commit to a fork and to the main
repository, and open pull requests for each. Note that the tests pass
from the main repository, but fail with a nice message from the fork:

![Screenshot of expected fast-fail behavior][ss]

The “team member pushes to trusted branch” workflow has already been
successfully exercised for #1521.

[ss]: https://user-images.githubusercontent.com/4317806/71707839-b782ab00-2da1-11ea-8aa9-7d8720538a87.png

wchargin-branch: forked-pr-fail-fast
---
 config/test.js | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/config/test.js b/config/test.js
index b7e134b..7c69fd7 100644
--- a/config/test.js
+++ b/config/test.js
@@ -10,6 +10,11 @@ main();
 
 function main() {
   const options = parseArgs();
+  if (isForkedPrFullRun(options)) {
+    printForkedPrFullRunErrorMessage();
+    process.exitCode = 1;
+    return;
+  }
   const printVerboseResults = options.mode === "FULL";
   const runOptions = {printVerboseResults};
   const tasks = makeTasks(options.mode, options.limitMemoryUsage);
@@ -33,6 +38,37 @@ function parseArgs() {
   return options;
 }
 
+/**
+ * Check whether we're running full CI for a PR created on a fork. In
+ * this state, Circle CI omits secure environment variables (which is
+ * good and desired), but this means that we'll have to abort tests.
+ */
+function isForkedPrFullRun(options) {
+  if (options.mode !== "FULL") {
+    return false;
+  }
+  if (!process.env["CIRCLE_PR_NUMBER"]) {
+    // This environment variable is only set on forked PRs.
+    // https://circleci.com/docs/2.0/env-vars/#built-in-environment-variables
+    return false;
+  }
+  if (process.env["SOURCECRED_GITHUB_TOKEN"]) {
+    return false;
+  }
+  return true;
+}
+
+function printForkedPrFullRunErrorMessage() {
+  console.error(
+    [
+      "fatal: cannot run full test suite: missing credentials",
+      "Tests on forked PRs run without credentials by default. A core team ",
+      "member will sanity-check your PR and push its head commit to a branch ",
+      "on the main SourceCred repository, which will re-run these tests.",
+    ].join("\n")
+  );
+}
+
 function makeTasks(
   mode /*: "BASIC" | "FULL" */,
   limitMemoryUsage /*: boolean */