feat: create release at lean4-pr-releases for each PR (#2448)

.github/workflows/pr-release.yml

@@ -0,0 +1,69 @@
+# Push a release to the lean4-pr-releases repository, whenever someone pushes to a PR branch.
+
+# This needs to run with the `secrets.PR_RELEASES_TOKEN` token available,
+# but PR branches will generally come from forks,
+# so it is not possible to run this using the `pull_request` or `pull_request_target` workflows.
+# Instead we use `workflow_run`, which essentially allows us to escalate privileges
+# (but only runs the CI as described in the `master` branch, not in the PR branch).
+
+name: PR release
+
+on:
+  workflow_run: # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_run
+    workflows: [CI]
+    types: [completed]
+
+jobs:
+  on-success:
+    runs-on: ubuntu-latest
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    steps:
+      - name: Retrieve information about the original workflow
+        uses: potiuk/get-workflow-origin@v1_1 # https://github.com/marketplace/actions/get-workflow-origin
+        id: workflow-info
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          sourceRunId: ${{ github.event.workflow_run.id }}
+      - name: Checkout
+        # Only proceed if the previous workflow had a pull request number.
+        if: ${{ steps.workflow-info.outputs.pullRequestNumber != '' }}
+        uses: actions/checkout@v3
+        with:
+          token: ${{ secrets.PR_RELEASES_TOKEN }}
+          # Since `workflow_run` runs on master, we need to specify which commit to check out,
+          # so that we tag the PR.
+          ref: ${{ steps.workflow-info.outputs.targetCommitSha }}
+          # We need a full checkout, so that we can push the PR commits to the `lean4-pr-releases` repo.
+          fetch-depth: 0
+
+      - name: Download artifact from the previous workflow.
+        if: ${{ steps.workflow-info.outputs.pullRequestNumber != '' }}
+        id: download-artifact
+        uses: dawidd6/action-download-artifact@v2 # https://github.com/marketplace/actions/download-workflow-artifact
+        with:
+          run_id: ${{ github.event.workflow_run.id }}
+          path: artifacts
+      - name: Prepare release
+        if: ${{ steps.workflow-info.outputs.pullRequestNumber != '' }}
+        run: |
+          git remote add pr-releases https://foo:'${{ secrets.PR_RELEASES_TOKEN }}'@github.com/${{ github.repository_owner }}/lean4-pr-releases.git
+          # Try to delete any existing release for the current PR.
+          gh release delete --repo ${{ github.repository_owner }}/lean4-pr-releases pr-release-${{ steps.workflow-info.outputs.pullRequestNumber }} -y || true
+          git tag -f pr-release-${{ steps.workflow-info.outputs.pullRequestNumber }}
+          git push -f pr-releases pr-release-${{ steps.workflow-info.outputs.pullRequestNumber }}
+        env:
+          GH_TOKEN: ${{ secrets.PR_RELEASES_TOKEN }}
+      - name: Release
+        if: ${{ steps.workflow-info.outputs.pullRequestNumber != '' }}
+        uses: softprops/action-gh-release@v1
+        with:
+          name: Release for PR ${{ steps.workflow-info.outputs.pullRequestNumber }}
+          # There are coredumps files here as well, but all in deeper subdirectories.
+          files: artifacts/*/*
+          fail_on_unmatched_files: true
+          draft: false
+          tag_name: pr-release-${{ steps.workflow-info.outputs.pullRequestNumber }}
+          repository: ${{ github.repository_owner }}/lean4-pr-releases
+        env:
+          # The token used here must have `workflow` privileges.
+          GITHUB_TOKEN: ${{ secrets.PR_RELEASES_TOKEN }}