external-secrets/.github/workflows/e2e.yml

# Run secret-dependent e2e tests only after /ok-to-test approval
on:
  pull_request:
  repository_dispatch:
    types: [ok-to-test-command]

permissions:
  id-token: write
  checks: write
  contents: read

name: e2e tests

env:
  # Common versions
  GO_VERSION: '1.19'
  GINKGO_VERSION: 'v2.8.0'
  DOCKER_BUILDX_VERSION: 'v0.4.2'
  KIND_VERSION: 'v0.17.0'
  KIND_IMAGE: 'kindest/node:v1.26.0'

  # Common users. We can't run a step 'if secrets.GHCR_USERNAME != ""' but we can run
  # a step 'if env.GHCR_USERNAME' != ""', so we copy these to succinctly test whether
  # credentials have been provided before trying to run steps that need them.
  GHCR_USERNAME: ${{ secrets.GHCR_USERNAME }}
  GCP_SM_SA_JSON: ${{ secrets.GCP_SM_SA_JSON}}
  GCP_GKE_ZONE: ${{ secrets.GCP_GKE_ZONE}}
  GCP_GSA_NAME: ${{ secrets.GCP_GSA_NAME}} # Goolge Service Account
  GCP_KSA_NAME: ${{ secrets.GCP_KSA_NAME}} # Kubernetes Service Account
  GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID}}

  AWS_REGION: "eu-central-1"
  AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN }}

  AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID}}
  AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET}}
  TENANT_ID: ${{ secrets.TENANT_ID}}
  VAULT_URL: ${{ secrets.VAULT_URL}}


jobs:

  integration-trusted:
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && github.actor !='dependabot[bot]'
    steps:

    - name: Branch based PR checkout
      uses: actions/checkout@v3

    - name: Fetch History
      run: git fetch --prune --unshallow

    - uses: ./.github/actions/e2e

  # Repo owner has commented /ok-to-test on a (fork-based) pull request
  integration-fork:
    runs-on: ubuntu-latest
    if: github.event_name == 'repository_dispatch'
    steps:

    # Check out merge commit
    - name: Fork based /ok-to-test checkout
      uses: actions/checkout@v3
      with:
        ref: 'refs/pull/${{ github.event.client_payload.pull_request.number }}/merge'

    - name: Fetch History
      run: git fetch --prune --unshallow

    - uses: ./.github/actions/e2e

    # Update check run called "integration-fork"
    - uses: actions/github-script@v6
      id: update-check-run
      if: ${{ always() }}
      env:
        number: ${{ github.event.client_payload.pull_request.number }}
        job: ${{ github.job }}
        # Conveniently, job.status maps to https://developer.github.com/v3/checks/runs/#update-a-check-run
        conclusion: ${{ job.status }}
      with:
        github-token: ${{ secrets.GITHUB_TOKEN }}
        script: |
          const { data: pull } = await github.rest.pulls.get({
            ...context.repo,
            pull_number: process.env.number
          });
          const ref = pull.head.sha;
          console.log("\n\nPR sha: " + ref)
          const { data: checks } = await github.rest.checks.listForRef({
            ...context.repo,
            ref
          });
          console.log("\n\nPR CHECKS: " + checks)
          const check = checks.check_runs.filter(c => c.name === process.env.job);
          console.log("\n\nPR Filtered CHECK: " + check)
          console.log(check)
          const { data: result } = await github.rest.checks.update({
            ...context.repo,
            check_run_id: check[0].id,
            status: 'completed',
            conclusion: process.env.conclusion
          });
          return result;
feat: add ok-to-test workflow 2021-06-13 13:28:52 +00:00			`# Run secret-dependent e2e tests only after /ok-to-test approval`
			`on:`
			`pull_request:`
			`repository_dispatch:`
			`types: [ok-to-test-command]`

Feature: initial generator implementation + Github Actions OIDC/AWS (#1539) Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com> 2022-10-29 18:15:50 +00:00			`permissions:`
			`id-token: write`
fix: add status checks permission (#1813) Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> 2022-12-14 15:31:38 +00:00			`checks: write`
Feature: initial generator implementation + Github Actions OIDC/AWS (#1539) Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com> 2022-10-29 18:15:50 +00:00			`contents: read`

			`name: e2e tests`

feat: add ok-to-test workflow 2021-06-13 13:28:52 +00:00			`env:`
			`# Common versions`
fix: aws parameter store json decode, bump go 1.19 (#1525) * fix: parameter store should decode complex json values Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> 2022-09-06 17:46:36 +00:00			`GO_VERSION: '1.19'`
feat: bump packages (#1976) Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> 2023-02-01 23:53:27 +00:00			`GINKGO_VERSION: 'v2.8.0'`
feat: add ok-to-test workflow 2021-06-13 13:28:52 +00:00			`DOCKER_BUILDX_VERSION: 'v0.4.2'`
aws secretsmanager/parameterstore referent auth (#1884) * feat: implement referentAuth for aws Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> * feat: e2e tests Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> * Update pkg/provider/aws/provider.go Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com> Signed-off-by: Moritz Johner <moolen@users.noreply.github.com> * Update pkg/provider/aws/provider.go Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com> Signed-off-by: Moritz Johner <moolen@users.noreply.github.com> * feat: allow each credential to be referent Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> Signed-off-by: Moritz Johner <moolen@users.noreply.github.com> Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com> 2023-01-13 09:19:25 +00:00			`KIND_VERSION: 'v0.17.0'`
			`KIND_IMAGE: 'kindest/node:v1.26.0'`
feat: add ok-to-test workflow 2021-06-13 13:28:52 +00:00
			`# Common users. We can't run a step 'if secrets.GHCR_USERNAME != ""' but we can run`
			`# a step 'if env.GHCR_USERNAME' != ""', so we copy these to succinctly test whether`
			`# credentials have been provided before trying to run steps that need them.`
			`GHCR_USERNAME: ${{ secrets.GHCR_USERNAME }}`
add gcp creds evn var 2021-06-18 10:14:48 +00:00			`GCP_SM_SA_JSON: ${{ secrets.GCP_SM_SA_JSON}}`
e2e testing for gcp Workload Identity 2021-12-29 12:02:56 +00:00			`GCP_GKE_ZONE: ${{ secrets.GCP_GKE_ZONE}}`
			`GCP_GSA_NAME: ${{ secrets.GCP_GSA_NAME}} # Goolge Service Account`
			`GCP_KSA_NAME: ${{ secrets.GCP_KSA_NAME}} # Kubernetes Service Account`
fix(e2e): refactor e2e tests 2021-07-12 18:27:48 +00:00			`GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID}}`
Feature: initial generator implementation + Github Actions OIDC/AWS (#1539) Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com> 2022-10-29 18:15:50 +00:00
			`AWS_REGION: "eu-central-1"`
			`AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN }}`

test: add ci variables 2021-06-29 12:48:49 +00:00			`AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID}}`
			`AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET}}`
			`TENANT_ID: ${{ secrets.TENANT_ID}}`
			`VAULT_URL: ${{ secrets.VAULT_URL}}`
feat: add ok-to-test workflow 2021-06-13 13:28:52 +00:00

			`jobs:`
Feature: initial generator implementation + Github Actions OIDC/AWS (#1539) Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com> 2022-10-29 18:15:50 +00:00
feat: add ok-to-test workflow 2021-06-13 13:28:52 +00:00			`integration-trusted:`
			`runs-on: ubuntu-latest`
🐛Fixing: github.actor instead of github.author (#1424) Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com> 2022-08-03 13:30:08 +00:00			`if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && github.actor !='dependabot[bot]'`
feat: add ok-to-test workflow 2021-06-13 13:28:52 +00:00			`steps:`

			`- name: Branch based PR checkout`
build(deps): bump actions/checkout from 2 to 3 Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v2...v3) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> 2022-03-07 08:06:46 +00:00			`uses: actions/checkout@v3`
feat: add ok-to-test workflow 2021-06-13 13:28:52 +00:00
			`- name: Fetch History`
			`run: git fetch --prune --unshallow`

Feature: initial generator implementation + Github Actions OIDC/AWS (#1539) Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com> 2022-10-29 18:15:50 +00:00			`- uses: ./.github/actions/e2e`
feat: add ok-to-test workflow 2021-06-13 13:28:52 +00:00
			`# Repo owner has commented /ok-to-test on a (fork-based) pull request`
			`integration-fork:`
			`runs-on: ubuntu-latest`
Feature: initial generator implementation + Github Actions OIDC/AWS (#1539) Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com> 2022-10-29 18:15:50 +00:00			`if: github.event_name == 'repository_dispatch'`
feat: add ok-to-test workflow 2021-06-13 13:28:52 +00:00			`steps:`

			`# Check out merge commit`
			`- name: Fork based /ok-to-test checkout`
build(deps): bump actions/checkout from 2 to 3 Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v2...v3) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> 2022-03-07 08:06:46 +00:00			`uses: actions/checkout@v3`
feat: add ok-to-test workflow 2021-06-13 13:28:52 +00:00			`with:`
			`ref: 'refs/pull/${{ github.event.client_payload.pull_request.number }}/merge'`

			`- name: Fetch History`
			`run: git fetch --prune --unshallow`

Feature: initial generator implementation + Github Actions OIDC/AWS (#1539) Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com> 2022-10-29 18:15:50 +00:00			`- uses: ./.github/actions/e2e`
feat: add ok-to-test workflow 2021-06-13 13:28:52 +00:00
			`# Update check run called "integration-fork"`
build(deps): bump actions/github-script from 1 to 6 Bumps [actions/github-script](https://github.com/actions/github-script) from 1 to 6. - [Release notes](https://github.com/actions/github-script/releases) - [Commits](https://github.com/actions/github-script/compare/v1...v6) --- updated-dependencies: - dependency-name: actions/github-script dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> 2022-02-14 08:05:09 +00:00			`- uses: actions/github-script@v6`
feat: add ok-to-test workflow 2021-06-13 13:28:52 +00:00			`id: update-check-run`
			`if: ${{ always() }}`
			`env:`
			`number: ${{ github.event.client_payload.pull_request.number }}`
			`job: ${{ github.job }}`
			`# Conveniently, job.status maps to https://developer.github.com/v3/checks/runs/#update-a-check-run`
feat: implement templateFrom 2021-06-25 23:56:42 +00:00			`conclusion: ${{ job.status }}`
feat: add ok-to-test workflow 2021-06-13 13:28:52 +00:00			`with:`
			`github-token: ${{ secrets.GITHUB_TOKEN }}`
			`script: \|`
fix: update github-script actions Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> 2022-02-15 15:08:41 +00:00			`const { data: pull } = await github.rest.pulls.get({`
feat: add ok-to-test workflow 2021-06-13 13:28:52 +00:00			`...context.repo,`
			`pull_number: process.env.number`
			`});`
			`const ref = pull.head.sha;`
chore: add log PR report 2021-11-15 15:47:09 +00:00			`console.log("\n\nPR sha: " + ref)`
fix: update github-script actions Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> 2022-02-15 15:08:41 +00:00			`const { data: checks } = await github.rest.checks.listForRef({`
feat: add ok-to-test workflow 2021-06-13 13:28:52 +00:00			`...context.repo,`
			`ref`
			`});`
chore: add log PR report 2021-11-15 15:47:09 +00:00			`console.log("\n\nPR CHECKS: " + checks)`
feat: add ok-to-test workflow 2021-06-13 13:28:52 +00:00			`const check = checks.check_runs.filter(c => c.name === process.env.job);`
chore: add log PR report 2021-11-15 15:47:09 +00:00			`console.log("\n\nPR Filtered CHECK: " + check)`
			`console.log(check)`
fix: update github-script actions Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> 2022-02-15 15:08:41 +00:00			`const { data: result } = await github.rest.checks.update({`
feat: add ok-to-test workflow 2021-06-13 13:28:52 +00:00			`...context.repo,`
chore: add log PR report 2021-11-15 15:47:09 +00:00			`check_run_id: check[0].id,`
feat: add ok-to-test workflow 2021-06-13 13:28:52 +00:00			`status: 'completed',`
			`conclusion: process.env.conclusion`
			`});`
			`return result;`