# Run secret-dependent e2e tests only after /ok-to-test approval on: pull_request: repository_dispatch: types: [ok-to-test-command] permissions: contents: read name: e2e tests env: # Common versions GO_VERSION: '1.21' GINKGO_VERSION: 'v2.8.0' DOCKER_BUILDX_VERSION: 'v0.4.2' KIND_VERSION: 'v0.17.0' KIND_IMAGE: 'kindest/node:v1.26.0' # Common users. We can't run a step 'if secrets.GHCR_USERNAME != ""' but we can run # a step 'if env.GHCR_USERNAME' != ""', so we copy these to succinctly test whether # credentials have been provided before trying to run steps that need them. GHCR_USERNAME: ${{ secrets.GHCR_USERNAME }} GCP_SM_SA_JSON: ${{ secrets.GCP_SM_SA_JSON}} GCP_GKE_ZONE: ${{ secrets.GCP_GKE_ZONE}} GCP_GSA_NAME: ${{ secrets.GCP_GSA_NAME}} # Goolge Service Account GCP_KSA_NAME: ${{ secrets.GCP_KSA_NAME}} # Kubernetes Service Account GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID}} AWS_REGION: "eu-central-1" AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN }} TFC_AZURE_CLIENT_ID: ${{ secrets.TFC_AZURE_CLIENT_ID}} TFC_AZURE_CLIENT_SECRET: ${{ secrets.TFC_AZURE_CLIENT_SECRET }} TFC_AZURE_TENANT_ID: ${{ secrets.TFC_AZURE_TENANT_ID}} TFC_AZURE_SUBSCRIPTION_ID: ${{ secrets.TFC_AZURE_SUBSCRIPTION_ID }} TFC_VAULT_URL: ${{ secrets.TFC_VAULT_URL}} SCALEWAY_API_URL: ${{ secrets.SCALEWAY_API_URL }} SCALEWAY_REGION: ${{ secrets.SCALEWAY_REGION }} SCALEWAY_PROJECT_ID: ${{ secrets.SCALEWAY_PROJECT_ID }} SCALEWAY_ACCESS_KEY: ${{ secrets.SCALEWAY_ACCESS_KEY }} SCALEWAY_SECRET_KEY: ${{ secrets.SCALEWAY_SECRET_KEY }} DELINEA_TLD: ${{ secrets.DELINEA_TLD }} DELINEA_URL_TEMPLATE: ${{ secrets.DELINEA_URL_TEMPLATE }} DELINEA_TENANT: ${{ secrets.DELINEA_TENANT }} DELINEA_CLIENT_ID: ${{ secrets.DELINEA_CLIENT_ID }} DELINEA_CLIENT_SECRET: ${{ secrets.DELINEA_CLIENT_SECRET }} SECRETSERVER_USERNAME: ${{ secrets.SECRETSERVER_USERNAME }} SECRETSERVER_PASSWORD: ${{ secrets.SECRETSERVER_PASSWORD }} SECRETSERVER_URL: ${{ secrets.SECRETSERVER_URL }} jobs: integration-trusted: runs-on: ubuntu-latest permissions: id-token: write checks: write contents: read if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && github.actor !='dependabot[bot]' steps: - name: Branch based PR checkout uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Fetch History run: git fetch --prune --unshallow - uses: ./.github/actions/e2e # Repo owner has commented /ok-to-test on a (fork-based) pull request integration-fork: runs-on: ubuntu-latest permissions: id-token: write checks: write contents: read if: github.event_name == 'repository_dispatch' steps: # Check out merge commit - name: Fork based /ok-to-test checkout uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: ref: 'refs/pull/${{ github.event.client_payload.pull_request.number }}/merge' - name: Fetch History run: git fetch --prune --unshallow - uses: ./.github/actions/e2e # Update check run called "integration-fork" - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 id: update-check-run if: ${{ always() }} env: number: ${{ github.event.client_payload.pull_request.number }} job: ${{ github.job }} # Conveniently, job.status maps to https://developer.github.com/v3/checks/runs/#update-a-check-run conclusion: ${{ job.status }} with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | const { data: pull } = await github.rest.pulls.get({ ...context.repo, pull_number: process.env.number }); const ref = pull.head.sha; console.log("\n\nPR sha: " + ref) const { data: checks } = await github.rest.checks.listForRef({ ...context.repo, ref }); console.log("\n\nPR CHECKS: " + checks) const check = checks.check_runs.filter(c => c.name === process.env.job); console.log("\n\nPR Filtered CHECK: " + check) console.log(check) const { data: result } = await github.rest.checks.update({ ...context.repo, check_run_id: check[0].id, status: 'completed', conclusion: process.env.conclusion }); return result;