1
0
Fork 0
mirror of https://github.com/external-secrets/external-secrets.git synced 2024-12-15 17:51:01 +00:00
external-secrets/.github/workflows/e2e.yml
Gustavo Fernandes de Carvalho 9512254a04
use github token for the actions check (#3679)
* use github token for the actions check

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>

* fix msg

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>

---------

Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
2024-07-10 10:32:50 -03:00

150 lines
5.7 KiB
YAML

# Run secret-dependent e2e tests only after /ok-to-test approval
on:
pull_request:
repository_dispatch:
types: [ok-to-test-command]
permissions:
contents: read
issues: write
pull-requests: write
checks: write
statuses: read
name: e2e tests
env:
# Common versions
GO_VERSION: '1.21'
GINKGO_VERSION: 'v2.8.0'
DOCKER_BUILDX_VERSION: 'v0.4.2'
KIND_VERSION: 'v0.17.0'
KIND_IMAGE: 'kindest/node:v1.26.0'
# Common users. We can't run a step 'if secrets.GHCR_USERNAME != ""' but we can run
# a step 'if env.GHCR_USERNAME' != ""', so we copy these to succinctly test whether
# credentials have been provided before trying to run steps that need them.
TARGET_SHA: ${{ github.event.client_payload.slash_command.args.named.sha }}
GHCR_USERNAME: ${{ secrets.GHCR_USERNAME }}
GCP_SM_SA_JSON: ${{ secrets.GCP_SM_SA_JSON}}
GCP_GKE_ZONE: ${{ secrets.GCP_GKE_ZONE}}
GCP_GSA_NAME: ${{ secrets.GCP_GSA_NAME}} # Goolge Service Account
GCP_KSA_NAME: ${{ secrets.GCP_KSA_NAME}} # Kubernetes Service Account
GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID}}
AWS_REGION: "eu-central-1"
AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN }}
TFC_AZURE_CLIENT_ID: ${{ secrets.TFC_AZURE_CLIENT_ID}}
TFC_AZURE_CLIENT_SECRET: ${{ secrets.TFC_AZURE_CLIENT_SECRET }}
TFC_AZURE_TENANT_ID: ${{ secrets.TFC_AZURE_TENANT_ID}}
TFC_AZURE_SUBSCRIPTION_ID: ${{ secrets.TFC_AZURE_SUBSCRIPTION_ID }}
TFC_VAULT_URL: ${{ secrets.TFC_VAULT_URL}}
SCALEWAY_API_URL: ${{ secrets.SCALEWAY_API_URL }}
SCALEWAY_REGION: ${{ secrets.SCALEWAY_REGION }}
SCALEWAY_PROJECT_ID: ${{ secrets.SCALEWAY_PROJECT_ID }}
SCALEWAY_ACCESS_KEY: ${{ secrets.SCALEWAY_ACCESS_KEY }}
SCALEWAY_SECRET_KEY: ${{ secrets.SCALEWAY_SECRET_KEY }}
DELINEA_TLD: ${{ secrets.DELINEA_TLD }}
DELINEA_URL_TEMPLATE: ${{ secrets.DELINEA_URL_TEMPLATE }}
DELINEA_TENANT: ${{ secrets.DELINEA_TENANT }}
DELINEA_CLIENT_ID: ${{ secrets.DELINEA_CLIENT_ID }}
DELINEA_CLIENT_SECRET: ${{ secrets.DELINEA_CLIENT_SECRET }}
SECRETSERVER_USERNAME: ${{ secrets.SECRETSERVER_USERNAME }}
SECRETSERVER_PASSWORD: ${{ secrets.SECRETSERVER_PASSWORD }}
SECRETSERVER_URL: ${{ secrets.SECRETSERVER_URL }}
jobs:
integration-trusted:
runs-on: ubuntu-latest
permissions:
id-token: write
checks: write
contents: read
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && github.actor !='dependabot[bot]'
steps:
- name: Branch based PR checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Fetch History
run: git fetch --prune --unshallow
- uses: ./.github/actions/e2e
# Repo owner has commented /ok-to-test on a (fork-based) pull request
integration-fork:
runs-on: ubuntu-latest
permissions:
id-token: write
checks: write
contents: read
if: github.event_name == 'repository_dispatch'
steps:
# Check out merge commit
- name: Fork based /ok-to-test checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
ref: '${{ env.TARGET_SHA }}'
- name: Fetch History
run: git fetch --prune --unshallow
- id: e2e
uses: ./.github/actions/e2e
- id: create_token
uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
with:
app_id: ${{ secrets.APP_ID }}
private_key: ${{ secrets.PRIVATE_KEY }}
# Update check run called "integration-fork"
- uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
id: update-check-run
if: ${{ always() }}
env:
number: ${{ github.event.client_payload.pull_request.number }}
job: ${{ github.job }}
# Conveniently, job.status maps to https://developer.github.com/v3/checks/runs/#update-a-check-run
conclusion: ${{ job.status }}
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const { data: pull } = await github.rest.pulls.get({
...context.repo,
pull_number: process.env.number
});
const ref = pull.head.sha;
console.log("\n\nPR sha: " + ref)
const { data: checks } = await github.rest.checks.listForRef({
...context.repo,
ref
});
console.log("\n\nPR CHECKS: " + checks)
const check = checks.check_runs.filter(c => c.name === process.env.job);
console.log("\n\nPR Filtered CHECK: " + check)
console.log(check)
const { data: result } = await github.rest.checks.update({
...context.repo,
check_run_id: check[0].id,
status: 'completed',
conclusion: process.env.conclusion
});
return result;
- name: Update on Succeess
if: always() && steps.e2e.conclusion == 'success'
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
with:
token: ${{ steps.create_token.outputs.token }}
issue-number: ${{ github.event.client_payload.pull_request.number }}
body: |
[Bot] - :white_check_mark: [e2e for ${{ env.TARGET_SHA }} passed](https://github.com/external-secrets/external-secrets/actions/runs/${{ github.run_id }})
- name: Update on Failure
if: always() && steps.e2e.conclusion != 'success'
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
with:
token: ${{ steps.create_token.outputs.token }}
issue-number: ${{ github.event.client_payload.pull_request.number }}
body: |
[Bot] - :x: [e2e for ${{ env.TARGET_SHA }} failed](https://github.com/external-secrets/external-secrets/actions/runs/${{ github.run_id }})