mirror of
https://github.com/external-secrets/external-secrets.git
synced 2024-12-15 17:51:01 +00:00
9512254a04
* use github token for the actions check Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com> * fix msg Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com> --------- Signed-off-by: Gustavo Carvalho <gusfcarvalho@gmail.com>
150 lines
5.7 KiB
YAML
150 lines
5.7 KiB
YAML
# Run secret-dependent e2e tests only after /ok-to-test approval
|
|
on:
|
|
pull_request:
|
|
repository_dispatch:
|
|
types: [ok-to-test-command]
|
|
|
|
permissions:
|
|
contents: read
|
|
issues: write
|
|
pull-requests: write
|
|
checks: write
|
|
statuses: read
|
|
name: e2e tests
|
|
|
|
env:
|
|
# Common versions
|
|
GO_VERSION: '1.21'
|
|
GINKGO_VERSION: 'v2.8.0'
|
|
DOCKER_BUILDX_VERSION: 'v0.4.2'
|
|
KIND_VERSION: 'v0.17.0'
|
|
KIND_IMAGE: 'kindest/node:v1.26.0'
|
|
|
|
# Common users. We can't run a step 'if secrets.GHCR_USERNAME != ""' but we can run
|
|
# a step 'if env.GHCR_USERNAME' != ""', so we copy these to succinctly test whether
|
|
# credentials have been provided before trying to run steps that need them.
|
|
TARGET_SHA: ${{ github.event.client_payload.slash_command.args.named.sha }}
|
|
GHCR_USERNAME: ${{ secrets.GHCR_USERNAME }}
|
|
GCP_SM_SA_JSON: ${{ secrets.GCP_SM_SA_JSON}}
|
|
GCP_GKE_ZONE: ${{ secrets.GCP_GKE_ZONE}}
|
|
GCP_GSA_NAME: ${{ secrets.GCP_GSA_NAME}} # Goolge Service Account
|
|
GCP_KSA_NAME: ${{ secrets.GCP_KSA_NAME}} # Kubernetes Service Account
|
|
GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID}}
|
|
|
|
AWS_REGION: "eu-central-1"
|
|
AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN }}
|
|
|
|
TFC_AZURE_CLIENT_ID: ${{ secrets.TFC_AZURE_CLIENT_ID}}
|
|
TFC_AZURE_CLIENT_SECRET: ${{ secrets.TFC_AZURE_CLIENT_SECRET }}
|
|
TFC_AZURE_TENANT_ID: ${{ secrets.TFC_AZURE_TENANT_ID}}
|
|
TFC_AZURE_SUBSCRIPTION_ID: ${{ secrets.TFC_AZURE_SUBSCRIPTION_ID }}
|
|
TFC_VAULT_URL: ${{ secrets.TFC_VAULT_URL}}
|
|
|
|
SCALEWAY_API_URL: ${{ secrets.SCALEWAY_API_URL }}
|
|
SCALEWAY_REGION: ${{ secrets.SCALEWAY_REGION }}
|
|
SCALEWAY_PROJECT_ID: ${{ secrets.SCALEWAY_PROJECT_ID }}
|
|
SCALEWAY_ACCESS_KEY: ${{ secrets.SCALEWAY_ACCESS_KEY }}
|
|
SCALEWAY_SECRET_KEY: ${{ secrets.SCALEWAY_SECRET_KEY }}
|
|
DELINEA_TLD: ${{ secrets.DELINEA_TLD }}
|
|
DELINEA_URL_TEMPLATE: ${{ secrets.DELINEA_URL_TEMPLATE }}
|
|
DELINEA_TENANT: ${{ secrets.DELINEA_TENANT }}
|
|
DELINEA_CLIENT_ID: ${{ secrets.DELINEA_CLIENT_ID }}
|
|
DELINEA_CLIENT_SECRET: ${{ secrets.DELINEA_CLIENT_SECRET }}
|
|
|
|
SECRETSERVER_USERNAME: ${{ secrets.SECRETSERVER_USERNAME }}
|
|
SECRETSERVER_PASSWORD: ${{ secrets.SECRETSERVER_PASSWORD }}
|
|
SECRETSERVER_URL: ${{ secrets.SECRETSERVER_URL }}
|
|
jobs:
|
|
|
|
integration-trusted:
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
id-token: write
|
|
checks: write
|
|
contents: read
|
|
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && github.actor !='dependabot[bot]'
|
|
steps:
|
|
|
|
- name: Branch based PR checkout
|
|
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
|
|
|
- name: Fetch History
|
|
run: git fetch --prune --unshallow
|
|
|
|
- uses: ./.github/actions/e2e
|
|
|
|
# Repo owner has commented /ok-to-test on a (fork-based) pull request
|
|
integration-fork:
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
id-token: write
|
|
checks: write
|
|
contents: read
|
|
if: github.event_name == 'repository_dispatch'
|
|
steps:
|
|
|
|
# Check out merge commit
|
|
- name: Fork based /ok-to-test checkout
|
|
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
|
with:
|
|
ref: '${{ env.TARGET_SHA }}'
|
|
|
|
- name: Fetch History
|
|
run: git fetch --prune --unshallow
|
|
|
|
- id: e2e
|
|
uses: ./.github/actions/e2e
|
|
- id: create_token
|
|
uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
|
|
with:
|
|
app_id: ${{ secrets.APP_ID }}
|
|
private_key: ${{ secrets.PRIVATE_KEY }}
|
|
# Update check run called "integration-fork"
|
|
- uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
|
|
id: update-check-run
|
|
if: ${{ always() }}
|
|
env:
|
|
number: ${{ github.event.client_payload.pull_request.number }}
|
|
job: ${{ github.job }}
|
|
# Conveniently, job.status maps to https://developer.github.com/v3/checks/runs/#update-a-check-run
|
|
conclusion: ${{ job.status }}
|
|
with:
|
|
github-token: ${{ secrets.GITHUB_TOKEN }}
|
|
script: |
|
|
const { data: pull } = await github.rest.pulls.get({
|
|
...context.repo,
|
|
pull_number: process.env.number
|
|
});
|
|
const ref = pull.head.sha;
|
|
console.log("\n\nPR sha: " + ref)
|
|
const { data: checks } = await github.rest.checks.listForRef({
|
|
...context.repo,
|
|
ref
|
|
});
|
|
console.log("\n\nPR CHECKS: " + checks)
|
|
const check = checks.check_runs.filter(c => c.name === process.env.job);
|
|
console.log("\n\nPR Filtered CHECK: " + check)
|
|
console.log(check)
|
|
const { data: result } = await github.rest.checks.update({
|
|
...context.repo,
|
|
check_run_id: check[0].id,
|
|
status: 'completed',
|
|
conclusion: process.env.conclusion
|
|
});
|
|
return result;
|
|
- name: Update on Succeess
|
|
if: always() && steps.e2e.conclusion == 'success'
|
|
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
|
|
with:
|
|
token: ${{ steps.create_token.outputs.token }}
|
|
issue-number: ${{ github.event.client_payload.pull_request.number }}
|
|
body: |
|
|
[Bot] - :white_check_mark: [e2e for ${{ env.TARGET_SHA }} passed](https://github.com/external-secrets/external-secrets/actions/runs/${{ github.run_id }})
|
|
- name: Update on Failure
|
|
if: always() && steps.e2e.conclusion != 'success'
|
|
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
|
|
with:
|
|
token: ${{ steps.create_token.outputs.token }}
|
|
issue-number: ${{ github.event.client_payload.pull_request.number }}
|
|
body: |
|
|
[Bot] - :x: [e2e for ${{ env.TARGET_SHA }} failed](https://github.com/external-secrets/external-secrets/actions/runs/${{ github.run_id }})
|