|
@@ -15,15 +15,17 @@ env:
|
|
|
TARGET_SHA: ${{ github.event.client_payload.slash_command.args.named.sha }}
|
|
TARGET_SHA: ${{ github.event.client_payload.slash_command.args.named.sha }}
|
|
|
GHCR_USERNAME: ${{ github.actor }}
|
|
GHCR_USERNAME: ${{ github.actor }}
|
|
|
AWS_REGION: "eu-central-1"
|
|
AWS_REGION: "eu-central-1"
|
|
|
|
|
+
|
|
|
jobs:
|
|
jobs:
|
|
|
|
|
|
|
|
|
|
+ # Same-repo pull request: build and test run as two jobs on separate runners.
|
|
|
integration-trusted:
|
|
integration-trusted:
|
|
|
- runs-on: ubuntu-latest
|
|
|
|
|
permissions:
|
|
permissions:
|
|
|
- id-token: write #for oidc auth with aws/gcp/azure
|
|
|
|
|
- contents: read #for checkout
|
|
|
|
|
|
|
+ id-token: write # for oidc auth with aws/gcp/azure
|
|
|
|
|
+ contents: read # for checkout
|
|
|
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && github.actor !='dependabot[bot]'
|
|
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && github.actor !='dependabot[bot]'
|
|
|
- env:
|
|
|
|
|
|
|
+ uses: ./.github/workflows/e2e-reusable.yml
|
|
|
|
|
+ secrets:
|
|
|
GCP_SERVICE_ACCOUNT_KEY: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}
|
|
GCP_SERVICE_ACCOUNT_KEY: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}
|
|
|
GCP_FED_REGION: ${{ secrets.GCP_FED_REGION }}
|
|
GCP_FED_REGION: ${{ secrets.GCP_FED_REGION }}
|
|
|
GCP_GSA_NAME: ${{ secrets.GCP_GSA_NAME }}
|
|
GCP_GSA_NAME: ${{ secrets.GCP_GSA_NAME }}
|
|
@@ -52,30 +54,26 @@ jobs:
|
|
|
SECRETSERVER_URL: ${{ secrets.SECRETSERVER_URL }}
|
|
SECRETSERVER_URL: ${{ secrets.SECRETSERVER_URL }}
|
|
|
GRAFANA_URL: ${{ secrets.GRAFANA_URL }}
|
|
GRAFANA_URL: ${{ secrets.GRAFANA_URL }}
|
|
|
GRAFANA_TOKEN: ${{ secrets.GRAFANA_TOKEN }}
|
|
GRAFANA_TOKEN: ${{ secrets.GRAFANA_TOKEN }}
|
|
|
- steps:
|
|
|
|
|
- - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
|
|
|
|
|
- with:
|
|
|
|
|
- egress-policy: audit
|
|
|
|
|
-
|
|
|
|
|
- - name: Branch based PR checkout
|
|
|
|
|
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
|
|
|
|
- with:
|
|
|
|
|
- persist-credentials: false
|
|
|
|
|
-
|
|
|
|
|
- - name: Fetch History
|
|
|
|
|
- run: git fetch --prune --unshallow
|
|
|
|
|
-
|
|
|
|
|
- - uses: ./.github/actions/e2e
|
|
|
|
|
|
|
+ AKEYLESS_ACCESS_ID: ${{ secrets.AKEYLESS_ACCESS_ID }}
|
|
|
|
|
+ AKEYLESS_ACCESS_TYPE: ${{ secrets.AKEYLESS_ACCESS_TYPE }}
|
|
|
|
|
+ AKEYLESS_ACCESS_TYPE_PARAM: ${{ secrets.AKEYLESS_ACCESS_TYPE_PARAM }}
|
|
|
|
|
+ GITLAB_TOKEN: ${{ secrets.GITLAB_TOKEN }}
|
|
|
|
|
+ GITLAB_PROJECT_ID: ${{ secrets.GITLAB_PROJECT_ID }}
|
|
|
|
|
+ GITLAB_ENVIRONMENT: ${{ secrets.GITLAB_ENVIRONMENT }}
|
|
|
|
|
+ ORACLE_USER_OCID: ${{ secrets.ORACLE_USER_OCID }}
|
|
|
|
|
+ ORACLE_TENANCY_OCID: ${{ secrets.ORACLE_TENANCY_OCID }}
|
|
|
|
|
+ ORACLE_REGION: ${{ secrets.ORACLE_REGION }}
|
|
|
|
|
+ ORACLE_FINGERPRINT: ${{ secrets.ORACLE_FINGERPRINT }}
|
|
|
|
|
+ ORACLE_KEY: ${{ secrets.ORACLE_KEY }}
|
|
|
|
|
|
|
|
- # Repo owner has commented /ok-to-test on a (fork-based) pull request
|
|
|
|
|
|
|
+ # Repo owner has commented /ok-to-test on a (fork-based) pull request.
|
|
|
integration-fork:
|
|
integration-fork:
|
|
|
- runs-on: ubuntu-latest
|
|
|
|
|
permissions:
|
|
permissions:
|
|
|
- id-token: write #for oidc auth with aws/gcp/azure
|
|
|
|
|
- contents: read #for checkout
|
|
|
|
|
- pull-requests: write # to publish the status as comments
|
|
|
|
|
|
|
+ id-token: write # for oidc auth with aws/gcp/azure
|
|
|
|
|
+ contents: read # for checkout
|
|
|
if: github.event_name == 'repository_dispatch'
|
|
if: github.event_name == 'repository_dispatch'
|
|
|
- env:
|
|
|
|
|
|
|
+ uses: ./.github/workflows/e2e-reusable.yml
|
|
|
|
|
+ secrets:
|
|
|
GCP_SERVICE_ACCOUNT_KEY: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}
|
|
GCP_SERVICE_ACCOUNT_KEY: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}
|
|
|
GCP_FED_REGION: ${{ secrets.GCP_FED_REGION }}
|
|
GCP_FED_REGION: ${{ secrets.GCP_FED_REGION }}
|
|
|
GCP_GSA_NAME: ${{ secrets.GCP_GSA_NAME }}
|
|
GCP_GSA_NAME: ${{ secrets.GCP_GSA_NAME }}
|
|
@@ -104,25 +102,32 @@ jobs:
|
|
|
SECRETSERVER_URL: ${{ secrets.SECRETSERVER_URL }}
|
|
SECRETSERVER_URL: ${{ secrets.SECRETSERVER_URL }}
|
|
|
GRAFANA_URL: ${{ secrets.GRAFANA_URL }}
|
|
GRAFANA_URL: ${{ secrets.GRAFANA_URL }}
|
|
|
GRAFANA_TOKEN: ${{ secrets.GRAFANA_TOKEN }}
|
|
GRAFANA_TOKEN: ${{ secrets.GRAFANA_TOKEN }}
|
|
|
|
|
+ AKEYLESS_ACCESS_ID: ${{ secrets.AKEYLESS_ACCESS_ID }}
|
|
|
|
|
+ AKEYLESS_ACCESS_TYPE: ${{ secrets.AKEYLESS_ACCESS_TYPE }}
|
|
|
|
|
+ AKEYLESS_ACCESS_TYPE_PARAM: ${{ secrets.AKEYLESS_ACCESS_TYPE_PARAM }}
|
|
|
|
|
+ GITLAB_TOKEN: ${{ secrets.GITLAB_TOKEN }}
|
|
|
|
|
+ GITLAB_PROJECT_ID: ${{ secrets.GITLAB_PROJECT_ID }}
|
|
|
|
|
+ GITLAB_ENVIRONMENT: ${{ secrets.GITLAB_ENVIRONMENT }}
|
|
|
|
|
+ ORACLE_USER_OCID: ${{ secrets.ORACLE_USER_OCID }}
|
|
|
|
|
+ ORACLE_TENANCY_OCID: ${{ secrets.ORACLE_TENANCY_OCID }}
|
|
|
|
|
+ ORACLE_REGION: ${{ secrets.ORACLE_REGION }}
|
|
|
|
|
+ ORACLE_FINGERPRINT: ${{ secrets.ORACLE_FINGERPRINT }}
|
|
|
|
|
+ ORACLE_KEY: ${{ secrets.ORACLE_KEY }}
|
|
|
|
|
+
|
|
|
|
|
+ # Report the fork run result back onto the originating pull request.
|
|
|
|
|
+ report-fork:
|
|
|
|
|
+ if: github.event_name == 'repository_dispatch' && always()
|
|
|
|
|
+ needs: integration-fork
|
|
|
|
|
+ runs-on: ubuntu-latest
|
|
|
|
|
+ permissions:
|
|
|
|
|
+ pull-requests: write # to publish the status as comments
|
|
|
|
|
+ contents: read
|
|
|
steps:
|
|
steps:
|
|
|
- uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
|
|
- uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
|
|
|
with:
|
|
with:
|
|
|
egress-policy: audit
|
|
egress-policy: audit
|
|
|
|
|
|
|
|
- # Check out merge commit
|
|
|
|
|
- - name: Fork based /ok-to-test checkout
|
|
|
|
|
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
|
|
|
|
- with:
|
|
|
|
|
- ref: '${{ env.TARGET_SHA }}'
|
|
|
|
|
- persist-credentials: false
|
|
|
|
|
-
|
|
|
|
|
- - name: Fetch History
|
|
|
|
|
- run: git fetch --prune --unshallow
|
|
|
|
|
-
|
|
|
|
|
- - id: e2e
|
|
|
|
|
- uses: ./.github/actions/e2e
|
|
|
|
|
- id: create_token
|
|
- id: create_token
|
|
|
- if: always()
|
|
|
|
|
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
|
|
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
|
|
|
env:
|
|
env:
|
|
|
APP_ID: ${{ secrets.APP_ID }}
|
|
APP_ID: ${{ secrets.APP_ID }}
|
|
@@ -131,16 +136,17 @@ jobs:
|
|
|
private-key: ${{ secrets.PRIVATE_KEY }}
|
|
private-key: ${{ secrets.PRIVATE_KEY }}
|
|
|
owner: ${{ github.repository_owner }}
|
|
owner: ${{ github.repository_owner }}
|
|
|
|
|
|
|
|
- - name: Update on Succeess
|
|
|
|
|
- if: always() && steps.e2e.conclusion == 'success'
|
|
|
|
|
|
|
+ - name: Update on Success
|
|
|
|
|
+ if: needs.integration-fork.result == 'success'
|
|
|
uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
|
|
uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
|
|
|
with:
|
|
with:
|
|
|
token: ${{ steps.create_token.outputs.token }}
|
|
token: ${{ steps.create_token.outputs.token }}
|
|
|
issue-number: ${{ github.event.client_payload.pull_request.number }}
|
|
issue-number: ${{ github.event.client_payload.pull_request.number }}
|
|
|
body: |
|
|
body: |
|
|
|
[Bot] - :white_check_mark: [e2e for ${{ env.TARGET_SHA }} passed](https://github.com/external-secrets/external-secrets/actions/runs/${{ github.run_id }})
|
|
[Bot] - :white_check_mark: [e2e for ${{ env.TARGET_SHA }} passed](https://github.com/external-secrets/external-secrets/actions/runs/${{ github.run_id }})
|
|
|
|
|
+
|
|
|
- name: Update on Failure
|
|
- name: Update on Failure
|
|
|
- if: always() && steps.e2e.conclusion != 'success'
|
|
|
|
|
|
|
+ if: needs.integration-fork.result != 'success'
|
|
|
uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
|
|
uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
|
|
|
with:
|
|
with:
|
|
|
token: ${{ steps.create_token.outputs.token }}
|
|
token: ${{ steps.create_token.outputs.token }}
|