# Run secret-dependent e2e tests only after /ok-to-test approval on: pull_request: repository_dispatch: types: [ok-to-test-command] permissions: contents: read name: e2e tests env: # Common versions KIND_VERSION: 'v0.30.0' KIND_IMAGE: 'kindest/node:v1.33.4' TARGET_SHA: ${{ github.event.client_payload.slash_command.args.named.sha }} GHCR_USERNAME: ${{ github.actor }} AWS_REGION: "eu-central-1" jobs: integration-trusted: runs-on: ubuntu-latest permissions: id-token: write #for oidc auth with aws/gcp/azure contents: read #for checkout if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && github.actor !='dependabot[bot]' env: GCP_SERVICE_ACCOUNT_KEY: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }} GCP_FED_REGION: ${{ secrets.GCP_FED_REGION }} GCP_GSA_NAME: ${{ secrets.GCP_GSA_NAME }} GCP_KSA_NAME: ${{ secrets.GCP_KSA_NAME }} GCP_FED_PROJECT_ID: ${{ secrets.GCP_FED_PROJECT_ID }} AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN }} AWS_SA_NAME: ${{ secrets.AWS_SA_NAME }} AWS_SA_NAMESPACE: ${{ secrets.AWS_SA_NAMESPACE }} TFC_AZURE_CLIENT_ID: ${{ secrets.TFC_AZURE_CLIENT_ID }} TFC_AZURE_CLIENT_SECRET: ${{ secrets.TFC_AZURE_CLIENT_SECRET }} TFC_AZURE_TENANT_ID: ${{ secrets.TFC_AZURE_TENANT_ID }} TFC_AZURE_SUBSCRIPTION_ID: ${{ secrets.TFC_AZURE_SUBSCRIPTION_ID }} TFC_VAULT_URL: ${{ secrets.TFC_VAULT_URL }} SCALEWAY_API_URL: ${{ secrets.SCALEWAY_API_URL }} SCALEWAY_REGION: ${{ secrets.SCALEWAY_REGION }} SCALEWAY_PROJECT_ID: ${{ secrets.SCALEWAY_PROJECT_ID }} SCALEWAY_ACCESS_KEY: ${{ secrets.SCALEWAY_ACCESS_KEY }} SCALEWAY_SECRET_KEY: ${{ secrets.SCALEWAY_SECRET_KEY }} DELINEA_TLD: ${{ secrets.DELINEA_TLD }} DELINEA_URL_TEMPLATE: ${{ secrets.DELINEA_URL_TEMPLATE }} DELINEA_TENANT: ${{ secrets.DELINEA_TENANT }} DELINEA_CLIENT_ID: ${{ secrets.DELINEA_CLIENT_ID }} DELINEA_CLIENT_SECRET: ${{ secrets.DELINEA_CLIENT_SECRET }} SECRETSERVER_USERNAME: ${{ secrets.SECRETSERVER_USERNAME }} SECRETSERVER_PASSWORD: ${{ secrets.SECRETSERVER_PASSWORD }} SECRETSERVER_URL: ${{ secrets.SECRETSERVER_URL }} GRAFANA_URL: ${{ secrets.GRAFANA_URL }} GRAFANA_TOKEN: ${{ secrets.GRAFANA_TOKEN }} steps: - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 with: egress-policy: audit - name: Branch based PR checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Fetch History run: git fetch --prune --unshallow - uses: ./.github/actions/e2e # Repo owner has commented /ok-to-test on a (fork-based) pull request integration-fork: runs-on: ubuntu-latest permissions: id-token: write #for oidc auth with aws/gcp/azure contents: read #for checkout pull-requests: write # to publish the status as comments if: github.event_name == 'repository_dispatch' env: GCP_SERVICE_ACCOUNT_KEY: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }} GCP_FED_REGION: ${{ secrets.GCP_FED_REGION }} GCP_GSA_NAME: ${{ secrets.GCP_GSA_NAME }} GCP_KSA_NAME: ${{ secrets.GCP_KSA_NAME }} GCP_FED_PROJECT_ID: ${{ secrets.GCP_FED_PROJECT_ID }} AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN }} AWS_SA_NAME: ${{ secrets.AWS_SA_NAME }} AWS_SA_NAMESPACE: ${{ secrets.AWS_SA_NAMESPACE }} TFC_AZURE_CLIENT_ID: ${{ secrets.TFC_AZURE_CLIENT_ID }} TFC_AZURE_CLIENT_SECRET: ${{ secrets.TFC_AZURE_CLIENT_SECRET }} TFC_AZURE_TENANT_ID: ${{ secrets.TFC_AZURE_TENANT_ID }} TFC_AZURE_SUBSCRIPTION_ID: ${{ secrets.TFC_AZURE_SUBSCRIPTION_ID }} TFC_VAULT_URL: ${{ secrets.TFC_VAULT_URL }} SCALEWAY_API_URL: ${{ secrets.SCALEWAY_API_URL }} SCALEWAY_REGION: ${{ secrets.SCALEWAY_REGION }} SCALEWAY_PROJECT_ID: ${{ secrets.SCALEWAY_PROJECT_ID }} SCALEWAY_ACCESS_KEY: ${{ secrets.SCALEWAY_ACCESS_KEY }} SCALEWAY_SECRET_KEY: ${{ secrets.SCALEWAY_SECRET_KEY }} DELINEA_TLD: ${{ secrets.DELINEA_TLD }} DELINEA_URL_TEMPLATE: ${{ secrets.DELINEA_URL_TEMPLATE }} DELINEA_TENANT: ${{ secrets.DELINEA_TENANT }} DELINEA_CLIENT_ID: ${{ secrets.DELINEA_CLIENT_ID }} DELINEA_CLIENT_SECRET: ${{ secrets.DELINEA_CLIENT_SECRET }} SECRETSERVER_USERNAME: ${{ secrets.SECRETSERVER_USERNAME }} SECRETSERVER_PASSWORD: ${{ secrets.SECRETSERVER_PASSWORD }} SECRETSERVER_URL: ${{ secrets.SECRETSERVER_URL }} GRAFANA_URL: ${{ secrets.GRAFANA_URL }} GRAFANA_TOKEN: ${{ secrets.GRAFANA_TOKEN }} steps: - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 with: egress-policy: audit # Check out merge commit - name: Fork based /ok-to-test checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: '${{ env.TARGET_SHA }}' persist-credentials: false - name: Fetch History run: git fetch --prune --unshallow - id: e2e uses: ./.github/actions/e2e - id: create_token if: always() uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 env: APP_ID: ${{ secrets.APP_ID }} with: app-id: ${{ env.APP_ID }} private-key: ${{ secrets.PRIVATE_KEY }} owner: ${{ github.repository_owner }} - name: Update on Succeess if: always() && steps.e2e.conclusion == 'success' uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0 with: token: ${{ steps.create_token.outputs.token }} issue-number: ${{ github.event.client_payload.pull_request.number }} body: | [Bot] - :white_check_mark: [e2e for ${{ env.TARGET_SHA }} passed](https://github.com/external-secrets/external-secrets/actions/runs/${{ github.run_id }}) - name: Update on Failure if: always() && steps.e2e.conclusion != 'success' uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0 with: token: ${{ steps.create_token.outputs.token }} issue-number: ${{ github.event.client_payload.pull_request.number }} body: | [Bot] - :x: [e2e for ${{ env.TARGET_SHA }} failed](https://github.com/external-secrets/external-secrets/actions/runs/${{ github.run_id }})