| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156 |
- # Run secret-dependent e2e tests only after /ok-to-test approval
- on:
- pull_request:
- repository_dispatch:
- types: [ok-to-test-command]
- permissions:
- contents: read
- issues: write
- pull-requests: write
- name: e2e tests
- env:
- # Common versions
- GO_VERSION: '1.21'
- GINKGO_VERSION: 'v2.8.0'
- DOCKER_BUILDX_VERSION: 'v0.4.2'
- KIND_VERSION: 'v0.17.0'
- KIND_IMAGE: 'kindest/node:v1.26.0'
- # Common users. We can't run a step 'if secrets.GHCR_USERNAME != ""' but we can run
- # a step 'if env.GHCR_USERNAME' != ""', so we copy these to succinctly test whether
- # credentials have been provided before trying to run steps that need them.
- TARGET_SHA: ${{ github.event.client_payload.slash_command.args.named.sha }}
- GHCR_USERNAME: ${{ secrets.GHCR_USERNAME }}
- GCP_SM_SA_JSON: ${{ secrets.GCP_SM_SA_JSON}}
- GCP_GKE_ZONE: ${{ secrets.GCP_GKE_ZONE}}
- GCP_GSA_NAME: ${{ secrets.GCP_GSA_NAME}} # Goolge Service Account
- GCP_KSA_NAME: ${{ secrets.GCP_KSA_NAME}} # Kubernetes Service Account
- GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID}}
- AWS_REGION: "eu-central-1"
- AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN }}
- TFC_AZURE_CLIENT_ID: ${{ secrets.TFC_AZURE_CLIENT_ID}}
- TFC_AZURE_CLIENT_SECRET: ${{ secrets.TFC_AZURE_CLIENT_SECRET }}
- TFC_AZURE_TENANT_ID: ${{ secrets.TFC_AZURE_TENANT_ID}}
- TFC_AZURE_SUBSCRIPTION_ID: ${{ secrets.TFC_AZURE_SUBSCRIPTION_ID }}
- TFC_VAULT_URL: ${{ secrets.TFC_VAULT_URL}}
- SCALEWAY_API_URL: ${{ secrets.SCALEWAY_API_URL }}
- SCALEWAY_REGION: ${{ secrets.SCALEWAY_REGION }}
- SCALEWAY_PROJECT_ID: ${{ secrets.SCALEWAY_PROJECT_ID }}
- SCALEWAY_ACCESS_KEY: ${{ secrets.SCALEWAY_ACCESS_KEY }}
- SCALEWAY_SECRET_KEY: ${{ secrets.SCALEWAY_SECRET_KEY }}
- DELINEA_TLD: ${{ secrets.DELINEA_TLD }}
- DELINEA_URL_TEMPLATE: ${{ secrets.DELINEA_URL_TEMPLATE }}
- DELINEA_TENANT: ${{ secrets.DELINEA_TENANT }}
- DELINEA_CLIENT_ID: ${{ secrets.DELINEA_CLIENT_ID }}
- DELINEA_CLIENT_SECRET: ${{ secrets.DELINEA_CLIENT_SECRET }}
- SECRETSERVER_USERNAME: ${{ secrets.SECRETSERVER_USERNAME }}
- SECRETSERVER_PASSWORD: ${{ secrets.SECRETSERVER_PASSWORD }}
- SECRETSERVER_URL: ${{ secrets.SECRETSERVER_URL }}
- jobs:
- integration-trusted:
- runs-on: ubuntu-latest
- permissions:
- id-token: write
- checks: write
- contents: read
- if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && github.actor !='dependabot[bot]'
- steps:
- - name: Branch based PR checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- - name: Fetch History
- run: git fetch --prune --unshallow
- - uses: ./.github/actions/e2e
- # Repo owner has commented /ok-to-test on a (fork-based) pull request
- integration-fork:
- runs-on: ubuntu-latest
- permissions:
- id-token: write
- checks: write
- contents: read
- if: github.event_name == 'repository_dispatch'
- steps:
- # Check out merge commit
- - name: Fork based /ok-to-test checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- with:
- ref: '${{ env.TARGET_SHA }}'
- - name: Fetch History
- run: git fetch --prune --unshallow
- - id: e2e
- uses: ./.github/actions/e2e
- # Update check run called "integration-fork"
- - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
- id: update-check-run
- if: ${{ always() }}
- env:
- number: ${{ github.event.client_payload.pull_request.number }}
- job: ${{ github.job }}
- # Conveniently, job.status maps to https://developer.github.com/v3/checks/runs/#update-a-check-run
- conclusion: ${{ job.status }}
- with:
- github-token: ${{ secrets.TEST_GITHUB_TOKEN }}
- script: |
- const { data: pull } = await github.rest.pulls.get({
- ...context.repo,
- pull_number: process.env.number
- });
- const ref = pull.head.sha;
- console.log("\n\nPR sha: " + ref)
- const { data: checks } = await github.rest.checks.listForRef({
- ...context.repo,
- ref
- });
- console.log("\n\nPR CHECKS: " + checks)
- const check = checks.check_runs.filter(c => c.name === process.env.job);
- console.log("\n\nPR Filtered CHECK: " + check)
- console.log(check)
- const { data: result } = await github.rest.checks.update({
- ...context.repo,
- check_run_id: check[0].id,
- status: 'completed',
- conclusion: process.env.conclusion
- });
- return result;
- - name: Find Comment
- if: always()
- uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3.1.0
- id: fc
- with:
- token: ${{ secrets.TEST_GITHUB_TOKEN }}
- issue-number: ${{ github.event.client_payload.pull_request.number }}
- body-includes: /ok-to-test sha=${{ env.TARGET_SHA }}
- - name: Update on Succeess
- if: always() && steps.fc.outputs.comment-id != '' && steps.e2e.conclusion == 'success'
- uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
- with:
- token: ${{ secrets.TEST_GITHUB_TOKEN }}
- issue-number: ${{ github.event.client_payload.pull_request.number }}
- body: |
- [Bot] - :white_check_mark: [e2e tests pass](https://github.com/external-secrets/external-secrets/actions/runs/${{ steps.update-check-run.outputs.result.id }})
- reactions: +1
- edit-mode: append
- - name: Update on Failure
- if: always() && steps.fc.outputs.comment-id != '' && steps.e2e.conclusion != 'success'
- uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
- with:
- token: ${{ secrets.TEST_GITHUB_TOKEN }}
- issue-number: ${{ github.event.client_payload.pull_request.number }}
- body: |
- [Bot] - :x: [e2e tests failed](https://github.com/external-secrets/external-secrets/actions/runs/${{ steps.update-check-run.outputs.result.id }})
- reactions: -1
- edit-mode: append
|
