helm-external-secrets/.github/workflows/e2e-managed.yml

name: managed e2e tests

on:
  repository_dispatch:
    types: [ok-to-test-managed-command]

permissions:
  contents: read

env:
  DOCKER_BUILDX_VERSION: 'v0.4.2'
  GHCR_USERNAME: ${{ github.actor }}
  USE_GKE_GCLOUD_AUTH_PLUGIN: true
  
  # GCP variables
  GCP_SERVICE_ACCOUNT_KEY: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}
  GCP_SM_SA_GKE_JSON: ${{ secrets.GCP_SM_SA_GKE_JSON }}
  GCP_GKE_CLUSTER: e2e
  TF_VAR_GCP_GKE_CLUSTER: e2e
  GCP_FED_REGION: ${{ secrets.GCP_FED_REGION }}
  TF_VAR_GCP_FED_REGION: ${{ secrets.GCP_FED_REGION }}
  GCP_KSA_NAME: ${{ secrets.GCP_KSA_NAME }}
  TF_VAR_GCP_KSA_NAME: ${{ secrets.GCP_KSA_NAME }}
  GCP_FED_PROJECT_ID: ${{ secrets.GCP_FED_PROJECT_ID }}
  TF_VAR_GCP_FED_PROJECT_ID: ${{ secrets.GCP_FED_PROJECT_ID }}
  GCP_FED_SERVICE_ACCOUNT_EMAIL: ${{ secrets.GCP_FED_SERVICE_ACCOUNT_EMAIL }}
  GCP_FED_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_FED_WORKLOAD_IDENTITY_PROVIDER }}
  
  # AWS variables
  AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN }}
  AWS_SA_NAME: ${{ secrets.AWS_SA_NAME }}
  AWS_SA_NAMESPACE: ${{ secrets.AWS_SA_NAMESPACE }}
  AWS_REGION: "eu-central-1"
  AWS_CLUSTER_NAME: "eso-e2e-managed"
  TF_VAR_AWS_SA_NAME: ${{ secrets.AWS_SA_NAME }}
  TF_VAR_AWS_SA_NAMESPACE: ${{ secrets.AWS_SA_NAMESPACE }}
  TF_VAR_AWS_REGION: "eu-central-1"
  TF_VAR_AWS_CLUSTER_NAME: "eso-e2e-managed"
  
  # Azure variables
  TFC_AZURE_CLIENT_ID: ${{ secrets.TFC_AZURE_CLIENT_ID }}
  TFC_AZURE_CLIENT_SECRET: ${{ secrets.TFC_AZURE_CLIENT_SECRET }}
  TFC_AZURE_TENANT_ID: ${{ secrets.TFC_AZURE_TENANT_ID }}
  TFC_AZURE_SUBSCRIPTION_ID: ${{ secrets.TFC_AZURE_SUBSCRIPTION_ID }}
  TFC_VAULT_URL: ${{ secrets.TFC_VAULT_URL }}

jobs:

  setup:
    runs-on: ubuntu-latest
    permissions:
      checks: write
      contents: read
    outputs:
      check_run_id: ${{ steps.create_check.outputs.check_run_id }}
    steps:
      - uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
        with:
          egress-policy: audit

      - name: Create status check
        id: create_check
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          PROVIDER: ${{ github.event.client_payload.slash_command.args.named.provider }}
          HEAD_SHA: ${{ github.event.client_payload.pull_request.head.sha }}
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const job_name = "e2e-managed-" + process.env.PROVIDER
            const ref = process.env.HEAD_SHA
            const { data: checks } = await github.rest.checks.listForRef({
              ...context.repo,
              ref
            });
            const check = checks.check_runs.filter(c => c.name === job_name);
            if(check && check.length > 0){
              const { data: result } = await github.rest.checks.update({
                ...context.repo,
                check_run_id: check[0].id,
                status: 'in_progress',
              });
              core.setOutput('check_run_id', check[0].id);
              return result;
            }
            const { data: result } = await github.rest.checks.create({
              ...context.repo,
              name: job_name,
              head_sha: ref,
              status: 'in_progress',
            });
            core.setOutput('check_run_id', result.id);
            return result;

  # AWS-specific job
  test-aws:
    runs-on: ubuntu-latest
    if: github.event.client_payload.slash_command.args.named.provider == 'aws'
    needs: [setup]
    permissions:
      id-token: write
      contents: read
      packages: write
    steps:
      - uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
        with:
          egress-policy: audit

      - name: Fork based /ok-to-test-managed checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: 'refs/pull/${{ github.event.client_payload.pull_request.number }}/merge'

      - name: Setup Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: go.mod

      - name: Find the Go Cache
        id: go
        run: |
          echo "build-cache=$(go env GOCACHE)" >> $GITHUB_OUTPUT
          echo "mod-cache=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT

      - name: Cache the Go Build Cache
        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
        with:
          path: ${{ steps.go.outputs.build-cache }}
          key: ${{ runner.os }}-build-unit-tests-${{ github.sha }}-${{ hashFiles('**/go.sum') }}
          restore-keys: ${{ runner.os }}-build-unit-tests-${{ github.sha }}-

      - name: Cache Go Dependencies
        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
        with:
          path: ${{ steps.go.outputs.mod-cache }}
          key: ${{ runner.os }}-pkg-${{ github.sha }}-${{ hashFiles('**/go.sum') }}
          restore-keys: ${{ runner.os }}-pkg-${{ github.sha }}-

      - uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v3

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
        with:
          role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
          aws-region: ${{ env.AWS_REGION }}

      - name: Apply Terraform
        run: make tf.apply.aws

      - name: Get AWS EKS credentials
        run: aws --region $AWS_REGION eks update-kubeconfig --name $AWS_CLUSTER_NAME

      - name: Login to Docker
        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
        if: env.GHCR_USERNAME != ''
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Run AWS e2e Tests
        run: |
          export PATH=$PATH:$(go env GOPATH)/bin
          make test.e2e.managed GINKGO_LABELS="aws && managed" TEST_SUITES="provider"

      - name: Destroy Terraform
        if: always()
        run: make tf.destroy.aws

  # GCP-specific job
  test-gcp:
    runs-on: ubuntu-latest
    if: github.event.client_payload.slash_command.args.named.provider == 'gcp'
    needs: [setup]
    permissions:
      id-token: write
      contents: read
      packages: write
    steps:
      - uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
        with:
          egress-policy: audit

      - name: Fork based /ok-to-test-managed checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: 'refs/pull/${{ github.event.client_payload.pull_request.number }}/merge'

      - name: Setup Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: go.mod

      - name: Find the Go Cache
        id: go
        run: |
          echo "build-cache=$(go env GOCACHE)" >> $GITHUB_OUTPUT
          echo "mod-cache=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT

      - name: Cache the Go Build Cache
        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
        with:
          path: ${{ steps.go.outputs.build-cache }}
          key: ${{ runner.os }}-build-unit-tests-${{ github.sha }}-${{ hashFiles('**/go.sum') }}
          restore-keys: ${{ runner.os }}-build-unit-tests-${{ github.sha }}-

      - name: Cache Go Dependencies
        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
        with:
          path: ${{ steps.go.outputs.mod-cache }}
          key: ${{ runner.os }}-pkg-${{ github.sha }}-${{ hashFiles('**/go.sum') }}
          restore-keys: ${{ runner.os }}-pkg-${{ github.sha }}-

      - uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v3

      - name: Authenticate to Google Cloud
        uses: 'google-github-actions/auth@fc2174804b84f912b1f6d334e9463f484f1c552d' # v3
        with:
          project_id: ${{ secrets.GCP_FED_PROJECT_ID }}
          service_account: ${{ secrets.GCP_FED_SERVICE_ACCOUNT_EMAIL }}
          workload_identity_provider: ${{ secrets.GCP_FED_WORKLOAD_IDENTITY_PROVIDER }}
          create_credentials_file: true

      - name: Apply Terraform
        run: make tf.apply.gcp

      - name: Setup gcloud CLI
        uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3
        with:
          install_components: 'gke-gcloud-auth-plugin'

      - name: Get GKE credentials
        uses: google-github-actions/get-gke-credentials@3e00d2f47c840b194fc2ccc712879146e87f98cb # v3
        with:
          cluster_name: '${{ env.GCP_GKE_CLUSTER }}'
          location: 'europe-west1'
          project_id: '${{ secrets.GCP_FED_PROJECT_ID }}'

      - name: Login to Docker
        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
        if: env.GHCR_USERNAME != ''
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Run GCP e2e Tests
        env:
          GCP_SERVICE_ACCOUNT_KEY: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}
        run: |
          export PATH=$PATH:$(go env GOPATH)/bin
          make test.e2e.managed GINKGO_LABELS="gcp && managed" TEST_SUITES="provider"

      - name: Destroy Terraform
        if: always()
        run: make tf.destroy.gcp

  # Azure-specific job
  test-azure:
    runs-on: ubuntu-latest
    if: github.event.client_payload.slash_command.args.named.provider == 'azure'
    needs: [setup]
    permissions:
      id-token: write
      contents: read
      packages: write
    steps:
      - uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
        with:
          egress-policy: audit

      - name: Fork based /ok-to-test-managed checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: 'refs/pull/${{ github.event.client_payload.pull_request.number }}/merge'

      - name: Setup Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: go.mod

      - name: Find the Go Cache
        id: go
        run: |
          echo "build-cache=$(go env GOCACHE)" >> $GITHUB_OUTPUT
          echo "mod-cache=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT

      - name: Cache the Go Build Cache
        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
        with:
          path: ${{ steps.go.outputs.build-cache }}
          key: ${{ runner.os }}-build-unit-tests-${{ github.sha }}-${{ hashFiles('**/go.sum') }}
          restore-keys: ${{ runner.os }}-build-unit-tests-${{ github.sha }}-

      - name: Cache Go Dependencies
        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
        with:
          path: ${{ steps.go.outputs.mod-cache }}
          key: ${{ runner.os }}-pkg-${{ github.sha }}-${{ hashFiles('**/go.sum') }}
          restore-keys: ${{ runner.os }}-pkg-${{ github.sha }}-

      - uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v3

      - name: Azure CLI login
        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5
        with:
          client-id: ${{ secrets.TFC_AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.TFC_AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.TFC_AZURE_SUBSCRIPTION_ID }}

      - name: Apply Terraform
        env:
          ARM_CLIENT_ID: "${{ secrets.TFC_AZURE_CLIENT_ID }}"
          ARM_SUBSCRIPTION_ID: "${{ secrets.TFC_AZURE_SUBSCRIPTION_ID }}"
          ARM_TENANT_ID: "${{ secrets.TFC_AZURE_TENANT_ID }}"
        run: make tf.apply.azure

      - name: Get AKS credentials
        run: az aks get-credentials --admin --name eso-cluster --resource-group external-secrets-e2e

      - name: Login to Docker
        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
        if: env.GHCR_USERNAME != ''
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Run Azure e2e Tests
        run: |
          export PATH=$PATH:$(go env GOPATH)/bin
          make test.e2e.managed GINKGO_LABELS="azure && managed" TEST_SUITES="provider"

      - name: Destroy Terraform
        if: always()
        env:
          ARM_CLIENT_ID: "${{ secrets.TFC_AZURE_CLIENT_ID }}"
          ARM_SUBSCRIPTION_ID: "${{ secrets.TFC_AZURE_SUBSCRIPTION_ID }}"
          ARM_TENANT_ID: "${{ secrets.TFC_AZURE_TENANT_ID }}"
        run: make tf.destroy.azure

  # Final status update job
  update-status:
    runs-on: ubuntu-latest
    if: always()
    needs: [setup, test-aws, test-gcp, test-azure]
    permissions:
      checks: write
      contents: read
    steps:
      - name: Update status check
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          AWS_RESULT: ${{ needs.test-aws.result }}
          GCP_RESULT: ${{ needs.test-gcp.result }}
          AZURE_RESULT: ${{ needs.test-azure.result }}
          CHECK_RUN_ID: ${{ needs.setup.outputs.check_run_id }}
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const conclusion = process.env.AWS_RESULT + process.env.GCP_RESULT + process.env.AZURE_RESULT;
            const checkRunId = process.env.CHECK_RUN_ID;
            
            // Determine the overall conclusion
            let finalConclusion = 'success';
            if (conclusion.includes('failure')) {
              finalConclusion = 'failure';
            } else if (conclusion.includes('cancelled')) {
              finalConclusion = 'cancelled';
            } else if (conclusion === '') {
              finalConclusion = 'skipped';
            }
            
            if (checkRunId) {
              await github.rest.checks.update({
                ...context.repo,
                check_run_id: checkRunId,
                status: 'completed',
                conclusion: finalConclusion
              });
            }