logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149
							# Run secret-dependent e2e tests only after /ok-to-test approval
on:
  pull_request:
  repository_dispatch:
    types: [ok-to-test-command]

permissions:
  contents: read
name: e2e tests

env:
  # Common versions
  KIND_VERSION: 'v0.30.0'
  KIND_IMAGE: 'kindest/node:v1.33.4'
  TARGET_SHA: ${{ github.event.client_payload.slash_command.args.named.sha }}
  GHCR_USERNAME: ${{ github.actor }}
  AWS_REGION: "eu-central-1"
jobs:

  integration-trusted:
    runs-on: ubuntu-latest
    permissions:
      id-token: write #for oidc auth with aws/gcp/azure
      contents: read  #for checkout
    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && github.actor !='dependabot[bot]'
    env:
      GCP_SERVICE_ACCOUNT_KEY: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}
      GCP_FED_REGION: ${{ secrets.GCP_FED_REGION }}
      GCP_GSA_NAME: ${{ secrets.GCP_GSA_NAME }}
      GCP_KSA_NAME: ${{ secrets.GCP_KSA_NAME }}
      GCP_FED_PROJECT_ID: ${{ secrets.GCP_FED_PROJECT_ID }}
      AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN }}
      AWS_SA_NAME: ${{ secrets.AWS_SA_NAME }}
      AWS_SA_NAMESPACE: ${{ secrets.AWS_SA_NAMESPACE }}
      TFC_AZURE_CLIENT_ID: ${{ secrets.TFC_AZURE_CLIENT_ID }}
      TFC_AZURE_CLIENT_SECRET: ${{ secrets.TFC_AZURE_CLIENT_SECRET }}
      TFC_AZURE_TENANT_ID: ${{ secrets.TFC_AZURE_TENANT_ID }}
      TFC_AZURE_SUBSCRIPTION_ID: ${{ secrets.TFC_AZURE_SUBSCRIPTION_ID }}
      TFC_VAULT_URL: ${{ secrets.TFC_VAULT_URL }}
      SCALEWAY_API_URL: ${{ secrets.SCALEWAY_API_URL }}
      SCALEWAY_REGION: ${{ secrets.SCALEWAY_REGION }}
      SCALEWAY_PROJECT_ID: ${{ secrets.SCALEWAY_PROJECT_ID }}
      SCALEWAY_ACCESS_KEY: ${{ secrets.SCALEWAY_ACCESS_KEY }}
      SCALEWAY_SECRET_KEY: ${{ secrets.SCALEWAY_SECRET_KEY }}
      DELINEA_TLD: ${{ secrets.DELINEA_TLD }}
      DELINEA_URL_TEMPLATE: ${{ secrets.DELINEA_URL_TEMPLATE }}
      DELINEA_TENANT: ${{ secrets.DELINEA_TENANT }}
      DELINEA_CLIENT_ID: ${{ secrets.DELINEA_CLIENT_ID }}
      DELINEA_CLIENT_SECRET: ${{ secrets.DELINEA_CLIENT_SECRET }}
      SECRETSERVER_USERNAME: ${{ secrets.SECRETSERVER_USERNAME }}
      SECRETSERVER_PASSWORD: ${{ secrets.SECRETSERVER_PASSWORD }}
      SECRETSERVER_URL: ${{ secrets.SECRETSERVER_URL }}
      GRAFANA_URL: ${{ secrets.GRAFANA_URL }}
      GRAFANA_TOKEN: ${{ secrets.GRAFANA_TOKEN }}
    steps:
    - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
      with:
        egress-policy: audit

    - name: Branch based PR checkout
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        persist-credentials: false

    - name: Fetch History
      run: git fetch --prune --unshallow

    - uses: ./.github/actions/e2e

  # Repo owner has commented /ok-to-test on a (fork-based) pull request
  integration-fork:
    runs-on: ubuntu-latest
    permissions:
      id-token: write      #for oidc auth with aws/gcp/azure
      contents: read       #for checkout
      pull-requests: write # to publish the status as comments
    if: github.event_name == 'repository_dispatch'
    env:
      GCP_SERVICE_ACCOUNT_KEY: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}
      GCP_FED_REGION: ${{ secrets.GCP_FED_REGION }}
      GCP_GSA_NAME: ${{ secrets.GCP_GSA_NAME }}
      GCP_KSA_NAME: ${{ secrets.GCP_KSA_NAME }}
      GCP_FED_PROJECT_ID: ${{ secrets.GCP_FED_PROJECT_ID }}
      AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN }}
      AWS_SA_NAME: ${{ secrets.AWS_SA_NAME }}
      AWS_SA_NAMESPACE: ${{ secrets.AWS_SA_NAMESPACE }}
      TFC_AZURE_CLIENT_ID: ${{ secrets.TFC_AZURE_CLIENT_ID }}
      TFC_AZURE_CLIENT_SECRET: ${{ secrets.TFC_AZURE_CLIENT_SECRET }}
      TFC_AZURE_TENANT_ID: ${{ secrets.TFC_AZURE_TENANT_ID }}
      TFC_AZURE_SUBSCRIPTION_ID: ${{ secrets.TFC_AZURE_SUBSCRIPTION_ID }}
      TFC_VAULT_URL: ${{ secrets.TFC_VAULT_URL }}
      SCALEWAY_API_URL: ${{ secrets.SCALEWAY_API_URL }}
      SCALEWAY_REGION: ${{ secrets.SCALEWAY_REGION }}
      SCALEWAY_PROJECT_ID: ${{ secrets.SCALEWAY_PROJECT_ID }}
      SCALEWAY_ACCESS_KEY: ${{ secrets.SCALEWAY_ACCESS_KEY }}
      SCALEWAY_SECRET_KEY: ${{ secrets.SCALEWAY_SECRET_KEY }}
      DELINEA_TLD: ${{ secrets.DELINEA_TLD }}
      DELINEA_URL_TEMPLATE: ${{ secrets.DELINEA_URL_TEMPLATE }}
      DELINEA_TENANT: ${{ secrets.DELINEA_TENANT }}
      DELINEA_CLIENT_ID: ${{ secrets.DELINEA_CLIENT_ID }}
      DELINEA_CLIENT_SECRET: ${{ secrets.DELINEA_CLIENT_SECRET }}
      SECRETSERVER_USERNAME: ${{ secrets.SECRETSERVER_USERNAME }}
      SECRETSERVER_PASSWORD: ${{ secrets.SECRETSERVER_PASSWORD }}
      SECRETSERVER_URL: ${{ secrets.SECRETSERVER_URL }}
      GRAFANA_URL: ${{ secrets.GRAFANA_URL }}
      GRAFANA_TOKEN: ${{ secrets.GRAFANA_TOKEN }}
    steps:
    - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
      with:
        egress-policy: audit

    # Check out merge commit
    - name: Fork based /ok-to-test checkout
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        ref: '${{ env.TARGET_SHA }}'
        persist-credentials: false

    - name: Fetch History
      run: git fetch --prune --unshallow

    - id: e2e
      uses: ./.github/actions/e2e
    - id: create_token
      if: always()
      uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
      env:
        APP_ID: ${{ secrets.APP_ID }}
      with:
        app-id: ${{ env.APP_ID }}
        private-key: ${{ secrets.PRIVATE_KEY }}
        owner: ${{ github.repository_owner }}

    - name: Update on Succeess
      if: always() && steps.e2e.conclusion == 'success'
      uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
      with:
        token: ${{ steps.create_token.outputs.token }}
        issue-number: ${{ github.event.client_payload.pull_request.number }}
        body: |
            [Bot] - :white_check_mark: [e2e for ${{ env.TARGET_SHA }} passed](https://github.com/external-secrets/external-secrets/actions/runs/${{ github.run_id }})
    - name: Update on Failure
      if: always() &&  steps.e2e.conclusion != 'success'
      uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
      with:
        token: ${{ steps.create_token.outputs.token }}
        issue-number: ${{ github.event.client_payload.pull_request.number }}
        body: |
            [Bot] - :x: [e2e for ${{ env.TARGET_SHA }} failed](https://github.com/external-secrets/external-secrets/actions/runs/${{ github.run_id }})