helm-external-secrets/.github/workflows/e2e.yml

# Run secret-dependent e2e tests only after /ok-to-test approval
on:
  pull_request:
  repository_dispatch:
    types: [ok-to-test-command]

permissions:
  id-token: write
  checks: write
  contents: read

name: e2e tests

env:
  # Common versions
  GO_VERSION: '1.19'
  GINKGO_VERSION: 'v2.8.0'
  DOCKER_BUILDX_VERSION: 'v0.4.2'
  KIND_VERSION: 'v0.17.0'
  KIND_IMAGE: 'kindest/node:v1.26.0'

  # Common users. We can't run a step 'if secrets.GHCR_USERNAME != ""' but we can run
  # a step 'if env.GHCR_USERNAME' != ""', so we copy these to succinctly test whether
  # credentials have been provided before trying to run steps that need them.
  GHCR_USERNAME: ${{ secrets.GHCR_USERNAME }}
  GCP_SM_SA_JSON: ${{ secrets.GCP_SM_SA_JSON}}
  GCP_GKE_ZONE: ${{ secrets.GCP_GKE_ZONE}}
  GCP_GSA_NAME: ${{ secrets.GCP_GSA_NAME}} # Goolge Service Account
  GCP_KSA_NAME: ${{ secrets.GCP_KSA_NAME}} # Kubernetes Service Account
  GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID}}

  AWS_REGION: "eu-central-1"
  AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN }}

  AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID}}
  AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET}}
  TENANT_ID: ${{ secrets.TENANT_ID}}
  VAULT_URL: ${{ secrets.VAULT_URL}}
  SCALEWAY_API_URL: ${{ secrets.SCALEWAY_API_URL }}
  SCALEWAY_REGION: ${{ secrets.SCALEWAY_REGION }}
  SCALEWAY_PROJECT_ID: ${{ secrets.SCALEWAY_PROJECT_ID }}
  SCALEWAY_ACCESS_KEY: ${{ secrets.SCALEWAY_ACCESS_KEY }}
  SCALEWAY_SECRET_KEY: ${{ secrets.SCALEWAY_SECRET_KEY }}
  DELINEA_TLD: ${{ secrets.DELINEA_TLD }}
  DELINEA_URL_TEMPLATE: ${{ secrets.DELINEA_URL_TEMPLATE }}
  DELINEA_TENANT: ${{ secrets.DELINEA_TENANT }}
  DELINEA_CLIENT_ID: ${{ secrets.DELINEA_CLIENT_ID }}
  DELINEA_CLIENT_SECRET: ${{ secrets.DELINEA_CLIENT_SECRET }}
jobs:

  integration-trusted:
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && github.actor !='dependabot[bot]'
    steps:

    - name: Branch based PR checkout
      uses: actions/checkout@v3

    - name: Fetch History
      run: git fetch --prune --unshallow

    - uses: ./.github/actions/e2e

  # Repo owner has commented /ok-to-test on a (fork-based) pull request
  integration-fork:
    runs-on: ubuntu-latest
    if: github.event_name == 'repository_dispatch'
    steps:

    # Check out merge commit
    - name: Fork based /ok-to-test checkout
      uses: actions/checkout@v3
      with:
        ref: 'refs/pull/${{ github.event.client_payload.pull_request.number }}/merge'

    - name: Fetch History
      run: git fetch --prune --unshallow

    - uses: ./.github/actions/e2e

    # Update check run called "integration-fork"
    - uses: actions/github-script@v6
      id: update-check-run
      if: ${{ always() }}
      env:
        number: ${{ github.event.client_payload.pull_request.number }}
        job: ${{ github.job }}
        # Conveniently, job.status maps to https://developer.github.com/v3/checks/runs/#update-a-check-run
        conclusion: ${{ job.status }}
      with:
        github-token: ${{ secrets.GITHUB_TOKEN }}
        script: |
          const { data: pull } = await github.rest.pulls.get({
            ...context.repo,
            pull_number: process.env.number
          });
          const ref = pull.head.sha;
          console.log("\n\nPR sha: " + ref)
          const { data: checks } = await github.rest.checks.listForRef({
            ...context.repo,
            ref
          });
          console.log("\n\nPR CHECKS: " + checks)
          const check = checks.check_runs.filter(c => c.name === process.env.job);
          console.log("\n\nPR Filtered CHECK: " + check)
          console.log(check)
          const { data: result } = await github.rest.checks.update({
            ...context.repo,
            check_run_id: check[0].id,
            status: 'completed',
            conclusion: process.env.conclusion
          });
          return result;