e2e.yml 7.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155
  1. # Run secret-dependent e2e tests only after /ok-to-test approval
  2. on:
  3. pull_request:
  4. repository_dispatch:
  5. types: [ok-to-test-command]
  6. permissions:
  7. contents: read
  8. name: e2e tests
  9. env:
  10. # Common versions
  11. KIND_VERSION: 'v0.30.0'
  12. KIND_IMAGE: 'kindest/node:v1.33.4'
  13. TARGET_SHA: ${{ github.event.client_payload.slash_command.args.named.sha }}
  14. GHCR_USERNAME: ${{ github.actor }}
  15. AWS_REGION: "eu-central-1"
  16. jobs:
  17. # Same-repo pull request: build and test run as two jobs on separate runners.
  18. integration-trusted:
  19. permissions:
  20. id-token: write # for oidc auth with aws/gcp/azure
  21. contents: read # for checkout
  22. if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && github.actor !='dependabot[bot]'
  23. uses: ./.github/workflows/e2e-reusable.yml
  24. secrets:
  25. GCP_SERVICE_ACCOUNT_KEY: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}
  26. GCP_FED_REGION: ${{ secrets.GCP_FED_REGION }}
  27. GCP_GSA_NAME: ${{ secrets.GCP_GSA_NAME }}
  28. GCP_KSA_NAME: ${{ secrets.GCP_KSA_NAME }}
  29. GCP_FED_PROJECT_ID: ${{ secrets.GCP_FED_PROJECT_ID }}
  30. AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN }}
  31. AWS_SA_NAME: ${{ secrets.AWS_SA_NAME }}
  32. AWS_SA_NAMESPACE: ${{ secrets.AWS_SA_NAMESPACE }}
  33. TFC_AZURE_CLIENT_ID: ${{ secrets.TFC_AZURE_CLIENT_ID }}
  34. TFC_AZURE_CLIENT_SECRET: ${{ secrets.TFC_AZURE_CLIENT_SECRET }}
  35. TFC_AZURE_TENANT_ID: ${{ secrets.TFC_AZURE_TENANT_ID }}
  36. TFC_AZURE_SUBSCRIPTION_ID: ${{ secrets.TFC_AZURE_SUBSCRIPTION_ID }}
  37. TFC_VAULT_URL: ${{ secrets.TFC_VAULT_URL }}
  38. SCALEWAY_API_URL: ${{ secrets.SCALEWAY_API_URL }}
  39. SCALEWAY_REGION: ${{ secrets.SCALEWAY_REGION }}
  40. SCALEWAY_PROJECT_ID: ${{ secrets.SCALEWAY_PROJECT_ID }}
  41. SCALEWAY_ACCESS_KEY: ${{ secrets.SCALEWAY_ACCESS_KEY }}
  42. SCALEWAY_SECRET_KEY: ${{ secrets.SCALEWAY_SECRET_KEY }}
  43. DELINEA_TLD: ${{ secrets.DELINEA_TLD }}
  44. DELINEA_URL_TEMPLATE: ${{ secrets.DELINEA_URL_TEMPLATE }}
  45. DELINEA_TENANT: ${{ secrets.DELINEA_TENANT }}
  46. DELINEA_CLIENT_ID: ${{ secrets.DELINEA_CLIENT_ID }}
  47. DELINEA_CLIENT_SECRET: ${{ secrets.DELINEA_CLIENT_SECRET }}
  48. SECRETSERVER_USERNAME: ${{ secrets.SECRETSERVER_USERNAME }}
  49. SECRETSERVER_PASSWORD: ${{ secrets.SECRETSERVER_PASSWORD }}
  50. SECRETSERVER_URL: ${{ secrets.SECRETSERVER_URL }}
  51. GRAFANA_URL: ${{ secrets.GRAFANA_URL }}
  52. GRAFANA_TOKEN: ${{ secrets.GRAFANA_TOKEN }}
  53. AKEYLESS_ACCESS_ID: ${{ secrets.AKEYLESS_ACCESS_ID }}
  54. AKEYLESS_ACCESS_TYPE: ${{ secrets.AKEYLESS_ACCESS_TYPE }}
  55. AKEYLESS_ACCESS_TYPE_PARAM: ${{ secrets.AKEYLESS_ACCESS_TYPE_PARAM }}
  56. GITLAB_TOKEN: ${{ secrets.GITLAB_TOKEN }}
  57. GITLAB_PROJECT_ID: ${{ secrets.GITLAB_PROJECT_ID }}
  58. GITLAB_ENVIRONMENT: ${{ secrets.GITLAB_ENVIRONMENT }}
  59. ORACLE_USER_OCID: ${{ secrets.ORACLE_USER_OCID }}
  60. ORACLE_TENANCY_OCID: ${{ secrets.ORACLE_TENANCY_OCID }}
  61. ORACLE_REGION: ${{ secrets.ORACLE_REGION }}
  62. ORACLE_FINGERPRINT: ${{ secrets.ORACLE_FINGERPRINT }}
  63. ORACLE_KEY: ${{ secrets.ORACLE_KEY }}
  64. # Repo owner has commented /ok-to-test on a (fork-based) pull request.
  65. integration-fork:
  66. permissions:
  67. id-token: write # for oidc auth with aws/gcp/azure
  68. contents: read # for checkout
  69. if: github.event_name == 'repository_dispatch'
  70. uses: ./.github/workflows/e2e-reusable.yml
  71. secrets:
  72. GCP_SERVICE_ACCOUNT_KEY: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}
  73. GCP_FED_REGION: ${{ secrets.GCP_FED_REGION }}
  74. GCP_GSA_NAME: ${{ secrets.GCP_GSA_NAME }}
  75. GCP_KSA_NAME: ${{ secrets.GCP_KSA_NAME }}
  76. GCP_FED_PROJECT_ID: ${{ secrets.GCP_FED_PROJECT_ID }}
  77. AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN }}
  78. AWS_SA_NAME: ${{ secrets.AWS_SA_NAME }}
  79. AWS_SA_NAMESPACE: ${{ secrets.AWS_SA_NAMESPACE }}
  80. TFC_AZURE_CLIENT_ID: ${{ secrets.TFC_AZURE_CLIENT_ID }}
  81. TFC_AZURE_CLIENT_SECRET: ${{ secrets.TFC_AZURE_CLIENT_SECRET }}
  82. TFC_AZURE_TENANT_ID: ${{ secrets.TFC_AZURE_TENANT_ID }}
  83. TFC_AZURE_SUBSCRIPTION_ID: ${{ secrets.TFC_AZURE_SUBSCRIPTION_ID }}
  84. TFC_VAULT_URL: ${{ secrets.TFC_VAULT_URL }}
  85. SCALEWAY_API_URL: ${{ secrets.SCALEWAY_API_URL }}
  86. SCALEWAY_REGION: ${{ secrets.SCALEWAY_REGION }}
  87. SCALEWAY_PROJECT_ID: ${{ secrets.SCALEWAY_PROJECT_ID }}
  88. SCALEWAY_ACCESS_KEY: ${{ secrets.SCALEWAY_ACCESS_KEY }}
  89. SCALEWAY_SECRET_KEY: ${{ secrets.SCALEWAY_SECRET_KEY }}
  90. DELINEA_TLD: ${{ secrets.DELINEA_TLD }}
  91. DELINEA_URL_TEMPLATE: ${{ secrets.DELINEA_URL_TEMPLATE }}
  92. DELINEA_TENANT: ${{ secrets.DELINEA_TENANT }}
  93. DELINEA_CLIENT_ID: ${{ secrets.DELINEA_CLIENT_ID }}
  94. DELINEA_CLIENT_SECRET: ${{ secrets.DELINEA_CLIENT_SECRET }}
  95. SECRETSERVER_USERNAME: ${{ secrets.SECRETSERVER_USERNAME }}
  96. SECRETSERVER_PASSWORD: ${{ secrets.SECRETSERVER_PASSWORD }}
  97. SECRETSERVER_URL: ${{ secrets.SECRETSERVER_URL }}
  98. GRAFANA_URL: ${{ secrets.GRAFANA_URL }}
  99. GRAFANA_TOKEN: ${{ secrets.GRAFANA_TOKEN }}
  100. AKEYLESS_ACCESS_ID: ${{ secrets.AKEYLESS_ACCESS_ID }}
  101. AKEYLESS_ACCESS_TYPE: ${{ secrets.AKEYLESS_ACCESS_TYPE }}
  102. AKEYLESS_ACCESS_TYPE_PARAM: ${{ secrets.AKEYLESS_ACCESS_TYPE_PARAM }}
  103. GITLAB_TOKEN: ${{ secrets.GITLAB_TOKEN }}
  104. GITLAB_PROJECT_ID: ${{ secrets.GITLAB_PROJECT_ID }}
  105. GITLAB_ENVIRONMENT: ${{ secrets.GITLAB_ENVIRONMENT }}
  106. ORACLE_USER_OCID: ${{ secrets.ORACLE_USER_OCID }}
  107. ORACLE_TENANCY_OCID: ${{ secrets.ORACLE_TENANCY_OCID }}
  108. ORACLE_REGION: ${{ secrets.ORACLE_REGION }}
  109. ORACLE_FINGERPRINT: ${{ secrets.ORACLE_FINGERPRINT }}
  110. ORACLE_KEY: ${{ secrets.ORACLE_KEY }}
  111. # Report the fork run result back onto the originating pull request.
  112. report-fork:
  113. if: github.event_name == 'repository_dispatch' && always()
  114. needs: integration-fork
  115. runs-on: ubuntu-latest
  116. permissions:
  117. pull-requests: write # to publish the status as comments
  118. contents: read
  119. steps:
  120. - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
  121. with:
  122. egress-policy: audit
  123. - id: create_token
  124. uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
  125. env:
  126. APP_ID: ${{ secrets.APP_ID }}
  127. with:
  128. app-id: ${{ env.APP_ID }}
  129. private-key: ${{ secrets.PRIVATE_KEY }}
  130. owner: ${{ github.repository_owner }}
  131. - name: Update on Success
  132. if: needs.integration-fork.result == 'success'
  133. uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
  134. with:
  135. token: ${{ steps.create_token.outputs.token }}
  136. issue-number: ${{ github.event.client_payload.pull_request.number }}
  137. body: |
  138. [Bot] - :white_check_mark: [e2e for ${{ env.TARGET_SHA }} passed](https://github.com/external-secrets/external-secrets/actions/runs/${{ github.run_id }})
  139. - name: Update on Failure
  140. if: needs.integration-fork.result != 'success'
  141. uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
  142. with:
  143. token: ${{ steps.create_token.outputs.token }}
  144. issue-number: ${{ github.event.client_payload.pull_request.number }}
  145. body: |
  146. [Bot] - :x: [e2e for ${{ env.TARGET_SHA }} failed](https://github.com/external-secrets/external-secrets/actions/runs/${{ github.run_id }})