| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155 |
- # Run secret-dependent e2e tests only after /ok-to-test approval
- on:
- pull_request:
- repository_dispatch:
- types: [ok-to-test-command]
- permissions:
- contents: read
- name: e2e tests
- env:
- # Common versions
- KIND_VERSION: 'v0.30.0'
- KIND_IMAGE: 'kindest/node:v1.33.4'
- TARGET_SHA: ${{ github.event.client_payload.slash_command.args.named.sha }}
- GHCR_USERNAME: ${{ github.actor }}
- AWS_REGION: "eu-central-1"
- jobs:
- # Same-repo pull request: build and test run as two jobs on separate runners.
- integration-trusted:
- permissions:
- id-token: write # for oidc auth with aws/gcp/azure
- contents: read # for checkout
- if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && github.actor !='dependabot[bot]'
- uses: ./.github/workflows/e2e-reusable.yml
- secrets:
- GCP_SERVICE_ACCOUNT_KEY: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}
- GCP_FED_REGION: ${{ secrets.GCP_FED_REGION }}
- GCP_GSA_NAME: ${{ secrets.GCP_GSA_NAME }}
- GCP_KSA_NAME: ${{ secrets.GCP_KSA_NAME }}
- GCP_FED_PROJECT_ID: ${{ secrets.GCP_FED_PROJECT_ID }}
- AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN }}
- AWS_SA_NAME: ${{ secrets.AWS_SA_NAME }}
- AWS_SA_NAMESPACE: ${{ secrets.AWS_SA_NAMESPACE }}
- TFC_AZURE_CLIENT_ID: ${{ secrets.TFC_AZURE_CLIENT_ID }}
- TFC_AZURE_CLIENT_SECRET: ${{ secrets.TFC_AZURE_CLIENT_SECRET }}
- TFC_AZURE_TENANT_ID: ${{ secrets.TFC_AZURE_TENANT_ID }}
- TFC_AZURE_SUBSCRIPTION_ID: ${{ secrets.TFC_AZURE_SUBSCRIPTION_ID }}
- TFC_VAULT_URL: ${{ secrets.TFC_VAULT_URL }}
- SCALEWAY_API_URL: ${{ secrets.SCALEWAY_API_URL }}
- SCALEWAY_REGION: ${{ secrets.SCALEWAY_REGION }}
- SCALEWAY_PROJECT_ID: ${{ secrets.SCALEWAY_PROJECT_ID }}
- SCALEWAY_ACCESS_KEY: ${{ secrets.SCALEWAY_ACCESS_KEY }}
- SCALEWAY_SECRET_KEY: ${{ secrets.SCALEWAY_SECRET_KEY }}
- DELINEA_TLD: ${{ secrets.DELINEA_TLD }}
- DELINEA_URL_TEMPLATE: ${{ secrets.DELINEA_URL_TEMPLATE }}
- DELINEA_TENANT: ${{ secrets.DELINEA_TENANT }}
- DELINEA_CLIENT_ID: ${{ secrets.DELINEA_CLIENT_ID }}
- DELINEA_CLIENT_SECRET: ${{ secrets.DELINEA_CLIENT_SECRET }}
- SECRETSERVER_USERNAME: ${{ secrets.SECRETSERVER_USERNAME }}
- SECRETSERVER_PASSWORD: ${{ secrets.SECRETSERVER_PASSWORD }}
- SECRETSERVER_URL: ${{ secrets.SECRETSERVER_URL }}
- GRAFANA_URL: ${{ secrets.GRAFANA_URL }}
- GRAFANA_TOKEN: ${{ secrets.GRAFANA_TOKEN }}
- AKEYLESS_ACCESS_ID: ${{ secrets.AKEYLESS_ACCESS_ID }}
- AKEYLESS_ACCESS_TYPE: ${{ secrets.AKEYLESS_ACCESS_TYPE }}
- AKEYLESS_ACCESS_TYPE_PARAM: ${{ secrets.AKEYLESS_ACCESS_TYPE_PARAM }}
- GITLAB_TOKEN: ${{ secrets.GITLAB_TOKEN }}
- GITLAB_PROJECT_ID: ${{ secrets.GITLAB_PROJECT_ID }}
- GITLAB_ENVIRONMENT: ${{ secrets.GITLAB_ENVIRONMENT }}
- ORACLE_USER_OCID: ${{ secrets.ORACLE_USER_OCID }}
- ORACLE_TENANCY_OCID: ${{ secrets.ORACLE_TENANCY_OCID }}
- ORACLE_REGION: ${{ secrets.ORACLE_REGION }}
- ORACLE_FINGERPRINT: ${{ secrets.ORACLE_FINGERPRINT }}
- ORACLE_KEY: ${{ secrets.ORACLE_KEY }}
- # Repo owner has commented /ok-to-test on a (fork-based) pull request.
- integration-fork:
- permissions:
- id-token: write # for oidc auth with aws/gcp/azure
- contents: read # for checkout
- if: github.event_name == 'repository_dispatch'
- uses: ./.github/workflows/e2e-reusable.yml
- secrets:
- GCP_SERVICE_ACCOUNT_KEY: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}
- GCP_FED_REGION: ${{ secrets.GCP_FED_REGION }}
- GCP_GSA_NAME: ${{ secrets.GCP_GSA_NAME }}
- GCP_KSA_NAME: ${{ secrets.GCP_KSA_NAME }}
- GCP_FED_PROJECT_ID: ${{ secrets.GCP_FED_PROJECT_ID }}
- AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN }}
- AWS_SA_NAME: ${{ secrets.AWS_SA_NAME }}
- AWS_SA_NAMESPACE: ${{ secrets.AWS_SA_NAMESPACE }}
- TFC_AZURE_CLIENT_ID: ${{ secrets.TFC_AZURE_CLIENT_ID }}
- TFC_AZURE_CLIENT_SECRET: ${{ secrets.TFC_AZURE_CLIENT_SECRET }}
- TFC_AZURE_TENANT_ID: ${{ secrets.TFC_AZURE_TENANT_ID }}
- TFC_AZURE_SUBSCRIPTION_ID: ${{ secrets.TFC_AZURE_SUBSCRIPTION_ID }}
- TFC_VAULT_URL: ${{ secrets.TFC_VAULT_URL }}
- SCALEWAY_API_URL: ${{ secrets.SCALEWAY_API_URL }}
- SCALEWAY_REGION: ${{ secrets.SCALEWAY_REGION }}
- SCALEWAY_PROJECT_ID: ${{ secrets.SCALEWAY_PROJECT_ID }}
- SCALEWAY_ACCESS_KEY: ${{ secrets.SCALEWAY_ACCESS_KEY }}
- SCALEWAY_SECRET_KEY: ${{ secrets.SCALEWAY_SECRET_KEY }}
- DELINEA_TLD: ${{ secrets.DELINEA_TLD }}
- DELINEA_URL_TEMPLATE: ${{ secrets.DELINEA_URL_TEMPLATE }}
- DELINEA_TENANT: ${{ secrets.DELINEA_TENANT }}
- DELINEA_CLIENT_ID: ${{ secrets.DELINEA_CLIENT_ID }}
- DELINEA_CLIENT_SECRET: ${{ secrets.DELINEA_CLIENT_SECRET }}
- SECRETSERVER_USERNAME: ${{ secrets.SECRETSERVER_USERNAME }}
- SECRETSERVER_PASSWORD: ${{ secrets.SECRETSERVER_PASSWORD }}
- SECRETSERVER_URL: ${{ secrets.SECRETSERVER_URL }}
- GRAFANA_URL: ${{ secrets.GRAFANA_URL }}
- GRAFANA_TOKEN: ${{ secrets.GRAFANA_TOKEN }}
- AKEYLESS_ACCESS_ID: ${{ secrets.AKEYLESS_ACCESS_ID }}
- AKEYLESS_ACCESS_TYPE: ${{ secrets.AKEYLESS_ACCESS_TYPE }}
- AKEYLESS_ACCESS_TYPE_PARAM: ${{ secrets.AKEYLESS_ACCESS_TYPE_PARAM }}
- GITLAB_TOKEN: ${{ secrets.GITLAB_TOKEN }}
- GITLAB_PROJECT_ID: ${{ secrets.GITLAB_PROJECT_ID }}
- GITLAB_ENVIRONMENT: ${{ secrets.GITLAB_ENVIRONMENT }}
- ORACLE_USER_OCID: ${{ secrets.ORACLE_USER_OCID }}
- ORACLE_TENANCY_OCID: ${{ secrets.ORACLE_TENANCY_OCID }}
- ORACLE_REGION: ${{ secrets.ORACLE_REGION }}
- ORACLE_FINGERPRINT: ${{ secrets.ORACLE_FINGERPRINT }}
- ORACLE_KEY: ${{ secrets.ORACLE_KEY }}
- # Report the fork run result back onto the originating pull request.
- report-fork:
- if: github.event_name == 'repository_dispatch' && always()
- needs: integration-fork
- runs-on: ubuntu-latest
- permissions:
- pull-requests: write # to publish the status as comments
- contents: read
- steps:
- - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
- with:
- egress-policy: audit
- - id: create_token
- uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
- env:
- APP_ID: ${{ secrets.APP_ID }}
- with:
- app-id: ${{ env.APP_ID }}
- private-key: ${{ secrets.PRIVATE_KEY }}
- owner: ${{ github.repository_owner }}
- - name: Update on Success
- if: needs.integration-fork.result == 'success'
- uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
- with:
- token: ${{ steps.create_token.outputs.token }}
- issue-number: ${{ github.event.client_payload.pull_request.number }}
- body: |
- [Bot] - :white_check_mark: [e2e for ${{ env.TARGET_SHA }} passed](https://github.com/external-secrets/external-secrets/actions/runs/${{ github.run_id }})
- - name: Update on Failure
- if: needs.integration-fork.result != 'success'
- uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
- with:
- token: ${{ steps.create_token.outputs.token }}
- issue-number: ${{ github.event.client_payload.pull_request.number }}
- body: |
- [Bot] - :x: [e2e for ${{ env.TARGET_SHA }} failed](https://github.com/external-secrets/external-secrets/actions/runs/${{ github.run_id }})
|