logic855
/
helm-external-secrets
зеркало из https://github.com/external-secrets/external-secrets


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113
							on:
  repository_dispatch:
    types: [ok-to-test-managed-command]

  pull_request:

permissions:
  contents: read

env:
  # Common versions
  DOCKER_BUILDX_VERSION: 'v0.4.2'

  # Common users. We can't run a step 'if secrets.GHCR_USERNAME != ""' but we can run
  # a step 'if env.GHCR_USERNAME' != ""', so we copy these to succinctly test whether
  # credentials have been provided before trying to run steps that need them.
  GHCR_USERNAME: ${{ github.actor }}
  GCP_SERVICE_ACCOUNT_KEY: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY}}
  USE_GKE_GCLOUD_AUTH_PLUGIN: true
  GCP_SM_SA_GKE_JSON: ${{ secrets.GCP_SM_SA_GKE_JSON}}
  GCP_GKE_CLUSTER: e2e
  TF_VAR_GCP_GKE_CLUSTER: e2e
  GCP_FED_REGION: ${{ secrets.GCP_FED_REGION}}
  TF_VAR_GCP_FED_REGION: ${{ secrets.GCP_FED_REGION }}
  GCP_KSA_NAME: ${{ secrets.GCP_KSA_NAME}} # Kubernetes Service Account
  TF_VAR_GCP_KSA_NAME: ${{ secrets.GCP_KSA_NAME}} # Kubernetes Service Account for tf
  GCP_FED_PROJECT_ID: ${{ secrets.GCP_FED_PROJECT_ID }}
  TF_VAR_GCP_FED_PROJECT_ID: ${{ secrets.GCP_FED_PROJECT_ID }}
  GCP_FED_SERVICE_ACCOUNT_EMAIL: ${{ secrets.GCP_FED_SERVICE_ACCOUNT_EMAIL }}
  GCP_FED_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_FED_WORKLOAD_IDENTITY_PROVIDER }}

  AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN}}
  AWS_SA_NAME: ${{ secrets.AWS_SA_NAME }}
  AWS_SA_NAMESPACE: ${{ secrets.AWS_SA_NAMESPACE }}
  AWS_REGION: "eu-central-1"
  AWS_CLUSTER_NAME: "eso-e2e-managed"
  TF_VAR_AWS_SA_NAME: ${{ secrets.AWS_SA_NAME }}
  TF_VAR_AWS_SA_NAMESPACE: ${{ secrets.AWS_SA_NAMESPACE }}
  TF_VAR_AWS_REGION: "eu-central-1"
  TF_VAR_AWS_CLUSTER_NAME: "eso-e2e-managed"

  TFC_AZURE_CLIENT_ID: ${{ secrets.TFC_AZURE_CLIENT_ID}}
  TFC_AZURE_CLIENT_SECRET: ${{ secrets.TFC_AZURE_CLIENT_SECRET }}
  TFC_AZURE_TENANT_ID: ${{ secrets.TFC_AZURE_TENANT_ID}}
  TFC_AZURE_SUBSCRIPTION_ID: ${{ secrets.TFC_AZURE_SUBSCRIPTION_ID }}
  TFC_VAULT_URL: ${{ secrets.TFC_VAULT_URL}}

  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  # TODO: temporarily replace vars for testing in PR
  GITHUB_PR_NUMBER: "5409"
  CLOUD_PROVIDER: "azure"
  #GITHUB_PR_NUMBER: ${{ github.event.client_payload.pull_request.number }}
  #CLOUD_PROVIDER: ${{ github.event.client_payload.slash_command.args.named.provider }}

name: managed e2e tests

jobs:
  run-e2e-managed:
    runs-on: ubuntu-latest
    # TODO: temporarily disabled to test in PR
    #if: github.event_name == 'repository_dispatch'
    permissions:
      id-token: write #for oidc auth with aws/gcp/azure
      checks: write   #publish the commit status
      contents: read  #for checkout
      packages: write #for publishing packages 
    steps:
    - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
      with:
        egress-policy: audit

    # Check out merge commit
    - name: Fork based /ok-to-test-managed checkout
      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
        ref: 'refs/pull/${{ env.GITHUB_PR_NUMBER }}/merge'

    - name: Fetch History
      run: git fetch --prune --unshallow

    - uses: ./.github/actions/e2e-managed

    # set status=completed
    - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
      if: ${{ always() }}
      env:
        number: ${{ env.GITHUB_PR_NUMBER }}
        provider: ${{ env.CLOUD_PROVIDER }}
        job: ${{ github.job }}
        # Conveniently, job.status maps to https://developer.github.com/v3/checks/runs/#update-a-check-run
        conclusion: ${{ job.status }}
      with:
        github-token: ${{ env.GITHUB_TOKEN }}
        script: |
          const { data: pull } = await github.rest.pulls.get({
            ...context.repo,
            pull_number: process.env.number
          });
          const ref = pull.head.sha;
          const { data: checks } = await github.rest.checks.listForRef({
            ...context.repo,
            ref
          });
          const job_name = "e2e-managed-" + process.env.provider
          const check = checks.check_runs.filter(c => c.name === job_name);
          const { data: result } = await github.rest.checks.update({
            ...context.repo,
            check_run_id: check[0].id,
            status: 'completed',
            conclusion: process.env.conclusion
          });
          return result;