forked from external-secrets/external-secrets
-
Notifications
You must be signed in to change notification settings - Fork 0
150 lines (135 loc) · 5.72 KB
/
e2e.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
# Run secret-dependent e2e tests only after /ok-to-test approval
on:
pull_request:
repository_dispatch:
types: [ok-to-test-command]
permissions:
contents: read
issues: write
pull-requests: write
checks: write
statuses: read
name: e2e tests
env:
# Common versions
GO_VERSION: '1.21'
GINKGO_VERSION: 'v2.8.0'
DOCKER_BUILDX_VERSION: 'v0.4.2'
KIND_VERSION: 'v0.17.0'
KIND_IMAGE: 'kindest/node:v1.26.0'
# Common users. We can't run a step 'if secrets.GHCR_USERNAME != ""' but we can run
# a step 'if env.GHCR_USERNAME' != ""', so we copy these to succinctly test whether
# credentials have been provided before trying to run steps that need them.
TARGET_SHA: ${{ github.event.client_payload.slash_command.args.named.sha }}
GHCR_USERNAME: ${{ secrets.GHCR_USERNAME }}
GCP_SM_SA_JSON: ${{ secrets.GCP_SM_SA_JSON}}
GCP_GKE_ZONE: ${{ secrets.GCP_GKE_ZONE}}
GCP_GSA_NAME: ${{ secrets.GCP_GSA_NAME}} # Goolge Service Account
GCP_KSA_NAME: ${{ secrets.GCP_KSA_NAME}} # Kubernetes Service Account
GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID}}
AWS_REGION: "eu-central-1"
AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN }}
TFC_AZURE_CLIENT_ID: ${{ secrets.TFC_AZURE_CLIENT_ID}}
TFC_AZURE_CLIENT_SECRET: ${{ secrets.TFC_AZURE_CLIENT_SECRET }}
TFC_AZURE_TENANT_ID: ${{ secrets.TFC_AZURE_TENANT_ID}}
TFC_AZURE_SUBSCRIPTION_ID: ${{ secrets.TFC_AZURE_SUBSCRIPTION_ID }}
TFC_VAULT_URL: ${{ secrets.TFC_VAULT_URL}}
SCALEWAY_API_URL: ${{ secrets.SCALEWAY_API_URL }}
SCALEWAY_REGION: ${{ secrets.SCALEWAY_REGION }}
SCALEWAY_PROJECT_ID: ${{ secrets.SCALEWAY_PROJECT_ID }}
SCALEWAY_ACCESS_KEY: ${{ secrets.SCALEWAY_ACCESS_KEY }}
SCALEWAY_SECRET_KEY: ${{ secrets.SCALEWAY_SECRET_KEY }}
DELINEA_TLD: ${{ secrets.DELINEA_TLD }}
DELINEA_URL_TEMPLATE: ${{ secrets.DELINEA_URL_TEMPLATE }}
DELINEA_TENANT: ${{ secrets.DELINEA_TENANT }}
DELINEA_CLIENT_ID: ${{ secrets.DELINEA_CLIENT_ID }}
DELINEA_CLIENT_SECRET: ${{ secrets.DELINEA_CLIENT_SECRET }}
SECRETSERVER_USERNAME: ${{ secrets.SECRETSERVER_USERNAME }}
SECRETSERVER_PASSWORD: ${{ secrets.SECRETSERVER_PASSWORD }}
SECRETSERVER_URL: ${{ secrets.SECRETSERVER_URL }}
jobs:
integration-trusted:
runs-on: ubuntu-latest
permissions:
id-token: write
checks: write
contents: read
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && github.actor !='dependabot[bot]'
steps:
- name: Branch based PR checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Fetch History
run: git fetch --prune --unshallow
- uses: ./.github/actions/e2e
# Repo owner has commented /ok-to-test on a (fork-based) pull request
integration-fork:
runs-on: ubuntu-latest
permissions:
id-token: write
checks: write
contents: read
if: github.event_name == 'repository_dispatch'
steps:
# Check out merge commit
- name: Fork based /ok-to-test checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
ref: '${{ env.TARGET_SHA }}'
- name: Fetch History
run: git fetch --prune --unshallow
- id: e2e
uses: ./.github/actions/e2e
- id: create_token
uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
with:
app_id: ${{ secrets.APP_ID }}
private_key: ${{ secrets.PRIVATE_KEY }}
# Update check run called "integration-fork"
- uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
id: update-check-run
if: ${{ always() }}
env:
number: ${{ github.event.client_payload.pull_request.number }}
job: ${{ github.job }}
# Conveniently, job.status maps to https://developer.github.com/v3/checks/runs/#update-a-check-run
conclusion: ${{ job.status }}
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const { data: pull } = await github.rest.pulls.get({
...context.repo,
pull_number: process.env.number
});
const ref = pull.head.sha;
console.log("\n\nPR sha: " + ref)
const { data: checks } = await github.rest.checks.listForRef({
...context.repo,
ref
});
console.log("\n\nPR CHECKS: " + checks)
const check = checks.check_runs.filter(c => c.name === process.env.job);
console.log("\n\nPR Filtered CHECK: " + check)
console.log(check)
const { data: result } = await github.rest.checks.update({
...context.repo,
check_run_id: check[0].id,
status: 'completed',
conclusion: process.env.conclusion
});
return result;
- name: Update on Succeess
if: always() && steps.e2e.conclusion == 'success'
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
with:
token: ${{ steps.create_token.outputs.token }}
issue-number: ${{ github.event.client_payload.pull_request.number }}
body: |
[Bot] - :white_check_mark: [e2e for ${{ env.TARGET_SHA }} passed](https://github.com/external-secrets/external-secrets/actions/runs/${{ github.run_id }})
- name: Update on Failure
if: always() && steps.e2e.conclusion != 'success'
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
with:
token: ${{ steps.create_token.outputs.token }}
issue-number: ${{ github.event.client_payload.pull_request.number }}
body: |
[Bot] - :x: [e2e for ${{ env.TARGET_SHA }} failed](https://github.com/external-secrets/external-secrets/actions/runs/${{ github.run_id }})