Build and Review PR #18 #80
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and Review PR | |
| run-name: 'Build and Review PR #${{ github.event.pull_request.number }}' | |
| on: | |
| # https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token | |
| # | |
| # This workflow uses the pull_request trigger which prevents write permissions on the | |
| # GH_TOKEN and secrets access from public forks. This should remain as a pull_request | |
| # trigger to minimize the access public forks have in the repository. The reduced | |
| # permissions are adequate but do mean that re-compiles and readme changes will have to be | |
| # made manually by the PR author. These auto-updates could be done by this workflow | |
| # for branches but in order to re-trigger a PR build (which is needed for status checks), | |
| # we would make the commits with a different user and their PAT. To minimize exposure | |
| # and complication we will request those changes be manually made by the PR author. | |
| pull_request: | |
| types: [opened, synchronize, reopened] | |
| # paths: | |
| # Do not include specific paths here. We always want this build to run and produce a | |
| # status check which are branch protection rules can use. If this is skipped because of | |
| # path filtering, a status check will not be created and we won't be able to merge the PR | |
| # without disabling that requirement. If we have a status check that is always produced, | |
| # we can also use that to require all branches be up to date before they are merged. | |
| jobs: | |
| build-and-review-pr: | |
| # This reusable workflow will check to see if an action's source code has changed based on | |
| # whether the PR includes files that match the files-with-code arg or are in one of the | |
| # dirs-with-code directories. If there are source code changes, this reusable workflow | |
| # will then run the action's build (if one was provided) and update the README.md with the | |
| # the latest version of the action. If those two steps result in any changes that need to | |
| # be committed, the workflow will fail because the PR needs some updates. Instructions for | |
| # updating the PR will be available in the build log, the workflow summary and as a PR | |
| # comment if the PR came from a branch (not a fork). | |
| # This workflow assumes: | |
| # - The main README.md is at the root of the repo | |
| # - The README contains a contribution guidelines and usage examples section | |
| uses: im-open/.github/.github/workflows/reusable-build-and-review-pr.yml@v1 | |
| with: | |
| action-name: ${{ github.repository }} | |
| default-branch: main | |
| readme-name: 'README.md' | |
| # The id of the contribution guidelines section of the README.md | |
| readme-contribution-id: '#contributing' | |
| # The id of the usage examples section of the README.md | |
| readme-examples-id: '#usage-examples' | |
| # The files that contain source code for the action. Only files that affect the action's execution | |
| # should be included like action.yml or package.json. Do not include files like README.md or .gitignore. | |
| # Files do not need to be explicitly provided here if they fall under one of the dirs in dirs-with-code. | |
| # ** This value must match the same files-with-code argument specified in increment-version-on-merge.yml. | |
| files-with-code: 'action.yml,package.json,package-lock.json' | |
| # The directories that contain source code for the action. Only dirs with files that affect the action's | |
| # execution should be included like src or dist. Do not include dirs like .github or node_modules. | |
| # ** This value must match the same dirs-with-code argument specified in increment-version-on-merge.yml. | |
| dirs-with-code: 'src,dist' | |
| # The npm script to run to build the action. This is typically 'npm run build' if the | |
| # action needs to be compiled. For composite-run-steps actions this is typically empty. | |
| build-command: 'npm run build' | |
| test: | |
| runs-on: ubuntu-latest | |
| env: | |
| ORG: 'im-open' | |
| THIS_REPO: 'setup-deploy-keys' | |
| INTERNAL_REPO_TO_CLONE: 'im-open/internal-repo-for-testing-purple-actions' | |
| INTERNAL_REPO_TO_CLONE_DIR: 'internal-repo-for-testing-purple-actions' | |
| # The private key which will be used to clone the internal & empty deploy-keys-testing repo. | |
| # The repo does not contain anything sensitive, it is just marked as internal so the key can be tested here. | |
| # This SSH key was generated as a readonly key (so no push abilities). | |
| INTERNAL_REPO_TO_CLONE_KEY: ${{ secrets.SSH_KEY_TESTING_REPO }} | |
| SSH_DEPLOY_KEY_INFO: | | |
| [ | |
| { "orgAndRepo": "im-open/internal-repo-for-testing-purple-actions", "envName" : "INTERNAL_REPO_TO_CLONE_KEY" } | |
| ] | |
| steps: | |
| #-------------------------------------- | |
| # SETUP | |
| #-------------------------------------- | |
| - name: Fail test job if fork | |
| run: | | |
| if [ "${{ github.event.pull_request.head.repo.fork }}" == "true" ]; then | |
| echo "This test job requires secrets that PRs from forks will not have access to. Before this PR can be merged, the tests should be run on an intermediate branch created by repository owners." | |
| exit 1 | |
| fi | |
| - name: '-------------------------------------------------------------------------------------------------------' | |
| run: echo "" | |
| - name: Setup - Checkout the action | |
| if: always() | |
| uses: actions/checkout@v4 | |
| - name: Setup - Verify the internal repo to clone dir does not exist | |
| if: always() | |
| run: ./test/assert-dir-does-not-exist.sh --path "./${{ env.INTERNAL_REPO_TO_CLONE_DIR }}" | |
| - name: Setup - Verify the ssh-agent is not running | |
| if: always() | |
| run: ./test/assert-ssh-agent-is-not-running.sh | |
| - name: Setup - Verify .gitconfig does not contain any insteadOf urls (because it does not exist) | |
| if: always() | |
| run: | | |
| if [ -f "~/.gitconfig" ] | |
| then | |
| echo "The .gitconfig file exists which is unexpected" | |
| exit 1 | |
| else | |
| echo "The .gitconfig file does not exist which is expected. No insteadOf rules exist." | |
| exit 0 | |
| fi | |
| - name: Setup - Verify the ssh config has no configuration (because it does not exist) | |
| working-directory: /home/runner | |
| if: always() | |
| run: | | |
| TARGET_FILE=".ssh/config" | |
| if [ -f "$TARGET_FILE" ] | |
| then | |
| echo "$TARGET_FILE exists which is NOT expected. Contents:" | |
| cat $TARGET_FILE | |
| exit 1 | |
| else | |
| echo "$TARGET_FILE does not exist which is expected." | |
| fi | |
| #-------------------------------------------- | |
| # VALIDATE STARTING CONDITIONS/NO PERMISSIONS | |
| #-------------------------------------------- | |
| - name: '-------------------------------------------------------------------------------------------------------' | |
| run: echo "" | |
| - name: When an internal repo is cloned with the default PAT | |
| if: always() | |
| id: internal-failure | |
| continue-on-error: true # This is needed because we expect the step to fail. We need it to "pass" in order for the test job to succeed. | |
| run: git clone [email protected]:${{ env.INTERNAL_REPO_TO_CLONE }}.git | |
| - name: Then the outcome should be failure because of lack of permissions to clone an internal repo | |
| if: always() | |
| run: ./test/assert-values-match.sh --name "step outcome" --expected "failure" --actual "${{ steps.internal-failure.outcome }}" | |
| - name: And the directory for the internal repo to clone should not exist | |
| if: always() | |
| run: ./test/assert-dir-does-not-exist.sh --path "./${{ env.INTERNAL_REPO_TO_CLONE_DIR }}" | |
| - name: And the ssh-agent should be running | |
| if: always() | |
| run: ./test/assert-ssh-agent-is-running.sh | |
| #-------------------------------------------- | |
| # SETUP DEPLOY KEYS AND CLONE INTERNAL REPO | |
| #-------------------------------------------- | |
| - name: '-------------------------------------------------------------------------------------------------------' | |
| run: echo "" | |
| - name: When setup-deploy-keys is run with a key for the internal repo | |
| if: always() | |
| id: setup-deploy-keys | |
| uses: ./ | |
| with: | |
| deploy-key-info: ${{ env.SSH_DEPLOY_KEY_INFO }} | |
| - name: And the internal repo is cloned | |
| if: always() | |
| id: internal-success | |
| run: git clone [email protected]:${{ env.INTERNAL_REPO_TO_CLONE }}.git | |
| - name: Then the outcome should be success | |
| if: always() | |
| run: ./test/assert-values-match.sh --name "step outcome" --expected "success" --actual "${{ steps.internal-success.outcome }}" | |
| - name: And the ssh-agent should be running | |
| if: always() | |
| run: ./test/assert-ssh-agent-is-running.sh | |
| - name: And the directory for the internal repo to clone dir should exist | |
| if: always() | |
| run: ./test/assert-dir-exists.sh --path "./${{ env.INTERNAL_REPO_TO_CLONE_DIR }}" | |
| - name: And the .gitconfig should exist with 3 entries for ${{ env.INTERNAL_REPO_TO_CLONE }} insteadOf urls | |
| if: always() | |
| run: | | |
| configEntries=$(git config --get-regexp "${{ steps.setup-deploy-keys.outputs.key-filename }}") | |
| count=0 | |
| while IFS=$'\n' read -ra ENTRIES; do | |
| for i in "${ENTRIES[@]}"; do | |
| count=$((count+1)) | |
| echo -e "\nEntry $count: '$i'" | |
| done | |
| done <<< "$configEntries" | |
| if [ $count -ne 3 ] | |
| then | |
| echo -e "\nExpected 3 insteadOf entries in .gitconfig but found $count" | |
| exit 1 | |
| else | |
| echo -e "\nThere were 3 insteadOf entries in the .gitconfig as expected." | |
| fi | |
| - name: And the ssh config should exist with an entry for ${{ env.INTERNAL_REPO_TO_CLONE }} | |
| if: always() | |
| run: | | |
| TARGET_FILE="/home/runner/.ssh/config" | |
| if [ -f "$TARGET_FILE" ] | |
| then | |
| echo "$TARGET_FILE exists which is expected." | |
| actualContent=$(cat $TARGET_FILE) | |
| else | |
| echo "$TARGET_FILE does not exist which is not expected" | |
| exit 1 | |
| fi | |
| rawExpectedContent=$(cat ./test/files/expected-ssh-host.txt) | |
| hostKey="${{ steps.setup-deploy-keys.outputs.key-filename }}" | |
| expectedContent=$(echo "${rawExpectedContent//REPLACEME/"$hostKey"}" ) | |
| ./test/assert-values-match.sh --name "ssh config" --expected "$expectedContent" --actual "$actualContent" | |
| #-------------------------------------------- | |
| # UN-PARSEABLE INPUT | |
| #-------------------------------------------- | |
| - name: '-------------------------------------------------------------------------------------------------------' | |
| run: echo "" | |
| - name: When setup-deploy-keys is run with an un-parseable input | |
| uses: ./ | |
| if: always() | |
| id: unparseable | |
| continue-on-error: true # This is needed because we expect the step to fail. We need it to "pass" in order for the test job to succeed. | |
| with: | |
| deploy-key-info: '[ orgAndRepo=im-open/internal-repo-for-testing-purple-actions, envName=INTERNAL_REPO_TO_CLONE_KEY ]' | |
| - name: Then the outcome should be failure | |
| if: always() | |
| run: ./test/assert-values-match.sh --name "step outcome" --expected "failure" --actual "${{ steps.unparseable.outcome }}" | |
| - name: And the validation-error output should be 'argument-parsing' | |
| if: always() | |
| run: ./test/assert-values-match.sh --name "validation-error" --expected "argument-parsing" --actual "${{ steps.unparseable.outputs.validation-error }}" | |
| #-------------------------------------------- | |
| # EMPTY ARRAY | |
| #-------------------------------------------- | |
| - name: '-------------------------------------------------------------------------------------------------------' | |
| run: echo "" | |
| - name: When setup-deploy-keys is run with an empty array | |
| uses: ./ | |
| if: always() | |
| id: empty-array | |
| continue-on-error: true # This is needed because we expect the step to fail. We need it to "pass" in order for the test job to succeed. | |
| with: | |
| deploy-key-info: '[]' | |
| - name: Then the outcome should be failure | |
| if: always() | |
| run: ./test/assert-values-match.sh --name "step outcome" --expected "failure" --actual "${{ steps.empty-array.outcome }}" | |
| - name: And the validation-error output should be 'empty-keys' | |
| if: always() | |
| run: ./test/assert-values-match.sh --name "validation-error" --expected "empty-keys" --actual "${{ steps.empty-array.outputs.validation-error }}" | |
| #-------------------------------------------- | |
| # EMPTY orgAndRepo ARG | |
| #-------------------------------------------- | |
| - name: '-------------------------------------------------------------------------------------------------------' | |
| run: echo "" | |
| - name: When setup-deploy-keys is run with a missing orgAndRepo | |
| uses: ./ | |
| if: always() | |
| id: missing-orgAndRepo | |
| continue-on-error: true # This is needed because we expect the step to fail. We need it to "pass" in order for the test job to succeed. | |
| with: | |
| deploy-key-info: | | |
| [ | |
| { "orgAndRepo": "", "envName" : "INTERNAL_REPO_TO_CLONE_KEY" } | |
| ] | |
| - name: Then the outcome should be failure | |
| if: always() | |
| run: ./test/assert-values-match.sh --name "step outcome" --expected "failure" --actual "${{ steps.missing-orgAndRepo.outcome }}" | |
| - name: And the validation-error output should be 'missing-orgAndRepo' | |
| if: always() | |
| run: ./test/assert-values-match.sh --name "validation-error" --expected "missing-orgAndRepo" --actual "${{ steps.missing-orgAndRepo.outputs.validation-error }}" | |
| #-------------------------------------------- | |
| # EMPTY envName ARG | |
| #-------------------------------------------- | |
| - name: '-------------------------------------------------------------------------------------------------------' | |
| run: echo "" | |
| - name: When setup-deploy-keys is run with a missing envName | |
| uses: ./ | |
| if: always() | |
| id: missing-envName | |
| continue-on-error: true # This is needed because we expect the step to fail. We need it to "pass" in order for the test job to succeed. | |
| with: | |
| deploy-key-info: | | |
| [ | |
| { "orgAndRepo": "im-open/internal-repo-for-testing-purple-actions", "envName" : "" } | |
| ] | |
| - name: Then the outcome should be failure | |
| if: always() | |
| run: ./test/assert-values-match.sh --name "step outcome" --expected "failure" --actual "${{ steps.missing-envName.outcome }}" | |
| - name: And the validation-error output should be 'missing-envName' | |
| if: always() | |
| run: ./test/assert-values-match.sh --name "validation-error" --expected "missing-envName" --actual "${{ steps.missing-envName.outputs.validation-error }}" | |
| #-------------------------------------------- | |
| # UNPOPULATED ENV VAR FOR SECRET | |
| #-------------------------------------------- | |
| - name: '-------------------------------------------------------------------------------------------------------' | |
| run: echo "" | |
| - name: When setup-deploy-keys is run with an unpopulated env var | |
| uses: ./ | |
| if: always() | |
| id: unpopulated-env | |
| continue-on-error: true # This is needed because we expect the step to fail. We need it to "pass" in order for the test job to succeed. | |
| with: | |
| deploy-key-info: | | |
| [ | |
| { "orgAndRepo": "im-open/internal-repo-for-testing-purple-actions", "envName" : "UNPOPULATED_ENV_VARIABLE" } | |
| ] | |
| - name: Then the outcome should be failure | |
| if: always() | |
| run: ./test/assert-values-match.sh --name "step outcome" --expected "failure" --actual "${{ steps.unpopulated-env.outcome }}" | |
| - name: And the validation-error output should be 'unpopulated-env-var' | |
| if: always() | |
| run: ./test/assert-values-match.sh --name "validation-error" --expected "unpopulated-env-var" --actual "${{ steps.unpopulated-env.outputs.validation-error }}" | |
| - name: '-------------------------------------------------------------------------------------------------------' | |
| run: echo "" |