-
Notifications
You must be signed in to change notification settings - Fork 2
350 lines (293 loc) · 16.1 KB
/
build-and-review-pr.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
name: Build and Review PR
run-name: 'Build and Review PR #${{ github.event.pull_request.number }}'
on:
# https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
#
# This workflow uses the pull_request trigger which prevents write permissions on the
# GH_TOKEN and secrets access from public forks. This should remain as a pull_request
# trigger to minimize the access public forks have in the repository. The reduced
# permissions are adequate but do mean that re-compiles and readme changes will have to be
# made manually by the PR author. These auto-updates could be done by this workflow
# for branches but in order to re-trigger a PR build (which is needed for status checks),
# we would make the commits with a different user and their PAT. To minimize exposure
# and complication we will request those changes be manually made by the PR author.
pull_request:
types: [opened, synchronize, reopened]
# paths:
# Do not include specific paths here. We always want this build to run and produce a
# status check which are branch protection rules can use. If this is skipped because of
# path filtering, a status check will not be created and we won't be able to merge the PR
# without disabling that requirement. If we have a status check that is always produced,
# we can also use that to require all branches be up to date before they are merged.
jobs:
build-and-review-pr:
# This reusable workflow will check to see if an action's source code has changed based on
# whether the PR includes files that match the files-with-code arg or are in one of the
# dirs-with-code directories. If there are source code changes, this reusable workflow
# will then run the action's build (if one was provided) and update the README.md with the
# the latest version of the action. If those two steps result in any changes that need to
# be committed, the workflow will fail because the PR needs some updates. Instructions for
# updating the PR will be available in the build log, the workflow summary and as a PR
# comment if the PR came from a branch (not a fork).
# This workflow assumes:
# - The main README.md is at the root of the repo
# - The README contains a contribution guidelines and usage examples section
uses: im-open/.github/.github/workflows/reusable-build-and-review-pr.yml@v1
with:
action-name: ${{ github.repository }}
default-branch: main
readme-name: 'README.md'
# The id of the contribution guidelines section of the README.md
readme-contribution-id: '#contributing'
# The id of the usage examples section of the README.md
readme-examples-id: '#usage-examples'
# The files that contain source code for the action. Only files that affect the action's execution
# should be included like action.yml or package.json. Do not include files like README.md or .gitignore.
# Files do not need to be explicitly provided here if they fall under one of the dirs in dirs-with-code.
# ** This value must match the same files-with-code argument specified in increment-version-on-merge.yml.
files-with-code: 'action.yml,package.json,package-lock.json'
# The directories that contain source code for the action. Only dirs with files that affect the action's
# execution should be included like src or dist. Do not include dirs like .github or node_modules.
# ** This value must match the same dirs-with-code argument specified in increment-version-on-merge.yml.
dirs-with-code: 'src,dist'
# The npm script to run to build the action. This is typically 'npm run build' if the
# action needs to be compiled. For composite-run-steps actions this is typically empty.
build-command: 'npm run build'
test:
runs-on: ubuntu-latest
env:
ORG: 'im-open'
THIS_REPO: 'setup-deploy-keys'
INTERNAL_REPO_TO_CLONE: 'im-open/internal-repo-for-testing-purple-team'
INTERNAL_REPO_TO_CLONE_DIR: 'internal-repo-for-testing'
# The private key which will be used to clone the internal & empty deploy-keys-testing repo.
# The repo does not contain anything sensitive, it is just marked as internal so the key can be tested here.
# This SSH key was generated as a readonly key (so no push abilities).
INTERNAL_REPO_TO_CLONE_KEY: ${{ secrets.SSH_KEY_TESTING_REPO }}
SSH_DEPLOY_KEY_INFO: |
[
{ "orgAndRepo": "im-open/internal-repo-for-testing-purple-team", "envName" : "INTERNAL_REPO_TO_CLONE_KEY" }
]
steps:
#--------------------------------------
# SETUP
#--------------------------------------
- name: Fail test job if fork
run: |
if [ "${{ github.event.pull_request.head.repo.fork }}" == "true" ]; then
echo "This test job requires secrets that PRs from forks will not have access to. Before this PR can be merged, the tests should be run on an intermediate branch created by repository owners."
exit 1
fi
- name: '-------------------------------------------------------------------------------------------------------'
run: echo ""
- name: Setup - Checkout the action
if: always()
uses: actions/checkout@v3
- name: Setup - Verify the internal repo to clone dir does not exist
if: always()
run: ./test/assert-dir-does-not-exist.sh --path "./${{ env.INTERNAL_REPO_TO_CLONE_DIR }}"
- name: Setup - Verify the ssh-agent is not running
if: always()
run: ./test/assert-ssh-agent-is-not-running.sh
- name: Setup - Verify .gitconfig does not contain any insteadOf urls (because it does not exist)
if: always()
run: |
if [ -f "~/.gitconfig" ]
then
echo "The .gitconfig file exists which is unexpected"
exit 1
else
echo "The .gitconfig file does not exist which is expected. No insteadOf rules exist."
exit 0
fi
- name: Setup - Verify the ssh config has no configuration (because it does not exist)
working-directory: /home/runner
if: always()
run: |
TARGET_FILE=".ssh/config"
if [ -f "$TARGET_FILE" ]
then
echo "$TARGET_FILE exists which is NOT expected. Contents:"
cat $TARGET_FILE
exit 1
else
echo "$TARGET_FILE does not exist which is expected."
fi
#--------------------------------------------
# VALIDATE STARTING CONDITIONS/NO PERMISSIONS
#--------------------------------------------
- name: '-------------------------------------------------------------------------------------------------------'
run: echo ""
- name: When an internal repo is cloned with the default PAT
if: always()
id: internal-failure
continue-on-error: true # This is needed because we expect the step to fail. We need it to "pass" in order for the test job to succeed.
run: git clone [email protected]:${{ env.INTERNAL_REPO_TO_CLONE }}.git
- name: Then the outcome should be failure because of lack of permissions to clone an internal repo
if: always()
run: ./test/assert-values-match.sh --name "step outcome" --expected "failure" --actual "${{ steps.internal-failure.outcome }}"
- name: And the directory for the internal repo to clone should not exist
if: always()
run: ./test/assert-dir-does-not-exist.sh --path "./${{ env.INTERNAL_REPO_TO_CLONE_DIR }}"
- name: And the ssh-agent should be running
if: always()
run: ./test/assert-ssh-agent-is-running.sh
#--------------------------------------------
# SETUP DEPLOY KEYS AND CLONE INTERNAL REPO
#--------------------------------------------
- name: '-------------------------------------------------------------------------------------------------------'
run: echo ""
- name: When setup-deploy-keys is run with a key for the internal repo
if: always()
id: setup-deploy-keys
uses: ./
with:
deploy-key-info: ${{ env.SSH_DEPLOY_KEY_INFO }}
- name: And the internal repo is cloned
if: always()
id: internal-success
run: git clone [email protected]:${{ env.INTERNAL_REPO_TO_CLONE }}.git
- name: Then the outcome should be success
if: always()
run: ./test/assert-values-match.sh --name "step outcome" --expected "success" --actual "${{ steps.internal-success.outcome }}"
- name: And the ssh-agent should be running
if: always()
run: ./test/assert-ssh-agent-is-running.sh
- name: And the directory for the internal repo to clone dir should exist
if: always()
run: ./test/assert-dir-exists.sh --path "./${{ env.INTERNAL_REPO_TO_CLONE_DIR }}"
- name: And the .gitconfig should exist with 3 entries for ${{ env.INTERNAL_REPO_TO_CLONE }} insteadOf urls
if: always()
run: |
configEntries=$(git config --get-regexp "${{ steps.setup-deploy-keys.outputs.key-filename }}")
count=0
while IFS=$'\n' read -ra ENTRIES; do
for i in "${ENTRIES[@]}"; do
count=$((count+1))
echo -e "\nEntry $count: '$i'"
done
done <<< "$configEntries"
if [ $count -ne 3 ]
then
echo -e "\nExpected 3 insteadOf entries in .gitconfig but found $count"
exit 1
else
echo -e "\nThere were 3 insteadOf entries in the .gitconfig as expected."
fi
- name: And the ssh config should exist with an entry for ${{ env.INTERNAL_REPO_TO_CLONE }}
if: always()
run: |
TARGET_FILE="/home/runner/.ssh/config"
if [ -f "$TARGET_FILE" ]
then
echo "$TARGET_FILE exists which is expected."
actualContent=$(cat $TARGET_FILE)
else
echo "$TARGET_FILE does not exist which is not expected"
exit 1
fi
rawExpectedContent=$(cat ./test/files/expected-ssh-host.txt)
hostKey="${{ steps.setup-deploy-keys.outputs.key-filename }}"
expectedContent=$(echo "${rawExpectedContent//REPLACEME/"$hostKey"}" )
./test/assert-values-match.sh --name "ssh config" --expected "$expectedContent" --actual "$actualContent"
#--------------------------------------------
# UN-PARSEABLE INPUT
#--------------------------------------------
- name: '-------------------------------------------------------------------------------------------------------'
run: echo ""
- name: When setup-deploy-keys is run with an un-parseable input
uses: ./
if: always()
id: unparseable
continue-on-error: true # This is needed because we expect the step to fail. We need it to "pass" in order for the test job to succeed.
with:
deploy-key-info: '[ orgAndRepo=im-open/internal-repo-for-testing-purple-team, envName=INTERNAL_REPO_TO_CLONE_KEY ]'
- name: Then the outcome should be failure
if: always()
run: ./test/assert-values-match.sh --name "step outcome" --expected "failure" --actual "${{ steps.unparseable.outcome }}"
- name: And the validation-error output should be 'argument-parsing'
if: always()
run: ./test/assert-values-match.sh --name "validation-error" --expected "argument-parsing" --actual "${{ steps.unparseable.outputs.validation-error }}"
#--------------------------------------------
# EMPTY ARRAY
#--------------------------------------------
- name: '-------------------------------------------------------------------------------------------------------'
run: echo ""
- name: When setup-deploy-keys is run with an empty array
uses: ./
if: always()
id: empty-array
continue-on-error: true # This is needed because we expect the step to fail. We need it to "pass" in order for the test job to succeed.
with:
deploy-key-info: '[]'
- name: Then the outcome should be failure
if: always()
run: ./test/assert-values-match.sh --name "step outcome" --expected "failure" --actual "${{ steps.empty-array.outcome }}"
- name: And the validation-error output should be 'empty-keys'
if: always()
run: ./test/assert-values-match.sh --name "validation-error" --expected "empty-keys" --actual "${{ steps.empty-array.outputs.validation-error }}"
#--------------------------------------------
# EMPTY orgAndRepo ARG
#--------------------------------------------
- name: '-------------------------------------------------------------------------------------------------------'
run: echo ""
- name: When setup-deploy-keys is run with a missing orgAndRepo
uses: ./
if: always()
id: missing-orgAndRepo
continue-on-error: true # This is needed because we expect the step to fail. We need it to "pass" in order for the test job to succeed.
with:
deploy-key-info: |
[
{ "orgAndRepo": "", "envName" : "INTERNAL_REPO_TO_CLONE_KEY" }
]
- name: Then the outcome should be failure
if: always()
run: ./test/assert-values-match.sh --name "step outcome" --expected "failure" --actual "${{ steps.missing-orgAndRepo.outcome }}"
- name: And the validation-error output should be 'missing-orgAndRepo'
if: always()
run: ./test/assert-values-match.sh --name "validation-error" --expected "missing-orgAndRepo" --actual "${{ steps.missing-orgAndRepo.outputs.validation-error }}"
#--------------------------------------------
# EMPTY envName ARG
#--------------------------------------------
- name: '-------------------------------------------------------------------------------------------------------'
run: echo ""
- name: When setup-deploy-keys is run with a missing envName
uses: ./
if: always()
id: missing-envName
continue-on-error: true # This is needed because we expect the step to fail. We need it to "pass" in order for the test job to succeed.
with:
deploy-key-info: |
[
{ "orgAndRepo": "im-open/internal-repo-for-testing-purple-team", "envName" : "" }
]
- name: Then the outcome should be failure
if: always()
run: ./test/assert-values-match.sh --name "step outcome" --expected "failure" --actual "${{ steps.missing-envName.outcome }}"
- name: And the validation-error output should be 'missing-envName'
if: always()
run: ./test/assert-values-match.sh --name "validation-error" --expected "missing-envName" --actual "${{ steps.missing-envName.outputs.validation-error }}"
#--------------------------------------------
# UNPOPULATED ENV VAR FOR SECRET
#--------------------------------------------
- name: '-------------------------------------------------------------------------------------------------------'
run: echo ""
- name: When setup-deploy-keys is run with an unpopulated env var
uses: ./
if: always()
id: unpopulated-env
continue-on-error: true # This is needed because we expect the step to fail. We need it to "pass" in order for the test job to succeed.
with:
deploy-key-info: |
[
{ "orgAndRepo": "im-open/internal-repo-for-testing-purple-team", "envName" : "UNPOPULATED_ENV_VARIABLE" }
]
- name: Then the outcome should be failure
if: always()
run: ./test/assert-values-match.sh --name "step outcome" --expected "failure" --actual "${{ steps.unpopulated-env.outcome }}"
- name: And the validation-error output should be 'unpopulated-env-var'
if: always()
run: ./test/assert-values-match.sh --name "validation-error" --expected "unpopulated-env-var" --actual "${{ steps.unpopulated-env.outputs.validation-error }}"
- name: '-------------------------------------------------------------------------------------------------------'
run: echo ""