fix: allow forked PRs to access repo secrets

Signed-off-by: Mason Hu <[email protected]>
canonical · Sep 13, 2024 · 9c92adf · 9c92adf
1 parent dbdcc21
commit 9c92adf
Show file tree

Hide file tree

Showing 3 changed files with 247 additions and 5 deletions.
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
@@ -7,6 +7,7 @@ permissions:
 jobs:
 
   commits:
+    if: ${{ !github.event.pull_request.head.repo.fork }}
     permissions:
       pull-requests: read   # to get list of commits from the PR
     name: Canonical CLA signed and Signed-off-by (DCO)
@@ -25,8 +26,8 @@ jobs:
         commits: ${{ steps.get-pr-commits.outputs.commits }}
 
   lint-scss:
+    if: ${{ !github.event.pull_request.head.repo.fork }}
     runs-on: ubuntu-latest
-
     steps:
       - uses: actions/checkout@v4
 
@@ -37,8 +38,8 @@ jobs:
         run: yarn lint-scss
 
   lint-js:
+    if: ${{ !github.event.pull_request.head.repo.fork }}
     runs-on: ubuntu-latest
-
     steps:
       - uses: actions/checkout@v4
 
@@ -49,8 +50,8 @@ jobs:
         run: yarn lint-js
 
   check-inclusive-naming:
+    if: ${{ !github.event.pull_request.head.repo.fork }}
     runs-on: ubuntu-latest
-
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -63,6 +64,7 @@ jobs:
           fail-on-error: true
 
   browser-e2e-test:
+    if: ${{ !github.event.pull_request.head.repo.fork }}
     environment: ci-end-to-end
     name: e2e-tests
     runs-on: ubuntu-latest
@@ -178,7 +180,7 @@ jobs:
           retention-days: 1
 
   merge-e2e-reports:
-    if: always()
+    if: ${{ !github.event.pull_request.head.repo.fork }}
     needs: [browser-e2e-test]
     env:
       HTML_REPORT_URL_PATH: reports/pr-${{ github.event.number }}/${{ github.run_id }}/${{ github.run_attempt }}
@@ -222,6 +224,7 @@ jobs:
         echo "Please wait a few minute for the reports to get published before accessing the url!"
 
   js-tests:
+    if: ${{ !github.event.pull_request.head.repo.fork }}
     name: js-tests
     runs-on: ubuntu-latest
     steps:

diff --git a/.github/workflows/pr_forked.yaml b/.github/workflows/pr_forked.yaml
@@ -0,0 +1,237 @@
+name: Forked PR checks
+on: pull_request_target
+
+permissions:
+  contents: read
+
+jobs:
+
+  commits:
+    permissions:
+      pull-requests: read   # to get list of commits from the PR
+    name: Canonical CLA signed and Signed-off-by (DCO)
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check if CLA signed
+      uses: canonical/has-signed-canonical-cla@v1
+    - name: Get PR Commits
+      id: 'get-pr-commits'
+      uses: tim-actions/get-pr-commits@master
+      with:
+        token: ${{ secrets.GITHUB_TOKEN }}
+    - name: Check that all commits are signed-off
+      uses: tim-actions/dco@master
+      with:
+        commits: ${{ steps.get-pr-commits.outputs.commits }}
+
+  lint-scss:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install dependencies
+        run: yarn install --immutable
+
+      - name: Lint scss
+        run: yarn lint-scss
+
+  lint-js:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install node dependencies
+        run: yarn install --immutable
+
+      - name: Lint JS
+        run: yarn lint-js
+
+  check-inclusive-naming:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Check inclusive naming
+        uses: canonical/Inclusive-naming@main
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          reporter: github-pr-review
+          fail-on-error: true
+
+  browser-e2e-test:
+    environment: ci-end-to-end
+    name: e2e-tests
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        lxd_channel: ["5.0/edge", "5.21/edge", "latest/edge"]
+        browser: ["chromium", "firefox"]
+    outputs:
+      job_status: ${{job.status}}
+    env:
+      LXD_OIDC_CLIENT_ID: ${{ secrets.LXD_OIDC_CLIENT_ID }}
+      LXD_OIDC_ISSUER: ${{ secrets.LXD_OIDC_ISSUER }}
+      LXD_OIDC_AUDIENCE: ${{ secrets.LXD_OIDC_AUDIENCE }}
+      LXD_OIDC_USER: ${{ secrets.LXD_OIDC_USER }}
+      LXD_OIDC_PASSWORD: ${{ secrets.LXD_OIDC_PASSWORD }}
+      LXD_OIDC_GROUPS_CLAIM: ${{ secrets.LXD_OIDC_GROUPS_CLAIM }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Dotrun
+        run: |
+          sudo pip3 install dotrun
+
+      - name: Restore cached keys
+        uses: actions/cache/restore@v3
+        with:
+          path: keys
+          key: keys-folder
+
+      - name: Install LXD-UI dependencies
+        run: |
+          set -x
+          sudo chmod 0777 ../lxd-ui
+          dotrun install
+
+      - name: Run LXD-UI
+        env:
+          ENVIRONMENT: devel
+          PORT: 8407
+          LXD_UI_BACKEND_IP: 172.17.0.1
+        run: |
+          dotrun &
+          curl --head --fail --retry-delay 2 --retry 100 --retry-connrefused --insecure https://localhost:8407
+
+      - name: Set keys permissions
+        run: |
+          set -x
+          sudo chmod -R 0666 keys
+          sudo chmod 0777 keys
+          
+      - name: Save keys
+        uses: actions/cache/save@v3
+        with:
+          path: keys
+          key: keys-folder
+
+      - name: Install LXD
+        uses: canonical/[email protected]
+        with:
+          channel: ${{ matrix.lxd_channel }}
+
+      - name: Setup LXD
+        shell: bash
+        run: |
+          set -x
+          sudo lxc config set core.https_address "[::]:8443"
+          sudo lxc config trust add keys/lxd-ui.crt
+          sudo lxc config set cluster.https_address "127.0.0.1"
+          sudo lxc cluster enable local
+          sudo lxc config set user.show_permissions=true
+
+      - name: Create a custom image
+        shell: bash
+        run: |
+          set -x
+          sudo lxc launch ubuntu-minimal:22.04 my-instance
+          sudo lxc publish my-instance --alias my-custom-image --force
+          sudo lxc delete my-instance --force
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+
+      - name: Install Playwright Browsers
+        run: npx playwright install --with-deps ${{ matrix.browser }}
+
+      - name: Set lxd channel env variable
+        id: lxd-env
+        run: |
+          # need to change / to - in lxd channel string for report naming
+          LXD_CHANNEL=$(echo '${{ matrix.lxd_channel }}' | sed 's#/#-#g')
+          echo "LXD_CHANNEL=$LXD_CHANNEL" >> $GITHUB_OUTPUT
+
+      - name: Setup for tests
+        if: ${{ matrix.lxd_channel != '5.0/edge' }}
+        shell: bash
+        run: ./tests/scripts/setup_test
+
+      - name: Run Playwright tests
+        run: npx playwright test --project ${{ matrix.browser }}:lxd-${{ steps.lxd-env.outputs.LXD_CHANNEL }}
+
+      - name: Rename Playwright report
+        if: always()
+        run: mv blob-report/report.zip blob-report/${{ matrix.browser }}-lxd-${{ steps.lxd-env.outputs.LXD_CHANNEL }}-report.zip
+
+      - name: Upload ${{ matrix.browser }}-lxd-${{ steps.lxd-env.outputs.LXD_CHANNEL }} blob reports to be merged
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: blob-report-${{ matrix.browser }}-lxd-${{ steps.lxd-env.outputs.LXD_CHANNEL }}
+          path: blob-report
+          retention-days: 1
+
+  merge-e2e-reports:
+    needs: [browser-e2e-test]
+    env:
+      HTML_REPORT_URL_PATH: reports/pr-${{ github.event.number }}/${{ github.run_id }}/${{ github.run_attempt }}
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/setup-node@v4
+      with:
+        node-version: 20
+
+    - name: Download blob reports from GitHub Actions Artifacts
+      uses: actions/download-artifact@v4
+      with:
+        path: blob-reports
+        pattern: blob-report-*
+        merge-multiple: true
+
+    # NOTE: there is no need to install playwright dependencies since we only need to merge reports here
+    - name: Merge into HTML Report
+      run: npx playwright merge-reports --config=merge.playwright.config.ts ./blob-reports
+
+    - name: Save additional test information
+      if: always()
+      run: |
+        touch playwright-report/info.txt
+        echo "HTML_REPORT_URL_PATH:$HTML_REPORT_URL_PATH" >> playwright-report/info.txt
+        cat playwright-report/info.txt
+    
+    - uses: actions/upload-artifact@v4
+      if: always()
+      with:
+        name: playwright-report
+        path: playwright-report/
+        retention-days: 14
+
+    - name: Output Report URL as Worfklow Annotation
+      if: always()
+      run: |
+        FULL_HTML_REPORT_URL=https://canonical.github.io/lxd-ui/$HTML_REPORT_URL_PATH
+        echo "::notice title=Published Playwright Test Report::$FULL_HTML_REPORT_URL"
+        echo "Please wait a few minute for the reports to get published before accessing the url!"
+
+  js-tests:
+    name: js-tests
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Dotrun
+        run: |
+          sudo pip3 install dotrun
+
+      - name: Install LXD-UI dependencies
+        run: |
+          set -x
+          sudo chmod 0777 ../lxd-ui
+          dotrun install
+
+      - name: Run Javascript tests
+        run: dotrun test-js
diff --git a/.github/workflows/publish_test_reports.yml b/.github/workflows/publish_test_reports.yml
@@ -1,7 +1,9 @@
 name: Publish playwright test reports
 on:
     workflow_run:
-        workflows: [PR checks]
+        workflows: 
+          - PR checks
+          - Forked PR checks
         types: [completed]
 
 jobs: