[Snyk] Fix for 5 vulnerabilities #34
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Run secret-dependent e2e tests only after /ok-to-test approval | |
on: | |
pull_request: | |
repository_dispatch: | |
types: [ok-to-test-command] | |
permissions: | |
id-token: write | |
checks: write | |
contents: read | |
name: e2e tests | |
env: | |
# Common versions | |
GO_VERSION: '1.19' | |
GINKGO_VERSION: 'v2.8.0' | |
DOCKER_BUILDX_VERSION: 'v0.4.2' | |
KIND_VERSION: 'v0.17.0' | |
KIND_IMAGE: 'kindest/node:v1.26.0' | |
# Common users. We can't run a step 'if secrets.GHCR_USERNAME != ""' but we can run | |
# a step 'if env.GHCR_USERNAME' != ""', so we copy these to succinctly test whether | |
# credentials have been provided before trying to run steps that need them. | |
GHCR_USERNAME: ${{ secrets.GHCR_USERNAME }} | |
GCP_SM_SA_JSON: ${{ secrets.GCP_SM_SA_JSON}} | |
GCP_GKE_ZONE: ${{ secrets.GCP_GKE_ZONE}} | |
GCP_GSA_NAME: ${{ secrets.GCP_GSA_NAME}} # Goolge Service Account | |
GCP_KSA_NAME: ${{ secrets.GCP_KSA_NAME}} # Kubernetes Service Account | |
GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID}} | |
AWS_REGION: "eu-central-1" | |
AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN }} | |
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID}} | |
AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET}} | |
TENANT_ID: ${{ secrets.TENANT_ID}} | |
VAULT_URL: ${{ secrets.VAULT_URL}} | |
jobs: | |
integration-trusted: | |
runs-on: ubuntu-latest | |
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && github.actor !='dependabot[bot]' | |
steps: | |
- name: Branch based PR checkout | |
uses: actions/checkout@v3 | |
- name: Fetch History | |
run: git fetch --prune --unshallow | |
- uses: ./.github/actions/e2e | |
# Repo owner has commented /ok-to-test on a (fork-based) pull request | |
integration-fork: | |
runs-on: ubuntu-latest | |
if: github.event_name == 'repository_dispatch' | |
steps: | |
# Check out merge commit | |
- name: Fork based /ok-to-test checkout | |
uses: actions/checkout@v3 | |
with: | |
ref: 'refs/pull/${{ github.event.client_payload.pull_request.number }}/merge' | |
- name: Fetch History | |
run: git fetch --prune --unshallow | |
- uses: ./.github/actions/e2e | |
# Update check run called "integration-fork" | |
- uses: actions/github-script@v6 | |
id: update-check-run | |
if: ${{ always() }} | |
env: | |
number: ${{ github.event.client_payload.pull_request.number }} | |
job: ${{ github.job }} | |
# Conveniently, job.status maps to https://developer.github.com/v3/checks/runs/#update-a-check-run | |
conclusion: ${{ job.status }} | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
script: | | |
const { data: pull } = await github.rest.pulls.get({ | |
...context.repo, | |
pull_number: process.env.number | |
}); | |
const ref = pull.head.sha; | |
console.log("\n\nPR sha: " + ref) | |
const { data: checks } = await github.rest.checks.listForRef({ | |
...context.repo, | |
ref | |
}); | |
console.log("\n\nPR CHECKS: " + checks) | |
const check = checks.check_runs.filter(c => c.name === process.env.job); | |
console.log("\n\nPR Filtered CHECK: " + check) | |
console.log(check) | |
const { data: result } = await github.rest.checks.update({ | |
...context.repo, | |
check_run_id: check[0].id, | |
status: 'completed', | |
conclusion: process.env.conclusion | |
}); | |
return result; |