[AAE-19026] Fix app permissions #4502
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "pull-request" | |
on: | |
workflow_call: | |
inputs: | |
dry-run-flag: | |
description: 'enable dry-run on artifact push' | |
required: false | |
type: boolean | |
default: true | |
devel: | |
description: 'devel' | |
required: false | |
type: string | |
default: false | |
cron-run: | |
description: 'disables jobs which should not run when cron runs e2es' | |
required: false | |
type: boolean | |
default: false | |
pull_request: | |
types: [opened, synchronize, reopened] | |
branches: | |
- develop | |
- master | |
- develop-patch* | |
- master-patch* | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
env: | |
BASE_REF: ${{ github.base_ref }} | |
HEAD_REF: ${{ github.head_ref }} | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
GITHUB_BRANCH: ${{ github.ref_name }} | |
GH_BUILD_DIR: ${{ github.workspace }} | |
GH_COMMIT: ${{ github.sha }} | |
BUILD_ID: ${{ github.run_id }} | |
GH_RUN_NUMBER: ${{ github.run_attempt }} | |
GH_BUILD_NUMBER: ${{ github.run_id }} | |
JOB_ID: ${{ github.run_id }} | |
PROXY_HOST_BPM: ${{ secrets.E2E_HOST }} | |
E2E_IDENTITY_HOST_APA: ${{ secrets.E2E_IDENTITY_HOST_APA }} | |
E2E_HOST_APA: ${{ secrets.E2E_HOST_APA }} | |
E2E_HOST: ${{ secrets.E2E_HOST }} | |
E2E_USERNAME: ${{ secrets.E2E_ADMIN_EMAIL_IDENTITY }} | |
E2E_PASSWORD: ${{ secrets.E2E_PASSWORD }} | |
E2E_ADMIN_EMAIL_IDENTITY: ${{ secrets.E2E_ADMIN_EMAIL_IDENTITY }} | |
E2E_ADMIN_PASSWORD_IDENTITY: ${{ secrets.E2E_ADMIN_PASSWORD_IDENTITY }} | |
USERNAME_ADF: ${{ secrets.E2E_ADMIN_EMAIL_IDENTITY }} | |
PASSWORD_ADF: ${{ secrets.E2E_PASSWORD }} | |
URL_HOST_ADF: "http://localhost:4200" | |
IDENTITY_ADMIN_EMAIL: ${{ secrets.E2E_ADMIN_EMAIL_IDENTITY }} | |
IDENTITY_ADMIN_PASSWORD: ${{ secrets.E2E_ADMIN_PASSWORD_IDENTITY }} | |
AWS_S3_BUCKET_ACTIVITI_LICENSE: ${{ secrets.AWS_S3_BUCKET_ACTIVITI_LICENSE }} | |
HOST_SSO: ${{ secrets.HOST_SSO }} | |
LOG_LEVEL: "ERROR" | |
E2E_LOG_LEVEL: "ERROR" | |
E2E_MODELER_USERNAME: ${{ secrets.E2E_MODELER_USERNAME }} | |
E2E_MODELER_PASSWORD: ${{ secrets.E2E_MODELER_PASSWORD }} | |
EXTERNAL_ACS_HOST: ${{ secrets.EXTERNAL_ACS_HOST }} | |
E2E_DEVOPS_USERNAME: ${{ secrets.E2E_DEVOPS_USERNAME }} | |
E2E_DEVOPS_PASSWORD: ${{ secrets.E2E_DEVOPS_PASSWORD }} | |
USERNAME_SUPER_ADMIN_ADF: ${{ secrets.USERNAME_SUPER_ADMIN_ADF }} | |
PASSWORD_SUPER_ADMIN_ADF: ${{ secrets.PASSWORD_SUPER_ADMIN_ADF }} | |
HR_USER: ${{ secrets.HR_USER }} | |
HR_USER_PASSWORD: ${{ secrets.HR_USER_PASSWORD }} | |
SMART_RUNNER_PATH: ".protractor-smartrunner" | |
S3_DBP_PATH: ${{ secrets.S3_DBP_PATH }} | |
S3_BUILD_BUCKET_SHORT_NAME: ${{ secrets.S3_BUILD_BUCKET_SHORT_NAME }} | |
NODE_OPTIONS: "--max-old-space-size=5120" | |
DOCKER_REPOSITORY_DOMAIN: ${{ secrets.DOCKER_REPOSITORY_DOMAIN }} | |
DOCKER_REPOSITORY_USER: ${{ secrets.DOCKER_REPOSITORY_USER }} | |
DOCKER_REPOSITORY_PASSWORD: ${{ secrets.DOCKER_REPOSITORY_PASSWORD }} | |
DOCKER_REPOSITORY_STORYBOOK: "${{ secrets.DOCKER_REPOSITORY_DOMAIN }}/alfresco/storybook" | |
DOCKER_REPOSITORY: "${{ secrets.DOCKER_REPOSITORY_DOMAIN }}/alfresco/demo-shell" | |
REPO_OWNER: "Alfresco" | |
REPO_NAME: "alfresco-ng2-components" | |
DEMO_SHELL_DIR: "./dist/demo-shell" | |
STORYBOOK_DIR: "./dist/storybook/stories" | |
BUILT_LIBS_DIR: "./dist/libs" | |
NODE_MODULES_DIR: "./node_modules" | |
SMART_RUNNER_DIRECTORY: ".protractor-smartrunner" | |
SAVE_SCREENSHOT: true | |
REDIRECT_URI: / | |
BROWSER_RUN: false | |
MAXINSTANCES: 2 | |
PLAYWRIGHT_WORKERS: 2 | |
PLAYWRIGHT_STORYBOOK_E2E_HOST: http://localhost | |
PLAYWRIGHT_STORYBOOK_E2E_PORT: 4400 | |
PROXY_HOST_ECM: ${{ secrets.E2E_HOST }} | |
jobs: | |
pre-checks: | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Ensure SHA pinned actions | |
uses: zgosalvez/github-actions-ensure-sha-pinned-actions@b1b635d24259e8a047a6ce7d6501ea432aa7a830 # v3.0.2 | |
- name: Check package-lock.json version | |
run: | | |
if [[ $(jq '.lockfileVersion == 3' package-lock.json) == "true" ]] ; then | |
echo "package-lock.json has a correct version" | |
else | |
echo "package-lock must be version 3" | |
exit 1 | |
fi | |
check-if-pr-is-approved: | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
fetch-depth: 0 | |
- name: Get branch name | |
uses: Alfresco/alfresco-build-tools/.github/actions/get-branch-name@b88340ccab0e8f2351eb1e056235f5671cfc5aab # v5.6.0 | |
- name: Save commit message | |
uses: Alfresco/alfresco-build-tools/.github/actions/get-commit-message@b88340ccab0e8f2351eb1e056235f5671cfc5aab # v5.6.0 | |
- name: ci:force flag parser | |
shell: bash | |
run: | | |
if [ "${{ github.event_name }}" == "schedule" ] || [ "${{ github.actor }}" == "dependabot[bot]" ]; then | |
echo -e "\033[32mci:force check can be skipped\033[0m" | |
skip_check="true" | |
elif [[ "$COMMIT_MESSAGE" == *"[ci:force]"* ]]; then | |
echo -e "\033[32m[ci:force] flag detected. No need for approval.\033[0m" | |
skip_check="true" | |
fi | |
- name: Get PR number | |
if: ${{ github.event_name != 'schedule' }} | |
uses: kamatama41/get-pr-number-action@0bcaab5752c0b699149e74667c8ce2f764cbb7fa # v0.9.1 | |
id: action | |
with: | |
github_token: ${{ secrets.GITHUB_TOKEN }} | |
- name: show pr number | |
shell: bash | |
run: | | |
echo "PR: ${{ steps.action.outputs.number }}" | |
- name: check if pr is approved | |
env: | |
DEVEL_FLAG: ${{ inputs.devel }} | |
GH_TOKEN: ${{ github.token }} | |
skip_check: "false" | |
run: | | |
if [ "${{ github.event_name }}" == "schedule" ] || [ "${{ github.actor }}" == "dependabot[bot]" ]; then | |
echo -e "\033[32mci:force check can be skipped\033[0m" | |
skip_check="true" | |
elif [[ "$COMMIT_MESSAGE" == *"[ci:force]"* ]]; then | |
echo -e "\033[32m[ci:force] flag detected. No need for approval.\033[0m" | |
skip_check="true" | |
fi | |
if [ "${{ github.actor }}" == "dependabot[bot]" ] || [ "${{ github.actor }}" == "alfresco-build" ]; then | |
echo -e "\033[32mCommit by ${{ github.actor }}. No need for approval.\033[0m" | |
skip_check="true" | |
fi | |
if [ "${{ github.event_name }}" == "schedule" ]; then | |
echo -e "\033[32mSchedule event\033[0m" | |
skip_check="true" | |
fi | |
if [[ "$DEVEL_FLAG" == "true" ]]; then | |
echo -e "\033[32mDevel flag\033[0m" | |
skip_check="true" | |
fi | |
if [ "$skip_check" == "false" ]; then | |
echo "Checking PR approval" | |
prNumber=${{ steps.action.outputs.number }} | |
echo "PR: $prNumber" | |
checkApproval=$(gh api /repos/$GITHUB_REPOSITORY/pulls/$prNumber/reviews | jq '.[] | select(.state == "APPROVED") | .user.login') | |
if [[ $checkApproval ]]; then | |
echo -e "\033[32mPR approved\033[0m" | |
else | |
echo -e "\033[31mPR NOT approved\033[0m" | |
exit 1 | |
fi | |
fi | |
setup: | |
# long timeout required when cache has to be recreated | |
timeout-minutes: 30 | |
name: "Setup" | |
runs-on: ubuntu-22.04 | |
needs: [check-if-pr-is-approved, pre-checks] | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
fetch-depth: 0 # Fetch all history for all tags and branches | |
- uses: ./.github/actions/setup | |
- name: install | |
run: | | |
npm ci | |
npx nx run cli:bundle | |
npx nx run testing:bundle | |
- run: npx nx print-affected $NX_CALCULATION_FLAGS | |
- uses: ./.github/actions/upload-node-modules-and-artifacts | |
unit-tests: | |
timeout-minutes: 30 | |
name: "Unit tests: ${{ matrix.unit-tests.name }}" | |
runs-on: ubuntu-22.04 | |
needs: [setup] | |
strategy: | |
fail-fast: false | |
# max-parallel: 4 | |
matrix: | |
unit-tests: | |
- name: js-api | |
exclude: "core,insights,content-services,process-services,process-services-cloud,eslint-plugin-eslint-angular" | |
- name: content-services | |
exclude: "insights,core,extensions,process-services,process-services-cloud,eslint-plugin-eslint-angular,js-api" | |
- name: core | |
exclude: "insights,content-services,process-services,process-services-cloud,eslint-plugin-eslint-angular,js-api" | |
- name: insights | |
exclude: "core,extensions,content-services,process-services-cloud,process-services,eslint-plugin-eslint-angular,js-api" | |
- name: process-services | |
exclude: "core,extensions,content-services,process-services-cloud,insights,eslint-plugin-eslint-angular,js-api" | |
- name: process-cloud | |
exclude: "insights,core,extensions,content-services,process-services,eslint-plugin-eslint-angular,js-api" | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
fetch-depth: 0 # Fetch all history for all tags and branches | |
- uses: ./.github/actions/setup | |
- uses: ./.github/actions/download-node-modules-and-artifacts | |
- name: Run unit tests | |
run: | | |
/usr/bin/xvfb-run --auto-servernum npx nx affected:test $NX_CALCULATION_FLAGS --exclude=${{ matrix.unit-tests.exclude }} | |
lint: | |
# long timeout required when cache has to be recreated | |
timeout-minutes: 30 | |
name: "Lint" | |
runs-on: ubuntu-22.04 | |
needs: [setup] | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
fetch-depth: 0 # Fetch all history for all tags and branches | |
- uses: ./.github/actions/setup | |
- uses: ./.github/actions/download-node-modules-and-artifacts | |
- run: npx nx affected --target=lint $NX_CALCULATION_FLAGS | |
build-libs: | |
# long timeout required when cache has to be recreated | |
timeout-minutes: 30 | |
name: "Build libs" | |
runs-on: ubuntu-22.04 | |
needs: [setup] | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
fetch-depth: 0 # Fetch all history for all tags and branches | |
- uses: ./.github/actions/setup | |
- uses: ./.github/actions/download-node-modules-and-artifacts | |
- run: npx nx affected:build $NX_CALCULATION_FLAGS --prod | |
- run: npx nx build demoshell --configuration production | |
- run: npx nx affected --target=build-storybook $NX_CALCULATION_FLAGS --configuration=ci --parallel=1 | |
- uses: ./.github/actions/upload-node-modules-and-artifacts | |
e2e-storybook: | |
timeout-minutes: 20 | |
name: "e2e: storybook" | |
needs: [build-libs, lint, unit-tests] | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
fetch-depth: 0 # Fetch all history for all | |
- uses: ./.github/actions/setup | |
- uses: ./.github/actions/download-node-modules-and-artifacts | |
- name: Process Cloud Storybook Playwright | |
run: | | |
npx playwright install chromium | |
sudo sysctl -w fs.inotify.max_user_watches=524288 | |
npx nx affected --target=e2e-playwright $NX_CALCULATION_FLAGS || exit 1 | |
- uses: ./.github/actions/upload-node-modules-and-artifacts | |
e2e: | |
timeout-minutes: 90 | |
name: "e2e: ${{ matrix.e2e-test.description }}" | |
needs: [build-libs, lint, unit-tests] | |
runs-on: ubuntu-22.04 | |
strategy: | |
fail-fast: false | |
# max-parallel: 4 | |
matrix: | |
e2e-test: | |
- description: "Core" | |
test-id: "core" | |
folder: "core" | |
provider: "ALL" | |
auth: "OAUTH" | |
check-cs-env: "true" | |
check-ps-env: "true" | |
deps: "testing" | |
- description: "Content: Components" | |
test-id: "content-services" | |
folder: "content-services/components" | |
provider: "ECM" | |
auth: "BASIC" | |
check-cs-env: "true" | |
deps: "testing" | |
- description: "Content: Directives" | |
test-id: "content-services" | |
folder: "content-services/directives" | |
provider: "ECM" | |
auth: "BASIC" | |
check-cs-env: "true" | |
deps: "testing" | |
- description: "Content: Document List" | |
test-id: "content-services" | |
folder: "content-services/document-list" | |
provider: "ECM" | |
auth: "BASIC" | |
check-cs-env: "true" | |
deps: "testing" | |
- description: "Content: Metadata" | |
test-id: "content-services" | |
folder: "content-services/metadata" | |
provider: "ECM" | |
auth: "BASIC" | |
check-cs-env: "true" | |
deps: "testing" | |
- description: "Content: Upload and Versioning" | |
test-id: "content-services" | |
folder: "content-services/upload" | |
provider: "ECM" | |
auth: "BASIC" | |
check-cs-env: "true" | |
deps: "testing" | |
- description: "Search" | |
test-id: "content-services" | |
folder: "search" | |
provider: "ECM" | |
auth: "BASIC" | |
check-cs-env: "true" | |
deps: "testing" | |
- description: "Process: Form" | |
test-id: "process-services" | |
folder: "process-services/form" | |
provider: "BPM" | |
auth: "OAUTH" | |
check-ps-env: "true" | |
check-external-cs-env: "true" | |
deps: "testing" | |
- description: "Process: Process" | |
test-id: "process-services" | |
folder: "process-services/process" | |
provider: "BPM" | |
auth: "OAUTH" | |
check-ps-env: "true" | |
check-external-cs-env: "true" | |
deps: "testing" | |
- description: "Process: Tasks" | |
test-id: "process-services" | |
folder: "process-services/tasks" | |
provider: "BPM" | |
auth: "OAUTH" | |
check-ps-env: "true" | |
check-external-cs-env: "true" | |
deps: "testing" | |
- description: "Process: Widget" | |
test-id: "process-services" | |
folder: "process-services/widgets" | |
provider: "BPM" | |
auth: "OAUTH" | |
check-ps-env: "true" | |
check-external-cs-env: "true" | |
deps: "testing" | |
- description: "Process Cloud: Form" | |
test-id: "process-services-cloud" | |
folder: "process-services-cloud/form-field" | |
provider: "ALL" | |
auth: "OAUTH" | |
apa-proxy: true | |
check-cs-env: "true" | |
check-ps-cloud-env: "true" | |
deps: "testing" | |
- description: "Process Cloud: Process" | |
test-id: "process-services-cloud" | |
folder: "process-services-cloud/process" | |
provider: "ALL" | |
auth: "OAUTH" | |
apa-proxy: true | |
check-cs-env: "true" | |
check-ps-cloud-env: "true" | |
deps: "testing" | |
- description: "Process Cloud: Start Task" | |
test-id: "process-services-cloud" | |
folder: "process-services-cloud/start-task" | |
provider: "ALL" | |
auth: "OAUTH" | |
apa-proxy: true | |
check-cs-env: "true" | |
check-ps-cloud-env: "true" | |
deps: "testing" | |
- description: "Process Cloud: Tasks List" | |
test-id: "process-services-cloud" | |
folder: "process-services-cloud/task-list" | |
provider: "ALL" | |
auth: "OAUTH" | |
apa-proxy: true | |
check-cs-env: "true" | |
check-ps-cloud-env: "true" | |
deps: "testing" | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
fetch-depth: 0 # Fetch all history for all | |
- uses: ./.github/actions/setup | |
with: | |
enable-cache: "true" | |
enable-node-modules-cache: "true" | |
- uses: ./.github/actions/download-node-modules-and-artifacts | |
- name: setup chrome | |
uses: ./.github/actions/setup-chrome | |
- name: e2e | |
uses: ./.github/actions/e2e | |
with: | |
e2e-test-id: ${{ matrix.e2e-test.test-id }} | |
e2e-test-folder: ${{ matrix.e2e-test.folder }} | |
e2e-test-provider: ${{ matrix.e2e-test.provider }} | |
e2e-test-auth: ${{ matrix.e2e-test.auth }} | |
check-cs-env: ${{ matrix.e2e-test.check-cs-env }} | |
check-ps-env: ${{ matrix.e2e-test.check-ps-env }} | |
check-ps-cloud-env: ${{ matrix.e2e-test.check-ps-cloud-env }} | |
check-external-cs-env: ${{ matrix.e2e-test.check-external-cs-env }} | |
apa-proxy: ${{ matrix.e2e-test.apa-proxy }} | |
deps: ${{ matrix.e2e-test.deps }} | |
PR-forbidden-labels: | |
if: ${{ inputs.cron-run == '' || inputs.cron-run == 'false' }} | |
runs-on: ubuntu-latest | |
steps: | |
- id: checkoutRepo | |
name: Checkout repository | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
fetch-depth: 1 | |
- name: PR contains forbidden labels | |
id: pr-forbidden | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
with: | |
script: | | |
const issueHasLabels = require('./scripts/github/update/check-issue-has-label.js'); | |
const checkLabels = ['next version ➡️', 'do not merge🙅🏻♂️']; | |
const hasLabel = await issueHasLabels({github, context, checkLabels}) | |
if(hasLabel) { | |
core.setFailed('The PR contains a forbidden label! You are not allowed to merge until the label is there.'); | |
} | |
- name: Check value after | |
run: | | |
echo "result ${{ toJson(steps.pr-forbidden.*.result) }}" && echo "result ${{ steps.pr-forbidden.*.result }}" | |
echo "result ${{ contains(toJson(steps.pr-forbidden.*.result), 'failure') }}" | |
finalize: | |
if: ${{ always() }} | |
runs-on: ubuntu-latest | |
name: Final Results | |
needs: [check-if-pr-is-approved, pre-checks, setup, unit-tests, lint, build-libs, e2e, e2e-storybook] | |
steps: | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Log e2e result | |
id: e2e-result | |
if: ${{ github.event_name == 'schedule' }} | |
uses: ./.github/actions/artifact-extract | |
with: | |
artifact-name: global-e2e-result | |
file-name: e2e-failures.txt | |
- name: identify-slack-group | |
id: groups | |
if: ${{ github.event_name == 'schedule' }} | |
uses: ./.github/actions/slack-group-area | |
with: | |
affected: ${{ steps.e2e-result.outputs.result }} | |
- uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0 | |
name: Nofify QA failure | |
if: ${{ github.event_name == 'schedule' && contains(needs.*.result, 'failure') }} | |
env: | |
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} | |
with: | |
channel-id: 'C016SMNNL8L' #guild-channel | |
slack-message: "🔴 Warning: The daily ADF cronjob failed\nWorkflow run : <https://github.com/Alfresco/alfresco-ng2-components/actions/runs/${{ github.run_id }}| here>\nDetails: ${{ steps.e2e-result.outputs.result }}\nArea: ${{ steps.groups.outputs.groups}}" | |
- name: workflow failure | |
run: exit 1 | |
if: ${{ contains(needs.*.result, 'failure') }} | |
- name: workflow canceled | |
run: exit 1 | |
if: ${{ contains(needs.*.result, 'cancelled') }} | |
- name: workflow success | |
run: exit 0 | |
if: ${{ contains(needs.*.result, 'success') }} | |