Skip to content

Finalizing the open-sourcing of the provider #17

Finalizing the open-sourcing of the provider

Finalizing the open-sourcing of the provider #17

Workflow file for this run

# The on.pull_request_target runs on changes to a pull request. Contrary to the on.pull_request, this pipeline has access to secrets and can therefore run e2e tests.
# DANGEROUS: 1) with access to secrets it is possible to steal those by a pull request that executes code that reads the secrets and exfiltrates those.
# DANGEROUS: 2) the GITHUB_TOKEN has read and write permissions by default. Therefore, restrict the permissions with the permissions field
# To adress (1), we use an environment pr-e2e-approval that will only execute the job after an explicit approval from team member (after inspecting the code for non-malicious activity).
# If the author of the PR is OWNER, MEMBER or COLLOBORATOR, the environment pr-e2e-no-approval is used that does not require an explicit approval.
# Requiremenets:
# 1) pr-e2e-approval environment configured to require approval before running
# 2) pr-e2e-no-approval environment configured that does not require approval.
name: PullRequest E2E Test
on:
pull_request_target:
paths-ignore:
- '*.md'
# on pull_request_target, the GITHUB_TOKEN has read/write access to the repository content by default, so restrict it to read only
permissions:
contents: read
jobs:
run-e2e-test:
uses: ./.github/workflows/e2e_test.yaml
with:
checkout-ref: ${{ github.event.pull_request.merge_commit_sha }}
environment: ${{ github.event_name == 'pull_request_target' && contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.pull_request.author_association) && 'pr-e2e-no-approval' || 'pr-e2e-approval' }}
secrets:
CLI_SERVER_URL: ${{ secrets.CLI_SERVER_URL }}
GLOBAL_ACCOUNT: ${{ secrets.GLOBAL_ACCOUNT }}
IDP_URL: ${{ secrets.IDP_URL }}
SECOND_DIRECTORY_ADMIN_EMAIL: ${{ secrets.SECOND_DIRECTORY_ADMIN_EMAIL }}
CIS_CENTRAL_BINDING: ${{ secrets.CIS_CENTRAL_BINDING }}
BTP_TECHNICAL_USER: ${{ secrets.BTP_TECHNICAL_USER }}
TECHNICAL_USER_EMAIL: ${{ secrets.TECHNICAL_USER_EMAIL }}