-
Notifications
You must be signed in to change notification settings - Fork 1
35 lines (30 loc) · 1.95 KB
/
pr-e2e.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
# The on.pull_request_target runs on changes to a pull request. Contrary to the on.pull_request, this pipeline has access to secrets and can therefore run e2e tests.
# DANGEROUS: 1) with access to secrets it is possible to steal those by a pull request that executes code that reads the secrets and exfiltrates those.
# DANGEROUS: 2) the GITHUB_TOKEN has read and write permissions by default. Therefore, restrict the permissions with the permissions field
# To adress (1), we use an environment pr-e2e-approval that will only execute the job after an explicit approval from team member (after inspecting the code for non-malicious activity).
# If the author of the PR is OWNER, MEMBER or COLLOBORATOR, the environment pr-e2e-no-approval is used that does not require an explicit approval.
# Requiremenets:
# 1) pr-e2e-approval environment configured to require approval before running
# 2) pr-e2e-no-approval environment configured that does not require approval.
name: PullRequest E2E Test
on:
pull_request_target:
paths-ignore:
- '*.md'
# on pull_request_target, the GITHUB_TOKEN has read/write access to the repository content by default, so restrict it to read only
permissions:
contents: read
jobs:
run-e2e-test:
uses: ./.github/workflows/e2e_test.yaml
with:
checkout-ref: ${{ github.event.pull_request.head.sha }}
environment: ${{ github.event_name == 'pull_request_target' && contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.pull_request.author_association) && 'pr-e2e-no-approval' || 'pr-e2e-approval' }}
secrets:
CLI_SERVER_URL: ${{ secrets.CLI_SERVER_URL }}
GLOBAL_ACCOUNT: ${{ secrets.GLOBAL_ACCOUNT }}
IDP_URL: ${{ secrets.IDP_URL }}
SECOND_DIRECTORY_ADMIN_EMAIL: ${{ secrets.SECOND_DIRECTORY_ADMIN_EMAIL }}
CIS_CENTRAL_BINDING: ${{ secrets.CIS_CENTRAL_BINDING }}
BTP_TECHNICAL_USER: ${{ secrets.BTP_TECHNICAL_USER }}
TECHNICAL_USER_EMAIL: ${{ secrets.TECHNICAL_USER_EMAIL }}