From 74985fed0d88ea07f9ae95607b404fd9bb3df11e Mon Sep 17 00:00:00 2001
From: Laura Beatris <48022589+LauraBeatris@users.noreply.github.com>
Date: Tue, 5 Nov 2024 07:32:49 -0300
Subject: [PATCH] chore(repo): Add workflow to approve integration tests for fork PRs (#4482)
---
 .changeset/odd-colts-sing.md | 2 +
 .github/workflows/ci.yml | 9 +++
 .github/workflows/run-integration-tests.yml | 90 +++++++++++++++++++++
 3 files changed, 101 insertions(+)
 create mode 100644 .changeset/odd-colts-sing.md
 create mode 100644 .github/workflows/run-integration-tests.yml
diff --git a/.changeset/odd-colts-sing.md b/.changeset/odd-colts-sing.md
new file mode 100644
index 0000000000..a845151cc8
--- /dev/null
+++ b/.changeset/odd-colts-sing.md
@@ -0,0 +1,2 @@
+---
+---
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 423ca06fcb..a29b956c3a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,6 +2,11 @@ name: CI on: workflow_dispatch: + inputs: + run_integration_tests: + description: 'Run integration tests' + type: boolean + default: false merge_group: pull_request: branches:
@@ -133,6 +138,10 @@ jobs: integration-tests: name: Integration Tests + # Skip for fork PRs to prevent security vulnerabilities (no secrets) + # Runs if it comes from the root repo or once it gets approved by a maintainer + if: | + github.event.inputs.run_integration_tests == 'true' || github.event.pull_request.head.repo.full_name == github.repository needs: formatting-linting runs-on: ${{ vars.RUNNER_LARGE || 'ubuntu-latest-l' }} timeout-minutes: ${{ vars.TIMEOUT_MINUTES_LONG && fromJSON(vars.TIMEOUT_MINUTES_LONG) || 15 }}
diff --git a/.github/workflows/run-integration-tests.yml b/.github/workflows/run-integration-tests.yml
new file mode 100644
index 0000000000..330c9d94b7
--- /dev/null
+++ b/.github/workflows/run-integration-tests.yml
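Review bot: In the second ci.yml hunk, the new `if:` on `integration-tests` silently drops the job from `merge_group` runs: that event carries no `github.event.pull_request`, so the head-repo comparison is false and `run_integration_tests` is unset, leaving a job that previously ran unconditionally skipped in the merge queue. If the queue is meant to keep running it, add `github.event_name == 'merge_group' ||` as a third alternative; the merge-queue ref lives in this repository, so secrets are available there. A run started through the new `workflow_dispatch` input likewise has no `pull_request` context, so any step in the rest of this job (outside the hunk) that reads `github.event.pull_request.*` will see empty values — worth checking before relying on the dispatch path. The comment above the condition could also state the dispatch precondition explicitly, e.g. `# workflow_dispatch runs are only started by run-integration-tests.yml after a maintainer approval`.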
@@ -0,0 +1,90 @@ +# This workflow exists as a security measure for handling fork PRs. +# Since GitHub doesn't share repository secrets with fork PRs (for security), +# this workflow acts as a manual approval mechanism where Clerk org members can +# trigger integration tests on fork PRs by commenting '!run-integration-tests' +name: Run Integration Tests +run-name: Executed by ${{ github.actor }} + +on: + issue_comment: + types: [created] + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }}-${{ github.actor }} + cancel-in-progress: true + +jobs: + run-tests: + if: ${{ startsWith(github.event.comment.body, '!run-integration-tests') && github.repository == 'clerk/javascript' && github.event.issue.pull_request }} + runs-on: ${{ vars.RUNNER_LARGE || 'ubuntu-latest-l' }} + timeout-minutes: ${{ vars.TIMEOUT_MINUTES_NORMAL && fromJSON(vars.TIMEOUT_MINUTES_NORMAL) || 10 }} + + permissions: + contents: read + id-token: write + + steps: + - name: Limit action to Clerk members + uses: actions/github-script@v7 + with: + result-encoding: string + retries: 3 + retry-exempt-status-codes: 400,401 + github-token: ${{ secrets.CLERK_COOKIE_PAT }} + script: | + const isMember = await github.rest.orgs.checkMembershipForUser({ + org: 'clerk', + username: context.actor + }); + if (!isMember) { + core.setFailed(`@${actor} is not a member of the Clerk organization`); + } + + - name: Checkout repo + uses: actions/checkout@v4 + with: + ref: refs/pull/${{ github.event.issue.number }}/head + + - name: Ensure the PR hasn't changed since initiating the !run-integration-tests command + uses: actions/github-script@v7 + with: + result-encoding: string + retries: 3 + retry-exempt-status-codes: 400,401 + github-token: ${{ secrets.CLERK_COOKIE_PAT }} + script: | + const commentCreated = new Date(context.payload.comment.created_at); + + const pr = await github.rest.pulls.get({ + owner: 'clerk', + repo: 'javascript', + pull_number: context.issue.number, + }); + + const prLastUpdated = new 
Date(pr.updated_at); + + if (prLastUpdated > commentCreated) { + core.setFailed("The PR has been updated since !run-integration-tests was initiated. Please review the changes and re-run the !run-integration-tests command."); + } + + - name: Trigger Integration Tests + uses: actions/github-script@v7 + with: + github-token: ${{ secrets.CLERK_COOKIE_PAT }} + script: | + await github.rest.actions.createWorkflowDispatch({ + owner: 'clerk', + repo: 'javascript', + workflow_id: 'ci.yml', + ref: context.payload.pull_request.head.ref, + inputs: { + run_integration_tests: 'true' + } + }); + + - name: Update Comment + uses: peter-evans/create-or-update-comment@v3.0.0 + with: + token: ${{ secrets.CLERK_COOKIE_PAT }} + comment-id: ${{ github.event.comment.id }} + reactions: heart
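Review bot: The "Ensure the PR hasn't changed" guard can never fail: `github.rest.pulls.get` resolves to a response object, so `pr.updated_at` is undefined, `new Date(undefined)` is an Invalid Date, and the `>` comparison is always false — it should read `const prLastUpdated = new Date(pr.data.updated_at);` (and since `updated_at` moves on any PR activity, confirm the approval comment itself does not trip the check). The trigger step has the same shape problem: an `issue_comment` payload has no top-level `pull_request`, so `context.payload.pull_request.head.ref` throws, and even `pr.data.head.ref` names a branch in the fork that `createWorkflowDispatch` against `clerk/javascript` is unlikely to resolve — passing the PR number as a dispatch input and checking out `refs/pull/N/head` in the dispatched run is one alternative grounded in what this workflow already does. In the membership step `isMember` is the response object and always truthy, and `actor` is not defined, so non-members are rejected only by the 404 the client throws (after the configured retries) rather than by the intended `core.setFailed`; the rewrite below makes the outcome explicit and exempts 404 from retries. The `Checkout repo` step is not used by any later step yet places fork-controlled files on a runner holding `CLERK_COOKIE_PAT` and `id-token: write`, so it can be dropped.
```yaml
          retry-exempt-status-codes: 400,401,404
          github-token: ${{ secrets.CLERK_COOKIE_PAT }}
          script: |
            let status;
            try {
              ({ status } = await github.rest.orgs.checkMembershipForUser({
                org: 'clerk',
                username: context.actor
              }));
            } catch (err) {
              if (err.status !== 404) throw err;
              status = err.status;
            }
            if (status !== 204) {
              core.setFailed(`@${context.actor} is not a member of the Clerk organization`);
            }
# … unchanged: freshness step up to the pulls.get call (Checkout step removed) …
            const prLastUpdated = new Date(pr.data.updated_at);
# … unchanged: comparison, trigger and comment steps …
```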