Do not run int tests on push #773
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Integration Tests | |
on: | |
pull_request: | |
branches: | |
- main | |
paths: | |
- .github/workflows/integration-test*.yml | |
- earthaccess/** | |
- scripts/integration-test.sh | |
- tests/** | |
- uv.lock | |
pull_request_target: | |
branches: | |
- main | |
paths: | |
- .github/workflows/integration-test*.yml | |
- earthaccess/** | |
- scripts/integration-test.sh | |
- tests/** | |
- uv.lock | |
# When this workflow is queued, automatically cancel any previous running | |
# or pending jobs from the same branch | |
concurrency: | |
group: integration-tests-${{ github.ref }} | |
cancel-in-progress: true | |
jobs: | |
integration-tests: | |
# | |
# This condition prevents DUPLICATE attempts to run integration tests for | |
# PRs coming from FORKS. | |
# | |
# When a PR originates from a fork, both a pull_request and a | |
# pull_request_target event are triggered. This means that without a | |
# condition, GitHub will attempt to run integration tests TWICE, once for | |
# each event. | |
# | |
# To prevent this, this condition ensures that integration tests are run | |
# in only ONE of the following cases: | |
# | |
# 1. The event is NOT a pull_request (it's a pull_request_target) and the base | |
# repo is NOT the head repo (i.e., the PR is from a fork). | |
# 2. The event IS a pull_request AND the base repo IS the head repo | |
# (i.e., the PR is not from a fork). | |
# | |
if: (github.event_name != 'pull_request') == github.event.pull_request.head.repo.fork | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
python-version: ["3.9", "3.10", "3.11", "3.12"] | |
fail-fast: false | |
steps: | |
- name: Fetch user permission | |
if: github.event_name == 'pull_request_target' | |
id: permission | |
uses: actions-cool/check-user-permission@v2 | |
with: | |
require: write | |
username: ${{ github.triggering_actor }} | |
- name: Check user permission | |
# The name of the output require-result is a bit confusing, but when its value | |
# is 'false', it means that the triggering actor does NOT have the required | |
# permission. | |
if: github.event_name == 'pull_request_target' && steps.permission.outputs.require-result == 'false' | |
# If the triggering actor does not have write permission (i.e., this is a | |
# PR from a fork), then we exit, otherwise most of the integration tests will | |
# fail because they require access to secrets. In this case, a maintainer | |
# will need to make sure the PR looks safe, and if so, manually re-run the | |
# failed pull_request_target jobs. | |
run: | | |
echo "User **${{ github.triggering_actor }}** does not have permission to run integration tests." >> $GITHUB_STEP_SUMMARY | |
echo "A maintainer must perform a security review and re-run this build, if the code is safe." >> $GITHUB_STEP_SUMMARY | |
echo "See [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/resources/github-actions-preventing-pwn-requests)." >> $GITHUB_STEP_SUMMARY | |
exit 1 | |
- name: Checkout source | |
uses: actions/checkout@v4 | |
with: | |
# Getting the correct commit for a pull_request_target event appears to be | |
# a known, problematic issue: https://github.com/actions/checkout/issues/518 | |
# It seems that ideally, we want github.event.pull_request.merge_commit_sha, | |
# but that it is not reliable, and can sometimes be a null values. It | |
# appears that the most reasonable way to ensure that we are pulling the same | |
# code that triggered things is shown in this issue comment: | |
# https://github.com/actions/checkout/issues/518#issuecomment-1661941548 | |
# However, attempts to get that working resulted in getting an empty | |
# github.event.number, so we're resorting to this simpler approach, which | |
# is apparently less than ideal, but seems to be the best we can muster at | |
# this point. | |
ref: ${{ github.event.pull_request.head.sha }} | |
- name: Install package with dependencies | |
uses: ./.github/actions/install-pkg | |
with: | |
python-version: ${{ matrix.python-version }} | |
- name: Run integration tests | |
env: | |
EARTHDATA_USERNAME: ${{ secrets.EDL_USERNAME }} | |
EARTHDATA_PASSWORD: ${{ secrets.EDL_PASSWORD }} | |
run: ./scripts/integration-test.sh | |
- name: Upload coverage report | |
# Don't upload coverage when using the `act` tool to run the workflow locally | |
if: ${{ !env.ACT }} | |
uses: codecov/codecov-action@v4 |