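---
name: Integration Tests

# yamllint disable-line rule:truthy
on:
  push:
    branches:
      - main
    paths:
      - .github/workflows/integration-test*.yml
      - earthaccess/**
      - scripts/integration-test.sh
      - tests/**
      - uv.lock
  pull_request:
    branches:
      - main
    paths:
      - .github/workflows/integration-test*.yml
      - earthaccess/**
      - scripts/integration-test.sh
      - tests/**
      - uv.lock
  # pull_request_target runs in the context of the BASE repository, with access
  # to secrets, even for PRs from forks. That is what lets fork PRs run the
  # integration tests at all, and also why the job below checks the triggering
  # actor's permission before it checks out the PR's code.
  pull_request_target:
    branches:
      - main
    paths:
      - .github/workflows/integration-test*.yml
      - earthaccess/**
      - scripts/integration-test.sh
      - tests/**
      - uv.lock

# Least privilege for the default GITHUB_TOKEN: no step in this workflow writes
# to the repository, and fork-supplied code is executed further down, so keep
# the token read-only.
# NOTE(review): confirm on a real run that the permission lookup and the
# coverage upload still succeed with a read-only token.
permissions:
  contents: read

# When this workflow is queued, automatically cancel any previous running
# or pending jobs for the same branch / pull request.
#
# The group includes the event name and prefers the PR number over github.ref:
# for pull_request_target events github.ref is the BASE branch, so keying on
# github.ref alone puts every fork-PR run and every push to main into the same
# group, letting any one of them cancel the others.
concurrency:
  group: integration-tests-${{ github.event_name }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs:
  integration-tests:
    #
    # This condition prevents DUPLICATE attempts to run integration tests for
    # PRs coming from FORKS.
    #
    # When a PR originates from a fork, both a pull_request and a
    # pull_request_target event are triggered. This means that without a
    # condition, GitHub will attempt to run integration tests TWICE, once for
    # each event.
    #
    # To prevent this, this condition ensures that integration tests are run
    # in only ONE of the following cases:
    #
    # 1. The event is NOT a pull_request (it's a pull_request_target) and the base
    #    repo is NOT the head repo (i.e., the PR is from a fork).
    # 2. The event IS a pull_request AND the base repo IS the head repo
    #    (i.e., the PR is not from a fork).
    #
    # Pushes to main are neither event and carry no github.event.pull_request,
    # so the fork comparison alone sees a missing value there; GitHub's
    # expression evaluator compares a missing value against a boolean by
    # casting both to numbers (null -> 0, true -> 1), which makes the
    # comparison false and would skip the job on every push. The explicit
    # push clause keeps the push trigger above effective.
    #
    if: github.event_name == 'push' || (github.event_name != 'pull_request') == github.event.pull_request.head.repo.fork
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # Quoted so that "3.10" is not read as the float 3.1.
        python-version: ["3.10", "3.11", "3.12", "3.13"]
      fail-fast: false
    steps:
      - name: Fetch user permission
        if: github.event_name == 'pull_request_target'
        id: permission
        # NOTE(review): this third-party action runs in a job that holds
        # secrets; pinning `uses:` to a full commit SHA instead of the movable
        # `v2` tag would close the window in which a retagged release changes
        # what runs here.
        uses: actions-cool/check-user-permission@v2
        with:
          require: write
          # triggering_actor rather than actor, so that when a maintainer
          # re-runs a failed fork-PR job (see the next step) it is the
          # maintainer's permission that is checked.
          username: ${{ github.triggering_actor }}
      - name: Check user permission
        # The name of the output require-result is a bit confusing, but when its value
        # is 'false', it means that the triggering actor does NOT have the required
        # permission.
        if: github.event_name == 'pull_request_target' && steps.permission.outputs.require-result == 'false'
        # If the triggering actor does not have write permission (i.e., this is a
        # PR from a fork), then we exit, otherwise most of the integration tests will
        # fail because they require access to secrets. In this case, a maintainer
        # will need to make sure the PR looks safe, and if so, manually re-run the
        # failed pull_request_target jobs.
        env:
          # Passed through the environment instead of being interpolated with
          # ${{ }} straight into the script, so the value is never re-parsed as
          # shell syntax.
          TRIGGERING_ACTOR: ${{ github.triggering_actor }}
        run: |
          {
            echo "User **${TRIGGERING_ACTOR}** does not have permission to run integration tests."
            echo "A maintainer must perform a security review and re-run this build, if the code is safe."
            echo "See [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/resources/github-actions-preventing-pwn-requests)."
          } >> "$GITHUB_STEP_SUMMARY"
          exit 1
      - name: Checkout source
        uses: actions/checkout@v4
        with:
          # Getting the correct commit for a pull_request_target event appears to be
          # a known, problematic issue: https://github.com/actions/checkout/issues/518
          # It seems that ideally, we want github.event.pull_request.merge_commit_sha,
          # but that it is not reliable, and can sometimes be a null value. It
          # appears that the most reasonable way to ensure that we are pulling the same
          # code that triggered things is shown in this issue comment:
          # https://github.com/actions/checkout/issues/518#issuecomment-1661941548
          # However, attempts to get that working resulted in getting an empty
          # github.event.number, so we're resorting to this simpler approach, which
          # is apparently less than ideal, but seems to be the best we can muster at
          # this point.
          #
          # For a pull_request_target event this is the FORK's commit, i.e.
          # untrusted code; it is only checked out after the permission gate
          # above has passed. For push events the expression is empty, and
          # checkout then appears to fall back to the pushed commit.
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Install uv
        # NOTE(review): the action reference on the next line was mangled during
        # page extraction ("[email protected]" is not a valid owner/repo@ref);
        # restore the exact action@version from the repository before use.
        uses: astral-sh/[email protected]
        with:
          enable-cache: true
      - name: Setup nox
        # NOTE(review): same extraction damage as the uv step above.
        uses: wntrblm/[email protected]
        with:
          python-versions: ${{ matrix.python-version }}
      - name: Run integration tests
        # These secrets are only reachable here after the permission gate above
        # has let the job continue.
        env:
          EARTHDATA_USERNAME: ${{ secrets.EDL_USERNAME }}
          EARTHDATA_PASSWORD: ${{ secrets.EDL_PASSWORD }}
        run: >-
          nox -s integration-tests --
          --cov=earthaccess --cov-report=term-missing --capture=no --tb=native --log-cli-level=INFO
      - name: Upload coverage report
        # Don't upload coverage when using the `act` tool to run the workflow locally
        if: ${{ !env.ACT }}
        uses: codecov/codecov-action@v4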