diff --git a/.github/workflows/integration-test.yml b/.github/workflows/integration-test.yml index cb013525..fba60ccc 100644 --- a/.github/workflows/integration-test.yml +++ b/.github/workflows/integration-test.yml @@ -2,6 +2,7 @@ name: Integration Tests on: pull_request: + pull_request_target: push: branches: - main @@ -19,6 +20,25 @@ concurrency: jobs: integration-tests: + # + # This condition prevents DUPLICATE attempts to run integration tests for + # PRs coming from FORKS. + # + # When a PR originates from a fork, both a pull_request and a + # pull_request_target event are triggered. This means that without a + # condition, GitHub will attempt to run integration tests TWICE, once for + # each event. + # + # To prevent this, this condition ensures that integration tests are run + # in only ONE of the following cases: + # + # 1. The event is NOT a pull_request. This covers the case when the event + # is a pull_request_target (i.e., a PR from a fork), as well as all + # other cases listed in the "on" block at the top of this file. + # 2. The event IS a pull_request AND the base repo and head repo are the + # same (i.e., the PR is NOT from a fork). + # + if: github.event_name != 'pull_request' || github.event.pull_request.base.repo.full_name == github.event.pull_request.head.repo.full_name runs-on: ubuntu-latest strategy: matrix: @@ -26,13 +46,35 @@ jobs: fail-fast: false steps: - - uses: actions/checkout@v4 + - name: Fetch user permission + id: permission + uses: actions-cool/check-user-permission@v2 + with: + require: write + username: ${{ github.triggering_actor }} + + - name: Check user permission + if: ${{ steps.permission.outputs.require-result == 'false' }} + # If the triggering actor does not have write permission (i.e., this is a + # PR from a fork), then we exit, otherwise most of the integration tests will + # fail because they require access to secrets. In this case, a maintainer + # will need to make sure the PR looks safe, and if so, manually re-run the + # failed pull_request_target jobs. + run: | + echo "User **${{ github.triggering_actor }}** does not have permission to run integration tests." >> $GITHUB_STEP_SUMMARY + echo "A maintainer must perform a security review and re-run this build, if the code is safe." >> $GITHUB_STEP_SUMMARY + echo "See [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/resources/github-actions-preventing-pwn-requests)." >> $GITHUB_STEP_SUMMARY + exit 1 + + - name: Checkout source + uses: actions/checkout@v4 - - uses: ./.github/actions/install-pkg + - name: Install package with dependencies + uses: ./.github/actions/install-pkg with: python-version: ${{ matrix.python-version }} - - name: Test + - name: Run integration tests env: EARTHDATA_USERNAME: ${{ secrets.EDL_USERNAME }} EARTHDATA_PASSWORD: ${{ secrets.EDL_PASSWORD }} @@ -40,7 +82,7 @@ jobs: EARTHACCESS_TEST_PASSWORD: ${{ secrets.EDL_PASSWORD }} run: ./scripts/integration-test.sh - - name: Upload coverage + - name: Upload coverage report # Don't upload coverage when using the `act` tool to run the workflow locally if: ${{ !env.ACT }} uses: codecov/codecov-action@v4