From 3a9691576a4d8288e328f36af8f8dbbc40c3821c Mon Sep 17 00:00:00 2001
From: Volodymyr Zotov
Date: Fri, 5 Sep 2025 13:45:29 -0500
Subject: [PATCH 01/10] Add ok to test workflow
---
.github/workflows/ok-to-test.yml | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
create mode 100644 .github/workflows/ok-to-test.yml
diff --git a/.github/workflows/ok-to-test.yml b/.github/workflows/ok-to-test.yml
new file mode 100644
index 0000000..b4c22a0
--- /dev/null
+++ b/.github/workflows/ok-to-test.yml
@@ -0,0 +1,22 @@
+# Write comments "/ok-to-test " on a pull request. This will emit a repository_dispatch event.
+name: Ok To Test
+
+on:
+ issue_comment:
+ types: [created]
+
+jobs:
+ ok-to-test:
+ runs-on: ubuntu-latest
+ # Only run for PRs, not issue comments
+ if: ${{ github.event.issue.pull_request }}
+ steps:
+ - name: Slash Command Dispatch
+ uses: peter-evans/slash-command-dispatch@v4
+ with:
+ token: ${{ secrets.PAT }}
+ reaction-token: ${{ secrets.PAT }}
+ issue-type: pull-request
+ commands: ok-to-test
+ # The repository permission level required by the user to dispatch commands. Only allows 1Password collaborators to run this.
+ permission: write
From 35e476230c10ffc16d57de8eac14806fa07e52ff Mon Sep 17 00:00:00 2001
From: Volodymyr Zotov
Date: Thu, 11 Sep 2025 10:52:53 -0500
Subject: [PATCH 02/10] Add ok-to-test workflow
---
.github/workflows/ok-to-test.yml | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/ok-to-test.yml b/.github/workflows/ok-to-test.yml
index b4c22a0..304afca 100644
--- a/.github/workflows/ok-to-test.yml
+++ b/.github/workflows/ok-to-test.yml
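Review bot: In ok-to-test.yml as added by patch 01, the job condition `if: ${{ github.event.issue.pull_request }}` is true for every comment on any pull request, so each comment starts a runner and hands the token to the dispatch step, which presumably only then checks whether the text is a command. Narrowing the condition keeps unrelated comments away from a step that holds a credential: `if: ${{ github.event.issue.pull_request && startsWith(github.event.comment.body, '/ok-to-test') }}`. The comment above `permission: write` says only 1Password collaborators can run this; what the setting names is write permission on the repository, and the comment would be more accurate saying so.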
@@ -8,14 +8,17 @@ on: jobs: ok-to-test: runs-on: ubuntu-latest + permissions: + pull-requests: write # For adding reactions to the pull request comments + contents: write # For executing the repository_dispatch event # Only run for PRs, not issue comments if: ${{ github.event.issue.pull_request }} steps: - name: Slash Command Dispatch - uses: peter-evans/slash-command-dispatch@v4 + uses: volodymyrZotov/slash-command-dispatch@7c1b623a2b0eba93f684c34f689a441f0be84cf1 # TODO: use peter-evans/slash-command-dispatch when fix for team permissions is released https://github.com/peter-evans/slash-command-dispatch/pull/424 with: - token: ${{ secrets.PAT }} - reaction-token: ${{ secrets.PAT }} + token: ${{ secrets.GITHUB_TOKEN }} + reaction-token: ${{ secrets.GITHUB_TOKEN }} issue-type: pull-request commands: ok-to-test # The repository permission level required by the user to dispatch commands. Only allows 1Password collaborators to run this. From 460742869b4a34b401f480d4f267f22c0ca9e527 Mon Sep 17 00:00:00 2001 From: Volodymyr Zotov Date: Thu, 11 Sep 2025 11:14:10 -0500 Subject: [PATCH 03/10] Add workflow to run e2e tests on contributor's branch --- .github/workflows/test-e2e-fork.yml | 57 +++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 .github/workflows/test-e2e-fork.yml diff --git a/.github/workflows/test-e2e-fork.yml b/.github/workflows/test-e2e-fork.yml new file mode 100644 index 0000000..cc86473 --- /dev/null +++ b/.github/workflows/test-e2e-fork.yml 
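Review bot: The new `uses:` line in patch 02 runs an action from a personal fork (`volodymyrZotov/slash-command-dispatch`) in a job that is granted `contents: write`. The full-SHA pin stops the code from changing underneath the workflow, but nothing on the page records that the pinned commit was reviewed or who controls the fork. I would host the fork under the organisation, or vendor the action, until upstream PR 424 is released, and extend the TODO with what was audited, for example `# audited: upstream plus PR 424 only, <reviewer>, <date>`.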
@@ -0,0 +1,57 @@
+name: Run Test E2E tests [fork]
+
+on:
+ repository_dispatch:
+ types: [ ok-to-test-command ]
+
+permissions:
+ contents: read
+
+concurrency:
+ group: e2e-fork-${{ github.event.client_payload.pull_request.number || github.run_id }}
+ cancel-in-progress: true # cancel previous job runs for the same branch
+
+jobs:
+ run-e2e-tests:
+ name: E2E (fork)
+ runs-on: ubuntu-latest
+ if: |
+ github.event_name == 'repository_dispatch' &&
+ github.event.client_payload.slash_command.args.named.sha != '' &&
+ contains(
+ github.event.client_payload.pull_request.head.sha,
+ github.event.client_payload.slash_command.args.named.sha
+ )
+ steps:
+ - uses: actions/checkout@v5
+
+ - name: Set up Go
+ uses: actions/setup-go@v6
+ with:
+ go-version-file: go.mod
+
+ - name: Install dependencies
+ run: go mod tidy
+
+ - name: Create kind cluster
+ uses: helm/kind-action@v1
+ with:
+ cluster_name: onepassword-operator-test-e2e
+
+ # Install 1Password CLI to support testhelper/op usage
+ - name: Install 1Password CLI
+ uses: 1password/install-cli-action@v2
+ with:
+ version: 2.32.0
+
+ - name: Create '1password-credentials.json' file
+ env:
+ OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }}
+ run: |
+ echo "$OP_CONNECT_CREDENTIALS" > 1password-credentials.json
+
+ - name: Run E2E tests
+ run: make test-e2e
+ env:
+ OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
+ OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
\ No newline at end of file
From d8734c9ae3048e8892a8a89424a8adda66e11c6a Mon Sep 17 00:00:00 2001
From: Volodymyr Zotov
Date: Thu, 11 Sep 2025 11:16:47 -0500
Subject: [PATCH 04/10] Run e2e tests when pusing to main and bump actions to the latest
---
.github/workflows/test-e2e.yml | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/test-e2e.yml b/.github/workflows/test-e2e.yml
index 65f3a3e..39a0384 100644
--- a/.github/workflows/test-e2e.yml
+++ b/.github/workflows/test-e2e.yml
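Review bot: The `actions/checkout@v5` step in test-e2e-fork.yml (patch 03) has no `ref:`, and on `repository_dispatch` checkout resolves to the default branch, so this job tests main and never the contributor's commit. Adding `with:` and `ref: ${{ github.event.client_payload.pull_request.head.sha }}` to that step checks out the commit the payload describes. The `if:` guard is also looser than an approval should be: `contains(head.sha, args.named.sha)` accepts any non-empty substring, so a one-character `sha=` value matches most pull requests, whereas `==` on the full SHA ties the approval to exactly one commit and `startsWith(...)` at least anchors the match. Once the pull-request code is checked out it runs in a job that receives the three `OP_*` secrets, so that binding is the only thing standing between the maintainer's review and what executes. The same checkout step is carried into e2e-tests.yml by patch 09.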
@@ -1,6 +1,8 @@ name: Test E2E on: + push: + branches: [main] pull_request: types: [opened, synchronize, reopened] branches: ['**'] # run for PRs targeting any branch (main and others) @@ -14,10 +16,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@v6 with: go-version-file: go.mod From 6769e25a98454972621703b9cb5a3aaf0ce2376b Mon Sep 17 00:00:00 2001 From: Volodymyr Zotov Date: Thu, 11 Sep 2025 11:49:09 -0500 Subject: [PATCH 05/10] Do not run e2e tests when making a change on documentation or not realted to the operator files --- .github/workflows/test-e2e.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/.github/workflows/test-e2e.yml b/.github/workflows/test-e2e.yml index 39a0384..bc6192d 100644 --- a/.github/workflows/test-e2e.yml +++ b/.github/workflows/test-e2e.yml @@ -3,9 +3,23 @@ name: Test E2E on: push: branches: [main] + paths-ignore: + - 'docs/**' + - '*.md' + - '.golangci.yml' + - '.gitignore' + - '.dockerignore' + - 'LICENSE' pull_request: types: [opened, synchronize, reopened] branches: ['**'] # run for PRs targeting any branch (main and others) + paths-ignore: + - 'docs/**' + - '*.md' + - '.golangci.yml' + - '.gitignore' + - '.dockerignore' + - 'LICENSE' concurrency: group: e2e-${{ github.event.pull_request.head.ref }} From 3ebc536dd72b333d764b297bc34f3327a3725fe5 Mon Sep 17 00:00:00 2001 From: Volodymyr Zotov Date: Thu, 11 Sep 2025 11:50:02 -0500 Subject: [PATCH 06/10] Add empty line at the end of the file --- .github/workflows/test-e2e-fork.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test-e2e-fork.yml b/.github/workflows/test-e2e-fork.yml index cc86473..bbbe874 100644 --- a/.github/workflows/test-e2e-fork.yml +++ b/.github/workflows/test-e2e-fork.yml 
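Review bot: With `push` added as a trigger in test-e2e.yml (patch 04, first hunk), the concurrency group `e2e-${{ github.event.pull_request.head.ref }}`, visible as context at the end of patch 05, evaluates to the bare string `e2e-` on push events because there is no `pull_request` object. Together with the `cancel-in-progress: true` shown in patch 09's context, each push to main probably cancels the e2e run of the previous one, so a failing merge can go unreported. A group that falls back to the pushed ref avoids that: `group: e2e-${{ github.event.pull_request.head.ref || github.ref }}`.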
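Review bot: In the `paths-ignore` lists added by patch 05, `'*.md'` matches Markdown files at the repository root only, because `*` in workflow path filters does not cross `/`. Markdown files in directories other than `docs/` would still trigger the e2e run, which the commit subject suggests is not intended. `'**.md'` covers every directory.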
@@ -54,4 +54,4 @@ jobs: run: make test-e2e env: OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }} - OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} \ No newline at end of file + OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} From de62e07bcfad242c64a7b587ce503568c1ad771d Mon Sep 17 00:00:00 2001 From: Volodymyr Zotov Date: Thu, 11 Sep 2025 12:20:40 -0500 Subject: [PATCH 07/10] Bump action versions in other workflows --- .github/workflows/build.yml | 4 ++-- .github/workflows/lint.yml | 4 ++-- .github/workflows/release-pr.yml | 2 +- .github/workflows/release.yml | 2 +- .github/workflows/test.yml | 4 ++-- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 78d80e0..dd75e54 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -11,10 +11,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Clone the code - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Setup Go - uses: actions/setup-go@v5 + uses: actions/setup-go@v6 with: go-version-file: go.mod diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 764f661..7658346 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -11,10 +11,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Clone the code - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Setup Go - uses: actions/setup-go@v5 + uses: actions/setup-go@v6 with: go-version-file: go.mod diff --git a/.github/workflows/release-pr.yml b/.github/workflows/release-pr.yml index 10c93c8..a464497 100644 --- a/.github/workflows/release-pr.yml +++ b/.github/workflows/release-pr.yml @@ -43,7 +43,7 @@ jobs: name: Create Release Pull Request runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: Parse release version id: get_version diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 22e87bc..589412f 100644 
--- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -12,7 +12,7 @@ jobs: DOCKER_CLI_EXPERIMENTAL: "enabled" steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: fetch-depth: 0 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 71724cf..e784e85 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -11,10 +11,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Clone the code - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Setup Go - uses: actions/setup-go@v5 + uses: actions/setup-go@v6 with: go-version-file: go.mod From 49bc9cb3296ac9fbb7f69b74f895060923edc539 Mon Sep 17 00:00:00 2001 From: Volodymyr Zotov Date: Tue, 30 Sep 2025 21:37:11 -0500 Subject: [PATCH 08/10] Use workflow anchors --- .github/workflows/test-e2e.yml | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/.github/workflows/test-e2e.yml b/.github/workflows/test-e2e.yml index bc6192d..fa849cd 100644 --- a/.github/workflows/test-e2e.yml +++ b/.github/workflows/test-e2e.yml @@ -3,7 +3,7 @@ name: Test E2E on: push: branches: [main] - paths-ignore: + paths-ignore: &ignore_paths - 'docs/**' - '*.md' - '.golangci.yml' @@ -13,13 +13,7 @@ on: pull_request: types: [opened, synchronize, reopened] branches: ['**'] # run for PRs targeting any branch (main and others) - paths-ignore: - - 'docs/**' - - '*.md' - - '.golangci.yml' - - '.gitignore' - - '.dockerignore' - - 'LICENSE' + paths-ignore: *ignore_paths concurrency: group: e2e-${{ github.event.pull_request.head.ref }} From 63e3f29be95ead4ee850ae0c48eb8b0f196bc568 Mon Sep 17 00:00:00 2001 
From: Volodymyr Zotov
Date: Tue, 30 Sep 2025 21:44:16 -0500
Subject: [PATCH 09/10] Refactor e2e test workflows
---
.github/workflows/e2e-tests.yml | 52 ++++++++++++++++++++++
.github/workflows/test-e2e-fork.yml | 67 ++++++++++++++---------------
.github/workflows/test-e2e.yml | 63 +++++++++++----------------
3 files changed, 109 insertions(+), 73 deletions(-)
create mode 100644 .github/workflows/e2e-tests.yml
diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml
new file mode 100644
index 0000000..c36e254
--- /dev/null
+++ b/.github/workflows/e2e-tests.yml
@@ -0,0 +1,52 @@
+name: E2E Tests
+
+on:
+ workflow_call:
+ secrets:
+ OP_CONNECT_CREDENTIALS:
+ description: '1Password Connect credentials'
+ required: true
+ OP_CONNECT_TOKEN:
+ description: '1Password Connect token'
+ required: true
+ OP_SERVICE_ACCOUNT_TOKEN:
+ description: '1Password service account token'
+ required: true
+
+jobs:
+ e2e-test:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v5
+
+ - name: Set up Go
+ uses: actions/setup-go@v6
+ with:
+ go-version-file: go.mod
+
+ - name: Install dependencies
+ run: go mod tidy
+
+ - name: Create kind cluster
+ uses: helm/kind-action@v1
+ with:
+ cluster_name: onepassword-operator-test-e2e
+
+ # install cli to interact with item in 1Password to update/read using `testhelper/op` package
+ - name: Install 1Password CLI
+ uses: 1password/install-cli-action@v2
+ with:
+ version: 2.32.0
+
+ - name: Create '1password-credentials.json' file
+ env:
+ OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }}
+ run: |
+ echo "$OP_CONNECT_CREDENTIALS" > 1password-credentials.json
+
+ - name: Run E2E tests
+ run: make test-e2e
+ env:
+ OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
+ OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
\ No newline at end of file
diff --git a/.github/workflows/test-e2e-fork.yml b/.github/workflows/test-e2e-fork.yml
index bbbe874..e0ceb08 100644
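Review bot: In e2e-tests.yml, `helm/kind-action@v1` and `1password/install-cli-action@v2` are referenced by movable tags and run in the same job, ahead of the steps that handle the three 1Password secrets. Patch 02 already pins the dispatch action to a full commit SHA; the same treatment here keeps a retagged release from preparing the workspace and toolchain those later steps rely on, e.g. `uses: helm/kind-action@<full-commit-sha> # v1`. The workflow also declares no `permissions:`, so the token scope is whatever the caller passes down; a job-level `permissions:` with `contents: read` on `e2e-test` would state the intent.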
--- a/.github/workflows/test-e2e-fork.yml +++ b/.github/workflows/test-e2e-fork.yml @@ -1,4 +1,4 @@ -name: Run Test E2E tests [fork] +name: E2E tests [fork] on: repository_dispatch: @@ -6,15 +6,15 @@ on: permissions: contents: read + checks: write concurrency: group: e2e-fork-${{ github.event.client_payload.pull_request.number || github.run_id }} cancel-in-progress: true # cancel previous job runs for the same branch jobs: - run-e2e-tests: - name: E2E (fork) - runs-on: ubuntu-latest + e2e-tests: + uses: ./.github/workflows/e2e-tests.yml if: | github.event_name == 'repository_dispatch' && github.event.client_payload.slash_command.args.named.sha != '' && 
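Review bot: `checks: write` is added to the workflow-level `permissions:` in test-e2e-fork.yml, so it also applies to the `e2e-tests` job, which is the one meant to run the approved pull-request code. Only `update-check-status`, added in the next hunk, calls the checks API. Moving the grant to that job keeps the test job at `contents: read`: under `update-check-status:` add `permissions:` with `checks: write`, and leave the top-level block as it was before this patch.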
@@ -22,36 +22,35 @@ jobs: github.event.client_payload.pull_request.head.sha, github.event.client_payload.slash_command.args.named.sha ) + secrets: + OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }} + OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }} + OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} + + update-check-status: + needs: e2e-tests + runs-on: ubuntu-latest + if: always() && github.event_name == 'repository_dispatch' steps: - - uses: actions/checkout@v5 - - - name: Set up Go - uses: actions/setup-go@v6 - with: - go-version-file: go.mod - - - name: Install dependencies - run: go mod tidy - - - name: Create kind cluster - uses: helm/kind-action@v1 - with: - cluster_name: onepassword-operator-test-e2e - - # Install 1Password CLI to support testhelper/op usage - - name: Install 1Password CLI - uses: 1password/install-cli-action@v2 - with: - version: 2.32.0 - - - name: Create '1password-credentials.json' file + - uses: actions/github-script@v6 env: - OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }} - run: | - echo "$OP_CONNECT_CREDENTIALS" > 1password-credentials.json + ref: ${{ github.event.client_payload.pull_request.head.sha }} + conclusion: ${{ needs.e2e-tests.result }} + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + const { data: checks } = await github.rest.checks.listForRef({ + ...context.repo, + ref: process.env.ref + }); - - name: Run E2E tests - run: make test-e2e - env: - OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }} - OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} + const check = checks.check_runs.filter(c => c.name === 'e2e-test'); + + const { data: result } = await github.rest.checks.update({ + ...context.repo, + check_run_id: check[0].id, + status: 'completed', + conclusion: process.env.conclusion + }); + + return result; diff --git a/.github/workflows/test-e2e.yml b/.github/workflows/test-e2e.yml index fa849cd..cc5897f 100644 --- a/.github/workflows/test-e2e.yml 
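Review bot: `update-check-status` runs under `always()` and copies `needs.e2e-tests.result` straight into the check's `conclusion`, so a dispatch whose SHA guard fails leaves `e2e-tests` skipped and writes `skipped` onto the pull request's check. If that check is required by branch protection, a skipped conclusion may be treated as passing, which is worth confirming against the repository's settings. Restricting the job to real outcomes avoids it: `if: always() && github.event_name == 'repository_dispatch' && needs.e2e-tests.result != 'skipped'`. The script also reads `check[0].id` without checking that a run named `e2e-test` exists for the ref, so an empty result fails with a TypeError instead of a readable message; a guard such as `if (check.length === 0) { core.setFailed('no e2e-test check run for ' + process.env.ref); return; }` before the update call would cover it.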
+++ b/.github/workflows/test-e2e.yml @@ -1,8 +1,9 @@ -name: Test E2E +name: E2E Tests on: - push: - branches: [main] + pull_request: + types: [opened, synchronize, reopened] + branches: ['**'] # run for PRs targeting any branch (main and others) paths-ignore: &ignore_paths - 'docs/**' - '*.md' 
@@ -10,49 +11,33 @@ on: - '.gitignore' - '.dockerignore' - 'LICENSE' - pull_request: - types: [opened, synchronize, reopened] - branches: ['**'] # run for PRs targeting any branch (main and others) + push: + branches: [main] paths-ignore: *ignore_paths concurrency: group: e2e-${{ github.event.pull_request.head.ref }} - cancel-in-progress: true # cancel previous job runs for the same branch + cancel-in-progress: true # cancel previous job runs for the same branch jobs: - e2e-test: + check-external-pr: runs-on: ubuntu-latest + if: github.event_name == 'pull_request' steps: - - name: Checkout code - uses: actions/checkout@v5 - - - name: Set up Go - uses: actions/setup-go@v6 - with: - go-version-file: go.mod - - - name: Install dependencies - run: go mod tidy - - - name: Create kind cluster - uses: helm/kind-action@v1 - with: - cluster_name: onepassword-operator-test-e2e - - # install cli to interact with item in 1Password to update/read using `testhelper/op` package - - name: Install 1Password CLI - uses: 1password/install-cli-action@v2 - with: - version: 2.32.0 - - - name: Create '1password-credentials.json' file - env: - OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }} + - name: Check if PR is from external contributor run: | - echo "$OP_CONNECT_CREDENTIALS" > 1password-credentials.json + if [ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]; then + echo "❌ External PR detected. This workflow requires approval from a maintainer." + echo "Please ask a maintainer to run '/ok-to-test' command to trigger the fork workflow." + exit 1 + fi + echo "✅ Internal PR detected. Proceeding with tests." 
- - name: Run E2E tests - run: make test-e2e - env: - OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }} - OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} + e2e-test: + needs: check-external-pr + if: always() && (needs.check-external-pr.result == 'success' || github.event_name != 'pull_request') + uses: ./.github/workflows/e2e-tests.yml + secrets: + OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }} + OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }} + OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} From 3f52bb284046fcee6152d63ef5356f55fe7d9806 Mon Sep 17 00:00:00 2001 From: Volodymyr Zotov Date: Thu, 2 Oct 2025 08:09:04 -0500 Subject: [PATCH 10/10] Add new line at the end of the file --- .github/workflows/e2e-tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index c36e254..da71477 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml @@ -49,4 +49,4 @@ jobs: run: make test-e2e env: OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }} - OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} \ No newline at end of file + OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
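Review bot: The `Check if PR is from external contributor` step in test-e2e.yml expands `${{ github.event.pull_request.head.repo.full_name }}` inside the `run:` script, so the value becomes part of the shell text before bash parses it. Repository names are restricted enough that this is unlikely to matter here, and the job holds no secrets, but it is the pattern to avoid in workflows triggered by pull requests. Passing the value through the environment keeps data and script separate: add `env:` with `HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}` to the step and compare with `if [ "$HEAD_REPO" != "$GITHUB_REPOSITORY" ]; then`. This hunk begins on the previous physical line of the page.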