Compare commits

..

29 Commits

Author SHA1 Message Date
Volodymyr Zotov
8d16fccdbc Update e2e status check based on result of run-e2e-tests-fork step 2025-10-24 12:38:04 -05:00
Volodymyr Zotov
5fb44ba7eb Update fork tests job name so we can update status for the correct 'run-e2e-tests' check 2025-10-22 12:35:44 -05:00
Volodymyr Zotov
3eae7f3e7e Return a list of update results if successfully updated 2025-10-22 11:08:20 -05:00
Volodymyr Zotov
04edd4dbfa Always set status for check as succesfull as we were able to start a job
Which means it passed hash check and e2e tests passed, so we can update those 2 checks to 'success'
2025-10-22 11:06:48 -05:00
Volodymyr Zotov
bb4f5bdcb0 Update docs 2025-10-22 10:54:33 -05:00
Volodymyr Zotov
d403a29fdc Update documentation 2025-10-02 15:34:51 -05:00
Volodymyr Zotov
d30ed0b9d7 Name the jobs 'run-e2e-tests' 2025-10-02 15:31:23 -05:00
Volodymyr Zotov
db2053fde4 Update status for e2e-test check as well 2025-10-02 15:28:48 -05:00
Volodymyr Zotov
316f605680 Update docs 2025-10-02 13:18:05 -05:00
Volodymyr Zotov
7135f439a5 Update check-external-pr check when e2e test success 2025-10-02 13:14:04 -05:00
Volodymyr Zotov
625297c1fb Add doc explaining how to test forked PR 2025-10-02 12:41:01 -05:00
Volodymyr Zotov
e967f7ce1e Revert job name 2025-10-02 12:40:35 -05:00
Volodymyr Zotov
5199e9f350 Revert "Update status check to 'success' only if e2e tests are passed"
This reverts commit 878b38deac.
2025-10-02 12:37:04 -05:00
Volodymyr Zotov
878b38deac Update status check to 'success' only if e2e tests are passed 2025-10-02 12:36:27 -05:00
Volodymyr Zotov
1a40b4fb95 Pass jobm name as env 2025-10-02 12:35:06 -05:00
Volodymyr Zotov
4b5d3c5f1a Use propper job name e2e-tests 2025-10-02 12:34:10 -05:00
Volodymyr Zotov
8d4908fb72 Updated comment to mention sha= portion to dispatch the event 2025-10-02 11:50:15 -05:00
Volodymyr Zotov
6cf52a7bfc Use process.env.job instead of hardcoding job name 2025-10-02 11:29:31 -05:00
Volodymyr Zotov
7ef9ec6de7 Update e2e job names to avoid confustion and fix updating check status 2025-10-02 08:35:37 -05:00
Volodymyr Zotov
3f52bb2840 Add new line at the end of the file 2025-10-02 08:09:04 -05:00
Volodymyr Zotov
63e3f29be9 Refactor e2e test workflows 2025-09-30 21:44:16 -05:00
Volodymyr Zotov
49bc9cb329 Use workflow anchors 2025-09-30 21:37:11 -05:00
Volodymyr Zotov
de62e07bcf Bump action versions in other workflows 2025-09-11 12:20:40 -05:00
Volodymyr Zotov
3ebc536dd7 Add empty line at the end of the file 2025-09-11 11:50:02 -05:00
Volodymyr Zotov
6769e25a98 Do not run e2e tests when making a change on documentation or not realted to the operator files 2025-09-11 11:49:09 -05:00
Volodymyr Zotov
d8734c9ae3 Run e2e tests when pusing to main and bump actions to the latest 2025-09-11 11:16:47 -05:00
Volodymyr Zotov
460742869b Add workflow to run e2e tests on contributor's branch 2025-09-11 11:14:10 -05:00
Volodymyr Zotov
35e476230c Add ok-to-test workflow 2025-09-11 10:52:53 -05:00
Volodymyr Zotov
3a9691576a Add ok to test workflow 2025-09-05 13:45:29 -05:00
10 changed files with 290 additions and 42 deletions

View File

@@ -11,10 +11,10 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Clone the code
uses: actions/checkout@v4
uses: actions/checkout@v5
- name: Setup Go
uses: actions/setup-go@v5
uses: actions/setup-go@v6
with:
go-version-file: go.mod

52
.github/workflows/e2e-tests.yml vendored Normal file
View File

@@ -0,0 +1,52 @@
name: E2E Tests [reusable]
on:
workflow_call:
secrets:
OP_CONNECT_CREDENTIALS:
description: '1Password Connect credentials'
required: true
OP_CONNECT_TOKEN:
description: '1Password Connect token'
required: true
OP_SERVICE_ACCOUNT_TOKEN:
description: '1Password service account token'
required: true
jobs:
e2e-test:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v5
- name: Set up Go
uses: actions/setup-go@v6
with:
go-version-file: go.mod
- name: Install dependencies
run: go mod tidy
- name: Create kind cluster
uses: helm/kind-action@v1
with:
cluster_name: onepassword-operator-test-e2e
# install cli to interact with item in 1Password to update/read using `testhelper/op` package
- name: Install 1Password CLI
uses: 1password/install-cli-action@v2
with:
version: 2.32.0
- name: Create '1password-credentials.json' file
env:
OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }}
run: |
echo "$OP_CONNECT_CREDENTIALS" > 1password-credentials.json
- name: Run E2E tests
run: make test-e2e
env:
OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}

View File

@@ -11,10 +11,10 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Clone the code
uses: actions/checkout@v4
uses: actions/checkout@v5
- name: Setup Go
uses: actions/setup-go@v5
uses: actions/setup-go@v6
with:
go-version-file: go.mod

25
.github/workflows/ok-to-test.yml vendored Normal file
View File

@@ -0,0 +1,25 @@
# Write comments "/ok-to-test sha=<hash>" on a pull request. This will emit a repository_dispatch event.
name: Ok To Test
on:
issue_comment:
types: [created]
jobs:
ok-to-test:
runs-on: ubuntu-latest
permissions:
pull-requests: write # For adding reactions to the pull request comments
contents: write # For executing the repository_dispatch event
# Only run for PRs, not issue comments
if: ${{ github.event.issue.pull_request }}
steps:
- name: Slash Command Dispatch
uses: volodymyrZotov/slash-command-dispatch@7c1b623a2b0eba93f684c34f689a441f0be84cf1 # TODO: use peter-evans/slash-command-dispatch when fix for team permissions is released https://github.com/peter-evans/slash-command-dispatch/pull/424
with:
token: ${{ secrets.GITHUB_TOKEN }}
reaction-token: ${{ secrets.GITHUB_TOKEN }}
issue-type: pull-request
commands: ok-to-test
# The repository permission level required by the user to dispatch commands. Only allows 1Password collaborators to run this.
permission: write

View File

@@ -43,7 +43,7 @@ jobs:
name: Create Release Pull Request
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
- name: Parse release version
id: get_version

View File

@@ -12,7 +12,7 @@ jobs:
DOCKER_CLI_EXPERIMENTAL: "enabled"
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v5
with:
fetch-depth: 0

67
.github/workflows/test-e2e-fork.yml vendored Normal file
View File

@@ -0,0 +1,67 @@
name: E2E tests [fork]
on:
repository_dispatch:
types: [ ok-to-test-command ]
permissions:
contents: read
checks: write
concurrency:
group: e2e-fork-${{ github.event.client_payload.pull_request.number || github.run_id }}
cancel-in-progress: true # cancel previous job runs for the same branch
jobs:
run-e2e-tests-fork:
uses: ./.github/workflows/e2e-tests.yml
if: |
github.event_name == 'repository_dispatch' &&
github.event.client_payload.slash_command.args.named.sha != '' &&
contains(
github.event.client_payload.pull_request.head.sha,
github.event.client_payload.slash_command.args.named.sha
)
secrets:
OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }}
OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
update-check-status:
needs: run-e2e-tests-fork
runs-on: ubuntu-latest
if: always() && github.event_name == 'repository_dispatch'
steps:
- uses: actions/github-script@v6
env:
ref: ${{ github.event.client_payload.pull_request.head.sha }}
conclusion: ${{ needs.run-e2e-tests-fork.result }}
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const { data: checks } = await github.rest.checks.listForRef({
...context.repo,
ref: process.env.ref
});
// update the 'check-external-pr' check run
const externalCheck = checks.check_runs.filter(c => c.name === 'check-external-pr');
const { data: externalCheckUpdateResult } = await github.rest.checks.update({
...context.repo,
check_run_id: externalCheck[0].id,
status: 'completed',
conclusion: 'success'
});
// update the 'run-e2e-tests' check run from 'test-e2e.yml' workflow
const e2eTestCheck = checks.check_runs.filter(c => c.name === 'run-e2e-tests');
const { data: e2eTestCheckResult } = await github.rest.checks.update({
...context.repo,
check_run_id: e2eTestCheck[0].id,
status: 'completed',
conclusion: process.env.conclusion
});
return [externalCheckUpdateResult, e2eTestCheckResult];

View File

@@ -1,48 +1,43 @@
name: Test E2E
name: E2E Tests
on:
pull_request:
types: [opened, synchronize, reopened]
branches: ['**'] # run for PRs targeting any branch (main and others)
paths-ignore: &ignore_paths
- 'docs/**'
- '*.md'
- '.golangci.yml'
- '.gitignore'
- '.dockerignore'
- 'LICENSE'
push:
branches: [main]
paths-ignore: *ignore_paths
concurrency:
group: e2e-${{ github.event.pull_request.head.ref }}
cancel-in-progress: true # cancel previous job runs for the same branch
cancel-in-progress: true # cancel previous job runs for the same branch
jobs:
e2e-test:
check-external-pr:
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: go.mod
- name: Install dependencies
run: go mod tidy
- name: Create kind cluster
uses: helm/kind-action@v1
with:
cluster_name: onepassword-operator-test-e2e
# install cli to interact with item in 1Password to update/read using `testhelper/op` package
- name: Install 1Password CLI
uses: 1password/install-cli-action@v2
with:
version: 2.32.0
- name: Create '1password-credentials.json' file
env:
OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }}
- name: Check if PR is from external contributor
run: |
echo "$OP_CONNECT_CREDENTIALS" > 1password-credentials.json
if [ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]; then
echo "❌ External PR detected. This workflow requires approval from a maintainer."
echo "Please ask a maintainer to run '/ok-to-test' command to trigger the fork workflow."
exit 1
fi
echo "✅ Internal PR detected. Proceeding with tests."
- name: Run E2E tests
run: make test-e2e
env:
OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
run-e2e-tests:
needs: check-external-pr
if: always() && (needs.check-external-pr.result == 'success' || github.event_name != 'pull_request')
uses: ./.github/workflows/e2e-tests.yml
secrets:
OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }}
OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}

View File

@@ -11,10 +11,10 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Clone the code
uses: actions/checkout@v4
uses: actions/checkout@v5
- name: Setup Go
uses: actions/setup-go@v5
uses: actions/setup-go@v6
with:
go-version-file: go.mod

109
docs/fork-pr-testing.md Normal file
View File

@@ -0,0 +1,109 @@
# Fork PR Testing Guide
This document explains how to test external pull requests using the dispatch action workflow system.
## Overview
The testing system consists of three main workflows:
1. **E2E Tests** (`test-e2e.yml`) - Runs automatically for internal PRs, requires approval for external PRs
2. **Ok To Test** (`ok-to-test.yml`) - Processes slash commands to trigger fork testing
3. **E2E tests [fork]** (`test-e2e-fork.yml`) - Triggered manually via slash commands for external PRs
## How It Works
### 1. Initial PR State
When a PR is created or updated:
- The `test-e2e.yml` workflow automatically runs
- For **external PRs**: The `check-external-pr` job detects it's from a fork and **fails intentionally**
- For **internal PRs**: The workflow proceeds normally with e2e tests
- External PRs show ❌ for the check-external-pr job with a message asking for maintainer approval
### 2. Manual Approval Required
**Important**: External PRs require manual approval before workflows can run.
**Steps for maintainers:**
1. Go to the PR page
2. Click **"Approve workflow to run"** button. For contributors who have made more than one contribution, workflows will start automatically after approval.
3. The workflow will then execute
**Note**: The `test-e2e.yml` workflow will still fail for external PRs even after approval, as it's designed to prevent automatic execution. Need to use the slash command instead.
### 3. Testing External PRs
Once the initial checks have run (and failed), maintainers can test the PR using slash commands:
#### Step-by-Step Process:
1. **Navigate to the PR**
- Go to the pull request you want to test
2. **Add a comment with slash command**
```
/ok-to-test sha=<commit-sha>
```
Replace `<commit-sha>` with the latest commit SHA from the PR.
**Note**: Use the short SHA.
3. **Dispatch Action Triggers**
- The `ok-to-test.yml` workflow processes the slash command
- It triggers a `repository_dispatch` event with type `ok-to-test-command`
- The `test-e2e-fork.yml` workflow starts
4. **Workflow Execution**
The fork workflow runs two jobs:
**a) `run-e2e-tests` job** (conditional)
- Only runs if:
- Event is `repository_dispatch`
- SHA parameter is not empty
- PR head SHA contains the provided SHA
- Calls the reusable `run-e2e-tests.yml` workflow
- Runs the actual E2E tests if conditions are met
**b) `update-check-status` job** (conditional)
- Runs after `e2e-tests` completes
- Updates the existing check for job named "run-e2e-tests" from 'test-e2e.yml' workflow
- Sets the conclusion based on `run-e2e-tests` result:
- ✅ **Success** if tests pass
- ❌ **Failure** if tests fail
## Troubleshooting
### Workflow Not Running
- **Check**: Ensure you've approved the workflow to run
- **Action**: Click "Approve workflow to run" in the PR checks tab
### SHA Not Found
- **Check**: Verify the SHA exists in the PR commits
- **Action**: Use `git log --oneline` to find valid commit SHAs
### Dispatch Not Triggering
- **Check**: Ensure the slash command format is correct
- **Action**: Use exact format: `/ok-to-test sha=<sha>`
### Check Runs Not Updating
- **Note**: The fork workflow updates the existing "E2E Tests [reusable]" check run
- **Behavior**: The same check run is updated with new results rather than creating a new one
## Security Notes
- Only users with **write** permissions can trigger dispatch commands
- The fork workflow runs in the main repository context, allowing it to update check runs
- Manual approval is required for external PR workflows
- External PRs are automatically detected and prevented from running tests automatically
## Workflow Files
- **`.github/workflows/ok-to-test.yml`** - Ok To Test - Slash command processor
- **`.github/workflows/test-e2e.yml`** - E2E Tests - Initial PR checks
- **`.github/workflows/test-e2e-fork.yml`** - E2E tests [fork] - Dispatch action handler
- **`.github/workflows/e2e-tests.yml`** - E2E Tests [reusable] - Reusable workflow for actual testing
## Testing Checklist
- [ ] PR created with failing check-external-pr check (for external PRs)
- [ ] Workflow approved to run (if required)
- [ ] Slash command posted with valid SHA
- [ ] Dispatch action triggered successfully
- [ ] `check-external-pr` check run updated with correct conclusion