PR test runner #4140
base: master
The trigger for running tests is disabled until we want to enable them. In order to run, these scripts (like other workflow scripts) must be in the main branch (master).
- Deploy now depends on successful tests.
- Action processing tests now fails on inconclusive or failure.
Ok, looks like we need to address https://github.com/EnricoMi/publish-unit-test-result-action/blob/v2.18.0/README.md#support-fork-repositories-and-dependabot-branches before the tests will run on PRs from separate repos. Will check this soon. Anyway, it can be reviewed already.
Haven't had much of a chance to review things (sorry!), but FYI the previous PR (#2626) was set up to handle fork PRs as described in that link. Could probably steal the setup from there, at least as inspiration.
Yeah, I totally based it on that one; I think I removed something related when merging the workflows into one file, though. Thanks for the tip!
Ok, I think it's working now, but the secondary workflows need to be in master for them to work. Difficult to tell, tbh. I did try at saurtron#9 and it still seems to work. Anyway, I'll still tweak a bit, since some things need to be changed when in 2 files and I'm not sure everything is tuned right now. I tried before with 3 separate workflows (like yours + deploy), also with 2, so I'll review.
bd43a2e, 139 more lines to read and maintain. Why?
Seems we overlooked this: https://github.com/EnricoMi/publish-unit-test-result-action/blob/v2.18.0/README.md#support-fork-repositories-and-dependabot-branches. It's just ~40 lines more, btw; anyway, there doesn't seem to be much we can do about it, can't fix it without some extra lines, sorry.
A bit more background, after having checked the issue that required those changes: this seems to be a security mechanism to avoid getting hacked through GitHub Actions, check this: https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/. These parts are the most interesting: "Since, by definition, a PR supplies code to any build or test logic in place for your project, attackers can achieve arbitrary code execution in a workflow runner operating on a malicious PR in a variety of ways." "Due to the dangers inherent to automatic processing of PRs, GitHub’s standard pull_request workflow trigger by default prevents write permissions and secrets access to the target repository."
Also, having read all that, I'd say the original three-workflow way would be the most secure in order to avoid getting hacked by https://github.com/EnricoMi/publish-unit-test-result-action itself, although we could avoid that by having a private copy of it, or pinning some specific commit maybe. Not totally sure though, would have to read more about the permissions... also I think disabling comments for that action makes it not require write access to the repo.
```yaml
name: Run Tests

on:
# pull_request
```
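Review bot: the commented-out `# pull_request` under `on:` matches the PR description, which says the test trigger is disabled for now, but nothing in the snippet records that intent; a short comment beside it naming the trigger that will be enabled later (and why it is off) would keep readers from taking this for an accidental leftover.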
This does more than pull request. I know I am being picky lol
To keep code pretty, maybe add a linter? (I didn't see one being used.) Just found this action available, but I am sure there are others.
for convenience, from #2626:
This uses https://github.com/EnricoMi/publish-unit-test-result-action to publish test results for PRs, including forks. It uses roughly the setup described here to do so. This means there is one workflow that runs on the PR branch and executes the tests, and a second workflow that runs on the master branch and publishes the results.
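The two-workflow split described above and in the earlier comment on the pwn-request risk, written out as an added example (this is not code from this PR or from the publish-unit-test-result-action project); the workflow file names, the `./run-tests.sh` script and the `test-results/` path are assumptions:

```yaml
# .github/workflows/tests.yml (hypothetical file name)
# Runs in the PR's own context. With the pull_request trigger, GITHUB_TOKEN is
# read-only and repository secrets are withheld, so code supplied by the PR
# cannot write to the repo even though it executes here.
name: Run Tests
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run test suite
        run: ./run-tests.sh   # hypothetical; assumed to write JUnit XML to test-results/
      - name: Upload results for the publishing workflow
        if: always()          # upload even when tests fail, so failures get published
        uses: actions/upload-artifact@v4
        with:
          name: test-results
          path: test-results/
---
# .github/workflows/publish-results.yml (hypothetical file name)
# Runs from the default branch's copy of this file with a token that may write
# checks, but executes none of the PR's code: it only reads the artifact.
name: Publish Test Results
on:
  workflow_run:
    workflows: ["Run Tests"]
    types: [completed]
permissions:
  checks: write
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - name: Download the results artifact from the triggering run
        uses: actions/download-artifact@v4
        with:
          name: test-results
          path: test-results
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      # Pinning this to a full commit SHA instead of @v2 limits exposure to the
      # action's own supply chain, as the comment above suggests.
      - name: Publish results as a check on the PR's commit
        uses: EnricoMi/publish-unit-test-result-action@v2
        with:
          files: test-results/**/*.xml
          commit: ${{ github.event.workflow_run.head_sha }}
          comment_mode: off   # no PR comments, so pull-requests: write is not needed
```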