pulumi/.github/workflows/pr-test-acceptance-on-dispa...

77 lines
2.6 KiB
YAML

# SECURITY: This PR run on untrusted branches when a maintainer comments "/run-acceptance-tests".
#
# Changes "permissions" and "secrets" should be narrowly scoped and carefully reviewed.
#
# Reusable workflows, "uses" jobs, *must* specify the main branch.
name: dispatched-acceptance-test
on:
repository_dispatch:
types: [run-acceptance-tests-command]
permissions:
contents: read
# Only the 'changelog-comment' job should use this permission.
pull-requests: write
# To sign artifacts.
id-token: write
concurrency:
group: ${{ github.workflow }}-${{ github.event.client_payload.pull_request.number }}
cancel-in-progress: true
jobs:
info:
name: info
uses: pulumi/pulumi/.github/workflows/ci-info.yml@master
permissions:
contents: read
with:
ref: ${{ github.ref }}
is-snapshot: true
secrets: inherit
comment-notification:
runs-on: ubuntu-latest
if: ${{ github.event_name == 'repository_dispatch' }}
permissions:
contents: read
pull-requests: write
steps:
- name: Update with Result
uses: peter-evans/create-or-update-comment@v4
with:
token: ${{ secrets.PULUMI_BOT_TOKEN }}
repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
comment-id: ${{ github.event.client_payload.github.payload.comment.id }}
issue-number: ${{ github.event.client_payload.github.payload.issue.number }}
body: |
Please view the results of the acceptance tests [Here](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})
ci:
name: CI
needs: [info]
uses: pulumi/pulumi/.github/workflows/ci.yml@master
permissions:
contents: read
# To sign artifacts.
id-token: write
with:
ref: refs/pull/${{ github.event.client_payload.pull_request.number }}/merge
version: ${{ needs.info.outputs.version }}
lint: true
test-version-sets: current
integration-test-platforms: ubuntu-latest
acceptance-test-platforms: 'windows-latest'
# We'll only upload coverage artifacts with the periodic-coverage cron workflow.
enable-coverage: false
secrets:
# Scope secrets to the minimum required:
PULUMI_PROD_ACCESS_TOKEN: ${{ secrets.PULUMI_PROD_ACCESS_TOKEN }}
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
AZURE_STORAGE_SAS_TOKEN: ${{ secrets.AZURE_STORAGE_SAS_TOKEN }}
GCP_SERVICE_ACCOUNT: ${{ secrets.GCP_SERVICE_ACCOUNT }}