Skip to content

Commit a239cae

Browse files
[Internal] Always write message for manual test integration (#374)
## Changes Old script could not be run from master due to security restrictions and there is no reliable way to detect if a user as secrets. ## Tests Run as pull_request.
1 parent 2f08742 commit a239cae

File tree

2 files changed

+10
-67
lines changed

2 files changed

+10
-67
lines changed

.github/workflows/external-message.yml

Lines changed: 5 additions & 63 deletions
Original file line numberDiff line numberDiff line change
@@ -11,81 +11,22 @@ on:
1111
branches:
1212
- main
1313

14-
1514
jobs:
1615
comment-on-pr:
1716
runs-on: ubuntu-latest
1817
permissions:
1918
pull-requests: write
2019

2120
steps:
22-
# NOTE: The following checks may not be accurate depending on Org or Repo settings.
23-
- name: Check user and potential secret access
24-
id: check-secrets-access
25-
env:
26-
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
27-
run: |
28-
USER_LOGIN="${{ github.event.pull_request.user.login }}"
29-
REPO_OWNER="${{ github.repository_owner }}"
30-
REPO_NAME="${{ github.event.repository.name }}"
31-
32-
echo "Pull request opened by: $USER_LOGIN"
33-
34-
# Check if PR is from a fork
35-
IS_FORK=$([[ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]] && echo "true" || echo "false")
36-
37-
HAS_ACCESS="false"
38-
39-
# Check user's permission level on the repository
40-
USER_PERMISSION=$(gh api repos/$REPO_OWNER/$REPO_NAME/collaborators/$USER_LOGIN/permission --jq '.permission')
41-
42-
if [[ "$USER_PERMISSION" == "admin" || "$USER_PERMISSION" == "write" ]]; then
43-
HAS_ACCESS="true"
44-
elif [[ "$USER_PERMISSION" == "read" ]]; then
45-
# For read access, we need to check if the user has been explicitly granted secret access
46-
# This information is not directly available via API, so we'll make an assumption
47-
# that read access does not imply secret access
48-
HAS_ACCESS="false"
49-
fi
50-
51-
# Check if repo owner is an organization
52-
IS_ORG=$(gh api users/$REPO_OWNER --jq '.type == "Organization"')
53-
54-
if [[ "$IS_ORG" == "true" && "$HAS_ACCESS" == "false" ]]; then
55-
# Check if user is a member of any team with write or admin access to the repo
56-
TEAMS_WITH_ACCESS=$(gh api repos/$REPO_OWNER/$REPO_NAME/teams --jq '.[] | select(.permission == "push" or .permission == "admin") | .slug')
57-
for team in $TEAMS_WITH_ACCESS; do
58-
IS_TEAM_MEMBER=$(gh api orgs/$REPO_OWNER/teams/$team/memberships/$USER_LOGIN --silent && echo "true" || echo "false")
59-
if [[ "$IS_TEAM_MEMBER" == "true" ]]; then
60-
HAS_ACCESS="true"
61-
break
62-
fi
63-
done
64-
fi
65-
66-
# If it's a fork, set HAS_ACCESS to false regardless of other checks
67-
if [[ "$IS_FORK" == "true" ]]; then
68-
HAS_ACCESS="false"
69-
fi
70-
71-
echo "has_secrets_access=$HAS_ACCESS" >> $GITHUB_OUTPUT
72-
if [[ "$HAS_ACCESS" == "true" ]]; then
73-
echo "User $USER_LOGIN likely has access to secrets"
74-
else
75-
echo "User $USER_LOGIN likely does not have access to secrets"
76-
fi
77-
78-
7921
- uses: actions/checkout@v4
8022

8123
- name: Delete old comments
82-
if: steps.check-secrets-access.outputs.has_secrets_access != 'true'
8324
env:
8425
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
8526
run: |
8627
# Delete previous comment if it exists
8728
previous_comment_ids=$(gh api "repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \
88-
--jq '.[] | select(.body | startswith("<!-- INTEGRATION_TESTS -->")) | .id')
29+
--jq '.[] | select(.body | startswith("<!-- INTEGRATION_TESTS_MANUAL -->")) | .id')
8930
echo "Previous comment IDs: $previous_comment_ids"
9031
# Iterate over each comment ID and delete the comment
9132
if [ ! -z "$previous_comment_ids" ]; then
@@ -96,14 +37,15 @@ jobs:
9637
fi
9738
9839
- name: Comment on PR
99-
if: steps.check-secrets-access.outputs.has_secrets_access != 'true'
10040
env:
10141
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
10242
COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
10343
run: |
10444
gh pr comment ${{ github.event.pull_request.number }} --body \
105-
"<!-- INTEGRATION_TESTS -->
106-
Run integration tests manually:
45+
"<!-- INTEGRATION_TESTS_MANUAL -->
46+
If integration tests don't run automatically, an authorized user can run them manually by following the instructions below:
47+
48+
Trigger:
10749
[go/deco-tests-run/sdk-java](https://go/deco-tests-run/sdk-java)
10850
10951
Inputs:

.github/workflows/integration-tests.yml

Lines changed: 5 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -10,17 +10,18 @@ jobs:
1010
check-token:
1111
name: Check secrets access
1212
runs-on: ubuntu-latest
13+
environment: "test-trigger-is"
1314
outputs:
1415
has_token: ${{ steps.set-token-status.outputs.has_token }}
1516
steps:
16-
- name: Check if GITHUB_TOKEN is set
17+
- name: Check if DECO_WORKFLOW_TRIGGER_APP_ID is set
1718
id: set-token-status
1819
run: |
19-
if [ -z "${{ secrets.GITHUB_TOKEN }}" ]; then
20-
echo "GITHUB_TOKEN is empty. User has no access to tokens."
20+
if [ -z "${{ secrets.DECO_WORKFLOW_TRIGGER_APP_ID }}" ]; then
21+
echo "DECO_WORKFLOW_TRIGGER_APP_ID is empty. User has no access to secrets."
2122
echo "::set-output name=has_token::false"
2223
else
23-
echo "GITHUB_TOKEN is set. User has no access to tokens."
24+
echo "DECO_WORKFLOW_TRIGGER_APP_ID is set. User has access to secrets."
2425
echo "::set-output name=has_token::true"
2526
fi
2627

0 commit comments

Comments
 (0)