[Internal] Always write message for manual integration test trigger (#1874)

## Changes
Old script could not be run from master due to security restrictions and
there is no reliable way to detect if a user as secrets.


## Tests
Opened a PR in SDK Java from fork
https://github.com/databricks/databricks-sdk-java/pull/375
This commit is contained in:
hectorcast-db 2024-10-31 15:29:08 +01:00 committed by GitHub
parent 4a2d866f9a
commit 2bbdd04217
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 10 additions and 67 deletions

View File

@ -11,7 +11,6 @@ on:
branches: branches:
- main - main
jobs: jobs:
comment-on-pr: comment-on-pr:
runs-on: ubuntu-latest runs-on: ubuntu-latest
@ -19,73 +18,15 @@ jobs:
pull-requests: write pull-requests: write
steps: steps:
# NOTE: The following checks may not be accurate depending on Org or Repo settings.
- name: Check user and potential secret access
id: check-secrets-access
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
USER_LOGIN="${{ github.event.pull_request.user.login }}"
REPO_OWNER="${{ github.repository_owner }}"
REPO_NAME="${{ github.event.repository.name }}"
echo "Pull request opened by: $USER_LOGIN"
# Check if PR is from a fork
IS_FORK=$([[ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]] && echo "true" || echo "false")
HAS_ACCESS="false"
# Check user's permission level on the repository
USER_PERMISSION=$(gh api repos/$REPO_OWNER/$REPO_NAME/collaborators/$USER_LOGIN/permission --jq '.permission')
if [[ "$USER_PERMISSION" == "admin" || "$USER_PERMISSION" == "write" ]]; then
HAS_ACCESS="true"
elif [[ "$USER_PERMISSION" == "read" ]]; then
# For read access, we need to check if the user has been explicitly granted secret access
# This information is not directly available via API, so we'll make an assumption
# that read access does not imply secret access
HAS_ACCESS="false"
fi
# Check if repo owner is an organization
IS_ORG=$(gh api users/$REPO_OWNER --jq '.type == "Organization"')
if [[ "$IS_ORG" == "true" && "$HAS_ACCESS" == "false" ]]; then
# Check if user is a member of any team with write or admin access to the repo
TEAMS_WITH_ACCESS=$(gh api repos/$REPO_OWNER/$REPO_NAME/teams --jq '.[] | select(.permission == "push" or .permission == "admin") | .slug')
for team in $TEAMS_WITH_ACCESS; do
IS_TEAM_MEMBER=$(gh api orgs/$REPO_OWNER/teams/$team/memberships/$USER_LOGIN --silent && echo "true" || echo "false")
if [[ "$IS_TEAM_MEMBER" == "true" ]]; then
HAS_ACCESS="true"
break
fi
done
fi
# If it's a fork, set HAS_ACCESS to false regardless of other checks
if [[ "$IS_FORK" == "true" ]]; then
HAS_ACCESS="false"
fi
echo "has_secrets_access=$HAS_ACCESS" >> $GITHUB_OUTPUT
if [[ "$HAS_ACCESS" == "true" ]]; then
echo "User $USER_LOGIN likely has access to secrets"
else
echo "User $USER_LOGIN likely does not have access to secrets"
fi
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- name: Delete old comments - name: Delete old comments
if: steps.check-secrets-access.outputs.has_secrets_access != 'true'
env: env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: | run: |
# Delete previous comment if it exists # Delete previous comment if it exists
previous_comment_ids=$(gh api "repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \ previous_comment_ids=$(gh api "repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \
--jq '.[] | select(.body | startswith("<!-- INTEGRATION_TESTS -->")) | .id') --jq '.[] | select(.body | startswith("<!-- INTEGRATION_TESTS_MANUAL -->")) | .id')
echo "Previous comment IDs: $previous_comment_ids" echo "Previous comment IDs: $previous_comment_ids"
# Iterate over each comment ID and delete the comment # Iterate over each comment ID and delete the comment
if [ ! -z "$previous_comment_ids" ]; then if [ ! -z "$previous_comment_ids" ]; then
@ -96,14 +37,15 @@ jobs:
fi fi
- name: Comment on PR - name: Comment on PR
if: steps.check-secrets-access.outputs.has_secrets_access != 'true'
env: env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
COMMIT_SHA: ${{ github.event.pull_request.head.sha }} COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
run: | run: |
gh pr comment ${{ github.event.pull_request.number }} --body \ gh pr comment ${{ github.event.pull_request.number }} --body \
"<!-- INTEGRATION_TESTS --> "<!-- INTEGRATION_TESTS_MANUAL -->
Run integration tests manually: If integration tests don't run automatically, an authorized user can run them manually by following the instructions below:
Trigger:
[go/deco-tests-run/cli](https://go/deco-tests-run/cli) [go/deco-tests-run/cli](https://go/deco-tests-run/cli)
Inputs: Inputs:

View File

@ -11,17 +11,18 @@ on:
jobs: jobs:
check-token: check-token:
runs-on: ubuntu-latest runs-on: ubuntu-latest
environment: "test-trigger-is"
outputs: outputs:
has_token: ${{ steps.set-token-status.outputs.has_token }} has_token: ${{ steps.set-token-status.outputs.has_token }}
steps: steps:
- name: Check if GITHUB_TOKEN is set - name: Check if DECO_WORKFLOW_TRIGGER_APP_ID is set
id: set-token-status id: set-token-status
run: | run: |
if [ -z "${{ secrets.GITHUB_TOKEN }}" ]; then if [ -z "${{ secrets.DECO_WORKFLOW_TRIGGER_APP_ID }}" ]; then
echo "GITHUB_TOKEN is empty. User has no access to tokens." echo "DECO_WORKFLOW_TRIGGER_APP_ID is empty. User has no access to secrets."
echo "::set-output name=has_token::false" echo "::set-output name=has_token::false"
else else
echo "GITHUB_TOKEN is set. User has no access to tokens." echo "DECO_WORKFLOW_TRIGGER_APP_ID is set. User has access to secrets."
echo "::set-output name=has_token::true" echo "::set-output name=has_token::true"
fi fi