Update PR tests to use pull_request_target (#2087)
This grants external PRs access to secrets in order to be able to run database tests. For security purposes, external PRs will not automatically run tests; tests must be triggered by someone with write permissions to the repo (the core Malloy team).

This changes the names of the tests that are run, so older PRs will need to be updated to include these changes in order to pass the required test checks.
whscullin authored Jan 13, 2025
1 parent d7856cc commit 8216876
Showing 12 changed files with 66 additions and 88 deletions.
11 changes: 3 additions & 8 deletions .github/workflows/db-bigquery.yaml
@@ -1,7 +1,6 @@
name: "DB:BigQuery"
name: 'DB:BigQuery'

on:
pull_request:
workflow_call:
secrets:
BIGQUERY_KEY:
@@ -11,18 +10,14 @@ jobs:
test-bigquery:
runs-on: ubuntu-latest

strategy:
matrix:
node-version: [18.x]

steps:
- uses: actions/checkout@v4
with:
submodules: 'true'
- name: Use Node.js ${{ matrix.node-version }}
- name: Use Node.js 18.x
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
node-version: 18.x
- name: GCloud auth
uses: 'google-github-actions/auth@v2'
with:
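Review bot: With the `pull_request` trigger removed, this workflow runs only when called from `run-tests.yaml`, and the `actions/checkout@v4` step still has no `ref:`, so which commit gets built while `BIGQUERY_KEY` is in scope depends entirely on the caller's event. If the caller runs on `pull_request_target`, as the commit title says, checkout defaults to the base branch and the PR's own changes would not be exercised; if a `ref:` pointing at the PR head is added later, that code runs with the secret and the caller's permission gate becomes the only protection. A comment above the checkout step would record this, e.g. `# Called via workflow_call only; checkout ref follows the caller's event. Do not check out the PR head without the check-permission gate.` The same applies to the db-motherduck, db-presto, db-snowflake, db-trino and main sections, which also receive secrets.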
12 changes: 4 additions & 8 deletions .github/workflows/db-duckdb-wasm.yaml
@@ -1,23 +1,19 @@
name: "DB:DuckDB(WASM)"
name: 'DB:DuckDB(WASM)'

on: [pull_request, workflow_call]
on: workflow_call

jobs:
test-duckdb-wasm:
runs-on: ubuntu-latest

strategy:
matrix:
node-version: [18.x]

steps:
- uses: actions/checkout@v4
with:
submodules: 'true'
- name: Use Node.js ${{ matrix.node-version }}
- name: Use Node.js
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
node-version: 18.x
- name: npm install, build, and test
run: |
npm ci --loglevel error
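Review bot: The setup step is named `Use Node.js` in this file but `Use Node.js 18.x` in the sibling DB workflows; `- name: Use Node.js 18.x` would keep the log output uniform. With the matrix gone, the literal `18.x` is repeated in every workflow on this page, so a short comment noting that the value must be bumped in all of them together would help the next upgrade.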
12 changes: 4 additions & 8 deletions .github/workflows/db-duckdb.yaml
@@ -1,23 +1,19 @@
name: "DB:DuckDB"
name: 'DB:DuckDB'

on: [pull_request, workflow_call]
on: workflow_call

jobs:
test-duckdb:
runs-on: ubuntu-latest

strategy:
matrix:
node-version: [18.x]

steps:
- uses: actions/checkout@v4
with:
submodules: 'true'
- name: Use Node.js ${{ matrix.node-version }}
- name: Use Node.js 18.x
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
node-version: 18.x
- name: npm install, build, and test
run: |
npm ci --loglevel error
11 changes: 3 additions & 8 deletions .github/workflows/db-motherduck.yaml
@@ -1,7 +1,6 @@
name: "DB:MotherDuck"
name: 'DB:MotherDuck'

on:
pull_request:
workflow_call:
secrets:
MOTHERDUCK_TOKEN_10:
@@ -11,18 +10,14 @@ jobs:
test-motherduck:
runs-on: ubuntu-latest

strategy:
matrix:
node-version: [18.x]

steps:
- uses: actions/checkout@v4
with:
submodules: 'true'
- name: Use Node.js ${{ matrix.node-version }}
- name: Use Node.js 18.x
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
node-version: 18.x
- name: npm install, build, and test
run: |
npm ci --loglevel error
12 changes: 4 additions & 8 deletions .github/workflows/db-mysql.yaml
@@ -1,24 +1,20 @@
name: "DB:MySQL"
name: 'DB:MySQL'

on: [pull_request, workflow_call]
on: workflow_call

jobs:
# Label of the container job
test-mysql:
runs-on: ubuntu-latest

strategy:
matrix:
node-version: [18.x]

steps:
- uses: actions/checkout@v4
with:
submodules: 'true'
- name: Use Node.js ${{ matrix.node-version }}
- name: Use Node.js 18.x
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
node-version: 18.x
- name: npm install, build, and test
run: |
npm ci --loglevel error
12 changes: 4 additions & 8 deletions .github/workflows/db-postgres.yaml
@@ -1,16 +1,12 @@
name: "DB:Postgres"
name: 'DB:Postgres'

on: [pull_request, workflow_call]
on: workflow_call

jobs:
# Label of the container job
test-postgres:
runs-on: ubuntu-latest

strategy:
matrix:
node-version: [18.x]

services:
postgres:
image: postgres
@@ -29,10 +25,10 @@ jobs:
- uses: actions/checkout@v4
with:
submodules: 'true'
- name: Use Node.js ${{ matrix.node-version }}
- name: Use Node.js 18.x
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
node-version: 18.x
- name: npm install, build, and test
run: |
npm ci --loglevel error
11 changes: 3 additions & 8 deletions .github/workflows/db-presto.yaml
@@ -1,7 +1,6 @@
name: "DB:Presto"
name: 'DB:Presto'

on:
pull_request:
workflow_call:
secrets:
BQ_PRESTO_TRINO_KEY:
@@ -12,18 +11,14 @@ jobs:
test-presto:
runs-on: ubuntu-latest

strategy:
matrix:
node-version: [18.x]

steps:
- uses: actions/checkout@v4
with:
submodules: 'true'
- name: Use Node.js ${{ matrix.node-version }}
- name: Use Node.js 18.x
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
node-version: 18.x
- name: npm install, build, and test
run: |
npm ci --loglevel error
11 changes: 3 additions & 8 deletions .github/workflows/db-snowflake.yaml
@@ -1,7 +1,6 @@
name: "DB:Snowflake"
name: 'DB:Snowflake'

on:
pull_request:
workflow_call:
secrets:
SNOWFLAKE_CONNECTION:
@@ -11,18 +10,14 @@ jobs:
test-snowflake:
runs-on: ubuntu-latest

strategy:
matrix:
node-version: [18.x]

steps:
- uses: actions/checkout@v4
with:
submodules: 'true'
- name: Use Node.js ${{ matrix.node-version }}
- name: Use Node.js 18.x
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
node-version: 18.x
- name: npm install, build, and test
run: |
npm ci --loglevel error
11 changes: 3 additions & 8 deletions .github/workflows/db-trino.yaml
@@ -1,7 +1,6 @@
name: "DB:Trino"
name: 'DB:Trino'

on:
pull_request:
workflow_call:
secrets:
BQ_PRESTO_TRINO_KEY:
@@ -12,18 +11,14 @@ jobs:
test-trino:
runs-on: ubuntu-latest

strategy:
matrix:
node-version: [18.x]

steps:
- uses: actions/checkout@v4
with:
submodules: 'true'
- name: Use Node.js ${{ matrix.node-version }}
- name: Use Node.js 18.x
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
node-version: 18.x
- name: npm install, build, and test
run: |
npm ci --loglevel error
11 changes: 3 additions & 8 deletions .github/workflows/main.yaml
@@ -5,20 +5,15 @@
name: Core

on:
pull_request:
workflow_call:
secrets:
BIGQUERY_KEY:
required: true

jobs:
test-all:
main:
runs-on: ubuntu-latest

strategy:
matrix:
node-version: [18.x]

services:
postgres:
image: postgres
@@ -37,10 +32,10 @@ jobs:
- uses: actions/checkout@v4
with:
submodules: 'true'
- name: Use Node.js ${{ matrix.node-version }}
- name: Use Node.js 18.x
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
node-version: 18.x
- name: GCloud auth
uses: 'google-github-actions/auth@v2'
with:
24 changes: 22 additions & 2 deletions .github/workflows/run-tests.yaml
@@ -1,33 +1,53 @@
name: Malloy Tests

on: [workflow_dispatch]
on: [workflow_dispatch, pull_request]

jobs:
check-permission:
runs-on: ubuntu-latest
steps:
- name: Permission Check
uses: malloydata/check-ci-permissions@v1
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
username: ${{ github.triggering_actor }}
error_message: |
User does not have write access to this repository. Refer to CONTRIBUTING.md instructions on how to contribute to Malloy.
# *** IMPORTANT ***
# When modifying these, make sure that needs: check-permission
# is part of any job that requires secrets.
main:
needs: check-permission
uses: './.github/workflows/main.yaml'
secrets:
BIGQUERY_KEY: ${{ secrets.BIGQUERY_KEY }}
db-trino:
needs: check-permission
uses: './.github/workflows/db-trino.yaml'
secrets:
BQ_PRESTO_TRINO_KEY: ${{ secrets.BQ_PRESTO_TRINO_KEY }}
db-presto:
needs: check-permission
uses: './.github/workflows/db-presto.yaml'
secrets:
BQ_PRESTO_TRINO_KEY: ${{ secrets.BQ_PRESTO_TRINO_KEY }}
db-duckdb:
uses: './.github/workflows/db-duckdb.yaml'
db-bigquery:
needs: check-permission
uses: './.github/workflows/db-bigquery.yaml'
secrets:
BIGQUERY_KEY: ${{ secrets.BIGQUERY_KEY }}
db-motherduck:
needs: check-permission
uses: './.github/workflows/db-motherduck.yaml'
secrets:
MOTHERDUCK_TOKEN_10: ${{ secrets.MOTHERDUCK_TOKEN_10 }}
db-postgres:
uses: './.github/workflows/db-postgres.yaml'
db-snowflake:
needs: check-permission
uses: './.github/workflows/db-snowflake.yaml'
secrets:
SNOWFLAKE_CONNECTION: ${{ secrets.SNOWFLAKE_CONNECTION }}
@@ -37,7 +57,7 @@ jobs:
uses: './.github/workflows/db-duckdb-wasm.yaml'

# I think I have the sorted roughly longest to shortest
# so the longer running jobs get wrokers sooner, not sure
# so the longer running jobs get workers sooner, not sure
# that is the right plan
malloy-tests:
needs:
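Review bot: The `check-permission` job is the only gate between an external PR and the secrets passed to the jobs below, but it runs `malloydata/check-ci-permissions@v1` by mutable tag and no `permissions:` key is visible in this file, so the `GITHUB_TOKEN` it receives has the repository's default scope. Pin the gate to a full commit SHA, `uses: malloydata/check-ci-permissions@<full-commit-sha>  # v1`, and add a top-level `permissions:` with `contents: read`, after confirming the permission lookup still works with the narrower token. The `on:` line shown lists `pull_request`, while the commit title and description describe `pull_request_target`; GitHub withholds secrets from fork runs under the former and supplies them under the latter, so the merged trigger should be checked against the stated intent. `db-duckdb` and `db-postgres` carry no `needs: check-permission`, which is consistent with the IMPORTANT comment only while they receive no secrets.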