Skip to content
Trusted integration

Trusted integration #83

Sign in to view logs

Trusted integration

Trusted integration #83

Workflow file for this run

.github/workflows/integration-trust.yml at 3153c8f
---
# Integration tests that need access to secrets.
name: Trusted integration
on:
pull_request_target:
types:
# not for "labeled" to prevent two builds for "labeled" and "unlabeled" when labels are changed
- unlabeled # if GitHub Actions stuck, add and remove "not ready" label to force rebuild
- opened
- reopened
- synchronize
push:
branches:
- main
schedule:
- cron: "12 2 * * *" # after integration workflow to reuse cache
# Do not run this workflow in parallel for any PR change or branch/tag push
# to save some resources.
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.ref_name }}
cancel-in-progress: true
env:
GOPATH: /home/runner/go
GOCACHE: /home/runner/go/cache
GOLANGCI_LINT_CACHE: /home/runner/go/cache/lint
GOMODCACHE: /home/runner/go/mod
GOPROXY: https://proxy.golang.org
jobs:
test:
name: Test ${{ matrix.name }}
runs-on:
group: paid
timeout-minutes: 30
if: >
github.event_name != 'pull_request_target' ||
(
contains(github.event.pull_request.labels.*.name, 'trust') &&
!contains(github.event.pull_request.labels.*.name, 'not ready')
)
strategy:
fail-fast: false
matrix:
include:
- { name: "Hana", task: "hana" }
steps:
- name: Checkout code
uses: actions/checkout@v3
with:
fetch-depth: 0 # for `git describe` to work
lfs: false # LFS is used only by website
- name: Checkout pull request code
if: github.event_name == 'pull_request_target'
uses: actions/checkout@v3
with:
fetch-depth: 0
lfs: false
ref: ${{ github.event.pull_request.head.sha }}
# for branch.txt on pull_request_target; `main` is already checked out on push / schedule
- name: Name branch
if: github.event_name == 'pull_request_target'
env:
BRANCH: ${{ github.head_ref }} # see https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
run: git checkout -b $BRANCH
- name: Setup Go
uses: FerretDB/github-actions/setup-go@main
with:
cache-key: integration
- name: Install Task
run: go generate -x
working-directory: tools
- name: Start environment
run: bin/task env-up-detach
- name: Run init
run: bin/task init
- name: Wait for and setup environment
run: bin/task env-setup
- name: Run ${{ matrix.task }} tests
run: bin/task test-integration-${{ matrix.task }}
env:
FERRETDB_HANA_URL: ${{ secrets.FERRETDB_HANA_URL }}
# The token is not required but should make uploads more stable.
# If secrets are unavailable (for example, for a pull request from a fork), it fallbacks to the tokenless uploads.
#
# Unfortunately, it seems that tokenless uploads fail too often.
# See https://github.com/codecov/codecov-action/issues/837.
#
# We also can't use ${{ vars.CODECOV_TOKEN }}: https://github.com/orgs/community/discussions/44322
- name: Upload coverage information to codecov
uses: codecov/codecov-action@v3
with:
token: 22159d7c-856d-4fe9-8fdb-5d9ecff35514
files: ./integration/integration-${{ matrix.task }}.txt
flags: integration,${{ matrix.task }}
fail_ci_if_error: true
verbose: true
- name: Upload coverage information to coveralls
uses: coverallsapp/github-action@v2
with:
file: ./integration/integration-${{ matrix.task }}.txt
flag-name: integration-${{ matrix.task }}
parallel: true
# we don't want them on CI
- name: Clean test and fuzz caches
if: always()
run: go clean -testcache -fuzzcache
- name: Check dirty
run: |
git status
git diff --exit-code
submit-coveralls:
name: Submit coveralls
runs-on: ubuntu-22.04
needs: test
if: github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'not ready')
steps:
- name: Submit coveralls
uses: coverallsapp/github-action@v2
with:
parallel-finished: true
carryforward: unit # workaround for https://github.com/lemurheavy/coveralls-public/issues/1636