Trusted integration #83
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
# Integration tests that need access to secrets. | |
name: Trusted integration | |
on: | |
pull_request_target: | |
types: | |
# not for "labeled" to prevent two builds for "labeled" and "unlabeled" when labels are changed | |
- unlabeled # if GitHub Actions stuck, add and remove "not ready" label to force rebuild | |
- opened | |
- reopened | |
- synchronize | |
push: | |
branches: | |
- main | |
schedule: | |
- cron: "12 2 * * *" # after integration workflow to reuse cache | |
# Do not run this workflow in parallel for any PR change or branch/tag push | |
# to save some resources. | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.head_ref || github.ref_name }} | |
cancel-in-progress: true | |
env: | |
GOPATH: /home/runner/go | |
GOCACHE: /home/runner/go/cache | |
GOLANGCI_LINT_CACHE: /home/runner/go/cache/lint | |
GOMODCACHE: /home/runner/go/mod | |
GOPROXY: https://proxy.golang.org | |
jobs: | |
test: | |
name: Test ${{ matrix.name }} | |
runs-on: | |
group: paid | |
timeout-minutes: 30 | |
if: > | |
github.event_name != 'pull_request_target' || | |
( | |
contains(github.event.pull_request.labels.*.name, 'trust') && | |
!contains(github.event.pull_request.labels.*.name, 'not ready') | |
) | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- { name: "Hana", task: "hana" } | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 # for `git describe` to work | |
lfs: false # LFS is used only by website | |
- name: Checkout pull request code | |
if: github.event_name == 'pull_request_target' | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
lfs: false | |
ref: ${{ github.event.pull_request.head.sha }} | |
# for branch.txt on pull_request_target; `main` is already checked out on push / schedule | |
- name: Name branch | |
if: github.event_name == 'pull_request_target' | |
env: | |
BRANCH: ${{ github.head_ref }} # see https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable | |
run: git checkout -b $BRANCH | |
- name: Setup Go | |
uses: FerretDB/github-actions/setup-go@main | |
with: | |
cache-key: integration | |
- name: Install Task | |
run: go generate -x | |
working-directory: tools | |
- name: Start environment | |
run: bin/task env-up-detach | |
- name: Run init | |
run: bin/task init | |
- name: Wait for and setup environment | |
run: bin/task env-setup | |
- name: Run ${{ matrix.task }} tests | |
run: bin/task test-integration-${{ matrix.task }} | |
env: | |
FERRETDB_HANA_URL: ${{ secrets.FERRETDB_HANA_URL }} | |
# The token is not required but should make uploads more stable. | |
# If secrets are unavailable (for example, for a pull request from a fork), it fallbacks to the tokenless uploads. | |
# | |
# Unfortunately, it seems that tokenless uploads fail too often. | |
# See https://github.com/codecov/codecov-action/issues/837. | |
# | |
# We also can't use ${{ vars.CODECOV_TOKEN }}: https://github.com/orgs/community/discussions/44322 | |
- name: Upload coverage information to codecov | |
uses: codecov/codecov-action@v3 | |
with: | |
token: 22159d7c-856d-4fe9-8fdb-5d9ecff35514 | |
files: ./integration/integration-${{ matrix.task }}.txt | |
flags: integration,${{ matrix.task }} | |
fail_ci_if_error: true | |
verbose: true | |
- name: Upload coverage information to coveralls | |
uses: coverallsapp/github-action@v2 | |
with: | |
file: ./integration/integration-${{ matrix.task }}.txt | |
flag-name: integration-${{ matrix.task }} | |
parallel: true | |
# we don't want them on CI | |
- name: Clean test and fuzz caches | |
if: always() | |
run: go clean -testcache -fuzzcache | |
- name: Check dirty | |
run: | | |
git status | |
git diff --exit-code | |
submit-coveralls: | |
name: Submit coveralls | |
runs-on: ubuntu-22.04 | |
needs: test | |
if: github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'not ready') | |
steps: | |
- name: Submit coveralls | |
uses: coverallsapp/github-action@v2 | |
with: | |
parallel-finished: true | |
carryforward: unit # workaround for https://github.com/lemurheavy/coveralls-public/issues/1636 |