feat: iac updates and GovCloud setup #12
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Given: I want to use Merge Queue | |
# Given: I don't want to have to run tests twice (default behavior is to require passing tests before adding to the merge queue, then run them again in the merge queue) | |
# Given: I always want tests to run and pass before the PR is merged to main, unless I explicitly grant an exemption | |
# Given: I want to grant an exemption to allow tests to be skipped if the PR consists of only changes to files with extension ".md" | |
# Given: I want to run the tests if I use the "/test" chatops command in a PR | |
# When: Events with name "pull_request" happen | |
# Then: Immediately report success | |
# When: Events with name "merge_group" happen | |
# And: The PR meets the criteria for granting an exemption | |
# Then: Immediately report success | |
# When: Events with name "merge_group" happen | |
# And: The PR does not meet the criteria for granting an exemption | |
# Then: Run the tests | |
# When: I comment "/test all" in a PR | |
# Then: Run all tests | |
# When: I comment "/test <testname>" in a PR | |
# Then: Run just that test | |
name: trigger-tests | |
on: | |
pull_request: | |
merge_group: | |
issue_comment: | |
types: [created] | |
permissions: | |
id-token: write | |
contents: read | |
defaults: | |
run: | |
# We need -e -o pipefail for consistency with GitHub Actions' default behavior | |
shell: bash -e -o pipefail {0} | |
jobs: | |
skip-tests-if-pull-request-event: | |
if: github.event_name == 'pull_request' | |
runs-on: ubuntu-latest | |
steps: | |
- name: skip-tests-if-pull-request-event | |
# noinspection YAMLSchemaValidation | |
uses: defenseunicorns/delivery-github-actions-workflows/.github/actions/report-status-context@main | |
with: | |
application_id: ${{ secrets.NARWHAL_BOT_APP_ID }} | |
application_private_key: ${{ secrets.NARWHAL_BOT_SECRET }} | |
status-check: test / e2e-all | |
status: success | |
description: "Tests skipped because this is a pull_request event" | |
test-exemption: | |
if: github.event_name == 'merge_group' | |
runs-on: ubuntu-latest | |
outputs: | |
# return 'true' if any files in the PR are not exempt | |
not-exempt: ${{ steps.changed-files.outputs.not-exempt_any_modified }} | |
steps: | |
- name: checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: changed-files | |
id: changed-files | |
uses: tj-actions/changed-files@v41 | |
with: | |
base_sha: ${{ github.event.merge_group.base_sha }} | |
sha: ${{ github.event.merge_group.head_sha }} | |
fail_on_initial_diff_error: true | |
fail_on_submodule_diff_error: true | |
files_yaml: | | |
not-exempt: | |
- '**' | |
- '!**/*.md' | |
- name: Show output | |
run: | | |
echo '${{ toJSON(steps.changed-files.outputs) }}' | |
skip-tests-if-merge-group-event-and-exemption-criteria-met: | |
needs: test-exemption | |
if: github.event_name == 'merge_group' && needs.test-exemption.outputs.not-exempt != 'true' | |
runs-on: ubuntu-latest | |
steps: | |
- name: skip-tests-if-merge-group-event-and-exemption-criteria-met | |
# noinspection YAMLSchemaValidation | |
uses: defenseunicorns/delivery-github-actions-workflows/.github/actions/report-status-context@main | |
with: | |
application_id: ${{ secrets.NARWHAL_BOT_APP_ID }} | |
application_private_key: ${{ secrets.NARWHAL_BOT_SECRET }} | |
status-check: test / e2e-all | |
status: success | |
description: "Tests skipped because this is a merge_group event and the PR meets the criteria for granting an exemption" | |
test-e2e-all: | |
needs: test-exemption | |
if: github.event_name == 'merge_group' && needs.test-exemption.outputs.not-exempt == 'true' | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout Repo | |
uses: actions/checkout@v4 | |
with: | |
repository: ${{ github.event.client_payload.pull_request.head.repo.full_name || github.event.pull_request.head.repo.full_name || github.repository }} | |
ref: ${{ github.event.client_payload.pull_request.head.ref || github.event.pull_request.head.ref || github.ref_name }} | |
- name: cache | |
uses: ./.github/actions/cache | |
with: | |
action: restore | |
- name: Run E2E Tests | |
uses: ./.github/actions/e2e | |
with: | |
application_id: ${{ secrets.NARWHAL_BOT_APP_ID }} | |
application_private_key: ${{ secrets.NARWHAL_BOT_SECRET }} | |
role-to-assume: ${{ secrets.AWS_COMMERCIAL_ROLE_TO_ASSUME }} | |
region: us-east-1 | |
github-context: test / e2e-all | |
target-to-run: "_test-all" | |
slash-command-dispatch-test: | |
if: github.event_name == 'issue_comment' && github.event.issue.pull_request && contains(github.event.comment.body, '/test') | |
runs-on: ubuntu-latest | |
steps: | |
- name: Get token | |
id: get_workflow_token | |
uses: peter-murray/workflow-application-token-action@v2 | |
with: | |
application_id: ${{ secrets.NARWHAL_BOT_APP_ID }} | |
application_private_key: ${{ secrets.NARWHAL_BOT_SECRET }} | |
- name: Slash Command Dispatch | |
uses: peter-evans/slash-command-dispatch@v3 | |
with: | |
token: ${{ steps.get_workflow_token.outputs.token }} | |
reaction-token: ${{ steps.get_workflow_token.outputs.token }} | |
commands: test | |
permission: write | |
issue-type: pull-request |