Skip to content

GH Actions: restrict access to certain GH Actions #3895

GH Actions: restrict access to certain GH Actions

GH Actions: restrict access to certain GH Actions #3895

Workflow file for this run

name: "PR: Test code"
on:
# Trigger on all pull requests
pull_request:
branches:
- "*"
# Trigger when called by another GitHub Action
workflow_call:
inputs:
run_all_tests:
required: false
type: boolean
default: true
# Allow manual triggering
workflow_dispatch:
jobs:
test-java:
runs-on: ubuntu-latest
steps:
- name: "Checkout source code"
uses: actions/checkout@v3
- name: "Set up VRO build env"
uses: ./.github/actions/setup-vro
- name: "Run quick linters"
run: |
./gradlew spotlessCheck shellcheck lintDockerfile
- name: "Python isort"
uses: isort/isort-action@v1
with:
requirementsFiles: "**/requirements.txt \
**/dev-requirements.txt"
- name: "Run tests and checks"
# `check` runs all checks, including spectralLint, hadolint, and shellcheck
run: |
echo "::group::Gradle test check"
./gradlew test check
echo "::endgroup::"
echo "::group::Gradle test check - mocks"
./gradlew -p mocks test check
echo "::endgroup::"
- name: "Check for adequate test coverage"
run: |
./gradlew jacocoLogTestCoverage jacocoTestCoverageVerification
- name: "Publish Test Results as PR comment and GH Check Run"
# Known issue: Associates results to random workflow
# https://github.com/EnricoMi/publish-unit-test-result-action/issues/12
uses: EnricoMi/publish-unit-test-result-action@v2
# Skip if Dependabot created the PR due to check-runs permission error
# https://github.com/EnricoMi/publish-unit-test-result-action#support-fork-repositories-and-dependabot-branches
# https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#responding-to-events
if: always() && github.actor != 'dependabot[bot]'
with:
files: |
**/build/test-results/*/*.xml
- name: "Aggregate JaCoCo reports"
# `jacocoAggregatedReport` reports aggregated coverage of all the subprojects
# excluding integrationTest and end2endTest (which are run elsewhere)
run: |
./gradlew jacocoAggregatedReport
- name: "Report JaCoCo Coverage as a GH Check Run"
# This takes about 1 minute, so don't run on PRs
# if: github.event_name != 'pull_request'
id: jacoco_reporter
uses: PavanMudigonda/[email protected]
# Skip if Dependabot created the PR due to check-runs permission error
if: github.actor != 'dependabot[bot]'
with:
coverage_results_path: build/reports/jacoco/jacocoAggregatedReport/jacocoAggregatedReport.xml
coverage_report_name: Coverage
coverage_report_title: JaCoCo
github_token: ${{ secrets.GITHUB_TOKEN }}
skip_check_run: false
minimum_coverage: 80
fail_below_threshold: false
publish_only_summary: false
- name: "Add JaCoCo Coverage Report as PR comment"
if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
uses: madrapps/[email protected]
with:
paths: ${{ github.workspace }}/build/reports/jacoco/jacocoAggregatedReport/jacocoAggregatedReport.xml
token: ${{ secrets.GITHUB_TOKEN }}
update-comment: true
title: "JaCoCo Test Coverage"
test-ruby:
runs-on: ubuntu-latest
steps:
- name: "Checkout source code"
uses: actions/checkout@v3
with:
# Need to fetch more than 1 deep to see changes
fetch-depth: 2
- name: "Get changed Ruby files"
id: changed-files-specific
if: '! inputs.run_all_tests'
uses: tj-actions/changed-files@v35
with:
files: svc-bgs-api/**
- name: "Set up Ruby"
if: inputs.run_all_tests || steps.changed-files-specific.outputs.any_changed == 'true'
uses: ruby/setup-ruby@v1
with:
bundler-cache: true
# Used to resolve .ruby-version, .tool-versions and Gemfile.lock
working-directory: svc-bgs-api/src
- name: "Run rspec tests"
if: inputs.run_all_tests || steps.changed-files-specific.outputs.any_changed == 'true'
env:
# https://github.com/rails/spring
DISABLE_SPRING: true
run: |
cd svc-bgs-api/src
bundle exec rspec --format documentation
test-python:
runs-on: ubuntu-latest
steps:
- name: "Checkout source code"
uses: actions/checkout@v3
with:
# Need to fetch more than 1 deep to see changes
fetch-depth: 2
- name: "Get changed files"
if: '! inputs.run_all_tests'
id: changed-files-specific
uses: tj-actions/changed-files@v35
with:
files: domain-cc/**
- name: "Get changed domain-ee files"
if: '! inputs.run_all_tests'
id: ee-changed-files-specific
uses: tj-actions/changed-files@v35
with:
files: domain-ee/**
- name: "Install Python"
if: inputs.run_all_tests || steps.changed-files-specific.outputs.any_changed == 'true' || steps.ee-changed-files-specific.any_changed == 'true'
uses: actions/setup-python@v4
with:
python-version: "3.10"
cache: "pip"
- name: "Run contention classification tests"
if: inputs.run_all_tests || steps.changed-files-specific.outputs.any_changed == 'true'
run: |
./gradlew :domain-cc:test
- name: "Run Employee Experience tests"
if: inputs.run_all_tests || steps.ee-changed-files-specific.any_changed == 'true'
run: |
./gradlew :domain-ee:test