GH Actions: restrict access to certain GH Actions #3895
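# Workflow that runs the Java, Ruby and Python test suites for a pull request.
name: "PR: Test code"

on:
  # Trigger on all pull requests.
  # `**` is used instead of `*`: in GitHub's branch filter `*` does not match
  # `/`, so a PR whose base branch is named like `release/1.0` would otherwise
  # never run these tests.
  pull_request:
    branches:
      - "**"

  # Trigger when called by another GitHub Action
  workflow_call:
    inputs:
      # When true, every suite runs; when false, the Ruby and Python jobs
      # only run for directories that changed.
      run_all_tests:
        required: false
        type: boolean
        default: true

  # Allow manual triggering.
  # No inputs are declared here, so `inputs.run_all_tests` is empty on a
  # manual run and the jobs fall back to change detection.
  workflow_dispatch: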
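# NOTE(review): no `permissions:` key is set at workflow or job level, so
# GITHUB_TOKEN carries the repository/organization default scopes. The steps
# in `test-java` visibly need to create check runs and PR comments; the other
# jobs only read the repository. Confirm what ./.github/actions/setup-vro
# needs, then declare a least-privilege `permissions:` block per job.
#
# NOTE(review): every external action below is referenced by a movable tag
# (`@v3`, `@v35`, ...). A tag can be re-pointed upstream; pinning third-party
# actions to a full commit SHA fixes the code that runs with this job's token.
jobs:
  # Gradle build: linters, unit tests, coverage verification and reporting.
  test-java:
    runs-on: ubuntu-latest
    steps:
      - name: "Checkout source code"
        uses: actions/checkout@v3

      - name: "Set up VRO build env"
        uses: ./.github/actions/setup-vro

      - name: "Run quick linters"
        run: |
          ./gradlew spotlessCheck shellcheck lintDockerfile

      - name: "Python isort"
        uses: isort/isort-action@v1
        with:
          # Two space-separated globs; written on one line instead of a
          # backslash-continued double-quoted scalar (same resulting value).
          requirementsFiles: "**/requirements.txt **/dev-requirements.txt"

      - name: "Run tests and checks"
        # `check` runs all checks, including spectralLint, hadolint, and shellcheck
        run: |
          echo "::group::Gradle test check"
          ./gradlew test check
          echo "::endgroup::"
          echo "::group::Gradle test check - mocks"
          ./gradlew -p mocks test check
          echo "::endgroup::"

      - name: "Check for adequate test coverage"
        run: |
          ./gradlew jacocoLogTestCoverage jacocoTestCoverageVerification

      - name: "Publish Test Results as PR comment and GH Check Run"
        # Known issue: Associates results to random workflow
        # https://github.com/EnricoMi/publish-unit-test-result-action/issues/12
        uses: EnricoMi/publish-unit-test-result-action@v2
        # Skip if Dependabot created the PR due to check-runs permission error
        # https://github.com/EnricoMi/publish-unit-test-result-action#support-fork-repositories-and-dependabot-branches
        # https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#responding-to-events
        # `always()` keeps the results published even when an earlier step failed.
        if: always() && github.actor != 'dependabot[bot]'
        with:
          files: |
            **/build/test-results/*/*.xml

      - name: "Aggregate JaCoCo reports"
        # `jacocoAggregatedReport` reports aggregated coverage of all the subprojects
        # excluding integrationTest and end2endTest (which are run elsewhere)
        run: |
          ./gradlew jacocoAggregatedReport

      - name: "Report JaCoCo Coverage as a GH Check Run"
        # This takes about 1 minute, so don't run on PRs
        # if: github.event_name != 'pull_request'
        id: jacoco_reporter
        # The ref after `@` was replaced by "[email protected]" in the page
        # capture; restore it from the repository (ideally as a full commit
        # SHA, since this step is handed GITHUB_TOKEN).
        uses: PavanMudigonda/jacoco-reporter@REF_LOST_IN_PAGE_CAPTURE
        # Skip if Dependabot created the PR due to check-runs permission error
        if: github.actor != 'dependabot[bot]'
        with:
          coverage_results_path: build/reports/jacoco/jacocoAggregatedReport/jacocoAggregatedReport.xml
          coverage_report_name: Coverage
          coverage_report_title: JaCoCo
          github_token: ${{ secrets.GITHUB_TOKEN }}
          skip_check_run: false
          minimum_coverage: 80
          # Coverage below the minimum is reported but does not fail the job.
          fail_below_threshold: false
          publish_only_summary: false

      - name: "Add JaCoCo Coverage Report as PR comment"
        if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
        # The ref after `@` was replaced by "[email protected]" in the page
        # capture; restore it from the repository (ideally as a full commit
        # SHA, since this step is handed GITHUB_TOKEN).
        uses: madrapps/jacoco-report@REF_LOST_IN_PAGE_CAPTURE
        with:
          paths: ${{ github.workspace }}/build/reports/jacoco/jacocoAggregatedReport/jacocoAggregatedReport.xml
          token: ${{ secrets.GITHUB_TOKEN }}
          update-comment: true
          title: "JaCoCo Test Coverage"

  # RSpec suite for svc-bgs-api; skipped when nothing under svc-bgs-api/
  # changed, unless `run_all_tests` is set.
  test-ruby:
    runs-on: ubuntu-latest
    steps:
      - name: "Checkout source code"
        uses: actions/checkout@v3
        with:
          # Need to fetch more than 1 deep to see changes
          fetch-depth: 2

      - name: "Get changed Ruby files"
        id: changed-files-specific
        # Change detection is only needed when not running everything.
        if: '! inputs.run_all_tests'
        uses: tj-actions/changed-files@v35
        with:
          files: svc-bgs-api/**

      - name: "Set up Ruby"
        if: inputs.run_all_tests || steps.changed-files-specific.outputs.any_changed == 'true'
        uses: ruby/setup-ruby@v1
        with:
          bundler-cache: true
          # Used to resolve .ruby-version, .tool-versions and Gemfile.lock
          working-directory: svc-bgs-api/src

      - name: "Run rspec tests"
        if: inputs.run_all_tests || steps.changed-files-specific.outputs.any_changed == 'true'
        env:
          # https://github.com/rails/spring
          # Quoted: environment values are strings, not YAML booleans.
          DISABLE_SPRING: "true"
        run: |
          cd svc-bgs-api/src
          bundle exec rspec --format documentation

  # Gradle-driven Python suites for domain-cc and domain-ee; each is skipped
  # when its directory is unchanged, unless `run_all_tests` is set.
  test-python:
    runs-on: ubuntu-latest
    steps:
      - name: "Checkout source code"
        uses: actions/checkout@v3
        with:
          # Need to fetch more than 1 deep to see changes
          fetch-depth: 2

      - name: "Get changed files"
        if: '! inputs.run_all_tests'
        id: changed-files-specific
        uses: tj-actions/changed-files@v35
        with:
          files: domain-cc/**

      - name: "Get changed domain-ee files"
        if: '! inputs.run_all_tests'
        id: ee-changed-files-specific
        uses: tj-actions/changed-files@v35
        with:
          files: domain-ee/**

      - name: "Install Python"
        # Step outputs live under `steps.<id>.outputs`. The domain-ee lookup
        # previously omitted `.outputs`, so it was always empty and a
        # domain-ee-only change never satisfied this condition.
        if: inputs.run_all_tests || steps.changed-files-specific.outputs.any_changed == 'true' || steps.ee-changed-files-specific.outputs.any_changed == 'true'
        uses: actions/setup-python@v4
        with:
          python-version: "3.10"
          cache: "pip"

      - name: "Run contention classification tests"
        if: inputs.run_all_tests || steps.changed-files-specific.outputs.any_changed == 'true'
        run: |
          ./gradlew :domain-cc:test

      - name: "Run Employee Experience tests"
        # `.outputs` added here as well: without it the comparison was never
        # true, so on pull requests (where `inputs.run_all_tests` is empty)
        # the domain-ee tests were silently skipped.
        if: inputs.run_all_tests || steps.ee-changed-files-specific.outputs.any_changed == 'true'
        run: |
          ./gradlew :domain-ee:test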