From 6c18387910da5e5b042bcfa814f6ccff70f33925 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Wed, 6 Dec 2023 13:25:50 +0100 Subject: [PATCH] tests: add initial testing farm integration This adds initial testing farm integration via a github action. To run jobs on testing farm a token is required that is stored as a repository secret. For security reasons repository secrets are not visible across forks [0]. There are multiple ways to work around this limitation, this commit goes with the suggestion from [1], i.e.: the workflow is run within the `pull_request_target` trigger which has access to secrets. This means the (potentially untrusted) branch is only checked out if the person triggering the workflow already has write access to the repository (we could make this restriction stronger but it seems a reasonable permission level). In practice the workflow will fail for outside contributions but a re-trigger from anyone in the team should be enough to get it tested inside the testing farm. [0] https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ [1] https://michaelheap.com/access-secrets-from-forks/ --- .github/workflows/testingfarm.yml | 43 +++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 .github/workflows/testingfarm.yml diff --git a/.github/workflows/testingfarm.yml b/.github/workflows/testingfarm.yml new file mode 100644 index 00000000..bb550290 --- /dev/null +++ b/.github/workflows/testingfarm.yml 
@@ -0,0 +1,43 @@
+---
+name: Testing farm tests
+
+on:
+  pull_request_target:
+    types: [opened, synchronize]
+
+# To use testing farm we need the TF_API_KEY secret available inside the
+# forked repo which requires the pull_request_target trigger. To protect
+# the secrets we need to make sure only our own or reviewed PRs trigger
+# a checkout of the untrusted code.
+#
+# This follows https://michaelheap.com/access-secrets-from-forks/
+jobs:
+  testingfarm:
+    name: "Run in testing farm"
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get User Permission
+        id: checkAccess
+        uses: actions-cool/check-user-permission@v2
+        with:
+          require: write
+          username: ${{ github.triggering_actor }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Check User Permission
+        if: steps.checkAccess.outputs.require-result == 'false'
+        run: |
+          echo "${{ github.triggering_actor }} does not have permissions on this repo."
+          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+          echo "Job originally triggered by ${{ github.actor }}"
+          exit 1
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: Run the tests
+        uses: sclorg/testing-farm-as-github-action@v1
+        with:
+          api_key: ${{ secrets.TF_API_KEY }}
+          git_url: ${{ github.event.pull_request.head.repo.clone_url }}
+          git_ref: ${{ github.event.pull_request.head.ref }}
+          pull_request_status_name: "Testing farm"
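Review bot: The commit that is actually tested is not the one the permission gate approved: the checkout step pins `ref: ${{ github.event.pull_request.head.sha }}`, but the "Run the tests" step hands Testing Farm `git_ref: ${{ github.event.pull_request.head.ref }}` together with the fork's `clone_url`, so the branch is fetched by name at run time and the fork owner can move it after a maintainer has re-triggered the workflow (the gate only decides whether the job proceeds, not which code is fetched). If the action accepts a commit id for that input, use `git_ref: ${{ github.event.pull_request.head.sha }}` so the gate and the test refer to the same commit. Separately, `actions-cool/check-user-permission@v2` and `sclorg/testing-farm-as-github-action@v1` are referenced by mutable tags in a job that exposes `secrets.GITHUB_TOKEN` and `secrets.TF_API_KEY`; pinning both to a full commit SHA keeps a retagged or compromised action release from reading those secrets. It would also help to extend the header comment with a note that on `synchronize` the triggering actor appears to be whoever pushed, so a later push by an outside contributor re-runs the gate and fails until someone with write access re-triggers it.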