Add trusted and fork integration tests

Author: AndyTitu

.github/workflows/validate.yml

@@ -2,13 +2,15 @@
 name: Validate
 
 on:
-  push:
-    paths-ignore:
-      - '**.md'
+  pull_request:
+  repository_dispatch:
+    types: [ ok-to-test-command ]
 
 jobs:
 
-  validate:
+  integration-test-trusted:
+    # actions that are trusted by default must only be opened from within the repo, and skipped for forks because they'll fail there
+    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
     strategy:
       matrix:
         os: [ubuntu-latest, windows-latest, macos-latest]
@@ -47,12 +49,18 @@ jobs:
           ruff --output-format=github --exclude=src/onepassword/lib/ .
         continue-on-error: true
 
-  # Repo owner has commented /ok-to-test on a (fork-based) pull request
-  integration-fork:
-    runs-on: ubuntu-latest
+  # This action is called by the /ok-to-test command, once the forked PR's code has been security reviewed.
+  # It will checkout the forked (and now trusted) code and it will run the integration tests on it.
+  # If the tests are successful this action will proceed to update the status of the forked PR integration check.
+  integration-test-fork:
+    # must have these permissions to
     permissions:
       pull-requests: write
       checks: write
+    strategy:
+      matrix:
+        os: [ubuntu-latest, windows-latest, macos-latest]
+    runs-on: ${{ matrix.os }}
     if: |
       github.event_name == 'repository_dispatch' &&
       github.event.client_payload.slash_command.args.named.sha != '' &&
@@ -64,16 +72,31 @@ jobs:
 
     # Check out merge commit
     - name: Fork based /ok-to-test checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
       with:
         ref: 'refs/pull/${{ github.event.client_payload.pull_request.number }}/merge'
 
-    # <insert integration tests needing secrets>
+    
+    - uses: actions/checkout@v4
+
+    - name: Set up Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: '3.x'
+          
+    - name: Integration Test
+      env:
+        OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.TEST_SERVICE_ACCOUNT_TOKEN }}
+      run: |
+        pip install pytest &&
+        pip install pytest-asyncio &&
+        pip install pydantic &&
+        python -m pytest src/onepassword/test_client.py
 
     - run: |
-        echo "Integration tests... success! ;-)"
+        echo "Integration tests completed successfully!"
 
-    # Update check run called "integration-fork"
+    # Update check run called "integration-fork" on the forked PR
     - uses: actions/github-script@v6
       id: update-check-run
       if: ${{ always() }}