
Commit 22624ac

authored
Merge branch 'main' into nicholas-lee_data/SC-179831
2 parents 58079fb + 52a2955 commit 22624ac


3 files changed

+197
-0
lines changed

3 files changed

+197
-0
lines changed
Lines changed: 114 additions & 0 deletions
@@ -0,0 +1,114 @@
1+
name: PR Comment
2+
3+
# WARNING:
4+
# THIS WORKFLOW ALWAYS RUNS FOR EXTERNAL CONTRIBUTORS WITHOUT ANY APPROVAL.
5+
# THIS WORKFLOW RUNS FROM MAIN BRANCH, NOT FROM THE PR BRANCH.
6+
# DO NOT PULL THE PR OR EXECUTE ANY CODE FROM THE PR.
7+
8+
on:
9+
pull_request_target:
10+
types: [opened, reopened, synchronize]
11+
branches:
12+
- main
13+
14+
15+
jobs:
16+
comment-on-pr:
17+
runs-on: ubuntu-latest
18+
permissions:
19+
pull-requests: write
20+
21+
steps:
22+
# NOTE: The following checks may not be accurate depending on Org or Repo settings.
23+
- name: Check user and potential secret access
24+
id: check-secrets-access
25+
env:
26+
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
27+
run: |
28+
USER_LOGIN="${{ github.event.pull_request.user.login }}"
29+
REPO_OWNER="${{ github.repository_owner }}"
30+
REPO_NAME="${{ github.event.repository.name }}"
31+
32+
echo "Pull request opened by: $USER_LOGIN"
33+
34+
# Check if PR is from a fork
35+
IS_FORK=$([[ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]] && echo "true" || echo "false")
36+
37+
HAS_ACCESS="false"
38+
39+
# Check user's permission level on the repository
40+
USER_PERMISSION=$(gh api repos/$REPO_OWNER/$REPO_NAME/collaborators/$USER_LOGIN/permission --jq '.permission')
41+
42+
if [[ "$USER_PERMISSION" == "admin" || "$USER_PERMISSION" == "write" ]]; then
43+
HAS_ACCESS="true"
44+
elif [[ "$USER_PERMISSION" == "read" ]]; then
45+
# For read access, we need to check if the user has been explicitly granted secret access
46+
# This information is not directly available via API, so we'll make an assumption
47+
# that read access does not imply secret access
48+
HAS_ACCESS="false"
49+
fi
50+
51+
# Check if repo owner is an organization
52+
IS_ORG=$(gh api users/$REPO_OWNER --jq '.type == "Organization"')
53+
54+
if [[ "$IS_ORG" == "true" && "$HAS_ACCESS" == "false" ]]; then
55+
# Check if user is a member of any team with write or admin access to the repo
56+
TEAMS_WITH_ACCESS=$(gh api repos/$REPO_OWNER/$REPO_NAME/teams --jq '.[] | select(.permission == "push" or .permission == "admin") | .slug')
57+
for team in $TEAMS_WITH_ACCESS; do
58+
IS_TEAM_MEMBER=$(gh api orgs/$REPO_OWNER/teams/$team/memberships/$USER_LOGIN --silent && echo "true" || echo "false")
59+
if [[ "$IS_TEAM_MEMBER" == "true" ]]; then
60+
HAS_ACCESS="true"
61+
break
62+
fi
63+
done
64+
fi
65+
66+
# If it's a fork, set HAS_ACCESS to false regardless of other checks
67+
if [[ "$IS_FORK" == "true" ]]; then
68+
HAS_ACCESS="false"
69+
fi
70+
71+
echo "has_secrets_access=$HAS_ACCESS" >> $GITHUB_OUTPUT
72+
if [[ "$HAS_ACCESS" == "true" ]]; then
73+
echo "User $USER_LOGIN likely has access to secrets"
74+
else
75+
echo "User $USER_LOGIN likely does not have access to secrets"
76+
fi
77+
78+
79+
- uses: actions/checkout@v4
80+
81+
- name: Delete old comments
82+
if: steps.check-secrets-access.outputs.has_secrets_access != 'true'
83+
env:
84+
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
85+
run: |
86+
# Delete previous comment if it exists
87+
previous_comment_ids=$(gh api "repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \
88+
--jq '.[] | select(.body | startswith("<!-- INTEGRATION_TESTS -->")) | .id')
89+
echo "Previous comment IDs: $previous_comment_ids"
90+
# Iterate over each comment ID and delete the comment
91+
if [ ! -z "$previous_comment_ids" ]; then
92+
echo "$previous_comment_ids" | while read -r comment_id; do
93+
echo "Deleting comment with ID: $comment_id"
94+
gh api "repos/${{ github.repository }}/issues/comments/$comment_id" -X DELETE
95+
done
96+
fi
97+
98+
- name: Comment on PR
99+
if: steps.check-secrets-access.outputs.has_secrets_access != 'true'
100+
env:
101+
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
102+
COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
103+
run: |
104+
gh pr comment ${{ github.event.pull_request.number }} --body \
105+
"<!-- INTEGRATION_TESTS -->
106+
Run integration tests manually:
107+
[go/deco-tests-run/sdk-py](https://go/deco-tests-run/sdk-py)
108+
109+
Inputs:
110+
* PR number: ${{github.event.pull_request.number}}
111+
* Commit SHA: \`${{ env.COMMIT_SHA }}\`
112+
113+
Checks will be approved automatically on success.
114+
"
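Review bot: The "Check user and potential secret access" script (hunk lines 28–35) interpolates pull-request-controlled fields (`github.event.pull_request.user.login`, `head.repo.full_name`) straight into shell text, in a workflow that runs on `pull_request_target` with `pull-requests: write`; these two fields are limited to a narrow character set, so there is no injection today, but the hardening idiom is to pass them through `env:` and read `$USER_LOGIN` / `$HEAD_REPO` in the script, so that a later edit adding a title or branch name cannot become a script injection. The `actions/checkout@v4` step before "Delete old comments" is not used by any later step (they only call `gh api` / `gh pr comment`) and sits under a header that says "DO NOT PULL THE PR"; without `ref:` it checks out the base branch, so it is harmless now, but dropping it removes the footgun. Quoting `"$GITHUB_OUTPUT"` on the `echo "has_secrets_access=..." >> $GITHUB_OUTPUT` line would match the rest of the script's quoting.
```yaml
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        USER_LOGIN: ${{ github.event.pull_request.user.login }}
        REPO_OWNER: ${{ github.repository_owner }}
        REPO_NAME: ${{ github.event.repository.name }}
        HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
      run: |
        # … unchanged: the three USER_LOGIN/REPO_OWNER/REPO_NAME assignments are dropped; the script reads them from env …
        IS_FORK=$([[ "$HEAD_REPO" != "$GITHUB_REPOSITORY" ]] && echo "true" || echo "false")
        # … unchanged: permission, org and team checks …
        echo "has_secrets_access=$HAS_ACCESS" >> "$GITHUB_OUTPUT"
```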
Lines changed: 77 additions & 0 deletions
@@ -0,0 +1,77 @@
1+
name: Integration Tests
2+
3+
on:
4+
5+
pull_request:
6+
types: [opened, synchronize]
7+
8+
merge_group:
9+
10+
11+
jobs:
12+
check-token:
13+
name: Check secrets access
14+
runs-on: ubuntu-latest
15+
outputs:
16+
has_token: ${{ steps.set-token-status.outputs.has_token }}
17+
steps:
18+
- name: Check if GITHUB_TOKEN is set
19+
id: set-token-status
20+
run: |
21+
if [ -z "${{ secrets.GITHUB_TOKEN }}" ]; then
22+
echo "GITHUB_TOKEN is empty. User has no access to tokens."
23+
echo "::set-output name=has_token::false"
24+
else
25+
echo "GITHUB_TOKEN is set. User has no access to tokens."
26+
echo "::set-output name=has_token::true"
27+
fi
28+
29+
trigger-tests:
30+
name: Trigger Tests
31+
runs-on: ubuntu-latest
32+
needs: check-token
33+
if: github.event_name == 'pull_request' && needs.check-token.outputs.has_token == 'true'
34+
environment: "test-trigger-is"
35+
36+
steps:
37+
- uses: actions/checkout@v3
38+
39+
- name: Generate GitHub App Token
40+
id: generate-token
41+
uses: actions/create-github-app-token@v1
42+
with:
43+
app-id: ${{ secrets.DECO_WORKFLOW_TRIGGER_APP_ID }}
44+
private-key: ${{ secrets.DECO_WORKFLOW_TRIGGER_PRIVATE_KEY }}
45+
owner: ${{ secrets.ORG_NAME }}
46+
repositories: ${{secrets.REPO_NAME}}
47+
48+
- name: Trigger Workflow in Another Repo
49+
env:
50+
GH_TOKEN: ${{ steps.generate-token.outputs.token }}
51+
run: |
52+
gh workflow run sdk-py-isolated-pr.yml -R ${{ secrets.ORG_NAME }}/${{secrets.REPO_NAME}} \
53+
--ref main \
54+
-f pull_request_number=${{ github.event.pull_request.number }} \
55+
-f commit_sha=${{ github.event.pull_request.head.sha }}
56+
57+
# Statuses and checks apply to specific commits (by hash).
58+
# Enforcement of required checks is done both at the PR level and the merge queue level.
59+
# In case of multiple commits in a single PR, the hash of the squashed commit
60+
# will not match the one for the latest (approved) commit in the PR.
61+
# We auto approve the check for the merge queue for two reasons:
62+
# * Queue times out due to duration of tests.
63+
# * Avoid running integration tests twice, since it was already run at the tip of the branch before squashing.
64+
auto-approve:
65+
if: github.event_name == 'merge_group'
66+
runs-on: ubuntu-latest
67+
steps:
68+
- name: Mark Check
69+
env:
70+
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
71+
shell: bash
72+
run: |
73+
gh api -X POST -H "Accept: application/vnd.github+json" \
74+
-H "X-GitHub-Api-Version: 2022-11-28" \
75+
/repos/${{ github.repository }}/statuses/${{ github.sha }} \
76+
-f 'state=success' \
77+
-f 'context=Integration Tests Check'
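Review bot: The `check-token` gate at hunk lines 21–27 does not distinguish fork PRs from in-repo PRs: `secrets.GITHUB_TOKEN` is the one secret GitHub still supplies to `pull_request` runs from forks, so `has_token` is `true` for them too and `trigger-tests` is gated only by whatever protection the `test-trigger-is` environment applies; on a fork PR the job would reach `create-github-app-token` with empty `DECO_WORKFLOW_TRIGGER_APP_ID` / `DECO_WORKFLOW_TRIGGER_PRIVATE_KEY` and fail there instead. Testing one of the secrets the trigger job actually needs, via `env:` rather than inlined into the script, gives a gate that matches the intent. The `else` branch at line 25 also logs "User has no access to tokens" for the has-token case, and `::set-output` (lines 23 and 26) is deprecated in favour of `$GITHUB_OUTPUT`. The `actions/checkout@v3` step in `trigger-tests` is unused by the `gh workflow run` call and pins an older major than the `@v4` used in the other workflow of this commit.
```yaml
      - name: Check if trigger secrets are available
        id: set-token-status
        env:
          APP_ID: ${{ secrets.DECO_WORKFLOW_TRIGGER_APP_ID }}
        run: |
          if [ -z "$APP_ID" ]; then
            echo "Trigger secrets are not available to this run."
            echo "has_token=false" >> "$GITHUB_OUTPUT"
          else
            echo "Trigger secrets are available."
            echo "has_token=true" >> "$GITHUB_OUTPUT"
          fi
```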

tests/test_model_serving_auth.py

Lines changed: 6 additions & 0 deletions
@@ -56,6 +56,12 @@ def test_model_serving_auth(env_values, del_env_values, oauth_file_name, monkeyp
5656
])
5757
@raises(default_auth_base_error_message)
5858
def test_model_serving_auth_errors(env_values, oauth_file_name, monkeypatch):
59+
# Guarantee that the tests defaults to env variables rather than config file.
60+
#
61+
# TODO: this is hacky and we should find a better way to tell the config
62+
# that it should not read from the config file.
63+
monkeypatch.setenv('DATABRICKS_CONFIG_FILE', 'x')
64+
5965
for (env_name, env_value) in env_values:
6066
monkeypatch.setenv(env_name, env_value)
6167
monkeypatch.setattr(
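Review bot: `monkeypatch.setenv('DATABRICKS_CONFIG_FILE', 'x')` at hunk line 63 relies on a sentinel path that merely happens not to exist; if the test can take pytest's `tmp_path` fixture, `str(tmp_path / 'nonexistent.cfg')` states the intent, and if `test_model_serving_auth` (named in the hunk header, outside this hunk) needs the same isolation, a module-level autouse fixture would cover both without repeating the TODO. The comment at line 59 has a grammar slip; `# Guarantee that the test defaults to env variables rather than the config file.` reads cleanly. The enclosing function continues past the end of the hunk.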
