gitlabhq
diff --git a/‎.github/workflows/pr-acceptance.yml
Lines changed: 93 additions & 0 deletions b/‎.github/workflows/pr-acceptance.yml
Lines changed: 93 additions & 0 deletions
diff --git a/‎.github/workflows/pr-lint.yml
Lines changed: 66 additions & 0 deletions b/‎.github/workflows/pr-lint.yml
Lines changed: 66 additions & 0 deletions
diff --git a/‎.github/workflows/push.yml
Lines changed: 133 additions & 0 deletions b/‎.github/workflows/push.yml
Lines changed: 133 additions & 0 deletions
diff --git a/‎.github/workflows/release.yml
Lines changed: 1 addition & 0 deletions b/‎.github/workflows/release.yml
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1,93 @@
+# This workflow runs acceptance tests on pull requests (both CE and EE). It needs to be run in the
+# target project instead of the fork in order to use secrets. This is why the actions/checkout
+# action regularly has to specify the pull request sha.
+#
+# SECURITY ADVISORY
+# Be careful while making changes to this file.
+# See: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+
+name: pr-acceptance
+
+on:
+  # The pull_request_target event type fires for pull requests, but in the context of the target
+  # project.
+  pull_request_target:
+    # Acceptance tests are unnecessary to run on some types of PRs.
+    paths-ignore:
+      - 'docs/**'
+      - 'examples/**'
+      - 'README.md'
+      - 'CHANGELOG.md'
+      - 'CONTRIBUTING.md'
+
+concurrency: 
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+jobs:
+  go-version:
+    runs-on: ubuntu-latest
+    outputs:
+      go-version: ${{ steps.go-version.outputs.go-version }}
+    steps:
+      # Check out the pull request code (as opposed to the target project).
+      - uses: actions/checkout@v2
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      # Read the .go-version file and output it for other jobs to use.
+      - id: go-version
+        run: echo "::set-output name=go-version::$(cat .go-version)"
+
+  acceptance-ce:
+    timeout-minutes: 60
+    runs-on: ubuntu-latest
+    needs: [go-version]
+    steps:
+      - uses: actions/setup-go@v2
+        with:
+          go-version: ${{ needs.go-version.outputs.go-version }}
+      # Check out the pull request code (as opposed to the target project).
+      - uses: actions/checkout@v2
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      # Cache the Go modules.
+      - uses: actions/cache@v2
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ github.job }}-${{ runner.os }}-go${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum', 'GNUMakefile') }}
+      # CAUTION: EXECUTING UNTRUSTED CODE.
+      # This is made safe because we have not referenced any secrets or GitHub tokens.
+      - run: make testacc-up
+      - run: make testacc
+
+  acceptance-ee:
+    timeout-minutes: 60
+    runs-on: ubuntu-latest
+    needs: [go-version]
+    steps:
+      - uses: actions/setup-go@v2
+        with:
+          go-version: ${{ needs.go-version.outputs.go-version }}
+      # Check out the target project (as opposed to the pull request code).
+      # Yes, this is intentional. We are using trusted code while working with the GitLab license.
+      - uses: actions/checkout@v2
+      - name: Decrypt license
+        run: |
+          openssl version
+          openssl enc -d -aes-256-cbc -pbkdf2 -iter 20000 -in Gitlab-license.encrypted -out Gitlab-license.txt -pass "pass:${{ secrets.LICENSE_ENCRYPTION_PASSWORD }}"
+      - run: make testacc-up SERVICE=gitlab-ee
+      # Check out the pull request code (as opposed to the target project).
+      # This overwrites the entire directory and deleted the unencrypted GitLab license file. The
+      # service has already started and continues using the license even though the file is deleted.
+      - uses: actions/checkout@v2
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      # Cache the Go modules.
+      - uses: actions/cache@v2
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ github.job }}-${{ runner.os }}-go${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum', 'GNUMakefile') }}
+      # CAUTION: EXECUTING UNTRUSTED CODE.
+      # This is made safe because we have already cleaned up the unencrypted GitLab license file,
+      # we have no other secrets, and we are not using GitHub tokens.
+      - run: make testacc
@@ -0,0 +1,66 @@
+# This workflow runs basic checks for pull requests that do not need secrets.
+
+name: pr-lint
+
+on: [pull_request]
+
+concurrency: 
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+jobs:
+  go-version:
+    runs-on: ubuntu-latest
+    outputs:
+      go-version: ${{ steps.go-version.outputs.go-version }}
+    steps:
+      - uses: actions/checkout@v2
+      # Read the .go-version file and output it for other jobs to use.
+      - id: go-version
+        run: echo "::set-output name=go-version::$(cat .go-version)"
+
+  lint:
+    runs-on: ubuntu-latest
+    needs: [go-version]
+    strategy:
+      fail-fast: false
+      # Run all lint targets.
+      matrix:
+        target:
+          - lint-golangci
+          - lint-tfprovider
+          - lint-examples-tf
+          - lint-examples-sh
+          - lint-generated
+    steps:
+      - uses: actions/setup-go@v2
+        with:
+          go-version: ${{ needs.go-version.outputs.go-version }}
+      - uses: actions/checkout@v2
+      # Cache the Go modules and compiled tools for the specific lint target.
+      - uses: actions/cache@v2
+        with:
+          path: |
+            ~/go/pkg/mod
+            bin
+          key: ${{ github.job }}-${{ matrix.target }}-${{ runner.os }}-go${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum', 'GNUMakefile') }}
+      - run: make ${{ matrix.target }}
+
+  unit-test:
+    runs-on: ${{ matrix.os }}
+    needs: [go-version]
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+    steps:
+      - uses: actions/setup-go@v2
+        with:
+          go-version: ${{ needs.go-version.outputs.go-version }}
+      - uses: actions/checkout@v2
+      # Cache the Go modules.
+      - uses: actions/cache@v2
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ github.job }}-${{ runner.os }}-go${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum', 'GNUMakefile') }}
+      - run: make test
@@ -0,0 +1,133 @@
+# This workflow runs all checks when code is pushed. It does NOT run for pull requests.
+
+name: push
+
+on:
+  # The workflow_dispatch event type is for manual workflow execution.
+  workflow_dispatch: {}
+  push: {}
+  # In addition to pushes, run the workflow weekly to detect issues with the latest GitLab version.
+  schedule:
+    #         ┌───────────── minute (0 - 59)
+    #         │ ┌───────────── hour (0 - 23)
+    #         │ │ ┌───────────── day of the month (1 - 31)
+    #         │ │ │ ┌───────────── month (1 - 12 or JAN-DEC)
+    #         │ │ │ │ ┌───────────── day of the week (0 - 6 or SUN-SAT)
+    #         * * * * *
+    - cron:  '0 0 * * 3'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  go-version:
+    runs-on: ubuntu-latest
+    outputs:
+      go-version: ${{ steps.go-version.outputs.go-version }}
+    steps:
+      - uses: actions/checkout@v2
+      # Read the .go-version file and output it for other jobs to use.
+      - id: go-version
+        run: echo "::set-output name=go-version::$(cat .go-version)"
+
+  lint:
+    runs-on: ubuntu-latest
+    needs: [go-version]
+    strategy:
+      fail-fast: false
+      # Run all lint targets.
+      matrix:
+        target:
+          - lint-golangci
+          - lint-tfprovider
+          - lint-examples-tf
+          - lint-examples-sh
+          - lint-generated
+    steps:
+      - uses: actions/setup-go@v2
+        with:
+          go-version: ${{ needs.go-version.outputs.go-version }}
+      - uses: actions/checkout@v2
+      # Cache the Go modules and compiled tools for the specific lint target.
+      - uses: actions/cache@v2
+        with:
+          path: |
+            ~/go/pkg/mod
+            bin
+          key: ${{ github.job }}-${{ matrix.target }}-${{ runner.os }}-go${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum', 'GNUMakefile') }}
+      - run: make ${{ matrix.target }}
+
+  unit-test:
+    runs-on: ${{ matrix.os }}
+    needs: [go-version]
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+    steps:
+      - uses: actions/setup-go@v2
+        with:
+          go-version: ${{ needs.go-version.outputs.go-version }}
+      - uses: actions/checkout@v2
+      # Cache the Go modules.
+      - uses: actions/cache@v2
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ github.job }}-${{ runner.os }}-go${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum', 'GNUMakefile') }}
+      - run: make test
+
+  # Check whether the LICENSE_ENCRYPTION_PASSWORD secret exists.
+  # Workaround for https://github.com/actions/runner/issues/520.
+  license-encryption-password:
+    runs-on: ubuntu-latest
+    outputs:
+      defined: ${{ steps.defined.outputs.defined }}
+    steps:
+      - id: defined
+        env:
+          LICENSE_ENCRYPTION_PASSWORD: ${{ secrets.LICENSE_ENCRYPTION_PASSWORD }}
+        if: ${{ env.LICENSE_ENCRYPTION_PASSWORD != '' }}
+        run: echo "::set-output name=defined::true"
+
+  acceptance-ce:
+    timeout-minutes: 60
+    runs-on: ubuntu-latest
+    needs: [go-version]
+    steps:
+      - uses: actions/setup-go@v2
+        with:
+          go-version: ${{ needs.go-version.outputs.go-version }}
+      - uses: actions/checkout@v2
+      # Cache the Go modules.
+      - uses: actions/cache@v2
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ github.job }}-${{ runner.os }}-go${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum', 'GNUMakefile') }}
+      - run: make testacc-up
+      - run: make testacc
+
+  acceptance-ee:
+    # Only run EE tests if the LICENSE_ENCRYPTION_PASSWORD secret exists, so that the workflow
+    # doesn't fail when code is pushed to a fork.
+    if: ${{ needs.license-encryption-password.outputs.defined }}
+    timeout-minutes: 60
+    runs-on: ubuntu-latest
+    needs: [go-version, license-encryption-password]
+    steps:
+      - uses: actions/setup-go@v2
+        with:
+          go-version: ${{ needs.go-version.outputs.go-version }}
+      - uses: actions/checkout@v2
+      # Cache the Go modules.
+      - uses: actions/cache@v2
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ github.job }}-${{ runner.os }}-go${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum', 'GNUMakefile') }}
+      - name: Decrypt license
+        run: |
+          openssl version
+          openssl enc -d -aes-256-cbc -pbkdf2 -iter 20000 -in Gitlab-license.encrypted -out Gitlab-license.txt -pass "pass:${{ secrets.LICENSE_ENCRYPTION_PASSWORD }}"
+      # Note we specifically launch the gitlab-ee service.
+      - run: make testacc-up SERVICE=gitlab-ee
+      - run: make testacc
@@ -21,6 +21,7 @@ jobs:
       go-version: ${{ steps.go-version.outputs.go-version }}
     steps:
       - uses: actions/checkout@v2
+      # Read the .go-version file and output it for other jobs to use.
       - id: go-version
         run: echo "::set-output name=go-version::$(cat .go-version)"