diff --git a/.github/workflows/build_test_ci.yml b/.github/workflows/build_test_ci.yml
index 48234efcd..80dcd4c18 100644
--- a/.github/workflows/build_test_ci.yml
+++ b/.github/workflows/build_test_ci.yml
@@ -1,12 +1,10 @@
-name: Build and Test CI
+name: Coverage and E2E
 on:
 push:
 branches:
 - main
- pull_request:
- branches:
- - "*"
+ pull_request_target:
 workflow_dispatch:
 permissions:
@@ -15,7 +13,7 @@ permissions:
 actions: read
 concurrency:
- group: build-test-ci-${{ github.ref }}
+ group: build-test-ci-${{ github.event.pull_request.number || github.ref_name }}
 cancel-in-progress: true
 jobs:
@@ -26,6 +24,8 @@ jobs:
 paths: ${{ steps.filter.outputs.changes }}
 steps:
 - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
 - name: Harden Runner
 uses: step-security/harden-runner@v2
 with:
@@ -39,16 +39,8 @@ jobs:
 with:
 filters: .github/filters.yml
- yamllint:
- runs-on: ubuntu-latest
- needs: changes
- if: ${{ contains(fromJSON(needs.changes.outputs.paths), 'src') }}
- steps:
- - uses: actions/checkout@v4
- - name: Validate YAML file
- run: yamllint templates
-
 go-build-test:
+ environment: ${{ github.event.pull_request.head.repo.fork == true && 'prod-external' || 'prod' }}
 runs-on: ubuntu-latest
 needs: changes
 if: ${{ contains(fromJSON(needs.changes.outputs.paths), 'src') }}
@@ -72,6 +64,8 @@ jobs:
 raw.githubusercontent.com:443
 - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
 - name: Set up Go
 uses: actions/setup-go@v5
@@ -79,12 +73,6 @@ jobs:
 go-version-file: 'go.mod'
 check-latest: true
- - name: Build
- run: make build
-
- - name: Check for generated diff
- run: make check-gen-diff
-
 - name: Test
 run: make test
@@ -99,6 +87,7 @@ jobs:
 e2e-test:
 needs: changes
+ environment: ${{ github.event.pull_request.head.repo.fork == true && 'prod-external' || 'prod' }}
 strategy:
 fail-fast: false
 matrix:
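Review bot: Changing the trigger to `pull_request_target` while the `changes` and `go-build-test` hunks below add `ref: ${{ github.event.pull_request.head.sha }}` to their checkouts means an unreviewed fork PR's Makefile and tests run (`make test`) inside a workflow that executes in the base repository's context, with whatever secrets the `prod`/`prod-external` environments expose to `go-build-test` and `e2e-test`. The fork-based `environment:` selection only contains that if `prod-external` has deployment protection rules (required reviewers) configured in repository settings, which this file cannot express or verify; the read-only `permissions:` block limits the token but not environment secrets. The `changes` job's paths-filter also now presumably reads `.github/filters.yml` from the PR head, so a PR can influence which jobs are selected. Consider documenting the invariant above the trigger, e.g. `# pull_request_target: runs with base-repo context; PR head is checked out below, so every job needing secrets must stay behind an approval-gated environment`, and confirming that rule is enforced on `prod-external`.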
@@ -112,39 +101,3 @@ jobs:
 with:
 e2e-selector: ${{ matrix.flavor }}
 e2e-flags: ${{ matrix.flavor == 'quick' && '' || '--assert-timeout 20m0s'}}
-
-
- docker-build:
- runs-on: ubuntu-latest
- needs: changes
- if: ${{ contains(fromJSON(needs.changes.outputs.paths), 'src') }}
- steps:
- - name: Harden Runner
- uses: step-security/harden-runner@v2
- with:
- disable-sudo: true
- egress-policy: block
- allowed-endpoints: >
- api.github.com:443
- github.com:443
- proxy.golang.org:443
- sum.golang.org:443
- go.dev:443
- dl.google.com:443
- golang.org:443
- objects.githubusercontent.com:443
- registry-1.docker.io:443
- auth.docker.io:443
- production.cloudflare.docker.com:443
- gcr.io:443
- storage.googleapis.com:443
-
- - uses: actions/checkout@v4
-
- - name: Docker cache
- uses: ScribeMD/docker-cache@0.5.0
- with:
- key: docker-${{ runner.os }}-${{ hashFiles('go.sum') }}
-
- - name: Build the Docker image
- run: make docker-build
diff --git a/.github/workflows/pull_request_ci.yaml b/.github/workflows/pull_request_ci.yaml
new file mode 100644
index 000000000..162cf3ad8
--- /dev/null
+++ b/.github/workflows/pull_request_ci.yaml
@@ -0,0 +1,119 @@
+name: Build and Test PR
+
+on:
+ pull_request:
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ pull-requests: read
+ actions: read
+
+concurrency:
+ group: pull-request-ci-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ changes:
+ runs-on: ubuntu-latest
+ outputs:
+ # Expose matched filters as job 'src' output variable
+ paths: ${{ steps.filter.outputs.changes }}
+ steps:
+ - uses: actions/checkout@v4
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ - uses: dorny/paths-filter@v3
+ id: filter
+ with:
+ filters: .github/filters.yml
+
+ yamllint:
+ runs-on: ubuntu-latest
+ needs: changes
+ if: ${{ contains(fromJSON(needs.changes.outputs.paths), 'src') }}
+ steps:
+ - uses: actions/checkout@v4
+ - name: Validate YAML file
+ run: yamllint templates
+
+ go-build-test:
+ runs-on: ubuntu-latest
+ needs: changes
+ if: ${{ contains(fromJSON(needs.changes.outputs.paths), 'src') }}
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ golang.org:443
+ proxy.golang.org:443
+ sum.golang.org:443
+ objects.githubusercontent.com:443
+ storage.googleapis.com:443
+ cli.codecov.io:443
+ api.codecov.io:443
+ ingest.codecov.io:443
+ raw.githubusercontent.com:443
+
+ - uses: actions/checkout@v4
+
+ - name: Set up Go
+ uses: actions/setup-go@v5
+ with:
+ go-version-file: 'go.mod'
+ check-latest: true
+
+ - name: Build
+ run: make build
+
+ - name: Check for generated diff
+ run: make check-gen-diff
+
+ - name: Test
+ run: make test
+
+ docker-build:
+ runs-on: ubuntu-latest
+ needs: changes
+ if: ${{ contains(fromJSON(needs.changes.outputs.paths), 'src') }}
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ proxy.golang.org:443
+ sum.golang.org:443
+ go.dev:443
+ dl.google.com:443
+ golang.org:443
+ objects.githubusercontent.com:443
+ registry-1.docker.io:443
+ auth.docker.io:443
+ production.cloudflare.docker.com:443
+ gcr.io:443
+ storage.googleapis.com:443
+
+ - uses: actions/checkout@v4
+
+ - name: Docker cache
+ uses: ScribeMD/docker-cache@0.5.0
+ with:
+ key: docker-${{ runner.os }}-${{ hashFiles('go.sum') }}
+
+ - name: Build the Docker image
+ run: make docker-build
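Review bot: The `yamllint` job is the only job in this new workflow without a Harden Runner step, so its checkout and `yamllint templates` run with unrestricted egress while `changes`, `go-build-test` and `docker-build` all set `egress-policy: block`; adding the same step with `api.github.com:443` and `github.com:443` keeps the file consistent. All third-party actions are pinned by mutable tag (`step-security/harden-runner@v2`, `dorny/paths-filter@v3`, `ScribeMD/docker-cache@0.5.0`, `actions/setup-go@v5`); pinning each to a full commit SHA with the tag in a trailing comment is the usual supply-chain hardening for CI that executes PR code. Since this workflow runs on `pull_request` with a read-only `permissions` block and declares no `environment`, fork PRs get no secrets here, which is the right split against the `pull_request_target` workflow; a header comment such as `# Untrusted PR code: runs on pull_request with a read-only token and no environment secrets` would make that intent survive future edits.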