Refactor workflows to add reusable functional testing and clear token scopes (#538)

Signed-off-by: Jose R. Gonzalez <[email protected]>

Author: komish

.github/workflows/build.yaml

@@ -1,49 +1,31 @@
-name: Build, Test, Automerge and Tag
-
-# This workflow runs on all PRs that are targetting the main branch.
-#
-# It runs the test suite. If the PR is a release PR, it automerges and tags the main branch with
-# the corresonding new version.
-
+name: Unit Tests
 on:
-    pull_request_target:
+    pull_request:
         types: [opened, synchronize, reopened]
         branches: [ main ]
 
 jobs:
-    build-test-release:
-        name: Build artifacts
+    unit-tests:
+        name: Unit Tests
         runs-on: ubuntu-latest
 
         steps:
-            - name: Checkout main branch
-              uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-              with:
-                persist-credentials: false
-            
-            - name: Checkout PR branch
+            - name: Checkout changes
               uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
               with:
-                ref: ${{ github.event.pull_request.head.ref }}
-                repository: ${{ github.event.pull_request.head.repo.full_name }}
-                path: "chart-verifier"
                 persist-credentials: false
-
             - name: Setup Go
               uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
               with:
-                go-version-file: ./chart-verifier/go.mod
+                go-version-file: go.mod
 
             - name: Ensure Modules
-              working-directory: ./chart-verifier
               run: make tidy
 
             - name: Build Binary
-              working-directory: ./chart-verifier
               run: make bin
 
             - name: Run tests
-              working-directory: ./chart-verifier
               run: |
                   # Run go tests
                   make test
@@ -52,176 +34,3 @@ jobs:
                     echo "go test - errors running go tests : $(git status -s)"
                     exit 1
                   fi
-
-            - name: Set up Python 3.x
-              uses: ./.github/actions/setup-python
-
-            - name: Set up Python scripts on PR branch
-              working-directory: ./chart-verifier
-              run: |
-                # set up python requirements and scripts on PR branch
-                python3 -m venv ve1
-                cd scripts && ../ve1/bin/pip3 install -r requirements.txt && cd ..
-                cd scripts && ../ve1/bin/pip3 install . && cd ..
-
-            - name: Check if only release file in PR
-              working-directory: ./chart-verifier
-              id: check_version_in_PR
-              env:
-                API_URL: ${{ github.event.pull_request._links.self.href }}
-              run: |
-                # check if release file only is included in PR
-                ve1/bin/release-checker --api-url="${API_URL}"
-
-            - name: Get Date
-              id: get-date
-              run: |
-                echo "date=$(/bin/date -u "+%Y%m%d")" | tee -a $GITHUB_OUTPUT
-              shell: bash
-
-            - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
-              id: cache
-              with:
-                  path: ./chart-verifier/oc
-                  key: ${{ steps.get-date.outputs.date }}
-
-            - name: Install oc
-              working-directory: ./chart-verifier
-              id: install-oc
-              run: |
-                  # install oc
-                  curl -sLO https://mirror.openshift.com/pub/openshift-v4/clients/ocp/stable/openshift-client-linux.tar.gz
-                  tar zxvf openshift-client-linux.tar.gz -C /usr/local/bin/
-                  which oc
-                  oc version --client=true
-
-            - name: Build podman Image
-              working-directory: ./chart-verifier
-              id: build_podman_image
-              run: |
-                  # build a podman image
-                  image_tag="test"
-                  echo "Building container image using podman for the tests, tagging as ${image_tag}"
-                  make build-image "IMAGE_TAG=${image_tag}"
-                  podman build -t "quay.io/redhat-certification/chart-verifier:${image_tag}" .
-                  echo "podman_image_tag=${image_tag}" | tee -a $GITHUB_OUTPUT
-
-            - name: Create tarfile
-              id: create-tarfile
-              working-directory: ./chart-verifier
-              run: |
-                # create test tarball for the tests
-                ve1/bin/tar-file --release="test"
-
-            - name: Login to oc
-              working-directory: ./chart-verifier
-              env:
-                  KUBECONFIG: /tmp/ci-kubeconfig
-                  EVENT_NUMBER: ${{ github.event.number }}
-              run: |
-                  # oc login
-                  API_SERVER=$( echo -n ${{ secrets.API_SERVER }} | base64 -d)
-                  gpg --version
-                  curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
-                  if [ $GITHUB_REPOSITORY == "redhat-certification/chart-verifier" ]; then
-                    # TODO: temporarily allow for skipping TLS verification as the new cluster uses local-only certificates
-                    # This if logic isn't removed to remind us to come back and swap this out when a valid cert is put in place.
-                    oc login --insecure-skip-tls-verify --token="${{ secrets.CLUSTER_TOKEN }}" --server="${API_SERVER}"
-                  else
-                    oc login --insecure-skip-tls-verify --token="${{ secrets.CLUSTER_TOKEN }}" --server="${API_SERVER}"
-                  fi
-                  ve1/bin/sa-for-chart-testing --create "charts-${EVENT_NUMBER}" --token token.txt --server "${API_SERVER}"
-
-            - name: Run the tests
-              working-directory: ./chart-verifier
-              env:
-                  KUBECONFIG: /tmp/ci-kubeconfig
-                  VERIFIER_TARBALL_NAME : ${{ steps.create-tarfile.outputs.tarball_full_name }}
-                  PODMAN_IMAGE_TAG : ${{ steps.build_podman_image.outputs.podman_image_tag }}
-              id: run_test
-              run: |
-                  # run pytest
-                  ve1/bin/pytest -v --log-cli-level=WARNING --tb=short
-
-            - name: Delete Namespace
-              if: ${{ always() && steps.install-oc.conclusion == 'success' }}
-              working-directory: ./chart-verifier
-              env:
-                  KUBECONFIG: /tmp/ci-kubeconfig
-                  EVENT_NUMBER: ${{ github.event.number }}
-              run: |
-                  # delete the namespace
-                  API_SERVER=$( echo -n ${{ secrets.API_SERVER }} | base64 -d)
-                  oc login --token="${{ secrets.CLUSTER_TOKEN }}" --server="${API_SERVER}"
-                  ve1/bin/sa-for-chart-testing --delete "charts-${EVENT_NUMBER}"
-
-            - name: Set up Python scripts on main branch
-              run: |
-                # set up python requirements and scripts on main branch
-                echo $(pwd)
-                python3 -m venv ve1
-                cd scripts && ../ve1/bin/pip3 install -r requirements.txt && cd ..
-                cd scripts && ../ve1/bin/pip3 install . && cd ..
-
-            - name: Check for restricted files and user permissiom
-              id: check_authorization
-              env:
-                API_URL: ${{ github.event.pull_request._links.self.href }}
-                API_USER: ${{ github.event.pull_request.user.login }}
-              run: |
-                # check for a restricted file and, if found, check user has permissiom
-                ve1/bin/check-user --api-url="${API_URL}" --user="${API_USER}"
-
-            - name: Check if version updated
-              id: check_version_updated
-              if: ${{ steps.check_version_in_PR.outputs.PR_includes_release == 'true' }}
-              env:
-                PR_VERSION: ${{ steps.check_version_in_PR.outputs.PR_version }}
-              run: |
-                # check if version file was changed
-                ve1/bin/release-checker --version="${PR_VERSION}"
-
-            # TODO: Investigate if it's possible to do this using the `gh` CLI tool instead of
-            # relying on a third-party action.
-            - name: Approve PR
-              id: approve_pr
-              if: ${{ steps.check_version_updated.outputs.updated == 'true'}}
-              uses: hmarr/auto-approve-action@f0939ea97e9205ef24d872e76833fa908a770363 # v4.0.0
-              with:
-                  github-token: ${{ secrets.GITHUB_TOKEN }}
-
-            # TODO: Investigate if it's possible to do this using the `gh` CLI tool instead of
-            # relying on a third-party action.
-            - name: Merge PR
-              id: merge_pr
-              if: ${{ steps.check_version_updated.outputs.updated == 'true'}}
-              uses: pascalgn/automerge-action@7961b8b5eec56cc088c140b56d864285eabd3f67 # v0.16.4
-              env:
-                GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-                MERGE_METHOD: squash
-                MERGE_LABELS: ""
-
-            - name: Get main branch sha
-              id: main_sha
-              if: ${{ steps.check_version_updated.outputs.updated == 'true'}}
-              run: |
-                git fetch
-                export ORIGIN_MAIN_SHA=$(git rev-parse origin/main)
-                echo "origin_main_sha=$ORIGIN_MAIN_SHA" | tee -a $GITHUB_OUTPUT
-
-            # TODO: Investigate if it's possible to do this using the `gh` CLI tool instead of
-            # relying on a third-party action.
-            - name: Create release tag
-              id: create_release_tag
-              if: ${{ steps.check_version_updated.outputs.updated == 'true'}}
-              uses: mathieudutour/github-tag-action@a22cf08638b34d5badda920f9daf6e72c477b07b # v6.2
-              with:
-                # It is necessary to use a Personal Access Token here rather than the usual GITHUB_TOKEN, as this
-                # step should trigger the release.yaml workflow, and events (such as tags) triggered by the
-                # GITHUB_TOKEN cannot create a new workflow run. See:
-                # https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow
-                # This Personal Access Token belongs to the openshift-helm-charts-bot account.
-                github_token: ${{ secrets.GH_HELM_BOT_TOKEN }}
-                custom_tag: ${{ steps.check_version_in_PR.outputs.PR_version }}
-                tag_prefix: ""
-                commit_sha: ${{ steps.main_sha.outputs.origin_main_sha }}

.github/workflows/dev_release.yaml

@@ -13,10 +13,13 @@ on:
             - main
 env:
     DEV_RELEASE: 0.1.0
+
 jobs:
     release:
         name: Create Dev Release
         runs-on: ubuntu-latest
+        permissions:
+          contents: write
         steps:
             - name: Checkout code
               uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

.github/workflows/functional-tests.yaml

@@ -0,0 +1,135 @@
+name: Run Functional Tests
+
+# Runs functional testing against the specified checkout-ref.
+# Note that this workflow runs and installs software from the checkout-ref, 
+# and so untrusted content should be verified as safe to install
+
+on:
+  workflow_call:
+    inputs:
+      event-identifier:
+        type: string
+        required: true
+        description: |
+          Used to generate a working environment unique to this identifier.
+          Common use case would be a pull request number
+          (e.g. github.event.pull_request.number, etc.)
+      checkout-repository:
+        type: string
+        required: false
+        default: ""
+        description: |
+          repository flag to actions/checkout.
+          
+          If setting to a pull request, caller is responsible 
+          for verifying the user is a trusted user.
+      checkout-ref:
+        type: string
+        required: false
+        default: ""
+        description: |
+          ref flag to actions/checkout
+          
+          If setting to a pull request, caller is responsible 
+          for verifying the user is a trusted user.
+
+          For security, this checkout-ref should generally be a commit hash
+          for untrusted content.
+jobs:
+  run-functional-tests:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout PR branch
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          ref: ${{ inputs.checkout-ref }}
+          repository: ${{ inputs.checkout-repository }}
+          persist-credentials: false
+
+      - name: Set up Python 3.x
+        uses: ./.github/actions/setup-python
+
+      - name: Set up Python scripts on PR branch
+        run: |
+          # set up python requirements and scripts on PR branch
+          python3 -m venv ve1
+          cd scripts && ../ve1/bin/pip3 install -r requirements.txt && cd ..
+          cd scripts && ../ve1/bin/pip3 install . && cd ..
+
+      - name: Get Date
+        id: get-date
+        run: |
+          echo "date=$(/bin/date -u "+%Y%m%d")" | tee -a $GITHUB_OUTPUT
+        shell: bash
+
+      - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+        id: cache-oc
+        with:
+          path: /usr/local/bin/oc
+          key: "oc-${{ steps.get-date.outputs.date }}"
+
+      - name: Install oc
+        id: install-oc
+        if: steps.cache-oc.outputs.cache-hit != 'true'
+        run: |
+          # install oc
+          curl -sLO https://mirror.openshift.com/pub/openshift-v4/clients/ocp/stable/openshift-client-linux.tar.gz
+          tar zxvf openshift-client-linux.tar.gz -C /usr/local/bin/
+          which oc
+          oc version --client=true
+          rm openshift-client-linux.tar.gz
+
+      - name: Build podman Image
+        id: build_podman_image
+        run: |
+          # build a podman image
+          image_tag="test"
+          echo "Building container image using podman for the tests, tagging as ${image_tag}"
+          make build-image "IMAGE_TAG=${image_tag}"
+          podman build -t "quay.io/redhat-certification/chart-verifier:${image_tag}" .
+          echo "podman_image_tag=${image_tag}" | tee -a $GITHUB_OUTPUT
+
+      - name: Create tarfile
+        id: create-tarfile
+        run: |
+          # create test tarball for the tests
+          ve1/bin/tar-file --release="test"
+
+      - name: Login to oc
+        env:
+          KUBECONFIG: /tmp/ci-kubeconfig
+          EVENT_NUMBER: ${{ inputs.event-identifier }}
+        run: |
+          # oc login
+          API_SERVER=$( echo -n ${{ secrets.API_SERVER }} | base64 -d)
+          gpg --version
+          curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
+          if [ $GITHUB_REPOSITORY == "redhat-certification/chart-verifier" ]; then
+            # TODO: temporarily allow for skipping TLS verification as the new cluster uses local-only certificates
+            # This if logic isn't removed to remind us to come back and swap this out when a valid cert is put in place.
+            oc login --insecure-skip-tls-verify --token="${{ secrets.CLUSTER_TOKEN }}" --server="${API_SERVER}"
+          else
+            oc login --insecure-skip-tls-verify --token="${{ secrets.CLUSTER_TOKEN }}" --server="${API_SERVER}"
+          fi
+          ve1/bin/sa-for-chart-testing --create "charts-${EVENT_NUMBER}" --token token.txt --server "${API_SERVER}"
+
+      - name: Run the tests
+        env:
+          KUBECONFIG: /tmp/ci-kubeconfig
+          VERIFIER_TARBALL_NAME: ${{ steps.create-tarfile.outputs.tarball_full_name }}
+          PODMAN_IMAGE_TAG: ${{ steps.build_podman_image.outputs.podman_image_tag }}
+        id: run_test
+        run: |
+          # run pytest
+          ve1/bin/pytest -v --log-cli-level=WARNING --tb=short
+
+      - name: Delete Namespace
+        if: ${{ always() && steps.install-oc.conclusion == 'success' }}
+        env:
+          KUBECONFIG: /tmp/ci-kubeconfig
+          EVENT_NUMBER: ${{ inputs.event-identifier }}
+        run: |
+          # delete the namespace
+          API_SERVER=$( echo -n ${{ secrets.API_SERVER }} | base64 -d)
+          oc login --token="${{ secrets.CLUSTER_TOKEN }}" --server="${API_SERVER}"
+          ve1/bin/sa-for-chart-testing --delete "charts-${EVENT_NUMBER}"