avoid using pull_request_target in workflows #4031
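# PR validation for the operator: lint, unit tests, Kind-based integration
# tests and a gosec scan. The expensive steps only run when a file matching
# the include patterns of the "Get changed files" step was modified.
name: PR Test operator

# Triggered by `pull_request`, not `pull_request_target`: the job builds and
# runs code from the PR head, and for PRs from forks GitHub withholds
# repository secrets and issues a read-only token for this event.
on:
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]
    branches:
      - main
      - 'rhdh-1.[0-9]+'
      - '1.[0-9]+.x'
      - 'release-1.[0-9]+'

# Least privilege for GITHUB_TOKEN: none of the steps below is configured to
# write to the repository or the pull request, so read access to the contents
# is all that is granted (this also covers PRs opened from same-repo branches).
# NOTE(review): widen per job if a step that needs more is added later.
permissions:
  contents: read

jobs:
  pr-validate:
    name: PR Validate
    runs-on: ubuntu-latest
    steps:
      # Third-party actions are pinned to a full commit SHA; the trailing
      # comment records the release the SHA is expected to correspond to.
      - name: Checkout
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
        with:
          # Presumably full history so the changed-files step can diff
          # against the PR base locally.
          fetch-depth: 0
          # Later steps execute Makefile targets taken from the PR head, so
          # do not leave the job token on the runner where they could read it.
          # NOTE(review): confirm no later step relies on authenticated git.
          persist-credentials: false

      # Match the files changed by this PR against the include and exclude
      # patterns; the result gates every step after the file listing.
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files: |
            .github/workflows/pr.yaml
            Makefile
            **/*.go
            bundle/**
            config/**
            go.mod
            go.sum
          files_ignore: |
            **/*.md
            **/*.adoc
            .rhdh/**

      # The file list is handed over through the environment rather than
      # interpolated into the script, so file names chosen by the PR author
      # are never parsed as shell code. The unquoted expansion splits the
      # list on whitespace on purpose; `set -f` keeps names that contain
      # glob characters from being expanded against the workspace.
      - name: List all changed files (for troubleshooting)
        env:
          ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
        run: |
          set -f
          for file in ${ALL_CHANGED_FILES}; do
            echo "$file was changed"
          done

      - name: Setup Go
        if: steps.changed-files.outputs.any_changed == 'true'
        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
        with:
          go-version-file: 'go.mod'

      - name: Store build timestamp
        if: steps.changed-files.outputs.any_changed == 'true'
        run: echo "BUILD_TIME=$(date +'%Y-%m-%dT%H:%M:%S')" >> "$GITHUB_ENV"

      # gosec needs a "build" stage so connect it to the lint step which we always do
      - name: Build
        if: steps.changed-files.outputs.any_changed == 'true'
        run: make lint

      - name: Test
        if: steps.changed-files.outputs.any_changed == 'true'
        run: make test

      - name: Create Kind cluster
        if: steps.changed-files.outputs.any_changed == 'true'
        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
        with:
          cluster_name: test-cluster
          ignore_failed_clean: true

      # The controller is started in the background and left running for the
      # integration-test steps, which are told to reuse it.
      - name: Run Controller
        if: steps.changed-files.outputs.any_changed == 'true'
        run: |
          # Need to 'make install' first, so that the necessary tool binaries (like controller-gen) can be downloaded locally.
          # Otherwise, we might end up with a race condition where the tool binary is not yet downloaded,
          # but the `make test` command tries to use it.
          make manifests generate fmt vet install
          make run &

      - name: Generic Integration test
        # perform it on backstage.io for speed
        if: steps.changed-files.outputs.any_changed == 'true'
        run: make integration-test PROFILE=backstage.io USE_EXISTING_CLUSTER=true USE_EXISTING_CONTROLLER=true

      - name: RHDH specific Integration test
        if: steps.changed-files.outputs.any_changed == 'true'
        run: make integration-test ARGS='--focus "create default rhdh"' USE_EXISTING_CLUSTER=true USE_EXISTING_CONTROLLER=true

      - name: Run Gosec Security Scanner
        if: steps.changed-files.outputs.any_changed == 'true'
        run: make gosec
      # Gosec results are available in workflow logs
      # SonarCloud provides Code Scanning integration in the Security tab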