|
| 1 | +# .github/workflows/pr-validate.yml |
| 2 | +name: PR Validation via OIDC |
| 3 | + |
| 4 | +on: |
| 5 | + pull_request_target: |
| 6 | + types: [opened, synchronize] |
| 7 | + |
| 8 | +permissions: |
| 9 | + id-token: write # enable OIDC token issuance |
| 10 | + contents: read # allow checkout of code |
| 11 | + |
| 12 | +env: |
| 13 | + CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} |
| 14 | + API_BASE: ${{ secrets.SENTINEL_CONTENT_API_URL }} |
| 15 | + |
| 16 | +jobs: |
| 17 | + pr-validate: |
| 18 | + runs-on: ubuntu-latest |
| 19 | + |
| 20 | + steps: |
| 21 | + - name: Checkout PR code |
| 22 | + uses: actions/checkout@v3 |
| 23 | + with: |
| 24 | + fetch-depth: 0 |
| 25 | + ref: ${{ github.event.pull_request.head.ref }} |
| 26 | + repository: ${{ github.event.pull_request.head.repo.full_name }} |
| 27 | + |
| 28 | + - name: Get changed JSON files and contents to send to API endpoint |
| 29 | + id: prepare_json_files |
| 30 | + run: | |
| 31 | + echo "Collecting changed JSON files..." |
| 32 | + BASE="${{ github.event.pull_request.base.sha }}" |
| 33 | + HEAD="${{ github.event.pull_request.head.sha }}" |
| 34 | +
|
| 35 | + mapfile -t files < <(git diff --name-only "$BASE" "$HEAD" | grep '\.json$') |
| 36 | + echo "Changed JSON files: ${files[@]}" |
| 37 | +
|
| 38 | + if [ ${#files[@]} -eq 0 ]; then |
| 39 | + echo "No JSON files changed in this PR." |
| 40 | + echo "JSON_PAYLOAD_PATH=empty" >> $GITHUB_ENV |
| 41 | + exit 0 |
| 42 | + fi |
| 43 | +
|
| 44 | + json_array="[" |
| 45 | + for file in "${files[@]}"; do |
| 46 | + if [ -f "$file" ]; then |
| 47 | + if jq -e . "$file" > /dev/null 2>&1; then |
| 48 | + content=$(jq -c . < "$file") |
| 49 | + json_array+="{\"filename\": \"${file}\", \"content\": $content}," |
| 50 | + else |
| 51 | + echo "β Invalid JSON structure in file: $file" |
| 52 | + exit 1 |
| 53 | + fi |
| 54 | + fi |
| 55 | + done |
| 56 | + json_array="${json_array%,}]" |
| 57 | + echo "$json_array" > files_payload.json |
| 58 | + echo "JSON_PAYLOAD_PATH=files_payload.json" >> $GITHUB_ENV |
| 59 | +
|
| 60 | + - name: π Request OIDC token from GitHub |
| 61 | + id: fetch_token |
| 62 | + run: | |
| 63 | + echo "π Requesting OIDC token..." |
| 64 | + raw=$(curl -s \ |
| 65 | + -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \ |
| 66 | + "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=api://${CLIENT_ID}") |
| 67 | + echo "π Raw token response JSON: $raw" |
| 68 | + token=$(echo "$raw" | jq -r '.value') |
| 69 | + echo "βοΈ Token length: ${#token}" |
| 70 | + echo "TOKEN=$token" >> $GITHUB_ENV |
| 71 | +
|
| 72 | + # 3. Send a simple GET request to "/" |
| 73 | + - name: π‘ Send GET request to protected root endpoint |
| 74 | + run: | |
| 75 | + echo "π GET $API_BASE/" |
| 76 | + response=$(curl -s -H "Authorization: Bearer $TOKEN" "$API_BASE/") |
| 77 | + echo "π GET response:" |
| 78 | + echo "$response" | jq . || true |
| 79 | +
|
| 80 | +
|
| 81 | + # 5. Send POST request with JSON payload to "/" |
| 82 | + - name: π Send POST request with JSON payload to root |
| 83 | + run: | |
| 84 | + echo "π POST $API_BASE/" |
| 85 | + echo "π Payload contents:" |
| 86 | + cat "$JSON_PAYLOAD_PATH" || { echo "β files_payload.json not found"; exit 1; } |
| 87 | + echo |
| 88 | +
|
| 89 | + response=$(curl -s -w "\n%{http_code}" -X POST "$API_BASE/" \ |
| 90 | + -H "Authorization: Bearer $TOKEN" \ |
| 91 | + -H "Content-Type: application/json" \ |
| 92 | + --data-binary "@$JSON_PAYLOAD_PATH") |
| 93 | +
|
| 94 | + body=$(echo "$response" | head -n -1) |
| 95 | + status_code=$(echo "$response" | tail -n1) |
| 96 | + echo "π HTTP status: $status_code" |
| 97 | + echo "π Response body:" |
| 98 | + echo "$body" | jq . || true |
| 99 | +
|
| 100 | + status=$(jq -r '.status' <<< "$response") |
| 101 | + message=$(jq -r '.message' <<< "$response") |
| 102 | +
|
| 103 | + if [ "$status" != "passed" ]; then |
| 104 | + echo "β Test Fail : $message" |
| 105 | + exit 1 |
| 106 | + fi |
| 107 | +
|
| 108 | + echo "β
$message" |
0 commit comments