fix: Fix jobs for secrets inherit (#15532)

2025-12-17 01:56:46 +00:00 · 2025-05-20 09:57:11 +01:00
parent 4d037ca68a
commit cf29b5f188
3 changed files with 88 additions and 78 deletions
--- a/.github/workflows/test-workflows-nightly.yml
+++ b/.github/workflows/test-workflows-nightly.yml
@@ -11,35 +11,16 @@ on:
        type: string
        default: 'master'
 permissions:
  contents: read
 jobs:
-  run_tests:
+  run_workflow_tests:
    name: Run Workflow Tests
-    runs-on: blacksmith-2vcpu-ubuntu-2204
+    uses: ./.github/workflows/test-workflows-callable.yml
-    timeout-minutes: 10
+    with:
-
+      git_ref: ${{ github.event_name == 'schedule' && 'master' || github.event.inputs.git_ref_to_test }}
-    steps:
+      send_webhook_report: false
-      - name: Determine Git Ref for Testing
+      pr_number: ''
-        id: determine_ref
+    secrets: inherit
        shell: bash
        run: |
          if [[ "${{ github.event_name }}" == "schedule" ]]; then
            echo "EFFECTIVE_GIT_REF=master" >> $GITHUB_OUTPUT
            echo "Scheduled run: Using 'master' branch."
          elif [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
            echo "EFFECTIVE_GIT_REF=${{ github.event.inputs.git_ref_to_test }}" >> $GITHUB_OUTPUT
            echo "Manual dispatch: Using ref '${{ github.event.inputs.git_ref_to_test }}'."
          else
            echo "EFFECTIVE_GIT_REF=master" >> $GITHUB_OUTPUT
            echo "Warning: Unknown event type '${{ github.event_name }}', defaulting to 'master'."
          fi
      - name: Call Reusable Test Workflow
        uses: ./.github/workflows/run-test-workflows.yml
        with:
          git_ref: ${{ steps.determine_ref.outputs.EFFECTIVE_GIT_REF }}
          send_webhook_report: false
          pr_number: ''
        secrets: inherit
--- a/.github/workflows/test-workflows-pr-approved.yml
+++ b/.github/workflows/test-workflows-pr-approved.yml
@@ -9,17 +9,12 @@ permissions:
  pull-requests: read
 jobs:
-  run_tests_after_approval:
+  run_workflow_tests_after_approval:
    name: Run Tests on Approved PR
    if: github.event.review.state == 'approved'
-    runs-on: blacksmith-2vcpu-ubuntu-2204
+    uses: ./.github/workflows/test-workflows-callable.yml
-    timeout-minutes: 10
+    with:
-
+      git_ref: ${{ github.event.pull_request.head.sha }}
-    steps:
+      send_webhook_report: true
-      - name: Call Reusable Test Workflow on Approved PR
+      pr_number: ${{ github.event.pull_request.number }}
-        uses: ./.github/workflows/test-workflows-callable.yml
+    secrets: inherit
        with:
          git_ref: ${{ github.event.pull_request.head.sha }}
          send_webhook_report: true
          pr_number: ${{ github.event.pull_request.number }}
        secrets: inherit
--- a/.github/workflows/test-workflows-pr-comment.yml
+++ b/.github/workflows/test-workflows-pr-comment.yml
@@ -9,70 +9,104 @@ permissions:
  contents: read
 jobs:
-  trigger_tests_on_comment:
+  handle_comment_command:
-    name: Handle /test-workflows command
+    name: Handle /test-workflows Command
    if: github.event.issue.pull_request && startsWith(github.event.comment.body, '/test-workflows')
    runs-on: ubuntu-latest
    outputs:
      permission_granted: ${{ steps.pr_check_and_details.outputs.permission_granted }}
      git_ref: ${{ steps.pr_check_and_details.outputs.head_sha }}
      pr_number: ${{ steps.pr_check_and_details.outputs.pr_number_string }}
    steps:
-      - name: Check User Permission and Get PR Details
+      - name: Validate User, Get PR Details, and React
-        id: pr_check
+        id: pr_check_and_details
        uses: actions/github-script@v7
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          result-encoding: json
          script: |
            const commenter = context.actor;
-            const issue = context.issue;
+            const issueOwner = context.repo.owner;
-            let hasPermission = false;
+            const issueRepo = context.repo.repo;
-            let prDetails = null;
+            const commentId = context.payload.comment.id;
            const prNumber = context.issue.number; // In issue_comment on a PR, issue.number is the PR number
            // Function to add a reaction to the comment
            async function addReaction(content) {
              try {
                await github.rest.reactions.createForIssueComment({
                  owner: issueOwner,
                  repo: issueRepo,
                  comment_id: commentId,
                  content: content
                });
              } catch (reactionError) {
                // Log if reaction fails but don't fail the script for this
                console.log(`Failed to add reaction '${content}': ${reactionError.message}`);
              }
            }
            // Initialize outputs to a non-triggering state
            core.setOutput('permission_granted', 'false');
            core.setOutput('head_sha', '');
            core.setOutput('pr_number_string', '');
            // 1. Check user permissions
            try {
              const { data: permissions } = await github.rest.repos.getCollaboratorPermissionLevel({
-                owner: issue.owner,
+                owner: issueOwner,
-                repo: issue.repo,
+                repo: issueRepo,
                username: commenter
              });
              const allowedPermissions = ['admin', 'write', 'maintain'];
-              if (allowedPermissions.includes(permissions.permission)) {
+              if (!allowedPermissions.includes(permissions.permission)) {
-                console.log(`User @${commenter} has '${permissions.permission}' permission.`);
+                console.log(`User @${commenter} has '${permissions.permission}' permission. Needs 'admin', 'write', or 'maintain'.`);
-                hasPermission = true;
+                await addReaction('-1'); // User does not have permission
-              } else {
+                return; // Exit script, tests will not be triggered
                core.setFailed(`User @${commenter} does not have sufficient permissions (admin/write/maintain) to trigger workflows.`);
              }
              console.log(`User @${commenter} has '${permissions.permission}' permission.`);
            } catch (error) {
-              core.setFailed(`Could not verify permissions for @${commenter}: ${error.message}`);
+              console.log(`Could not verify permissions for @${commenter}: ${error.message}`);
              await addReaction('confused'); // Error checking permissions
              return; // Exit script
            }
-            if (!hasPermission) {
+            // 2. Fetch PR details (if permission check passed)
-              return { permission_granted: false };
+            let headSha;
            }
            const prNumber = issue.number;
            try {
              const { data: pr } = await github.rest.pulls.get({
-                owner: context.repo.owner,
+                owner: issueOwner,
-                repo: context.repo.repo,
+                repo: issueRepo,
                pull_number: prNumber,
              });
-              prDetails = {
+              headSha = pr.head.sha;
-                head_sha: pr.head.sha,
+              console.log(`Workspaced PR details: SHA - ${headSha}, PR Number - ${prNumber}`);
-                pr_number_string: prNumber.toString()
+
-              };
+              // Set outputs for the next job
-              console.log(`Workspaceed PR details: SHA - ${prDetails.head_sha}, PR Number - ${prDetails.pr_number_string}`);
+              core.setOutput('permission_granted', 'true');
              core.setOutput('head_sha', headSha);
              core.setOutput('pr_number_string', prNumber.toString());
              await addReaction('+1'); // Command accepted, tests will be triggered
            } catch (error) {
-              core.setFailed(`Failed to fetch PR details for PR #${prNumber}: ${error.message}`);
+              console.log(`Failed to fetch PR details for PR #${prNumber}: ${error.message}`);
-              return { permission_granted: true, pr_fetch_error: true };
+              core.setOutput('permission_granted', 'false'); // Ensure this is false if PR fetch fails
              await addReaction('confused'); // Error fetching PR details
            }
-            return { permission_granted: true, ...prDetails };
+  trigger_reusable_tests:
    name: Trigger Reusable Test Workflow
    needs: handle_comment_command
-      - name: Call Reusable Test Workflow
+    if: >
-        if: steps.pr_check.outcome == 'success' && fromJson(steps.pr_check.outputs.result).permission_granted == true && fromJson(steps.pr_check.outputs.result).head_sha
+      always() &&
-        uses: ./.github/workflows/test-workflows-callable.yml
+      needs.handle_comment_command.result != 'skipped' &&
-        with:
+      needs.handle_comment_command.outputs.permission_granted == 'true' &&
-          git_ref: ${{ fromJson(steps.pr_check.outputs.result).head_sha }}
+      needs.handle_comment_command.outputs.git_ref != ''
-          send_webhook_report: true
+    uses: ./.github/workflows/test-workflows-callable.yml
-          pr_number: ${{ fromJson(steps.pr_check.outputs.result).pr_number_string }}
+    with:
-        secrets: inherit
+      git_ref: ${{ needs.handle_comment_command.outputs.git_ref }}
      send_webhook_report: true
      pr_number: ${{ needs.handle_comment_command.outputs.pr_number }}
    secrets: inherit