# Description: Runs the test suite against fork PRs once an approver with
# write/admin permissions has approved and the 'Receive Fork Review' workflow
# has completed successfully.
#
# Triggered by: a maintainer approving a PR from a fork.
#
# Security context: `workflow_run` workflows execute in the base repository's
# context (with access to its secrets), so everything taken from the
# triggering run - branch name, artifacts, commit ids - is untrusted input.
name: 'Test / Fork PRs'

# Let only one instance of this workflow run against the same PR; a newer run
# cancels the one in progress. Branch name plus approver login is meant to
# make the group name unique per PR.
# NOTE(review): head_branch is chosen by the fork author, so two forks using
# the same branch name and approved by the same user would share a group -
# confirm whether that collision matters here.
concurrency:
  group: test-fork-prs-${{ github.event.workflow_run.head_branch }}-${{ github.event.sender.login }}
  cancel-in-progress: true

on:
  workflow_run:
    workflows:
      - Receive Fork Review
    types: [completed]
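jobs:
  # Gate job: checks that the user who triggered the review workflow has
  # write/admin permission. Every other job needs `setup`, and `setup` needs
  # this job, so the jobs that handle the fork commit and the secrets only
  # run after this check passes.
  # NOTE(review): there is no `permissions:` block on this job (nor on
  # dependency-review / setup-cache), so they get the repository's default
  # GITHUB_TOKEN scopes - consider declaring the minimum explicitly.
  check-write-access:
    runs-on: ubuntu-latest
    # Only continue when the 'Receive Fork Review' run completed successfully.
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    steps:
      - name: Get user permissions to check if it is either "write" or "admin"
        id: get-permissions
        uses: actions/github-script@98814c53be79b1d30f795b907e553d8679345975
        # Event values reach the script through env, not through `${{ }}`
        # interpolation into the script text.
        env:
          owner: ${{ github.event.repository.owner.login }}
          repo: ${{ github.event.repository.name }}
          username: ${{ github.event.sender.login }}
        with:
          result-encoding: string
          script: |
            const { owner, repo, username } = process.env;
            const { data: { permission } } = await github.rest.repos.getCollaboratorPermissionLevel({
              owner,
              repo,
              username
            });
            return permission;
      - name: Fail this workflow if user does not have write permissions
        env:
          PERMISSION: ${{ steps.get-permissions.outputs.result }}
        if: ${{ steps.get-permissions.outputs.result != 'write' && steps.get-permissions.outputs.result != 'admin' }}
        run: |
          echo "Insufficient permission: $PERMISSION"
          exit 1

  # Reads commit id, PR number and base sha from the "commit" artifact of the
  # triggering run and publishes them as job outputs. The artifact comes from
  # a run started by fork activity, so its contents are treated as untrusted:
  # only the expected files are extracted and every value is filtered before
  # it becomes an output.
  setup:
    needs: check-write-access
    runs-on: ubuntu-latest
    permissions:
      statuses: write  # This is required for running set-status actions
    outputs:
      commit_id: ${{ steps.read-commit-id.outputs.result }}
      pr_number: ${{ steps.read-pr-number.outputs.result }}
      base_sha: ${{ steps.read-base-sha.outputs.result }}
    steps:
      - name: Download artifact
        uses: actions/github-script@98814c53be79b1d30f795b907e553d8679345975
        env:
          owner: ${{ github.event.repository.owner.login }}
          repo: ${{ github.event.repository.name }}
          run_id: ${{ github.event.workflow_run.id }}
        with:
          script: |
            const { owner, repo, run_id } = process.env;
            const artifacts = await github.rest.actions.listWorkflowRunArtifacts({
              owner,
              repo,
              run_id,
            });
            const matchArtifact = artifacts.data.artifacts.find(
              (artifact) => artifact.name === 'commit'
            );
            // Fail with a clear message instead of a TypeError on `.id`.
            if (!matchArtifact) {
              throw new Error('No "commit" artifact found on the triggering workflow run');
            }
            const { data } = await github.rest.actions.downloadArtifact({
              owner,
              repo,
              artifact_id: matchArtifact.id,
              archive_format: 'zip',
            });
            const fs = require('fs');
            const path = require('path');
            // Take the workspace path from the runner environment rather than
            // interpolating an expression into the script source.
            fs.writeFileSync(path.join(process.env.GITHUB_WORKSPACE, 'commit.zip'), Buffer.from(data));
      - name: Unzip commit.zip
        # Extract only the three members the following steps read, so an
        # unexpected archive cannot drop other files into the workspace.
        run: unzip commit.zip commit_id pr_number base_sha
      - name: Read commit id from artifact zip
        uses: actions/github-script@98814c53be79b1d30f795b907e553d8679345975
        id: read-commit-id
        with:
          result-encoding: string
          script: |
            const fs = require('fs');
            const commit_id = fs.readFileSync('./commit_id', 'utf-8');
            // NOTE(review): the filter below also lets branch/tag-like names
            // through; a strict hex-length check would be tighter once the
            // producer's format is confirmed.
            return commit_id
              .replace(/(\r\n|\n|\r)/gm, '') // remove new line characters
              .replace(/[^A-Za-z0-9]/g, ''); // remove non-alphanumeric characters
      - name: Read PR number from artifact
        uses: actions/github-script@98814c53be79b1d30f795b907e553d8679345975
        id: read-pr-number
        with:
          result-encoding: string
          script: |
            const fs = require('fs');
            const pr_number = fs.readFileSync('./pr_number', 'utf-8');
            return pr_number
              .replace(/(\r\n|\n|\r)/gm, '') // remove new line characters
              .replace(/[^0-9]/g, ''); // remove non-numeric characters
      - name: Read base sha from artifact
        uses: actions/github-script@98814c53be79b1d30f795b907e553d8679345975
        id: read-base-sha
        with:
          result-encoding: string
          script: |
            const fs = require('fs');
            const base_sha = fs.readFileSync('./base_sha', 'utf-8');
            return base_sha
              .replace(/(\r\n|\n|\r)/gm, '') // remove new line characters
              .replace(/[^A-Za-z0-9]/g, ''); // remove non-alphanumeric characters
      # No `ref` here: this checkout does not use the fork commit read above.
      # NOTE(review): on every actions/checkout line in this file the pinned
      # SHA differs from the commit in the trailing URL - confirm which one
      # is v4.1.3.
      - uses: actions/checkout@b80ff79f1755d06ba70441c368a6fe801f5f3a62 # v4.1.3 https://github.com/actions/checkout/commit/cd7d8d697e10461458bc61a30d094dc601a8b017
      - name: Set status to commit sha
        # `@main` is a mutable ref, unlike the SHA-pinned actions above.
        uses: aws-amplify/amplify-ui/.github/actions/set-status@main
        with:
          sha: ${{ steps.read-commit-id.outputs.result }}
          state: 'pending'
          context: 'Run PR checks'
          description: 'PR checks are now running'
          # URL below is a link to the current workflow run to allow users to see the status of the workflow.
          target-url: https://github.com/${{ github.event.repository.owner.login }}/${{ github.event.repository.name }}/actions/runs/${{ github.run_id }}

  # Static analysis of the fork commit; the token is limited to read access
  # plus security-events write.
  codeql:
    needs: setup
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write  # required to write security findings
    strategy:
      fail-fast: false
      matrix:
        language: [javascript]
    steps:
      # NOTE(review): a workflow_run payload carries no `label` or
      # `pull_request` object, so this condition looks like it can never be
      # true here; the job also grants no issues/pull-requests write scope.
      # Confirm whether this step is a leftover from a label-triggered workflow.
      - name: Remove run-codeql label, if applicable
        if: github.event.label.name == 'run-codeql'
        env:
          ISSUE_NUMBER: ${{ github.event.pull_request.number }}
          REPO_OWNER: ${{ github.repository_owner }}
          REPO_NAME: ${{ github.event.repository.name }}
          LABEL_NAME: 'run-codeql'
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 https://github.com/actions/github-script/commit/60a0d83039c74a4aee543508d2ffcb1c3799cdea
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const { ISSUE_NUMBER, REPO_OWNER, REPO_NAME, LABEL_NAME } = process.env
            github.rest.issues.removeLabel({ owner: REPO_OWNER, repo: REPO_NAME, issue_number: ISSUE_NUMBER, name: LABEL_NAME })
      # Checks out the fork commit taken from the artifact (filtered in `setup`).
      - name: Checkout
        uses: actions/checkout@b80ff79f1755d06ba70441c368a6fe801f5f3a62 # v4.1.3 https://github.com/actions/checkout/commit/cd7d8d697e10461458bc61a30d094dc601a8b017
        with:
          ref: ${{ needs.setup.outputs.commit_id }}
      - name: Initialize CodeQL
        uses: github/codeql-action/init@423a04bb2cb7cd2643007122588f1387778f14d0 # v3.24.9 https://github.com/github/codeql-action/commit/423a04bb2cb7cd2643007122588f1387778f14d0
        with:
          languages: ${{ matrix.language }}
          # NOTE(review): this path is resolved in the checked-out tree, i.e.
          # presumably the fork's copy of the config - confirm that is intended.
          config-file: ./.github/codeql/codeql-config.yml
          queries: +security-and-quality
      - name: Autobuild
        uses: github/codeql-action/autobuild@423a04bb2cb7cd2643007122588f1387778f14d0 # v3.24.9 https://github.com/github/codeql-action/commit/423a04bb2cb7cd2643007122588f1387778f14d0
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@423a04bb2cb7cd2643007122588f1387778f14d0 # v3.24.9 https://github.com/github/codeql-action/commit/423a04bb2cb7cd2643007122588f1387778f14d0
        with:
          # ref should target refs/pull/<number>/head
          ref: refs/pull/${{ needs.setup.outputs.pr_number }}/head
          sha: ${{ needs.setup.outputs.commit_id }}
          category: '/language:${{ matrix.language }}'

  # Compares dependencies between the PR base and the fork commit.
  dependency-review:
    needs: setup
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@b80ff79f1755d06ba70441c368a6fe801f5f3a62 # v4.1.3 https://github.com/actions/checkout/commit/cd7d8d697e10461458bc61a30d094dc601a8b017
        with:
          ref: ${{ needs.setup.outputs.commit_id }}
          repository: ${{ github.repository }}
      - name: 'Dependency Review'
        uses: actions/dependency-review-action@0c155c5e8556a497adf53f2c18edabf945ed8e70 # https://github.com/actions/dependency-review-action/commit/[HASH]
        with:
          base-ref: ${{ needs.setup.outputs.base_sha }}
          head-ref: ${{ needs.setup.outputs.commit_id }}
          config-file: '.github/dependency-review/config.yml'

  # Reusable workflow, called with the fork commit id.
  setup-cache:
    needs: setup
    uses: aws-amplify/amplify-ui/.github/workflows/reusable-setup-cache.yml@main
    with:
      commit: ${{ needs.setup.outputs.commit_id }}
      repository: ${{ github.repository }}

  # Reusable e2e workflow, called with the fork commit id, repository secrets
  # and `id-token: write`. The check-write-access gate (reached through
  # `needs: setup`) is the only approval step in this file in front of these
  # credentials.
  # NOTE(review): presumably the called workflow builds and runs the fork's
  # code with these secrets in scope - confirm the role ARNs are scoped to
  # test-only resources.
  e2e:
    uses: aws-amplify/amplify-ui/.github/workflows/reusable-e2e.yml@main
    needs: [setup, setup-cache]
    permissions:
      pull-requests: write  # used to remove label
      id-token: write  # This is required for requesting the JWT
      contents: read  # This is required for actions/checkout
    with:
      commit: ${{ needs.setup.outputs.commit_id }}
      repository: ${{ github.repository }}
    secrets:
      AUTH_E2E_ROLE_ARN: ${{ secrets.AUTH_E2E_ROLE_ARN }}
      DATASTORE_E2E_ROLE_ARN: ${{ secrets.DATASTORE_E2E_ROLE_ARN }}
      GEO_E2E_ROLE_ARN: ${{ secrets.GEO_E2E_ROLE_ARN }}
      STORAGE_E2E_ROLE_ARN: ${{ secrets.STORAGE_E2E_ROLE_ARN }}
      LIVENESS_E2E_ROLE_ARN: ${{ secrets.LIVENESS_E2E_ROLE_ARN }}
      IN_APP_MESSAGING_E2E_ROLE_ARN: ${{ secrets.IN_APP_MESSAGING_E2E_ROLE_ARN }}
      AI_E2E_ROLE_ARN: ${{ secrets.AI_E2E_ROLE_ARN }}
      DOMAIN: ${{ secrets.DOMAIN }}
      PHONE_NUMBER: ${{ secrets.PHONE_NUMBER }}
      USERNAME: ${{ secrets.USERNAME }}
      NEW_PASSWORD: ${{ secrets.NEW_PASSWORD }}
      VALID_PASSWORD: ${{ secrets.VALID_PASSWORD }}
      SITE_URL: ${{ secrets.SITE_URL }}
      DOCSEARCH_DOCS_APP_ID: ${{ secrets.DOCSEARCH_DOCS_APP_ID }}
      DOCSEARCH_DOCS_API_KEY: ${{ secrets.DOCSEARCH_DOCS_API_KEY }}
      DOCSEARCH_DOCS_INDEX_NAME: ${{ secrets.DOCSEARCH_DOCS_INDEX_NAME }}

  # update status on success
  update-success-status:
    if: ${{ success() }}
    needs: [setup, e2e, codeql, dependency-review]
    runs-on: ubuntu-latest
    permissions:
      statuses: write  # This is required for running set-status actions
    steps:
      - uses: actions/checkout@b80ff79f1755d06ba70441c368a6fe801f5f3a62 # v4.1.3 https://github.com/actions/checkout/commit/cd7d8d697e10461458bc61a30d094dc601a8b017
      - name: Update status when tests are successful
        uses: aws-amplify/amplify-ui/.github/actions/set-status@main
        with:
          sha: ${{ needs.setup.outputs.commit_id }}
          state: 'success'
          context: 'Run PR checks'
          description: 'PR checks have finished running'
          target-url: https://github.com/${{ github.event.repository.owner.login }}/${{ github.event.repository.name }}/actions/runs/${{ github.run_id }}

  # update status on failure
  # NOTE(review): failure() is also true when an ancestor job such as
  # check-write-access fails; `setup` is then skipped and commit_id is empty -
  # confirm set-status tolerates an empty sha.
  update-failure-status:
    if: ${{ failure() }}
    needs: [setup, e2e, codeql, dependency-review]
    runs-on: ubuntu-latest
    permissions:
      statuses: write  # This is required for running set-status actions
    steps:
      - uses: actions/checkout@b80ff79f1755d06ba70441c368a6fe801f5f3a62 # v4.1.3 https://github.com/actions/checkout/commit/cd7d8d697e10461458bc61a30d094dc601a8b017
      - name: Update status when PR tests are not successful
        uses: aws-amplify/amplify-ui/.github/actions/set-status@main
        with:
          sha: ${{ needs.setup.outputs.commit_id }}
          state: 'failure'
          context: 'Run PR checks'
          description: 'PR checks have failed'
          target-url: https://github.com/${{ github.event.repository.owner.login }}/${{ github.event.repository.name }}/actions/runs/${{ github.run_id }}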