Update CI to use Github Environments #326
Conversation
Left some comments, overall looks good to me. Thanks for this!
uses: ./.github/workflows/e2e-tests.yaml | ||
with: | ||
environment: "untrusted" | ||
ref: ${{ github.sha }} |
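Review bot: `ref: ${{ github.sha }}` changes which commit the untrusted e2e run checks out, and the replaced fallback to `github.event.pull_request.head.sha` mattered. On a `pull_request` event `github.sha` is the temporary merge commit of the PR head onto the base branch rather than the contributor's head commit, and on `pull_request_target` it is the last commit on the base branch, so the "untrusted" run could end up testing something other than the fork's code. Suggest keeping the event-conditional expression, e.g. `ref: ${{ github.event_name == 'push' && github.sha || github.event.pull_request.head.sha }}`, or documenting in the workflow which events this reusable workflow is expected to be called from.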
Seems like we were using `${{ github.event_name == 'push' && github.sha || github.event.pull_request.head.sha }}` previously to get the sha from pull requests. Not sure what was the reason for that. Is github.sha fine now?
I've not actually tried this from PRs - I'll try testing it
permissions: | ||
id-token: write | ||
contents: read | ||
env: |
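Review bot: `id-token: write` at workflow level lets every job in this file mint an OIDC token, including the jobs that run fork code under the `untrusted` environment, so the trusted/untrusted split described in this PR only holds if the cloud role's trust policy conditions on the token's `sub` claim with the environment (`repo:<owner>/<repo>:environment:trusted`) and not merely on the repository. Suggest scoping `id-token: write` to the specific jobs that need to assume a role, and checking that the `untrusted` environment carries no secrets or variables pointing at the trusted account.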
Thanks for this! It's much better than exporting variables in each step.
on: | ||
push: | ||
branches: [ "main", "feature/**", "release-**", "workflow/**" ] | ||
merge_group: |
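Review bot: the `merge_group` trigger on its own does not gate merges; the job also has to be listed as a required status check in the branch protection rule or ruleset once the merge queue is enabled, otherwise the queue merges without waiting for it. Worth noting in the PR description alongside "create GitHub environments", since both are repository-settings steps. Also note the `push` branch globs (`feature/**`, `release-**`, `workflow/**`) mean any collaborator with push access to such a branch triggers the trusted path, so branch protection should cover those patterns as well as `main`.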
Not sure if that was possible before but seems like we can also use merge queues now. That's great!
I'm not completely certain if this works, it was actually in the previous thing as well. I think merge queues are a thing we need to enable in the repository settings
Yep, but this definition in the workflow ensures that the checks will run and then when we switch it on in repo settings, it will then allow the merge queue to run and read those workflows.
Deduplicate repeated environment variables in e2e-tests.yaml
Mark image as passed CI on passing CI
f6098d4 to 15c5bfc
15c5bfc to a77b225
Issue #, if available: N/A
Description of changes:
Use github environments to separate the different security boundaries we have: an 'untrusted' account for third party forks, and a 'trusted' account for direct pushes and merges. The 'trusted' account is then used as a source for releases, and it will only run code that's already merged into the main repository.
Testing E2E: https://github.com/muddyfish/mountpoint-s3-csi-driver/actions/runs/12412282111
Testing release: https://github.com/muddyfish/mountpoint-s3-csi-driver/actions/runs/12411681334
Before Merging: Need to create GitHub environments on main repository.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
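As an added illustration of the trusted/untrusted split the description refers to (this is not the PR's own workflow and not the project's code), the following pair of workflow files selects the environment and checkout ref from the triggering event, grants `id-token: write` only to the job that assumes a cloud role, and shows, in a comment, the trust-policy condition on the OIDC `sub` claim that actually enforces the boundary. `ORG/REPO`, the role ARN variable and the region are placeholders.

```yaml
# Added example, not from the PR. ORG/REPO, ROLE_ARN and the region are placeholders.
# --- .github/workflows/ci.yaml (caller) ---
name: CI
on:
  pull_request:                       # fork code: must land in the untrusted environment
  push:
    branches: [ "main" ]              # merged code: trusted environment
  merge_group:                        # runs with repository code, treated as trusted

permissions:
  contents: read                      # least privilege by default; no id-token here

jobs:
  e2e:
    uses: ./.github/workflows/e2e-tests.yaml
    # The calling job must grant what the reusable workflow needs; nothing more.
    permissions:
      id-token: write
      contents: read
    with:
      # Environment and ref are chosen from the event, so a PR from a fork can
      # never be routed to the trusted environment by the contributor.
      environment: ${{ github.event_name == 'pull_request' && 'untrusted' || 'trusted' }}
      # On pull_request, github.sha is the synthetic merge commit; use the head sha
      # so the run tests exactly the contributor's commit.
      ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}

---
# --- .github/workflows/e2e-tests.yaml (reusable) ---
name: e2e-tests
on:
  workflow_call:
    inputs:
      environment:
        required: true
        type: string
      ref:
        required: true
        type: string

jobs:
  e2e:
    runs-on: ubuntu-latest
    # Environment-level variables/secrets are only visible to jobs bound to that
    # environment, so ROLE_ARN in "untrusted" can point at a sandbox account only.
    environment: ${{ inputs.environment }}
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ inputs.ref }}
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ vars.ROLE_ARN }}   # assumption: defined per environment
          aws-region: us-east-1                   # placeholder region

# Trust policy condition for the role in the trusted account (assumption: an OIDC
# provider for token.actions.githubusercontent.com already exists there). Pinning
# "sub" to the environment, not just the repository, is what keeps an untrusted
# job's token from assuming this role even though it also has id-token: write:
#
#   "Condition": {
#     "StringEquals": {
#       "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
#       "token.actions.githubusercontent.com:sub": "repo:ORG/REPO:environment:trusted"
#     }
#   }
```

The design choice is that the routing decision lives in the caller's `with:` block, which a fork cannot influence, while the reusable workflow simply honours the environment it is given; with the `sub` condition in place, a misrouted or tampered job still cannot reach the trusted account because its token carries `environment:untrusted`.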