Skip to content

Use temp .netrc file for integration tests and support NETRC environment variable #584

Use temp .netrc file for integration tests and support NETRC environment variable

Use temp .netrc file for integration tests and support NETRC environment variable #584

name: Integration Tests
on:
pull_request:
pull_request_target:
push:
branches:
- main
paths:
- earthaccess/**
- tests/**
- docs/**
- binder/**
# When this workflow is queued, automatically cancel any previous running
# or pending jobs from the same branch
concurrency:
group: integration-tests-${{ github.ref }}
cancel-in-progress: true
jobs:
integration-tests:
#
# This condition prevents DUPLICATE attempts to run integration tests for
# PRs coming from FORKS.
#
# When a PR originates from a fork, both a pull_request and a
# pull_request_target event are triggered. This means that without a
# condition, GitHub will attempt to run integration tests TWICE, once for
# each event.
#
# To prevent this, this condition ensures that integration tests are run
# in only ONE of the following cases:
#
# 1. The event is NOT a pull_request. This covers the case when the event
# is a pull_request_target (i.e., a PR from a fork), as well as all
# other cases listed in the "on" block at the top of this file.
# 2. The event IS a pull_request AND the base repo and head repo are the
# same (i.e., the PR is NOT from a fork).
#
if: github.event_name != 'pull_request' || github.event.pull_request.base.repo.full_name == github.event.pull_request.head.repo.full_name
runs-on: ubuntu-latest
strategy:
matrix:
python-version: ["3.9", "3.10", "3.11", "3.12"]
fail-fast: false
steps:
- name: Fetch user permission
if: github.event_name == 'pull_request_target'
id: permission
uses: actions-cool/check-user-permission@v2
with:
require: write
username: ${{ github.triggering_actor }}
- name: Check user permission
# The name of the output require-result is a bit confusing, but when its value
# is 'false', it means that the triggering actor does NOT have the required
# permission.
if: github.event_name == 'pull_request_target' && steps.permission.outputs.require-result == 'false'
# If the triggering actor does not have write permission (i.e., this is a
# PR from a fork), then we exit, otherwise most of the integration tests will
# fail because they require access to secrets. In this case, a maintainer
# will need to make sure the PR looks safe, and if so, manually re-run the
# failed pull_request_target jobs.
run: |
echo "User **${{ github.triggering_actor }}** does not have permission to run integration tests." >> $GITHUB_STEP_SUMMARY
echo "A maintainer must perform a security review and re-run this build, if the code is safe." >> $GITHUB_STEP_SUMMARY
echo "See [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/resources/github-actions-preventing-pwn-requests)." >> $GITHUB_STEP_SUMMARY
exit 1
- name: Checkout source
uses: actions/checkout@v4
- name: Install package with dependencies
uses: ./.github/actions/install-pkg
with:
python-version: ${{ matrix.python-version }}
- name: Run integration tests
env:
EARTHDATA_USERNAME: ${{ secrets.EDL_USERNAME }}
EARTHDATA_PASSWORD: ${{ secrets.EDL_PASSWORD }}
run: ./scripts/integration-test.sh
- name: Upload coverage report
# Don't upload coverage when using the `act` tool to run the workflow locally
if: ${{ !env.ACT }}
uses: codecov/codecov-action@v4