Allow maintainers to run integration tests on PR from a fork #818
Conversation
If a user has either the `PIP_REQUIRE_VENV` or `PIP_REQUIRE_VIRTUALENV` environment variable set to a "truthy" value, and no virtual environment is active, `pip install` will fail with a message indicating as such. However, when a conda environment is active, we want to allow `pip install` to run without an active virtual environment because it will install packages within the active conda environment.
|
Codecov ReportAll modified and coverable lines are covered by tests ✅
❗ Your organization needs to install the Codecov GitHub app to enable full functionality. Additional details and impacted files@@ Coverage Diff @@
## main #818 +/- ##
=======================================
Coverage ? 68.00%
=======================================
Files ? 22
Lines ? 1466
Branches ? 0
=======================================
Hits ? 997
Misses ? 469
Partials ? 0 ☔ View full report in Codecov by Sentry. |
|
Looks like |
chuckwondo
changed the title
|
@mfisher87, @betolink, or @jhkennedy, any chance of getting eyes on this so we can resolve the integration tests problem? It's a rather small PR. |
|
I can take a look now @chuckwondo |
| @@ -9,3 +9,7 @@ dependencies: | |||
| - pip | |||
| - pip: | |||
| - --editable .[dev,test,docs] | |||
| variables: | |||
There was a problem hiding this comment.
Nice, I didn't know about this
| @@ -8,7 +8,7 @@ | |||
| DIR = Path(__file__).parent.resolve() | |||
|
|
|||
| nox.needs_version = ">=2024.3.2" | |||
| nox.options.sessions = ["typecheck", "test_unit"] | |||
| nox.options.sessions = ["typecheck", "tests"] | |||
There was a problem hiding this comment.
Maybe we need to add a comment in the docs that for now nox tests will only run unit tests?
There was a problem hiding this comment.
This actually better matches my expectations -- I generally would expect pytest/nox to only run unit tests unless explicitly told to run integration tests as they are larger and require integrations. It's pretty common for unit tests to just be called "tests".
There was a problem hiding this comment.
@betolink, we can clarify the docs when we add integration tests to the mix with nox as per the recent issue you opened.
@jhkennedy, yep, agreed.
Perhaps the yet-to-be-added nox session could be named integration_tests (or integration-tests, if nox supports kebab-case names -- not sure if it does).
| @@ -8,7 +8,7 @@ | |||
| DIR = Path(__file__).parent.resolve() | |||
|
|
|||
| nox.needs_version = ">=2024.3.2" | |||
| nox.options.sessions = ["typecheck", "test_unit"] | |||
| nox.options.sessions = ["typecheck", "tests"] | |||
There was a problem hiding this comment.
This actually better matches my expectations -- I generally would expect pytest/nox to only run unit tests unless explicitly told to run integration tests as they are larger and require integrations. It's pretty common for unit tests to just be called "tests".
|
Thanks @betolink and @jhkennedy. Here goes nothin'! |
| run: | | ||
| echo "User **${{ github.triggering_actor }}** does not have permission to run integration tests." >> $GITHUB_STEP_SUMMARY | ||
| echo "A maintainer must perform a security review and re-run this build, if the code is safe." >> $GITHUB_STEP_SUMMARY | ||
| echo "See [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/resources/github-actions-preventing-pwn-requests)." >> $GITHUB_STEP_SUMMARY |
There was a problem hiding this comment.
@chuckwondo I could have sworn i commented on this and a couple other things, but I don't see those comments anywhere! Can you help me out? I was thinking we could link directly to the build log for the job that needs to be re-run.
There was a problem hiding this comment.
Hey @mfisher87, sorry for the confusion. I think your comment was on my duplicate PR from a branch within the earthaccess repo instead of from my fork. I had initially created that other draft PR to make sure things would work for a PR within the repo, but once confirmed, closed it in favor of this one from my fork, as this is the other case we need to cover.
Regarding your "missing" comment, I tweaked your suggestion (from the other PR) here in 2 ways:
- I replaced
GITHUB_OUTPUTwithGITHUB_STEP_SUMMARY, as I believe this is perhaps what you intended (GITHUB_OUTPUTis for a different purpose -- i.e., to pass output between steps, not for any UI output) - I did not include the link that you had suggested because in order to see the message produced by these lines, you must actually be on the relevant build page, so the link would simply refer to the page on which this message appears (i.e., it would be redundant). In other words, the only place this message appears is on the very page given by the link. It would really only make sense to include the link in the message if the message appeared on some other page.
There was a problem hiding this comment.
Thanks for getting me back on track! (1) Exactly, thank you :) I think for (2) I was thinking of text we could have a bot post into the PR as a comment but I didn't explain myself. Apologies! That might be a fun future improvement :)
There was a problem hiding this comment.
Thanks for getting me back on track! (1) Exactly, thank you :) I think for (2) I was thinking of text we could have a bot post into the PR as a comment but I didn't explain myself. Apologies! That might be a fun future improvement :)
I totally agree with you on having a bot post a PR comment. That would be fantastic. I'll create a new issue for that improvement.
This PR fixes the problem of failing integration tests on PRs from forked repos by allowing maintainers to review such PRs for potential security issues (which should be minimal for trusted/known contributors) and then re-running the failed jobs such that they may successfully run.
The result is the following:
Since this change must land on the
mainbranch before it takes effect, I tested this with a fork from my fork to confirm that it does indeed work as expected. This should mean that this PR should be the last PR a maintainer will have to bypass failing integration tests to merge it.Pull Request (PR) draft checklist - click to expand
contributing documentation
before getting started.
title such as "Add testing details to the contributor section of the README".
example
closes #1. SeeGitHub docs - Linking a pull request to an issue.
CHANGELOG.mdwith details about your change in a section titled## Unreleased. If such a section does not exist, please create one. FollowCommon Changelog for your additions.
README.mdwith details of changes to theearthaccess interface, if any. Consider new environment variables, function names,
decorators, etc.
Click the "Ready for review" button at the bottom of the "Conversation" tab in GitHub
once these requirements are fulfilled. Don't worry if you see any test failures in
GitHub at this point!
Pull Request (PR) merge checklist - click to expand
Please do your best to complete these requirements! If you need help with any of these
requirements, you can ping the
@nsidc/earthaccess-supportteam in a comment and wewill help you out!
Request containing "pre-commit.ci autofix" to automate this.
Fixes #810
📚 Documentation preview 📚: https://earthaccess--818.org.readthedocs.build/en/818/