# ok-to-test workflow

By default, when a PR is proposed from a fork, the secrets are not available to
the actions executed for that PR. This is a problem if the tests require
secrets to run: in that case the reviewers can't know whether the proposed
changes will break the tests.

## How it works
To solve this issue we integrated the [ok-to-test workflow]. It works
as follows:
* The GitHub Actions executed on PRs are split into 3 groups:
    * actions that don't require secrets.
    * trusted actions: they require secrets and are executed from branches in the
    `supernets2-node` repo; secrets are always available to them.
    * from-fork actions: they require secrets and are executed from forks; secrets
    are available after approval from users with write access to the repo.
* When a PR is created from a branch in the `supernets2-node` repo, the actions that
don't require secrets and the trusted actions are executed.
* When a PR is created from a fork, the actions that don't require secrets are
executed, and the from-fork actions are executed after a user with write access
comments `/ok-to-test sha=<commit sha>` in the PR, with the sha of the commit on
which the actions should run. Before adding this comment, the user should have
reviewed the code and verified that it does not pose a security threat (for
instance, the reviewer should verify that the PR is not adding new actions and is
not trying to disclose the existing secrets).

## Requirements
Our setup relies on the existence of a repo secret called `PERSONAL_ACCESS_TOKEN`
whose value is a personal access token with repo access scope.

## How to add the ok-to-test functionality to an existing workflow
To transform an existing workflow into one that uses the ok-to-test
functionality, change it as follows:
* Add the `repository_dispatch` entry, as done here: https://github.com/0xPolygonHermez/supernets2-bridge-service/pull/148/files#diff-107e910e9f2ebfb9a741fa10b2aa7100cc1fc4f5f3aca2dfe78b905cbd73c0d2R9-R10
* Duplicate the job: if it is called `build`, copy it to `from-fork-build` and
rename `build` to `trusted-build`.
* In `trusted-build` add this `if` as the first item:
    ```
    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
    ```
* In `from-fork-build`:
    * Add this `if` as the first item:
        ```
        if:
          github.event_name == 'repository_dispatch' &&
          github.event.client_payload.slash_command.sha != '' &&
          contains(github.event.client_payload.pull_request.head.sha, github.event.client_payload.slash_command.sha)
        ```
    * If it has a checkout action, replace it with:
        ```
        - name: Fork based /ok-to-test checkout
          uses: actions/checkout@v3
          with:
            ref: 'refs/pull/${{ github.event.client_payload.pull_request.number }}/merge'
        ```
    * Add this code as the last step: https://github.com/0xPolygonHermez/supernets2-bridge-service/pull/148/files#diff-107e910e9f2ebfb9a741fa10b2aa7100cc1fc4f5f3aca2dfe78b905cbd73c0d2R60-R88

[ok-to-test workflow]: https://github.com/imjohnbo/ok-to-test
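
The steps above applied to a single-job workflow, as an added example that is not the project's own workflow file. The `ok-to-test-command` event type is an assumption taken from the upstream ok-to-test template, the file name, `make test` step and `EXAMPLE_SECRET` name are hypothetical, and the last step from the linked PR is not reproduced.

```yaml
# Added example: hypothetical .github/workflows/test.yml after the conversion.
name: test
on:
  pull_request:
  repository_dispatch:
    # Assumption: event type used by the upstream ok-to-test template.
    types: [ok-to-test-command]

jobs:
  # Runs only for PRs opened from branches of this repository.
  trusted-build:
    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Run tests            # hypothetical step
        run: make test
        env:
          EXAMPLE_SECRET: ${{ secrets.EXAMPLE_SECRET }}   # hypothetical secret

  # Runs only for the dispatch event created by /ok-to-test sha=<commit sha>,
  # and only if that sha is non-empty and contained in the PR head sha
  # carried in the dispatch payload.
  from-fork-build:
    if:
      github.event_name == 'repository_dispatch' &&
      github.event.client_payload.slash_command.sha != '' &&
      contains(github.event.client_payload.pull_request.head.sha, github.event.client_payload.slash_command.sha)
    runs-on: ubuntu-latest
    steps:
      - name: Fork based /ok-to-test checkout
        uses: actions/checkout@v3
        with:
          ref: 'refs/pull/${{ github.event.client_payload.pull_request.number }}/merge'
      - name: Run tests            # hypothetical step
        run: make test
        env:
          EXAMPLE_SECRET: ${{ secrets.EXAMPLE_SECRET }}   # hypothetical secret
      # The last step from the linked PR goes here (not reproduced in this example).
```

A PR from a fork still triggers the `pull_request` event, but it fails the `trusted-build` condition, so no job that uses secrets runs until the `/ok-to-test` comment produces the `repository_dispatch` event.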