Update CI to use Github Environments #326
Conversation
| uses: ./.github/workflows/e2e-tests.yaml | ||
| with: | ||
| environment: "untrusted" | ||
| ref: ${{ github.sha }} |
There was a problem hiding this comment.
Seems like were using ${{ github.event_name == 'push' && github.sha || github.event.pull_request.head.sha }} previously to get sha from pull requests. Not sure what was the reason for that. Is github.sha fine now?
There was a problem hiding this comment.
I've not actually tried this from PRs - I'll try testing it
| permissions: | ||
| id-token: write | ||
| contents: read | ||
| env: |
There was a problem hiding this comment.
Thanks for this! It's much better than exporting variables in each step.
| on: | ||
| push: | ||
| branches: [ "main", "feature/**", "release-**", "workflow/**" ] | ||
| merge_group: |
There was a problem hiding this comment.
Not sure if that was possible before but seems like we can also use merge queues now. That's great!
There was a problem hiding this comment.
I'm not completely certain if this works, it was actually in the previous thing as well. I think merge queues are a thing we need to enable in the repository settings
There was a problem hiding this comment.
Yep, but this definition in the workflow ensures that the checks will run and then when we switch it on in repo settings, it will then allow the merge queue to run and read those workflows.
Deduplicate repeated environment variables in e2e-tests.yaml Mark image as passed CI on passing CI
muddyfish
force-pushed
the
feature/ci-update
branch
2 times, most recently
from
f6098d4 to
15c5bfc
Compare
muddyfish
force-pushed
the
feature/ci-update
branch
from
15c5bfc to
a77b225
Compare
Issue #, if available: N/A
Description of changes:
Use github environments to separate the different security boundaries we have: an 'untrusted' account for third party forks, and a 'trusted' account for direct pushes and merges. The 'trusted' account is then used as a source for releases, and it will only run code that's already merged into the main repository.
Testing E2E: https://github.com/muddyfish/mountpoint-s3-csi-driver/actions/runs/12412282111
Testing release: https://github.com/muddyfish/mountpoint-s3-csi-driver/actions/runs/12411681334
Before Merging: Need to create GitHub environments on main repository.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.