integration_test.yml
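name: "Integration test"
# NOTE: We're just running the tests that require earthdata login here; we
# don't distinguish between unit and integration tests yet.
#
# Trust model of this workflow: the job below exposes repository secrets to
# the test run. `pull_request_target` runs in the context of the base
# repository (with access to secrets) even for PRs from forks, so the
# "Fetch user permission" / "Check user permission" steps are the gate that
# keeps a run triggered by someone without write access from reaching the
# secret-bearing steps.
#
# NOTE(review): no `permissions:` block is declared, so GITHUB_TOKEN receives
# the repository's default scopes. Consider declaring the least privilege this
# job needs (e.g. `contents: read`) after confirming the steps still work.
on:
  pull_request:
    branches:
      - "main" # Release PRs
      - "development" # Feature PRs
  pull_request_target:
    branches:
      - "main" # Release PRs
      - "development" # Feature PRs
  push:
    branches:
      - "main" # Releases
      - "development" # Feature PR merges

# When this workflow is queued, automatically cancel any previous running
# or pending jobs for the same event and the same PR (or, for pushes, the same
# branch).
#
# For `pull_request_target`, `github.ref` is the BASE branch, so a group keyed
# on `github.ref` alone is shared by every fork PR targeting that branch and by
# pushes to it; any new run would cancel the others, including a run that a
# maintainer re-ran after review. Keying on the event name and PR number keeps
# each PR in its own group. On `push` there is no PR number, so the expression
# falls back to `github.ref`.
concurrency:
  group: "integration-tests-${{ github.event_name }}-${{ github.event.pull_request.number || github.ref }}"
  cancel-in-progress: true

jobs:
  test:
    name: "Integration test"
    # This condition prevents DUPLICATE attempts to run integration tests for
    # PRs originating from forks.
    #
    # When a PR originates from a fork, both a pull_request and a
    # pull_request_target event are triggered. This means that without a
    # condition, GitHub will attempt to run integration tests TWICE, once for
    # each event.
    #
    # To prevent this, this condition ensures that integration tests are run
    # in only ONE of the following cases:
    #
    # 1. The event is NOT a pull_request. This covers the case when the event
    #    is a pull_request_target (i.e., a PR from a fork), as well as all
    #    other cases listed in the "on" block at the top of this file.
    # 2. The event IS a pull_request AND the base repo and head repo are the
    #    same (i.e., the PR is NOT from a fork).
    if: github.event_name != 'pull_request' || github.event.pull_request.base.repo.full_name == github.event.pull_request.head.repo.full_name
    runs-on: "ubuntu-latest"
    steps:
      # Looks up the repository permission of the account that started (or
      # re-ran) this workflow run. The result is consumed by the next step.
      #
      # NOTE(review): this third-party action is referenced by a mutable tag
      # and runs in a job that can reach secrets; consider pinning it to a
      # full commit SHA.
      - name: "Fetch user permission"
        id: "permission"
        uses: "actions-cool/check-user-permission@v2"
        with:
          require: "write"
          username: "${{ github.triggering_actor }}"

      - name: "Check user permission"
        if: "${{ steps.permission.outputs.require-result == 'false' }}"
        # If the triggering actor does not have write permission (i.e., this is a
        # PR from a fork), then we exit, otherwise most of the integration tests will
        # fail because they require access to secrets. In this case, a maintainer
        # will need to make sure the PR looks safe, and if so, manually re-run the
        # failed pull_request_target jobs.
        #
        # The actor name is handed to the script through an environment
        # variable rather than interpolated with `${{ }}` into the script text,
        # so the value is always treated as data by the shell.
        env:
          TRIGGERING_ACTOR: "${{ github.triggering_actor }}"
        run: |
          echo "User **${TRIGGERING_ACTOR}** does not have permission to run integration tests." >> "$GITHUB_STEP_SUMMARY"
          echo "A maintainer must perform a security review and re-run this build, if the code is safe." >> "$GITHUB_STEP_SUMMARY"
          echo "See [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/resources/github-actions-preventing-pwn-requests)." >> "$GITHUB_STEP_SUMMARY"
          exit 1

      # No `ref` is given, so the action checks out the commit associated with
      # the triggering event. For `pull_request_target` that is the base
      # branch, not the PR head, so a fork PR's own changes are not what gets
      # tested in that run.
      # NOTE(review): if a `ref` pointing at the PR head is ever added here,
      # the permission gate above becomes the only barrier between
      # unreviewed code and the secrets used below; pin to the reviewed commit
      # SHA rather than a branch name in that case.
      - name: "Checkout source"
        uses: "actions/checkout@v4"

      # Local composite action from this repository (taken from the checkout
      # above).
      - uses: "./.github/actions/install-icepyx"
        with:
          python-version: "3.12"

      # Secrets are scoped to this step only, not to the whole job.
      # NOTE(review): NSIDC_LOGIN is populated from the EARTHDATA_PASSWORD
      # secret; confirm that this is intentional.
      - name: "Run tests"
        env:
          EARTHDATA_PASSWORD: "${{ secrets.EARTHDATA_PASSWORD }}"
          NSIDC_LOGIN: "${{ secrets.EARTHDATA_PASSWORD }}"
        run: |
          pytest icepyx/tests/integration --verbose --cov app

      # NOTE(review): the action reference below appears to have been mangled
      # by e-mail obfuscation when this page was captured ("[email protected]"
      # replaces the action name and version). Restore the real
      # `codecov/codecov-action@<ref>` value from the repository; it is not
      # recoverable from this page.
      - name: "Upload coverage report"
        uses: "codecov/[email protected]"
        with:
          token: "${{ secrets.CODECOV_TOKEN }}"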