Finalizing the open-sourcing of the provider #10
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # The on.pull_request_target runs on changes to a pull request. Contrary to the on.pull_request, this pipeline has access to secrets and can therefore run e2e tests. | |
| # DANGEROUS: 1) with access to secrets it is possible to steal those by a pull request that executes code that reads the secrets and exfiltrates those. | |
| # DANGEROUS: 2) the GITHUB_TOKEN has read and write permissions by default. Therefore, restrict the permissions with the permissions field | |
| # To adress (1), we use an environment pr-e2e-approval that will only execute the job after an explicit approval from team member (after inspecting the code for non-malicious activity). | |
| # If the author of the PR is OWNER, MEMBER or COLLOBORATOR, the environment pr-e2e-no-approval is used that does not require an explicit approval. | |
| # Requiremenets: | |
| # 1) pr-e2e-approval environment configured to require approval before running | |
| # 2) pr-e2e-no-approval environment configured that does not require approval. | |
| name: PullRequest E2E Test | |
| on: | |
| pull_request_target: | |
| paths-ignore: | |
| - '*.md' | |
| # on pull_request_target, the GITHUB_TOKEN has read/write access to the repository content by default, so restrict it to read only | |
| permissions: | |
| contents: read | |
| jobs: | |
| run-e2e-test: | |
| uses: ./.github/workflows/e2e_test.yaml | |
| with: | |
| checkout-ref: ${{ github.event.pull_request.merge_commit_sha }} | |
| environment: ${{ github.event_name == 'pull_request_target' && contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.pull_request.author_association) && 'pr-e2e-no-approval' || 'pr-e2e-approval' }} | |
| secrets: | |
| CLI_SERVER_URL: ${{ secrets.CLI_SERVER_URL }} | |
| GLOBAL_ACCOUNT: ${{ secrets.GLOBAL_ACCOUNT }} | |
| IDP_URL: ${{ secrets.IDP_URL }} | |
| SECOND_DIRECTORY_ADMIN_EMAIL: ${{ secrets.SECOND_DIRECTORY_ADMIN_EMAIL }} | |
| CIS_CENTRAL_BINDING: ${{ secrets.CIS_CENTRAL_BINDING }} | |
| BTP_TECHNICAL_USER: ${{ secrets.BTP_TECHNICAL_USER }} | |
| TECHNICAL_USER_EMAIL: ${{ secrets.TECHNICAL_USER_EMAIL }} |