pr-e2e.yaml

# The on.pull_request_target runs on changes to a pull request. Contrary to the on.pull_request, this pipeline has access to secrets and can therefore run e2e tests.
# DANGEROUS: 1) with access to secrets it is possible to steal those by a pull request that executes code that reads the secrets and exfiltrates those.
# DANGEROUS: 2) the GITHUB_TOKEN has read and write permissions by default. Therefore, restrict the permissions with the permissions field
# To adress (1), we use an environment pr-e2e-approval that will only execute the job after an explicit approval from team member (after inspecting the code for non-malicious activity).
# If the author of the PR is OWNER, MEMBER or COLLOBORATOR, the environment pr-e2e-no-approval is used that does not require an explicit approval.

# Requiremenets: 
# 1) pr-e2e-approval environment configured to require approval before running
# 2) pr-e2e-no-approval environment configured that does not require approval.

name: PullRequest E2E Test

on:
  pull_request_target:
    paths-ignore:
    - '*.md'

# on pull_request_target, the GITHUB_TOKEN has read/write access to the repository content by default, so restrict it to read only
permissions:
  contents: read

jobs:    
  run-e2e-test:
    uses: ./.github/workflows/e2e_test.yaml
    with:
      checkout-ref: ${{ github.event.pull_request.head.sha }}
      environment: ${{ github.event_name == 'pull_request_target' && contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.pull_request.author_association) && 'pr-e2e-no-approval' || 'pr-e2e-approval' }}
    secrets:
      CLI_SERVER_URL: ${{ secrets.CLI_SERVER_URL }}
      GLOBAL_ACCOUNT: ${{ secrets.GLOBAL_ACCOUNT }}
      IDP_URL: ${{ secrets.IDP_URL }}
      SECOND_DIRECTORY_ADMIN_EMAIL: ${{ secrets.SECOND_DIRECTORY_ADMIN_EMAIL }}
      CIS_CENTRAL_BINDING: ${{ secrets.CIS_CENTRAL_BINDING }}
      BTP_TECHNICAL_USER: ${{ secrets.BTP_TECHNICAL_USER }}
      TECHNICAL_USER_EMAIL: ${{ secrets.TECHNICAL_USER_EMAIL }}