
Commit 2e058d1

committed
ci: enable fork PR checks against 8.8 and 8.9
This restructures ci.yml to allow fork PR checks. External contributor PRs cannot access repository secrets. This change: - unit-tests and local_integration run on every push and PR. - saas_integration only runs on pushes to main. - Removed 8.7 self-managed jobs requiring DOCKER_PASSWORD.
1 parent 3dbaa67 commit 2e058d1

1 file changed

Lines changed: 50 additions & 136 deletions


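--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -3,11 +3,12 @@ name: CI
 on:
 push:
 branches-ignore:
-- main
 - "stable/**"
 pull_request:
 
 jobs:
+# Runs on every push (non-stable branches) and every pull request, including
+# pull requests from forks. No secrets required.
 unit-tests:
 runs-on: ubuntu-latest
 steps:
@@ -28,11 +29,11 @@ jobs:
 - name: Run Unit Tests
 run: npm run test
 
-local_integration:
-if: github.actor != 'dependabot[bot]'
+# 8.8 self-managed integration tests. Uses only the public docker-compose
+# stack — no secrets required. Runs on every push and every pull request
+# (including fork PRs) so external contributors get PR feedback.
+local_integration_8_8:
 runs-on: ubuntu-latest
-environment:
-name: selfhosted
 steps:
 - name: Check out the repo
 uses: actions/checkout@v6
@@ -49,37 +50,39 @@ jobs:
 - name: Remove mono blocking 8084 port
 run: sudo lsof -t -i:8084 | xargs -r sudo kill -9
 
-- name: Set up Docker
+- name: Set up Docker Compose
 run: |
-echo ${{ secrets.DOCKER_PASSWORD }} | docker login --username joshua.wulf --password-stdin registry.camunda.cloud
+docker compose -f docker/docker-compose-8.8.yaml up -d
 
-- name: Set up Docker Compose
+- name: Wait for Services Healthy
 run: |
-docker compose -f docker/docker-compose.yaml -f docker/docker-compose-modeler.yaml up -d
-timeout-minutes: 10
+set -e
+attempts=0
+max_attempts=60
+while [ $attempts -lt $max_attempts ]; do
+code=$(curl -s -o /dev/null -w "%{http_code}" http://localhost:9600/actuator/health/status || true)
+[ "$code" = "200" ] && echo "Broker healthy" && break
+attempts=$((attempts+1))
+sleep 5
+done
+[ $attempts -ge $max_attempts ] && echo "Broker not healthy" && exit 1 || true
 
 - name: Run Integration Tests
 run: |
-npm run test:8.7:sm
+npm run test:8.8:sm
 env:
 ZEEBE_GRPC_ADDRESS: grpc://localhost:26500
-ZEEBE_CLIENT_ID: zeebe
-ZEEBE_CLIENT_SECRET: zecret
-CAMUNDA_OAUTH_URL: http://localhost:18080/auth/realms/camunda-platform/protocol/openid-connect/token
-CAMUNDA_TASKLIST_BASE_URL: http://localhost:8082
-CAMUNDA_OPERATE_BASE_URL: http://localhost:8081
-CAMUNDA_OPTIMIZE_BASE_URL: http://localhost:8083
-CAMUNDA_MODELER_BASE_URL: http://localhost:8070/api
+CAMUNDA_AUTH_STRATEGY: NONE
+CAMUNDA_TENANT_ID: <default>
 
 - name: Cleanup
 if: always()
-run: docker compose -f docker/docker-compose.yaml -f docker/docker-compose-modeler.yaml down
+run: docker compose -f docker/docker-compose-8.8.yaml down
 
-local_multitenancy_integration:
-if: github.actor != 'dependabot[bot]'
+# 8.8 test suite run against an 8.9 self-managed broker. Public stack — no
+# secrets required. Runs on every push and every pull request.
+local_integration_8_8_against_8_9:
 runs-on: ubuntu-latest
-environment:
-name: selfhosted
 steps:
 - name: Check out the repo
 uses: actions/checkout@v6
@@ -96,36 +99,41 @@ jobs:
 - name: Remove mono blocking 8084 port
 run: sudo lsof -t -i:8084 | xargs -r sudo kill -9
 
-- name: Set up Docker
+- name: Set up Docker Compose
 run: |
-echo ${{ secrets.DOCKER_PASSWORD }} | docker login --username joshua.wulf --password-stdin registry.camunda.cloud
+docker compose -f docker/8.9/docker-compose.yaml up -d
 
-- name: Set up Docker Compose
+- name: Wait for Services Healthy
 run: |
-docker compose -f docker/docker-compose-multitenancy.yaml -f docker/docker-compose-modeler.yaml up -d
-timeout-minutes: 10
+set -e
+attempts=0
+max_attempts=60
+while [ $attempts -lt $max_attempts ]; do
+code=$(curl -s -o /dev/null -w "%{http_code}" http://localhost:9600/actuator/health/status || true)
+[ "$code" = "200" ] && echo "Broker healthy" && break
+attempts=$((attempts+1))
+sleep 5
+done
+[ $attempts -ge $max_attempts ] && echo "Broker not healthy" && exit 1 || true
 
-- name: Run Integration Tests
+- name: Run Integration Tests (8.8 tests against 8.9 server)
 run: |
-npm run test:8.7:mt
+npm run test:8.8:sm
 env:
 ZEEBE_GRPC_ADDRESS: grpc://localhost:26500
-ZEEBE_CLIENT_ID: zeebe
-ZEEBE_CLIENT_SECRET: zecret
-CAMUNDA_OAUTH_URL: http://localhost:18080/auth/realms/camunda-platform/protocol/openid-connect/token
-CAMUNDA_TASKLIST_BASE_URL: http://localhost:8082
-CAMUNDA_OPERATE_BASE_URL: http://localhost:8081
-CAMUNDA_OPTIMIZE_BASE_URL: http://localhost:8083
-CAMUNDA_MODELER_BASE_URL: http://localhost:8070/api
-# Needed for Multi-Tenancy
+CAMUNDA_AUTH_STRATEGY: NONE
 CAMUNDA_TENANT_ID: <default>
 
 - name: Cleanup
 if: always()
-run: docker compose -f docker/docker-compose-multitenancy.yaml -f docker/docker-compose-modeler.yaml down
+run: docker compose -f docker/8.9/docker-compose.yaml down
 
+# SaaS integration tests hit real SaaS endpoints and require environment
+# secrets. To protect secret material and avoid running untrusted code
+# against production-like infrastructure, these only run on pushes to
+# `main` — i.e. after a PR has been reviewed and merged.
 saas_integration:
-if: github.actor != 'dependabot[bot]'
+if: github.event_name == 'push' && github.ref == 'refs/heads/main'
 runs-on: ubuntu-latest
 environment: integration
 steps:
@@ -160,8 +168,9 @@ jobs:
 CAMUNDA_CONSOLE_BASE_URL: ${{ vars.CAMUNDA_CONSOLE_BASE_URL }}
 CAMUNDA_CONSOLE_OAUTH_AUDIENCE: ${{ vars.CAMUNDA_CONSOLE_OAUTH_AUDIENCE}}
 
+# SaaS 8.8 integration. Same policy as saas_integration — main pushes only.
 saas_integration_8_8:
-if: github.actor != 'dependabot[bot]'
+if: github.event_name == 'push' && github.ref == 'refs/heads/main'
 runs-on: ubuntu-latest
 environment: integration-8.8
 steps:
@@ -194,98 +203,3 @@ jobs:
 CAMUNDA_CONSOLE_CLIENT_ID: ${{ secrets.CAMUNDA_CONSOLE_CLIENT_ID }}
 CAMUNDA_CONSOLE_CLIENT_SECRET: ${{ secrets.CAMUNDA_CONSOLE_CLIENT_SECRET }}
 CAMUNDA_CONSOLE_BASE_URL: ${{ vars.CAMUNDA_CONSOLE_BASE_URL }}
-CAMUNDA_CONSOLE_OAUTH_AUDIENCE: ${{ vars.CAMUNDA_CONSOLE_OAUTH_AUDIENCE }}
-
-local_integration_8_8:
-runs-on: ubuntu-latest
-steps:
-- name: Check out the repo
-uses: actions/checkout@v6
-
-- name: Use Node.js
-uses: actions/setup-node@v4
-with:
-node-version: "22"
-
-- name: Install dependencies
-run: npm install
-
-# Workaround for https://github.com/actions/runner-images/issues/2821
-- name: Remove mono blocking 8084 port
-run: sudo lsof -t -i:8084 | xargs -r sudo kill -9
-
-- name: Set up Docker Compose
-run: |
-docker compose -f docker/docker-compose-8.8.yaml up -d
-
-- name: Wait for Services Healthy
-run: |
-set -e
-attempts=0
-max_attempts=60
-while [ $attempts -lt $max_attempts ]; do
-code=$(curl -s -o /dev/null -w "%{http_code}" http://localhost:9600/actuator/health/status || true)
-[ "$code" = "200" ] && echo "Broker healthy" && break
-attempts=$((attempts+1))
-sleep 5
-done
-[ $attempts -ge $max_attempts ] && echo "Broker not healthy" && exit 1 || true
-
-- name: Run Integration Tests
-run: |
-npm run test:8.8:sm
-env:
-ZEEBE_GRPC_ADDRESS: grpc://localhost:26500
-CAMUNDA_AUTH_STRATEGY: NONE
-CAMUNDA_TENANT_ID: <default>
-
-- name: Cleanup
-if: always()
-run: docker compose -f docker/docker-compose-8.8.yaml down
-
-local_integration_8_8_against_8_9:
-runs-on: ubuntu-latest
-steps:
-- name: Check out the repo
-uses: actions/checkout@v6
-
-- name: Use Node.js
-uses: actions/setup-node@v4
-with:
-node-version: "22"
-
-- name: Install dependencies
-run: npm install
-
-# Workaround for https://github.com/actions/runner-images/issues/2821
-- name: Remove mono blocking 8084 port
-run: sudo lsof -t -i:8084 | xargs -r sudo kill -9
-
-- name: Set up Docker Compose
-run: |
-docker compose -f docker/8.9/docker-compose.yaml up -d
-
-- name: Wait for Services Healthy
-run: |
-set -e
-attempts=0
-max_attempts=60
-while [ $attempts -lt $max_attempts ]; do
-code=$(curl -s -o /dev/null -w "%{http_code}" http://localhost:9600/actuator/health/status || true)
-[ "$code" = "200" ] && echo "Broker healthy" && break
-attempts=$((attempts+1))
-sleep 5
-done
-[ $attempts -ge $max_attempts ] && echo "Broker not healthy" && exit 1 || true
-
-- name: Run Integration Tests (8.8 tests against 8.9 server)
-run: |
-npm run test:8.8:sm
-env:
-ZEEBE_GRPC_ADDRESS: grpc://localhost:26500
-CAMUNDA_AUTH_STRATEGY: NONE
-CAMUNDA_TENANT_ID: <default>
-
-- name: Cleanup
-if: always()
-run: docker compose -f docker/8.9/docker-compose.yaml down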
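Review bot: The new `if: github.event_name == 'push' && github.ref == 'refs/heads/main'` guard on `saas_integration` and `saas_integration_8_8` is only a filter inside the workflow file, so on its own it does not deliver the "after a PR has been reviewed and merged" guarantee stated in the added comment: `push` still fires for every branch outside `stable/**`, and a run on another in-repo branch evaluates that branch's copy of ci.yml. Fork pull requests receive no secrets either way, but for in-repo branches the protection has to come from the `integration` and `integration-8.8` environments themselves (a deployment-branch restriction to `main`, or required reviewers), which this page does not show; both job bodies continue outside the visible hunks. I would state that dependency next to the guard, e.g. `# Enforced by the environment's deployment-branch rule (main only); this if: only skips the job elsewhere.`, and confirm the rule is configured. Separately, the last hunk deletes `CAMUNDA_CONSOLE_OAUTH_AUDIENCE: ${{ vars.CAMUNDA_CONSOLE_OAUTH_AUDIENCE }}` from the `saas_integration_8_8` env without re-adding it while `saas_integration` keeps its copy; if that is unintended it will now surface only after merge, because the job no longer runs on branches or pull requests.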
