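---
# Copyright 2024-2026 Defense Unicorns
# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial

name: Filter

# This workflow is triggered on pull requests
on: # yamllint disable-line rule:truthy
  pull_request:
    branches:
      - main
      - "release/**"
    # milestoned is added here as a workaround for release-please not triggering PR workflows (PRs should be added to a milestone to trigger the workflow).
    # labeled is added to support renovate-ready labelling on PRs
    types: [milestoned, labeled, opened, reopened, synchronize]
    paths-ignore:
      - "**.md"
      - "**.jpg"
      - "**.png"
      - "**.gif"
      - "**.svg"
      - "docs/**"
      - ".vscode/**"
      - ".gitignore"
      - "renovate.json"
      - ".release-please-config.json"
      - ".codespellrc"
      - "release-please-config.json"
      - "CODEOWNERS"
      - "LICENSE"
      - "scripts/renovate/**"
      - "scripts/root-ca-retriever/**"

# Permissions for the GITHUB_TOKEN used by the workflow.
# NOTE(review): these are workflow-wide, so every job below (including lint-check,
# autogenerated-check and unit-tests) receives id-token: write and pull-requests: write.
# If those jobs do not need them, move the broader grants to job-level `permissions:`
# on the jobs that do (a `uses:` job may carry its own `permissions:` block).
permissions:
  id-token: write # Needed for OIDC-related operations.
  contents: read # Allows reading the content of the repository.
  pull-requests: write # Allows writing pull request metadata.
  packages: read # Allows reading the published GHCR packages

# Default settings for all run commands in the workflow jobs.
defaults:
  run:
    shell: bash -e -o pipefail {0} # Ensures that scripts fail on error and pipefail is set.

# Abort prior jobs in the same workflow / PR
concurrency:
  group: test-${{ github.ref }}
  cancel-in-progress: true

jobs:
  lint-check:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: lint-check
        uses: ./.github/actions/lint-check

  autogenerated-check:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: autogenerated-check
        uses: ./.github/actions/autogenerated-check

  unit-tests:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: unit-tests
        uses: ./.github/actions/unit-tests

  # This job checks if there are changes in specific paths source packages.
  check-paths:
    needs: [lint-check, autogenerated-check, unit-tests]
    runs-on: ubuntu-latest
    name: Select Jobs
    outputs:
      # JSON array of package filter names that matched, consumed by run-package-test's matrix.
      combined: ${{ steps.combine-path-filters.outputs.combined }}
      # NOTE(review): no step in this job has id `path-filter-iac`, so this output is always
      # empty, and nothing in this workflow reads `needs.check-paths.outputs.distros`.
      distros: ${{ steps.path-filter-iac.outputs.changes }}
      run_full_tests: ${{ steps.test-routing.outputs.run_full_tests }}
    steps:
      - name: Checkout the code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Check renovate readiness
        if: startsWith(github.event.pull_request.head.ref, 'renovate/') # Only call for Renovate PRs
        uses: ./.github/actions/renovate-readiness
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
      # Add a custom filter for all packages that excludes any changes to IaC testing related config
      # Noting that adding `predicate-quantifier` produces a false warning message about an unexpected input, despite still being evaluated by the action
      - name: Check src paths - all
        id: path-filter-all
        uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4
        with:
          predicate-quantifier: "every"
          filters: |
            all:
              - "**"
              - "!.github/workflows/test-aks.yaml"
              - "!.github/workflows/test-eks.yaml"
              - "!.github/workflows/test-rke2.yaml"
              - "!.github/bundles/**"
              - "!.github/test-infra/**"
              - "!tasks/iac.yaml"
      # Uses a custom action to filter paths for source packages.
      - name: Check src paths - packages
        id: path-filter
        uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4
        with:
          filters: .github/filters.yaml
      - name: Merge Path Filter Outputs for Packages
        id: combine-path-filters
        # The two filter outputs are handed to the script through env rather than being
        # interpolated into it with ${{ }}, so their contents are never re-parsed as shell.
        env:
          ALL_PACKAGE_CHANGES: ${{ steps.path-filter-all.outputs.changes }}
          PACKAGE_CHANGES: ${{ steps.path-filter.outputs.changes }}
        run: |
          # Both inputs are JSON arrays of matched filter names. They are quoted so the shell
          # does not treat a value like ["all"] as a glob bracket expression; `-c` keeps the
          # result on one line (required for GITHUB_OUTPUT), and `// []` yields an empty array
          # instead of `null` when neither input carries a value.
          COMBINED=$(printf '%s\n%s\n' "$ALL_PACKAGE_CHANGES" "$PACKAGE_CHANGES" | jq -sc 'add // []')
          echo "combined=$COMBINED" >> "$GITHUB_OUTPUT"
          echo "The following packages will be triggered: $COMBINED"
      - name: Compute test routing
        id: test-routing
        uses: ./.github/actions/test-routing
        with:
          event_name: ${{ github.event_name }}
          base_ref: ${{ github.base_ref }}
          head_ref: ${{ github.head_ref }}

  check-multiarch:
    runs-on: ubuntu-latest
    name: Check multi-arch images
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Environment setup
        uses: ./.github/actions/setup
        with:
          ghToken: ${{ secrets.GITHUB_TOKEN }}
          registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
          registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}
          chainguardIdentity: ${{ secrets.CHAINGUARD_IDENTITY }}
      - name: Check multi-arch images
        uses: ./.github/actions/check-multiarch

  # @lulaStart 11948466-9230-4498-be44-dbac784d86d1
  # This job triggers a separate workflow for each changed source package, if any.
  run-package-test:
    needs: check-paths
    # Runs only when test routing asks for the full suite and at least one package filter matched.
    if: ${{ needs.check-paths.outputs.run_full_tests == 'true' && needs.check-paths.outputs.combined != '' && needs.check-paths.outputs.combined != '[]' }}
    name: Schedule
    strategy:
      matrix:
        package: ${{ fromJson(needs.check-paths.outputs.combined) }}
        flavor: [upstream, registry1, unicorn]
        test_type: [install]
        # Upgrade tests are included for all flavors, but ONLY for `all` package tests
        include:
          - package: all
            flavor: registry1
            test_type: upgrade
          - package: all
            flavor: upstream
            test_type: upgrade
          - package: all
            flavor: unicorn
            test_type: upgrade
    uses: ./.github/workflows/test.yaml
    with:
      package: ${{ matrix.package }}
      flavor: ${{ matrix.flavor }}
      test_type: ${{ matrix.test_type }}
    secrets: inherit # Inherits all secrets from the parent workflow.
  # @lulaEnd 11948466-9230-4498-be44-dbac784d86d1

  # Shim required checks for backport PRs to release branches (i.e., non-release-please PRs)
  # Uses the same display name as run-package-test so the required checks resolve either way.
  run-package-test-shim:
    needs: check-paths
    if: ${{ needs.check-paths.outputs.run_full_tests != 'true' && startsWith(github.base_ref, 'release/') }}
    name: Schedule
    strategy:
      matrix:
        package: [all]
        flavor: [upstream, registry1, unicorn]
        test_type: [install, upgrade]
    uses: ./.github/workflows/test-shim.yaml
    with:
      package: ${{ matrix.package }}
      flavor: ${{ matrix.flavor }}
      test_type: ${{ matrix.test_type }}
    secrets: inherit # Inherits all secrets from the parent workflow.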