Big 🫏 PR: IAP-gated single-image deploy with a fully mediated data plane #11
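name: Firebase Rules

# Integration tests for firebase/firestore.rules and firebase/storage.rules.
# These run the standalone scripts in firebase/test/, which call the Firebase
# Rules `projects:test` API (server-side evaluation of the rules SOURCE — it
# does NOT deploy or touch any live database/bucket). They need a GCP project
# and an authenticated gcloud, so they only run when the repo is configured
# with the FIREBASE_RULES_TEST_PROJECT + GCP_SA_KEY secrets. Without those, the
# job reports "skipped" and passes. These scripts are NOT collected by pytest
# (they pytest.skip at import unless run as __main__), so this job is the only
# place they execute.
#
# Security notes:
# - Secrets are not passed to pull_request runs that come from forks, so those
#   runs take the "skipped" path below and never see the service-account key.
# - For same-repository pull requests the test scripts come from the PR
#   branch and run after authentication, so the service account behind
#   GCP_SA_KEY should hold no more than the rules tests need, on a project
#   that holds no production data (confirm against the project's IAM).
# - GCP_SA_KEY is a long-lived exported key. google-github-actions/auth also
#   accepts `workload_identity_provider` + `service_account` (with
#   `id-token: write`), which removes the stored key; consider migrating.
# - The actions below are referenced by mutable major-version tags. Pinning
#   each `uses:` to a full commit SHA prevents a retagged release from
#   running with these credentials.

on:
  workflow_dispatch:
  pull_request:
    branches:
      - main

# Least privilege for GITHUB_TOKEN: the job only reads the repository.
permissions:
  contents: read

jobs:
  firebase-rules:
    name: Firebase rules (integration)
    runs-on: ubuntu-latest
    env:
      FIREBASE_RULES_TEST_PROJECT: ${{ secrets.FIREBASE_RULES_TEST_PROJECT }}
      # Presence flag only ("true"/"false"); the key itself is handed to the
      # auth step alone and is never exported to the job environment.
      HAS_GCP_SA_KEY: "${{ secrets.GCP_SA_KEY != '' }}"
    steps:
      - uses: actions/checkout@v4
        with:
          # PR-supplied scripts run later in this job; do not leave the
          # checkout token in the local git config for them to read.
          persist-credentials: false

      # Gate on BOTH secrets named in the header comment. Checking only the
      # project id would let a half-configured repo reach the auth step and
      # fail there instead of reporting "skipped".
      - name: Check whether rules tests are configured
        id: gate
        run: |
          if [ -n "${FIREBASE_RULES_TEST_PROJECT}" ] \
            && [ "${HAS_GCP_SA_KEY}" = "true" ]; then
            echo "configured=true" >> "$GITHUB_OUTPUT"
          else
            echo "configured=false" >> "$GITHUB_OUTPUT"
            echo "skipped: FIREBASE_RULES_TEST_PROJECT and/or GCP_SA_KEY not configured"
          fi

      - name: Set up Python
        if: steps.gate.outputs.configured == 'true'
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - name: Authenticate to Google Cloud
        if: steps.gate.outputs.configured == 'true'
        uses: google-github-actions/auth@v2
        with:
          credentials_json: ${{ secrets.GCP_SA_KEY }}

      - name: Set up gcloud
        if: steps.gate.outputs.configured == 'true'
        uses: google-github-actions/setup-gcloud@v2
        with:
          project_id: ${{ secrets.FIREBASE_RULES_TEST_PROJECT }}

      # FIREBASE_RULES_TEST_PROJECT is inherited from the job-level env, so
      # the scripts need no per-command assignment.
      - name: Test Firestore rules
        if: steps.gate.outputs.configured == 'true'
        run: python3 firebase/test/test_firestore_rules.py

      - name: Test Storage rules
        if: steps.gate.outputs.configured == 'true'
        run: python3 firebase/test/test_storage_rules.py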