Redesign e2e workflow with reusable workflow pattern #704
Draft
Remove branch filters from pull_request/pull_request_target triggers so that CI runs for PRs opened against any branch (e.g. WIP branches like v1alpha3/wip). Restrict push triggers to main only to avoid duplicate runs when pushing to branches with open PRs. Co-authored-by: Claude <noreply@anthropic.com>
Rework triggers: push only fires on v* tags (no longer on branch pushes), pull_request fires on all PRs with no branch filter. Previously branch pushes to main/release-* would build and push images to GHCR; now only tag releases do. PRs still build the image for validation without pushing. Co-authored-by: Claude <noreply@anthropic.com>
Add a concurrency group keyed by PR number (or commit SHA for push events) with cancel-in-progress. Placed at job level so the old run continues until the new run passes its environment approval gate, then gets cancelled. Co-authored-by: Claude <noreply@anthropic.com>
Replace ${{ env.* }} expression interpolation with quoted shell
variable expansion to prevent potential command injection via
environment variables.
Co-authored-by: Claude <noreply@anthropic.com>
The sonarqube-scan-action only requires SONAR_TOKEN for authentication. GITHUB_TOKEN is not used by the action. Co-authored-by: Claude <noreply@anthropic.com>
Split e2e into three files:
- e2e.yml: reusable workflow with all test logic (checkout, test, artifacts, cleanup). Runs Flatcar tests on main, skips on PRs unless e2e/flatcar label is set. Concurrency per-PR, per-SHA for pushes.
- e2e-main.yml: triggers for push to main and same-repo PRs. Excludes dependabot (handled by e2e-external).
- e2e-external.yml: triggers for fork and dependabot PRs via pull_request_target.
This enables testing workflow changes in PRs (pull_request trigger) while keeping pull_request_target for fork/dependabot secret access. Fixes #447.
Co-authored-by: Claude <noreply@anthropic.com>
Use github.event.pull_request.user.login instead of github.actor for dependabot detection — actor can change on re-runs. Add fork guard to e2e-main.yml for completeness. Co-authored-by: Claude <noreply@anthropic.com>
Pass secrets to reusable workflow via secrets: inherit. Without this, environment secrets from the e2e environment are not accessible in the called workflow even though it declares environment: e2e. Co-authored-by: Claude <noreply@anthropic.com>
Remove dependabot special-casing from e2e dispatchers. Dependabot has its own secret store and works with pull_request trigger, so it goes through e2e-main.yml like any same-repo PR. e2e-external.yml is now fork-only. Co-authored-by: Claude <noreply@anthropic.com>


Issue #, if available:
fixes #447
depends on #702
Description of changes:
Converts the e2e workflow into a reusable workflow with two minimal dispatchers:
- e2e-main.yml: triggers on push to main and pull_request for same-repo PRs
- e2e-external.yml: triggers on pull_request_target for fork and dependabot PRs

Since e2e-main is now on a pull_request trigger, we can actually test workflow changes within a PR.

Enables Flatcar tests on main - with the new runner it's feasible to run these more often and we reduce the risk of Flatcar support bitrotting.
Other than that, practical behaviour remains the same.
Testing performed:
CodeQL analyze actions + actionlint
e2e label triggers
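
An added illustration of the `${{ env.* }}` commit listed above (not code from this PR or the project): a small Python check that flags expression interpolation inside `run:` scripts, where the value is substituted into the script text before the shell parses it, instead of being read as a quoted shell variable. The sample workflow, its image name, and the function name are constructed for the example.

```python
import re

EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")          # ${{ <expression> }}
RUN_KEY = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")  # "run:" or "- run:"

def find_run_interpolations(workflow_text, contexts=("env.",)):
    """Return (line_no, expression) for each ${{ ... }} inside a run: script
    whose expression starts with one of the given context prefixes."""
    findings = []
    key_col = None  # column of the active run: key, None when outside a script
    for no, line in enumerate(workflow_text.splitlines(), 1):
        indent = len(line) - len(line.lstrip(" "))
        if key_col is not None and (not line.strip() or indent > key_col):
            script = line                  # continuation of a block scalar
        else:
            m = RUN_KEY.match(line)
            key_col = line.index("run:") if m else None
            if not m:
                continue                   # not part of any run: script
            script = m.group(2)            # inline script, or "|" / ">"
        for expr in EXPR.findall(script):
            if expr.startswith(tuple(contexts)):
                findings.append((no, expr))
    return findings

# Constructed sample: two steps interpolate env values into the script text,
# the last step uses quoted shell variable expansion as the commit describes.
SAMPLE = """\
env:
  IMAGE: ghcr.io/example/app
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: before
        run: docker build -t ${{ env.IMAGE }} .
      - name: multi
        run: |
          echo "building"
          docker push ${{ env.IMAGE }}:${{ env.TAG }}
      - name: after
        env:
          TAG: ${{ github.sha }}
        run: docker build -t "$IMAGE:$TAG" .
"""

if __name__ == "__main__":
    for line_no, expr in find_run_interpolations(SAMPLE):
        print(f"line {line_no}: ${{{{ {expr} }}}} is expanded into the script text")
```

Expressions in an `env:` mapping (line 15 of the sample) are not reported, because there the value reaches the script as data through the environment rather than as script text.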