|
| 1 | +# 🚀 Continuous Integration and Test Reporting for Cobra Toolbox |
| 2 | + |
| 3 | +## 📌 Overview |
| 4 | + |
| 5 | +This repository implements a GitHub Actions workflow to automate testing and reporting for pull requests. The setup consists of two workflows: |
| 6 | + |
| 7 | +1. **`testAllCI_step1`** - Runs MATLAB tests and uploads the test results as artifacts. |
| 8 | +2. **`testAllCI_step2`** - Retrieves test results and comments on the corresponding pull request. |
| 9 | + |
| 10 | +This design ensures security while allowing test reports to be posted on pull requests, including those from forked repositories. |
| 11 | + |
| 12 | +--- |
| 13 | + |
| 14 | +## ⚠️ Important Note |
| 15 | + |
| 16 | +These workflows should be implemented on the **default branch** of the repository (either `master` or `main` in newer repositories) to ensure proper execution and integration. Running workflows on other branches may lead to unexpected behavior, security issues, or failure to post comments on pull requests. |
| 17 | + |
| 18 | +--- |
| 19 | + |
| 20 | +## 🔐 Handling Forked Repositories: Why Two Workflows? |
| 21 | + |
| 22 | +When a pull request originates from a fork, the `pull_request` event runs in the context of the fork, meaning it does not have permission to write to the base repository. This prevents the workflow from posting comments on the pull request. |
| 23 | + |
| 24 | +Using `pull_request_target` instead of `pull_request` would allow commenting on forked pull requests, but it introduces a significant security risk: the workflow would run with write permissions on the base repository, allowing potential malicious code execution. |
| 25 | + |
| 26 | +To mitigate this, we split the workflow into two: |
| 27 | + |
| 28 | +- **The first workflow (`testAllCI_step1`)** only has read permissions and runs the tests. |
| 29 | +- **The second workflow (`testAllCI_step2`)** is triggered by the first workflow’s completion and runs in the base repository’s context, allowing it to post a comment securely. |
| 30 | + |
| 31 | +--- |
| 32 | + |
| 33 | +## 🔄 Step-by-Step Workflow Execution |
| 34 | + |
| 35 | +### **1️⃣ testAllCI_step1: Running Tests and Uploading Artifacts** |
| 36 | + |
| 37 | +This workflow is triggered when a pull request is opened, synchronized, or reopened on the `develop` or `master` branches. It performs the following steps: |
| 38 | + |
| 39 | +- **Check out merged PR code**: |
| 40 | + |
| 41 | +```yaml |
| 42 | +- name: Check out merged PR code |
| 43 | + uses: actions/checkout@v4 |
| 44 | +``` |
| 45 | +
|
| 46 | +- **Run MATLAB Tests**: |
| 47 | +
|
| 48 | +```yaml |
| 49 | +- name: Run MATLAB Tests |
| 50 | + run: | |
| 51 | + matlab -batch "run('initCobraToolbox.m'); run('test/testAll.m');" |
| 52 | +``` |
| 53 | +
|
| 54 | +- **Convert JUnit to CTRF format**: |
| 55 | +
|
| 56 | +```yaml |
| 57 | +- name: Convert JUnit to CTRF |
| 58 | + run: | |
| 59 | + npx junit-to-ctrf ./testReport.junit.xml -o ./ctrf/ctrf-report.json |
| 60 | +``` |
| 61 | +
|
| 62 | +- **Upload CTRF Artifact**: |
| 63 | +
|
| 64 | +```yaml |
| 65 | +- name: Upload CTRF Artifact |
| 66 | + uses: actions/upload-artifact@v4 |
| 67 | + with: |
| 68 | + name: testReport |
| 69 | + path: ./ctrf/ctrf-report.json |
| 70 | +``` |
| 71 | +
|
| 72 | +- **Save PR Number and Upload as an Artifact**: |
| 73 | + To ensure that `testAllCI_step2` can correctly comment on the corresponding pull request, we save the PR number as an artifact in `testAllCI_step1`. Since `testAllCI_step2` is triggered by `testAllCI_step1` using `workflow_run`, it does not have direct access to the PR metadata. Uploading the PR number as an artifact allows `testAllCI_step2` to retrieve and use it for posting test results in the correct pull request. |
| 74 | + |
| 75 | + |
| 76 | +```yaml |
| 77 | +- name: Save PR Number |
| 78 | + run: echo "PR_NUMBER=${{ github.event.pull_request.number }}" >> $GITHUB_ENV |
| 79 | +
|
| 80 | +- name: Upload PR Number as Artifact |
| 81 | + run: echo $PR_NUMBER > pr_number.txt |
| 82 | + shell: bash |
| 83 | +
|
| 84 | +- name: Upload PR Number Artifact |
| 85 | + uses: actions/upload-artifact@v4 |
| 86 | + with: |
| 87 | + name: pr_number |
| 88 | + path: pr_number.txt |
| 89 | +``` |
| 90 | + |
| 91 | +Since this workflow only requires read permissions, it avoids potential security risks when dealing with external contributions from forked repositories. |
| 92 | + |
| 93 | +--- |
| 94 | + |
| 95 | +### **2️⃣ testAllCI_step2: Downloading Artifacts and Posting Results** |
| 96 | + |
| 97 | +This workflow is triggered when `testAllCI_step1` completes successfully. It follows these steps: |
| 98 | + |
| 99 | +- **Download Test Report Artifact**: |
| 100 | +Since GitHub Actions does not allow direct artifact downloads across workflows using `actions/download-artifact`, we use `dawidd6/action-download-artifact@v8` instead. This repository enables downloading artifacts from a previous workflow run by specifying the `run_id`, which is essential when handling artifacts between separate workflows. It follows these steps: |
| 101 | +```yaml |
| 102 | +- name: Download CTRF Artifact |
| 103 | + uses: dawidd6/action-download-artifact@v8 |
| 104 | + with: |
| 105 | + name: testReport |
| 106 | + run_id: ${{ github.event.workflow_run.id }} |
| 107 | + path: artifacts |
| 108 | +``` |
| 109 | + |
| 110 | +- **Download PR Number Artifact**: |
| 111 | + |
| 112 | +```yaml |
| 113 | +- name: Download PR Number Artifact |
| 114 | + uses: dawidd6/action-download-artifact@v8 |
| 115 | + with: |
| 116 | + name: pr_number |
| 117 | + run_id: ${{ github.event.workflow_run.id }} |
| 118 | + path: pr_number |
| 119 | +``` |
| 120 | + |
| 121 | +- **Read PR Number**: |
| 122 | + |
| 123 | +```yaml |
| 124 | +- name: Read PR Number |
| 125 | + id: read_pr_number |
| 126 | + run: | |
| 127 | + PR_NUMBER=$(cat pr_number/pr_number.txt) |
| 128 | + echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_ENV |
| 129 | +``` |
| 130 | + |
| 131 | +- **Publish Test Report**: |
| 132 | + |
| 133 | +The `cobra-report` format is exclusively designed for COBRA Toolbox by COBRA developers and contributed to the `ctrf-io` repository. |
| 134 | + |
| 135 | +```yaml |
| 136 | +- name: Publish Test Report |
| 137 | + |
| 138 | + with: |
| 139 | + report-path: 'artifacts/ctrf-report.json' |
| 140 | + community-report: true |
| 141 | + community-report-name: 'cobra-report' |
| 142 | + issue: ${{ env.PR_NUMBER }} |
| 143 | + env: |
| 144 | + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
| 145 | +``` |
| 146 | + |
| 147 | +--- |
| 148 | + |
| 149 | +## ✅ Conclusion |
| 150 | + |
| 151 | +By structuring the workflows this way, we achieve the following: |
| 152 | + |
| 153 | +- **Secure execution** without exposing repository write access to forked pull requests. |
| 154 | +- **Successful test execution** and result upload. |
| 155 | +- **Seamless commenting** on pull requests with test results while mitigating security risks. |
| 156 | + |
| 157 | +This approach balances **security** and **functionality**, making it a robust solution for continuous integration in repositories that accept contributions from forks. 🚀 |
0 commit comments