Skip to content

Commit 21cb7e5

Browse files
vorporealvorporeal
authored
Don't run SSH integration tests for PRs from forks. (#9304)
## Description PRs from external forks have been failing CI because `google-github-actions/auth` cannot complete OIDC auth: our GCP Workload Identity Federation provider only trusts the base repository, so the OIDC token issued for a fork-PR run (which carries the fork's `repository` claim) is rejected. See [run #25071797593](https://github.com/warpdotdev/warp/actions/runs/25071797593/job/73455200680?pr=9280) for an example failure. The auth is only needed by SSH integration tests, which use `gcloud compute start-iap-tunnel` to reach a GCP-hosted Ubuntu VM. As a short-term unblock, this skips the `auth` and `setup-gcloud` steps on fork-PR runs and filters the SSH-dependent tests out of the test runs (they all match `_ssh_` in their test names). All other tests continue to run as before, and SSH integration coverage is unchanged on `master`, `workflow_dispatch`, `workflow_call`, and same-repo PRs — those tests still validate post-merge. A more complete fix (e.g. a `workflow_run`-triggered job that runs SSH tests in the base repo's context against the fork's SHA) is a possible follow-up if we decide fork PRs need full SSH coverage. ## Testing Validated via YAML parse. Will verify behavior on this PR's CI run (same-repo PR — SSH tests should still run) and on a fork PR before relying on it. ## Server API dependencies N/A — CI-only change. ## Agent Mode - [x] Warp Agent Mode - This PR was created via Warp's AI Agent Mode
1 parent fc0ce9f commit 21cb7e5

1 file changed

Lines changed: 21 additions & 6 deletions

File tree

.github/workflows/ci.yml

Lines changed: 21 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -87,6 +87,17 @@ jobs:
8787
tests:
8888
name: Run ${{ matrix.name }} tests
8989
timeout-minutes: 25
90+
env:
91+
# When CI runs on a PR from a fork, the GCP OIDC auth used by
92+
# `google-github-actions/auth` fails because our Workload Identity
93+
# Federation provider is configured to only trust the base repository.
94+
# We skip the auth + gcloud install steps in those runs and exclude SSH
95+
# integration tests (which require gcloud to tunnel into a GCP test VM)
96+
# via the filter suffix below. Tests that need gcloud all have `_ssh_`
97+
# in their name. Fork PRs lose SSH integration test coverage; those
98+
# tests still run post-merge against `master`.
99+
HAS_GCP_AUTH: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
100+
EXCLUDE_SSH_TESTS_FILTER: ${{ (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository) && ' and not test(/_ssh_/)' || '' }}
90101
strategy:
91102
fail-fast: false
92103
matrix:
@@ -211,12 +222,16 @@ jobs:
211222
echo "SSH_AGENT_PID=$SSH_AGENT_PID" >> $GITHUB_ENV
212223
213224
- name: Set up gcloud authentication for SSH tests
225+
# Skipped for fork PRs - see HAS_GCP_AUTH definition above.
226+
if: env.HAS_GCP_AUTH == 'true'
214227
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
215228
with:
216229
workload_identity_provider: projects/63595664881/locations/global/workloadIdentityPools/github-pool/providers/github-provider
217230
service_account: github-ci-workflow@warp-ssh-integration-testing.iam.gserviceaccount.com
218231

219232
- name: Install gcloud CLI tool
233+
# Skipped for fork PRs - see HAS_GCP_AUTH definition above.
234+
if: env.HAS_GCP_AUTH == 'true'
220235
uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1
221236
with:
222237
version: '>= 397.0.0'
@@ -267,7 +282,7 @@ jobs:
267282
if: matrix.os != 'windows' && (success() || failure())
268283
uses: coactions/setup-xvfb@b6b4fcfb9f5a895edadc3bc76318fae0ac17c8b3 # v1
269284
with:
270-
run: cargo nextest run ${{ env.WORKSPACE_TEST_ARGS }} ${{ matrix.extra_test_args }} -E "package(integration) and not test(shell_integration_tests)"
285+
run: cargo nextest run ${{ env.WORKSPACE_TEST_ARGS }} ${{ matrix.extra_test_args }} -E "package(integration) and not test(shell_integration_tests)${{ env.EXCLUDE_SSH_TESTS_FILTER }}"
271286
env:
272287
# We run shell-agnostic tests against zsh, as it has the shortest
273288
# bootstrap times and tends to be the most reliable.
@@ -292,7 +307,7 @@ jobs:
292307
if: matrix.os != 'windows' && (success() || failure())
293308
uses: coactions/setup-xvfb@b6b4fcfb9f5a895edadc3bc76318fae0ac17c8b3 # v1
294309
with:
295-
run: cargo nextest run ${{ env.WORKSPACE_TEST_ARGS }} ${{ matrix.extra_test_args }} -E "package(integration) and test(shell_integration_tests)"
310+
run: cargo nextest run ${{ env.WORKSPACE_TEST_ARGS }} ${{ matrix.extra_test_args }} -E "package(integration) and test(shell_integration_tests)${{ env.EXCLUDE_SSH_TESTS_FILTER }}"
296311
env:
297312
WARP_SHELL_PATH: ${{ steps.echo_shells_unix.outputs.default_bash_path }}
298313

@@ -318,7 +333,7 @@ jobs:
318333
if: (success() || failure()) && runner.os == 'macos'
319334
uses: coactions/setup-xvfb@b6b4fcfb9f5a895edadc3bc76318fae0ac17c8b3 # v1
320335
with:
321-
run: cargo nextest run ${{ env.WORKSPACE_TEST_ARGS }} ${{ matrix.extra_test_args }} -E "package(integration) and test(shell_integration_tests)"
336+
run: cargo nextest run ${{ env.WORKSPACE_TEST_ARGS }} ${{ matrix.extra_test_args }} -E "package(integration) and test(shell_integration_tests)${{ env.EXCLUDE_SSH_TESTS_FILTER }}"
322337
env:
323338
WARP_SHELL_PATH: ${{ steps.echo_shells_unix.outputs.latest_bash_path }}
324339

@@ -341,7 +356,7 @@ jobs:
341356
if: matrix.os != 'windows' && (success() || failure())
342357
uses: coactions/setup-xvfb@b6b4fcfb9f5a895edadc3bc76318fae0ac17c8b3 # v1
343358
with:
344-
run: cargo nextest run ${{ env.WORKSPACE_TEST_ARGS }} ${{ matrix.extra_test_args }} -E "package(integration) and test(shell_integration_tests)"
359+
run: cargo nextest run ${{ env.WORKSPACE_TEST_ARGS }} ${{ matrix.extra_test_args }} -E "package(integration) and test(shell_integration_tests)${{ env.EXCLUDE_SSH_TESTS_FILTER }}"
345360
env:
346361
WARP_SHELL_PATH: ${{ steps.echo_shells_unix.outputs.fish_path }}
347362

@@ -364,7 +379,7 @@ jobs:
364379
if: matrix.os != 'windows' && (success() || failure())
365380
uses: coactions/setup-xvfb@b6b4fcfb9f5a895edadc3bc76318fae0ac17c8b3 # v1
366381
with:
367-
run: cargo nextest run ${{ env.WORKSPACE_TEST_ARGS }} ${{ matrix.extra_test_args }} -E "package(integration) and test(shell_integration_tests)"
382+
run: cargo nextest run ${{ env.WORKSPACE_TEST_ARGS }} ${{ matrix.extra_test_args }} -E "package(integration) and test(shell_integration_tests)${{ env.EXCLUDE_SSH_TESTS_FILTER }}"
368383
env:
369384
WARP_SHELL_PATH: ${{ steps.echo_shells_unix.outputs.zsh_path }}
370385

@@ -387,7 +402,7 @@ jobs:
387402
if: matrix.os != 'windows' && (success() || failure())
388403
uses: coactions/setup-xvfb@b6b4fcfb9f5a895edadc3bc76318fae0ac17c8b3 # v1
389404
with:
390-
run: cargo nextest run ${{ env.WORKSPACE_TEST_ARGS }} ${{ matrix.extra_test_args }} -E "package(integration) and test(shell_integration_tests)"
405+
run: cargo nextest run ${{ env.WORKSPACE_TEST_ARGS }} ${{ matrix.extra_test_args }} -E "package(integration) and test(shell_integration_tests)${{ env.EXCLUDE_SSH_TESTS_FILTER }}"
391406
env:
392407
WARP_SHELL_PATH: ${{ steps.echo_shells_unix.outputs.powershell_path }}
393408

0 commit comments

Comments
 (0)