github/equivalence-test: Ensure inputs are escaped (#38096)

* github/equivalence-test: Ensure inputs are escaped

Co-authored-by: jeevaratnamputla <132266626+jeevaratnamputla@users.noreply.github.com>

* Make GH_TOKEN passing more explicit and limited

---------

Co-authored-by: jeevaratnamputla <132266626+jeevaratnamputla@users.noreply.github.com>
Radek Simko 3 weeks ago committed by GitHub
parent ac3e32b62b
commit 64d8933bb8

@ -25,18 +25,26 @@ inputs:
message:
description: "Message to include in the commit."
required: true
github-token:
description: "Token to use for PR creation."
required: true
runs:
using: "composite"
steps:
- name: "download equivalence test binary"
shell: bash
env:
TARGET_VERSION: ${{ inputs.target-equivalence-test-version }}
TARGET_OS: ${{ inputs.target-os }}
TARGET_ARCH: ${{ inputs.target-arch }}
run: |
./.github/scripts/equivalence-test.sh download_equivalence_test_binary \
${{ inputs.target-equivalence-test-version }} \
"$TARGET_VERSION" \
./bin/equivalence-tests \
${{ inputs.target-os }} \
${{ inputs.target-arch }}
"$TARGET_OS" \
"$TARGET_ARCH"
- name: Build terraform
shell: bash
@ -50,7 +58,7 @@ runs:
--tests=testing/equivalence-tests/tests \
--goldens=testing/equivalence-tests/outputs \
--binary=$(pwd)/bin/terraform
git add --intent-to-add testing/equivalence-tests/outputs
changed=$(git diff --quiet -- testing/equivalence-tests/outputs || echo true)
echo "changed=$changed" >> "${GITHUB_OUTPUT}"
@ -58,22 +66,31 @@ runs:
- name: "branch, commit, and push changes"
if: steps.execute.outputs.changed == 'true'
shell: bash
env:
NEW_BRANCH: ${{ inputs.new-branch }}
# GitHub token w/ push permissions is inherited from the calling workflow here
run: |
git config user.name "hc-github-team-tf-core"
git config user.email "github-team-tf-core@hashicorp.com"
git checkout -b ${{ inputs.new-branch }}
git checkout -b "$NEW_BRANCH"
git add testing/equivalence-tests/outputs
git commit -m "Update equivalence test golden files."
git push --set-upstream origin ${{ inputs.new-branch }}
git push --set-upstream origin "$NEW_BRANCH"
- name: "create pull request"
if: steps.execute.outputs.changed == 'true'
shell: bash
env:
GH_TOKEN: ${{ inputs.github-token }}
CURRENT_BRANCH: ${{ inputs.current-branch }}
NEW_BRANCH: ${{ inputs.new-branch }}
PR_MESSAGE: ${{ inputs.message }}
PR_REVIEWERS: ${{ inputs.reviewers }}
run: |
gh pr create \
--draft \
--base ${{ inputs.current-branch }} \
--head ${{ inputs.new-branch }} \
--base "$CURRENT_BRANCH" \
--head "$NEW_BRANCH" \
--title "Update equivalence test golden files" \
--body '${{ inputs.message }}' \
--reviewer ${{ inputs.reviewers }}
--body "$PR_MESSAGE" \
--reviewer "$PR_REVIEWERS"
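Review bot: `--reviewer "$PR_REVIEWERS"` on the last line of the third hunk always passes a reviewer value now, so an empty `reviewers` input becomes `--reviewer ""`; whether gh accepts that I cannot verify from here, and of the two callers in this commit only `github.actor` is guaranteed non-empty (`github.event.pull_request.merged_by.login` is the other). A guard keeps the step working either way: `reviewer_args=()`, `if [ -n "$PR_REVIEWERS" ]; then reviewer_args=(--reviewer "$PR_REVIEWERS"); fi`, and `"${reviewer_args[@]}"` in place of the fixed flag on the gh command. The comment added above `run:` in the push step ("GitHub token w/ push permissions is inherited from the calling workflow here") would read more precisely if it named what the push authenticates with, since that step deliberately sets no `GH_TOKEN` and the reader otherwise has to guess.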

@ -12,9 +12,6 @@ permissions:
contents: read
pull-requests: write
env:
GH_TOKEN: ${{ github.token }}
jobs:
equivalence-test-diff:
name: "Equivalence Test Diff"
@ -60,6 +57,8 @@ jobs:
- name: Equivalence tests failed
if: steps.equivalence-tests.outputs.exit-code == 1 # 1 is the exit code for failure
shell: bash
env:
GH_TOKEN: ${{ github.token }}
run: |
gh pr comment ${{ github.event.pull_request.number }} \
--body "The equivalence tests failed. Please investigate [here](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})."
@ -68,6 +67,8 @@ jobs:
- name: Equivalence tests changed
if: steps.equivalence-tests.outputs.exit-code == 2 # 2 is the exit code for changed
shell: bash
env:
GH_TOKEN: ${{ github.token }}
run: |
gh pr comment ${{ github.event.pull_request.number }} \
--body "The equivalence tests will be updated. Please verify the changes [here](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})."
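Review bot: `gh pr comment ${{ github.event.pull_request.number }} \` in both hunks of this workflow still interpolates an expression straight into the `run:` script, which is the pattern the rest of the commit replaces with step-level environment variables. The PR number and the `github.server_url`/`github.repository`/`github.run_id` values in `--body` are supplied by GitHub rather than by a contributor, so this is a consistency gap rather than an exploitable one, but moving them next to the new `GH_TOKEN` entry — `PR_NUMBER: ${{ github.event.pull_request.number }}` with `gh pr comment "$PR_NUMBER" \` — leaves the `run:` blocks free of expression interpolation and makes the rule easy to lint for. The same change applies to the second `gh pr comment` step at the end of this section.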

@ -21,9 +21,6 @@ permissions:
contents: write
pull-requests: write
env:
GH_TOKEN: ${{ github.token }}
jobs:
run-equivalence-tests:
name: "Run equivalence tests"
@ -52,3 +49,4 @@ jobs:
new-branch: ${{ inputs.new-branch }}
reviewers: ${{ github.actor }}
message: "Update equivalence test golden files."
github-token: ${{ github.token }}

@ -8,9 +8,6 @@ permissions:
contents: write
pull-requests: write
env:
GH_TOKEN: ${{ github.token }}
jobs:
check:
name: "Should run equivalence tests?"
@ -23,19 +20,19 @@ jobs:
run: |
merged='${{ github.event.pull_request.merged }}'
target_branch='${{ github.event.pull_request.base.ref }}'
targets_release_branch=false
if [ "$target_branch" == "main" ]; then
targets_release_branch=true
elif [ "$target_branch" =~ ^v[0-9]+\.[0-9]+$ ]; then
targets_release_branch=true
fi
should_run=false
if [ "$merged" == "true" ] && [ "$targets_release_branch" == "true" ]; then
should_run=true
fi
echo "should_run=$should_run" >> ${GITHUB_OUTPUT}
run-equivalence-tests:
name: "Run equivalence tests"
@ -67,3 +64,4 @@ jobs:
new-branch: equivalence-testing/${{ github.event.pull_request.head.ref }}
reviewers: ${{ github.event.pull_request.merged_by.login }}
message: "Update equivalence test golden files after ${{ github.event.pull_request.html_url }}."
github-token: ${{ github.token }}
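Review bot: `elif [ "$target_branch" =~ ^v[0-9]+\.[0-9]+$ ]; then` in the second hunk of this workflow uses the regex operator inside single brackets, which `test`/`[` does not implement in bash; the condition is treated as false (with an error on stderr) rather than matching, so as far as I can tell a merge into a `vX.Y` branch never sets `targets_release_branch=true`. The bash conditional is needed: `elif [[ "$target_branch" =~ ^v[0-9]+\.[0-9]+$ ]]; then`. In the same script, `target_branch='${{ github.event.pull_request.base.ref }}'` and the `merged=` line keep the inline-expression pattern this commit removes elsewhere, and a `'` in a base branch name would terminate the quoted string; `TARGET_BRANCH: ${{ github.event.pull_request.base.ref }}` under a step-level `env:` with `target_branch="$TARGET_BRANCH"` would be the consistent form, and `>> "${GITHUB_OUTPUT}"` would match the quoting the action's own step now uses. The step's `name`/`if`/`shell` lines are outside the hunk, and the hunk header counts 19 lines while fewer are visible here, so some of its lines may not be shown.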
