Session persistence #240
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Secure Integration test | |
| on: | |
| pull_request_target: | |
| branches: main | |
| jobs: | |
| authorization-check: | |
| permissions: read-all | |
| runs-on: ubuntu-latest | |
| outputs: | |
| approval-env: ${{ steps.collab-check.outputs.result }} | |
| steps: | |
| - name: Collaborator Check | |
| uses: actions/github-script@v7 | |
| id: collab-check | |
| with: | |
| result-encoding: string | |
| script: | | |
| try { | |
| const permissionResponse = await github.rest.repos.getCollaboratorPermissionLevel({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| username: context.payload.pull_request.user.login, | |
| }); | |
| const permission = permissionResponse.data.permission; | |
| const hasWriteAccess = ['write', 'admin'].includes(permission); | |
| if (!hasWriteAccess) { | |
| console.log(`User ${context.payload.pull_request.user.login} does not have write access to the repository (permission: ${permission})`); | |
| return "manual-approval" | |
| } else { | |
| console.log(`Verifed ${context.payload.pull_request.user.login} has write access. Auto Approving PR Checks.`) | |
| return "auto-approve" | |
| } | |
| } catch (error) { | |
| console.log(`${context.payload.pull_request.user.login} does not have write access. Requiring Manual Approval to run PR Checks.`) | |
| return "manual-approval" | |
| } | |
| check-access-and-checkout: | |
| runs-on: ubuntu-latest | |
| needs: authorization-check | |
| environment: ${{ needs.authorization-check.outputs.approval-env }} | |
| permissions: | |
| id-token: write | |
| pull-requests: read | |
| contents: read | |
| steps: | |
| - name: Configure Credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: ${{ secrets.STRANDS_INTEG_TEST_ROLE }} | |
| aws-region: us-east-1 | |
| mask-aws-account-id: true | |
| - name: Checkout head commit | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} # Pull the commit from the forked repo | |
| persist-credentials: false # Don't persist credentials for subsequent actions | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.10' | |
| - name: Install dependencies | |
| run: | | |
| pip install --no-cache-dir hatch | |
| - name: Run integration tests | |
| env: | |
| AWS_REGION: us-east-1 | |
| AWS_REGION_NAME: us-east-1 # Needed for LiteLLM | |
| id: tests | |
| run: | | |
| hatch test tests-integ |