Trigger integration tests on push to main (#2035)

## Changes The existing workflow already had 2 trigger conditions, so instead of adding a third (and seeing more "skipped" jobs), I split them up into dedicated workflow files, each with their own trigger condition. The integration test status is reported back via commit status. ## Tests We can confirm that everything works as expected as this PR moves from here to the merge group to main.
databricks · Dec 19, 2024 · f939e57 · f939e57
1 parent 965a3fc
commit f939e57
Show file tree

Hide file tree

Showing 4 changed files with 121 additions and 78 deletions.
diff --git a/.github/workflows/integration-approve.yml b/.github/workflows/integration-approve.yml
@@ -0,0 +1,32 @@
+name: integration-approve
+
+on:
+  merge_group:
+
+jobs:
+  # Trigger for merge groups.
+  #
+  # Statuses and checks apply to specific commits (by hash).
+  # Enforcement of required checks is done both at the PR level and the merge queue level.
+  # In case of multiple commits in a single PR, the hash of the squashed commit
+  # will not match the one for the latest (approved) commit in the PR.
+  #
+  # We auto approve the check for the merge queue for two reasons:
+  #
+  #   * Queue times out due to duration of tests.
+  #   * Avoid running integration tests twice, since it was already run at the tip of the branch before squashing.
+  #
+  trigger:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Auto-approve squashed commit
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        shell: bash
+        run: |
+          gh api -X POST -H "Accept: application/vnd.github+json" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            /repos/${{ github.repository }}/statuses/${{ github.sha }} \
+            -f 'state=success' \
+            -f 'context=Integration Tests Check'
diff --git a/.github/workflows/integration-main.yml b/.github/workflows/integration-main.yml
@@ -0,0 +1,33 @@
+name: integration-main
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  # Trigger for pushes to the main branch.
+  #
+  # This workflow triggers the integration test workflow in a different repository.
+  # It requires secrets from the "test-trigger-is" environment, which are only available to authorized users.
+  trigger:
+    runs-on: ubuntu-latest
+    environment: "test-trigger-is"
+
+    steps:
+      - name: Generate GitHub App Token
+        id: generate-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.DECO_WORKFLOW_TRIGGER_APP_ID }}
+          private-key: ${{ secrets.DECO_WORKFLOW_TRIGGER_PRIVATE_KEY }}
+          owner: ${{ secrets.ORG_NAME }}
+          repositories: ${{secrets.REPO_NAME}}
+
+      - name: Trigger Workflow in Another Repo
+        env:
+          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
+        run: |
+          gh workflow run cli-isolated-nightly.yml -R ${{ secrets.ORG_NAME }}/${{secrets.REPO_NAME}} \
+          --ref main \
+          -f commit_sha=${{ github.event.after }}
diff --git a/.github/workflows/integration-pr.yml b/.github/workflows/integration-pr.yml
@@ -0,0 +1,56 @@
+name: integration-pr
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+
+jobs:
+  check-token:
+    runs-on: ubuntu-latest
+    environment: "test-trigger-is"
+
+    outputs:
+      has_token: ${{ steps.set-token-status.outputs.has_token }}
+
+    steps:
+      - name: Check if DECO_WORKFLOW_TRIGGER_APP_ID is set
+        id: set-token-status
+        run: |
+          if [ -z "${{ secrets.DECO_WORKFLOW_TRIGGER_APP_ID }}" ]; then
+            echo "DECO_WORKFLOW_TRIGGER_APP_ID is empty. User has no access to secrets."
+            echo "::set-output name=has_token::false"
+          else
+            echo "DECO_WORKFLOW_TRIGGER_APP_ID is set. User has access to secrets."
+            echo "::set-output name=has_token::true"
+          fi
+
+  # Trigger for pull requests.
+  #
+  # This workflow triggers the integration test workflow in a different repository.
+  # It requires secrets from the "test-trigger-is" environment, which are only available to authorized users.
+  # It depends on the "check-token" workflow to confirm access to this environment to avoid failures.
+  trigger:
+    runs-on: ubuntu-latest
+    environment: "test-trigger-is"
+
+    if: needs.check-token.outputs.has_token == 'true'
+    needs: check-token
+
+    steps:
+      - name: Generate GitHub App Token
+        id: generate-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.DECO_WORKFLOW_TRIGGER_APP_ID }}
+          private-key: ${{ secrets.DECO_WORKFLOW_TRIGGER_PRIVATE_KEY }}
+          owner: ${{ secrets.ORG_NAME }}
+          repositories: ${{secrets.REPO_NAME}}
+
+      - name: Trigger Workflow in Another Repo
+        env:
+          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
+        run: |
+          gh workflow run cli-isolated-pr.yml -R ${{ secrets.ORG_NAME }}/${{secrets.REPO_NAME}} \
+          --ref main \
+          -f pull_request_number=${{ github.event.pull_request.number }} \
+          -f commit_sha=${{ github.event.pull_request.head.sha }}
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml