fix: Fix jobs for secrets inherit (#15532)

shortstacked · web-flow · commit cf29b5f188c8 · 2025-05-20T09:57:11.000+01:00
diff --git a/.github/workflows/test-workflows-nightly.yml b/.github/workflows/test-workflows-nightly.yml
@@ -11,35 +11,16 @@ on:
         type: string
         default: 'master'
 
+
 permissions:
   contents: read
 
 jobs:
-  run_tests:
+  run_workflow_tests:
     name: Run Workflow Tests
-    runs-on: blacksmith-2vcpu-ubuntu-2204
-    timeout-minutes: 10
-
-    steps:
-      - name: Determine Git Ref for Testing
-        id: determine_ref
-        shell: bash
-        run: |
-          if [[ "${{ github.event_name }}" == "schedule" ]]; then
-            echo "EFFECTIVE_GIT_REF=master" >> $GITHUB_OUTPUT
-            echo "Scheduled run: Using 'master' branch."
-          elif [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
-            echo "EFFECTIVE_GIT_REF=${{ github.event.inputs.git_ref_to_test }}" >> $GITHUB_OUTPUT
-            echo "Manual dispatch: Using ref '${{ github.event.inputs.git_ref_to_test }}'."
-          else
-            echo "EFFECTIVE_GIT_REF=master" >> $GITHUB_OUTPUT
-            echo "Warning: Unknown event type '${{ github.event_name }}', defaulting to 'master'."
-          fi
-
-      - name: Call Reusable Test Workflow
-        uses: ./.github/workflows/run-test-workflows.yml
-        with:
-          git_ref: ${{ steps.determine_ref.outputs.EFFECTIVE_GIT_REF }}
-          send_webhook_report: false
-          pr_number: ''
-        secrets: inherit
+    uses: ./.github/workflows/test-workflows-callable.yml
+    with:
+      git_ref: ${{ github.event_name == 'schedule' && 'master' || github.event.inputs.git_ref_to_test }}
+      send_webhook_report: false
+      pr_number: ''
+    secrets: inherit
diff --git a/.github/workflows/test-workflows-pr-approved.yml b/.github/workflows/test-workflows-pr-approved.yml
@@ -9,17 +9,12 @@ permissions:
   pull-requests: read
 
 jobs:
-  run_tests_after_approval:
+  run_workflow_tests_after_approval:
     name: Run Tests on Approved PR
     if: github.event.review.state == 'approved'
-    runs-on: blacksmith-2vcpu-ubuntu-2204
-    timeout-minutes: 10
-
-    steps:
-      - name: Call Reusable Test Workflow on Approved PR
-        uses: ./.github/workflows/test-workflows-callable.yml
-        with:
-          git_ref: ${{ github.event.pull_request.head.sha }}
-          send_webhook_report: true
-          pr_number: ${{ github.event.pull_request.number }}
-        secrets: inherit
+    uses: ./.github/workflows/test-workflows-callable.yml
+    with:
+      git_ref: ${{ github.event.pull_request.head.sha }}
+      send_webhook_report: true
+      pr_number: ${{ github.event.pull_request.number }}
+    secrets: inherit
diff --git a/.github/workflows/test-workflows-pr-comment.yml b/.github/workflows/test-workflows-pr-comment.yml
@@ -9,70 +9,104 @@ permissions:
   contents: read
 
 jobs:
-  trigger_tests_on_comment:
-    name: Handle /test-workflows command
+  handle_comment_command:
+    name: Handle /test-workflows Command
     if: github.event.issue.pull_request && startsWith(github.event.comment.body, '/test-workflows')
     runs-on: ubuntu-latest
+    outputs:
+      permission_granted: ${{ steps.pr_check_and_details.outputs.permission_granted }}
+      git_ref: ${{ steps.pr_check_and_details.outputs.head_sha }}
+      pr_number: ${{ steps.pr_check_and_details.outputs.pr_number_string }}
 
     steps:
-      - name: Check User Permission and Get PR Details
-        id: pr_check
+      - name: Validate User, Get PR Details, and React
+        id: pr_check_and_details
         uses: actions/github-script@v7
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
-          result-encoding: json
           script: |
             const commenter = context.actor;
-            const issue = context.issue;
-            let hasPermission = false;
-            let prDetails = null;
+            const issueOwner = context.repo.owner;
+            const issueRepo = context.repo.repo;
+            const commentId = context.payload.comment.id;
+            const prNumber = context.issue.number; // In issue_comment on a PR, issue.number is the PR number
 
+            // Function to add a reaction to the comment
+            async function addReaction(content) {
+              try {
+                await github.rest.reactions.createForIssueComment({
+                  owner: issueOwner,
+                  repo: issueRepo,
+                  comment_id: commentId,
+                  content: content
+                });
+              } catch (reactionError) {
+                // Log if reaction fails but don't fail the script for this
+                console.log(`Failed to add reaction '${content}': ${reactionError.message}`);
+              }
+            }
+
+            // Initialize outputs to a non-triggering state
+            core.setOutput('permission_granted', 'false');
+            core.setOutput('head_sha', '');
+            core.setOutput('pr_number_string', '');
+
+            // 1. Check user permissions
             try {
               const { data: permissions } = await github.rest.repos.getCollaboratorPermissionLevel({
-                owner: issue.owner,
-                repo: issue.repo,
+                owner: issueOwner,
+                repo: issueRepo,
                 username: commenter
               });
 
               const allowedPermissions = ['admin', 'write', 'maintain'];
-              if (allowedPermissions.includes(permissions.permission)) {
-                console.log(`User @${commenter} has '${permissions.permission}' permission.`);
-                hasPermission = true;
-              } else {
-                core.setFailed(`User @${commenter} does not have sufficient permissions (admin/write/maintain) to trigger workflows.`);
+              if (!allowedPermissions.includes(permissions.permission)) {
+                console.log(`User @${commenter} has '${permissions.permission}' permission. Needs 'admin', 'write', or 'maintain'.`);
+                await addReaction('-1'); // User does not have permission
+                return; // Exit script, tests will not be triggered
               }
+              console.log(`User @${commenter} has '${permissions.permission}' permission.`);
             } catch (error) {
-              core.setFailed(`Could not verify permissions for @${commenter}: ${error.message}`);
+              console.log(`Could not verify permissions for @${commenter}: ${error.message}`);
+              await addReaction('confused'); // Error checking permissions
+              return; // Exit script
             }
 
-            if (!hasPermission) {
-              return { permission_granted: false };
-            }
-
-            const prNumber = issue.number;
+            // 2. Fetch PR details (if permission check passed)
+            let headSha;
             try {
               const { data: pr } = await github.rest.pulls.get({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
+                owner: issueOwner,
+                repo: issueRepo,
                 pull_number: prNumber,
               });
-              prDetails = {
-                head_sha: pr.head.sha,
-                pr_number_string: prNumber.toString()
-              };
-              console.log(`Workspaceed PR details: SHA - ${prDetails.head_sha}, PR Number - ${prDetails.pr_number_string}`);
+              headSha = pr.head.sha;
+              console.log(`Workspaced PR details: SHA - ${headSha}, PR Number - ${prNumber}`);
+
+              // Set outputs for the next job
+              core.setOutput('permission_granted', 'true');
+              core.setOutput('head_sha', headSha);
+              core.setOutput('pr_number_string', prNumber.toString());
+              await addReaction('+1'); // Command accepted, tests will be triggered
+
             } catch (error) {
-              core.setFailed(`Failed to fetch PR details for PR #${prNumber}: ${error.message}`);
-              return { permission_granted: true, pr_fetch_error: true };
+              console.log(`Failed to fetch PR details for PR #${prNumber}: ${error.message}`);
+              core.setOutput('permission_granted', 'false'); // Ensure this is false if PR fetch fails
+              await addReaction('confused'); // Error fetching PR details
             }
 
-            return { permission_granted: true, ...prDetails };
+  trigger_reusable_tests:
+    name: Trigger Reusable Test Workflow
+    needs: handle_comment_command
 
-      - name: Call Reusable Test Workflow
-        if: steps.pr_check.outcome == 'success' && fromJson(steps.pr_check.outputs.result).permission_granted == true && fromJson(steps.pr_check.outputs.result).head_sha
-        uses: ./.github/workflows/test-workflows-callable.yml
-        with:
-          git_ref: ${{ fromJson(steps.pr_check.outputs.result).head_sha }}
-          send_webhook_report: true
-          pr_number: ${{ fromJson(steps.pr_check.outputs.result).pr_number_string }}
-        secrets: inherit
+    if: >
+      always() &&
+      needs.handle_comment_command.result != 'skipped' &&
+      needs.handle_comment_command.outputs.permission_granted == 'true' &&
+      needs.handle_comment_command.outputs.git_ref != ''
+    uses: ./.github/workflows/test-workflows-callable.yml
+    with:
+      git_ref: ${{ needs.handle_comment_command.outputs.git_ref }}
+      send_webhook_report: true
+      pr_number: ${{ needs.handle_comment_command.outputs.pr_number }}
+    secrets: inherit
