tests: add initial testing farm integration

This adds initial testing farm integration via a github action. To run jobs on testing farm a token is required that is stored as a repository secret. For security reasons repository secrets are not visible accross forks [0]. There are multiple ways to work around this limiation, this commit goes with the suggestion from [1], i.e.: the workflow is run within the `pull_request_target` trigger which has access to secrets. This means the (potentially untrusted) branch is only checked out if the person triggering the workflow has already write access to the repository (we could make this restriction strong but it seems a reasonable permisson level). In practise the workflow will fail for outside contributions but a re-trigger from anyone in the term should be enough to get it tested inside the testing farm. [0] https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ [1] https://michaelheap.com/access-secrets-from-forks/
mvo5 · Dec 6, 2023 · 6c18387 · 6c18387
1 parent 66cb1d2
commit 6c18387
Showing 1 changed file with 43 additions and 0 deletions.
diff --git a/.github/workflows/testingfarm.yml b/.github/workflows/testingfarm.yml
@@ -0,0 +1,43 @@
+---
+name: Testing farm tests
+
+on:
+  pull_request_target:
+    types: [opened, synchronize]
+
+# To use testing farm we need the TF_API_KEY secret available inside the
+# forked repo which requires the pull_request_target trigger. To protect
+# the secrets we need to make sure only our own or reviewed PRs trigger
+# a checkout of the untrusted code.
+#
+# This follows https://michaelheap.com/access-secrets-from-forks/
+jobs:
+  testingfarm:
+    name: "Run in testing farm"
+    runs-on: ubuntu-latest
+    steps:
+    - name: Get User Permission
+      id: checkAccess
+      uses: actions-cool/check-user-permission@v2
+      with:
+        require: write
+        username: ${{ github.triggering_actor }}
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Check User Permission
+      if: steps.checkAccess.outputs.require-result == 'false'
+      run: |
+        echo "${{ github.triggering_actor }} does not have permissions on this repo."
+        echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+        echo "Job originally triggered by ${{ github.actor }}"
+        exit 1
+    - uses: actions/checkout@v4
+      with:
+        ref: ${{ github.event.pull_request.head.sha }}
+    - name: Run the tests
+      uses: sclorg/testing-farm-as-github-action@v1
+      with:
+        api_key: ${{ secrets.TF_API_KEY }}
+        git_url: ${{ github.event.pull_request.head.repo.clone_url }}
+        git_ref: ${{ github.event.pull_request.head.ref }}
+        pull_request_status_name: "Testing farm"