Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
60 changes: 60 additions & 0 deletions .github/workflows/integration_tests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,17 +2,68 @@

on:
workflow_dispatch:
inputs:
ref:
description: 'Branch or SHA to check out'
required: false
default: ''
repository:
description: 'Fork repository to check out'
required: false
default: ''
push:
branches:
- main
paths-ignore:
- '**/*.md'
- '**/*.jpg'
- '**/README.txt'
- '**/LICENSE.txt'
- 'docs/**'
- 'ISSUE_TEMPLATE/**'
- '**/remove-old-artifacts.yml'
pull_request_target:
branches:
- main
paths-ignore:
- '**/*.md'
- '**/*.jpg'
- '**/README.txt'
- '**/LICENSE.txt'
- 'docs/**'
- 'ISSUE_TEMPLATE/**'
- '**/remove-old-artifacts.yml'

permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout

jobs:
approve:
if: >
github.event_name == 'push' ||
github.event_name == 'workflow_dispatch' ||
github.event.pull_request.head.repo.full_name == github.repository
runs-on: ubuntu-latest
steps:
- run: echo "Approved — not a fork PR"

approve-fork:
if: >
github.event_name == 'pull_request_target' &&
github.event.pull_request.head.repo.full_name != github.repository
runs-on: ubuntu-latest
environment: integration-tests
steps:
- run: echo "Fork PR approved by maintainer"

lts-integration-tests:
name: Run LTS Integration Tests
needs: [approve, approve-fork]
if: |
always() &&
(needs.approve.result == 'success' || needs.approve-fork.result == 'success') &&
!(needs.approve.result == 'failure' || needs.approve-fork.result == 'failure')
runs-on: ubuntu-latest
strategy:
fail-fast: false
Expand All @@ -23,6 +74,9 @@
steps:
- name: 'Clone repository'
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
repository: ${{ inputs.repository || github.event.pull_request.head.repo.full_name || github.repository }}
ref: ${{ inputs.ref || github.event.pull_request.head.sha || github.sha }}

- name: 'Set up JDK 8'
uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
Expand Down Expand Up @@ -68,6 +122,9 @@
name: Run Latest Integration Tests
runs-on: ubuntu-latest
needs: lts-integration-tests
if: |
always() &&
needs.lts-integration-tests.result == 'success'
strategy:
fail-fast: false
matrix:
Expand All @@ -75,10 +132,13 @@
environment: [ "mysql", "pg" ]

steps:
- name: 'Clone repository'
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
repository: ${{ inputs.repository || github.event.pull_request.head.repo.full_name || github.repository }}
ref: ${{ inputs.ref || github.event.pull_request.head.sha || github.sha }}

- name: 'Set up JDK 8'

Check failure

Code scanning / CodeQL

Checkout of untrusted code in a privileged context Critical

Checkout of untrusted code in a privileged workflow with later potential execution (event trigger:
pull_request_target
).
Checkout of untrusted code in a privileged workflow with later potential execution (event trigger:
pull_request_target
).
Checkout of untrusted code in a privileged workflow with later potential execution (event trigger:
pull_request_target
).
uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
with:
distribution: 'corretto'
Expand Down