Allow TestDriver to run on outside contributions #1622

Merged
merged 5 commits into from
Dec 25, 2024
2 changes: 1 addition & 1 deletion .github/workflows/merge-gatekeeper.yml
Expand Up @@ -23,4 +23,4 @@ jobs:
uses: upsidr/merge-gatekeeper@v1
with:
token: ${{ secrets.GITHUB_TOKEN }}
ignored: Test Onboarding, Analyze (go), Analyze (javascript-typescript), License Compliance, CodeRabbit
ignored: Build for TestDriver.ai, Analyze (go), Analyze (javascript-typescript), License Compliance, CodeRabbit
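Review bot: The new `ignored:` value takes the build job out of the gate: with `Build for TestDriver.ai` listed, a failing build on a pull request no longer holds back the merge-gatekeeper check. If the intent was only to stop waiting on the TestDriver run, which this PR moves to a `workflow_run` workflow, consider leaving the build job gated, or add a comment next to this line saying why a build failure is acceptable. The entry also has to stay in sync with `name: Build for TestDriver.ai` in testdriver-build.yml, so a later rename of that job needs a matching edit here.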
74 changes: 74 additions & 0 deletions .github/workflows/testdriver-build.yml
@@ -0,0 +1,74 @@
name: TestDriver.ai Build

on:
push:
branches:
- main
tags:
- "v[0-9]+.[0-9]+.[0-9]+*"
pull_request:
branches:
- main
paths-ignore:
- "docs/**"
- ".storybook/**"
- ".vscode/**"
- ".editorconfig"
- ".gitignore"
- ".prettierrc"
- ".eslintrc.js"
- "**/*.md"
schedule:
- cron: 0 21 * * *
workflow_dispatch: null

env:
GO_VERSION: "1.23"
Contributor

⚠️ Potential issue

Invalid Go version specified

The Go version "1.23" is incorrect as it doesn't exist. The latest stable version is 1.22.

-    GO_VERSION: "1.23"
+    GO_VERSION: "1.22"

NODE_VERSION: 22
Contributor

💡 Codebase verification

Node.js version 22 is not recommended for this project

The package.json files reveal that:

  • The main project has dependencies on packages like electron v33.2.1 and other modern packages
  • The docs project specifically requires Node.js >= 18.0
  • The project uses advanced development tools and frameworks that are better suited for LTS versions

Using Node.js 22 (which is currently in development) could lead to compatibility issues. Node.js 20 is the current LTS version and would be more appropriate for production use.

🔗 Analysis chain

Verify Node.js version compatibility

Node.js version 22 is currently in development. Consider using the latest LTS version 20.

-    NODE_VERSION: 22
+    NODE_VERSION: 20

Let me verify the Node.js version compatibility by checking the project's dependencies and requirements.

🏁 Scripts executed

The following scripts were executed for the analysis:

Error: No shell scripts found


Script:

#!/bin/bash
# Check for package.json files and their Node.js version requirements
fd package.json --exec cat {}

# Check for .nvmrc or .node-version files
fd -e nvmrc -e node-version --exec cat {}

# Look for any Node.js version specifications in workflow files
fd -e yml -e yaml -p '.github/workflows' --exec cat {}

Length of output: 8150


permissions:
contents: read # To allow the action to read repository contents
pull-requests: write # To allow the action to create/update pull request comments

jobs:
build_and_upload:
name: Build for TestDriver.ai
runs-on: windows-latest
steps:
- uses: actions/checkout@v4

# General build dependencies
- uses: actions/setup-go@v5
with:
go-version: ${{env.GO_VERSION}}
- uses: actions/setup-node@v4
with:
node-version: ${{env.NODE_VERSION}}
- name: Install Yarn
uses: nick-fields/retry@v3
with:
command: |
corepack enable
yarn install
timeout_minutes: 5
max_attempts: 3
- name: Install Task
uses: arduino/setup-task@v2
with:
version: 3.x
repo-token: ${{ secrets.GITHUB_TOKEN }}

- name: Build
run: task package
env:
USE_SYSTEM_FPM: true # Ensure that the installed version of FPM is used rather than the bundled one.
CSC_IDENTITY_AUTO_DISCOVERY: false # disable codesign
shell: powershell # electron-builder's Windows code signing package has some compatibility issues with pwsh, so we need to use Windows Powershell
Comment on lines +61 to +66
Contributor

🛠️ Refactor suggestion

⚠️ Potential issue

Enhance security for package task execution

The task package step runs with write permissions and could potentially execute malicious code from external PRs.

  1. Add explicit base ref checkout before this step:
     - uses: actions/checkout@v4
       with:
         ref: ${{ github.event.pull_request.base.sha }}
  2. Consider moving build steps to a separate job with minimal permissions
  3. Add input validation for external PR code before execution


# Upload .exe as an artifact
- name: Upload .exe artifact
id: upload
uses: actions/upload-artifact@v4
with:
name: windows-exe
path: make/*.exe
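Review bot: The top-level `permissions:` block grants `pull-requests: write`, but no step in `build_and_upload` creates or updates a pull request comment; the job only checks out, builds and uploads `make/*.exe`. Since this is the workflow that runs `yarn install` and `task package` on pull request code, reduce the block to `contents: read` and keep the write scope in the `workflow_run` workflow that reports results. The third-party actions here (`nick-fields/retry@v3`, `arduino/setup-task@v2`) are referenced by movable tags; pinning them to a full commit SHA serves the same goal.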
72 changes: 8 additions & 64 deletions .github/workflows/testdriver.yml
@@ -1,26 +1,10 @@
name: TestDriver.ai
name: TestDriver.ai Run

on:
push:
branches:
- main
tags:
- "v[0-9]+.[0-9]+.[0-9]+*"
pull_request:
branches:
- main
paths-ignore:
- "docs/**"
- ".storybook/**"
- ".vscode/**"
- ".editorconfig"
- ".gitignore"
- ".prettierrc"
- ".eslintrc.js"
- "**/*.md"
schedule:
- cron: 0 21 * * *
workflow_dispatch: null
workflow_run:
workflows: ["TestDriver.ai Build"]
types:
- completed

env:
GO_VERSION: "1.23"
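Review bot: The `workflow_run` trigger with `types: - completed` fires for every finished run of "TestDriver.ai Build", including failed and cancelled ones, and a `workflow_run` workflow runs with the base repository's token and secrets even when the triggering run came from a fork. Add a job-level guard such as `if: ${{ github.event.workflow_run.conclusion == 'success' }}` so the run job does not start when there is no built artifact to test, and add a short comment above the trigger explaining why the run is split from the build.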
Expand All @@ -31,50 +15,10 @@ permissions:
pull-requests: write # To allow the action to create/update pull request comments

jobs:
build_and_upload:
name: Test Onboarding
run_testdriver:
name: Run TestDriver.ai
runs-on: windows-latest
steps:
- uses: actions/checkout@v4

# General build dependencies
- uses: actions/setup-go@v5
with:
go-version: ${{env.GO_VERSION}}
cache-dependency-path: |
go.sum
- uses: actions/setup-node@v4
with:
node-version: ${{env.NODE_VERSION}}
- name: Install Yarn
uses: nick-fields/retry@v3
with:
command: |
corepack enable
yarn install
timeout_minutes: 5
max_attempts: 3
- name: Install Task
uses: arduino/setup-task@v2
with:
version: 3.x
repo-token: ${{ secrets.GITHUB_TOKEN }}

- name: Build
run: task package
env:
USE_SYSTEM_FPM: true # Ensure that the installed version of FPM is used rather than the bundled one.
CSC_IDENTITY_AUTO_DISCOVERY: false # disable codesign
shell: powershell # electron-builder's Windows code signing package has some compatibility issues with pwsh, so we need to use Windows Powershell

# Upload .exe as an artifact
- name: Upload .exe artifact
id: upload
uses: actions/upload-artifact@v4
with:
name: windows-exe
path: make/*.exe

- uses: testdriverai/action@main
id: testdriver
env:
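Review bot: `- uses: testdriverai/action@main` tracks a mutable branch, and with this change it executes in a `workflow_run` job under `pull-requests: write`; pin it to a full commit SHA (or at least a release tag) so an upstream push cannot change what runs here. A comment above `run_testdriver` stating that this job must not check out or execute pull request code would also help, now that the checkout and build steps live in the build workflow.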
Expand Down Expand Up @@ -102,7 +46,7 @@ jobs:

# Fetch the artifact upload URL
Write-Host "Fetching the artifact upload URL..."
$artifactUrl = (Invoke-RestMethod -Uri "https://api.github.com/repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts" -Headers $headers).artifacts[0].archive_download_url
$artifactUrl = (Invoke-RestMethod -Uri "https://api.github.com/repos/${{ github.repository }}/actions/runs/${{ github.event.workflow_run.id }}/artifacts" -Headers $headers).artifacts[0].archive_download_url

if ($artifactUrl) {
Write-Host "Artifact URL successfully fetched: $artifactUrl"
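Review bot: `.artifacts[0].archive_download_url` takes whichever artifact the API lists first for the triggering run and never checks its name, so the job silently depends on the build run producing exactly one artifact. Filter on the name the build workflow uploads, for example `Where-Object { $_.name -eq 'windows-exe' }`, and fail with a clear message when nothing matches. Because the run behind `github.event.workflow_run.id` may have built fork code, the downloaded .exe should be handled as untrusted input for the rest of this job.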