85 lines
2.5 KiB
Text
85 lines
2.5 KiB
Text
# Setup environment variables used for testscript
|
|
env REPO=${SCRIPT_NAME}-${RANDOM_STRING}
|
|
env2upper SECRET_NAME=${SCRIPT_NAME}_${RANDOM_STRING}
|
|
|
|
# Use gh as a credential helper
|
|
exec gh auth setup-git
|
|
|
|
# Create a repository with a file so it has a default branch
|
|
exec gh repo create $ORG/$REPO --add-readme --private
|
|
|
|
# Defer repo cleanup
|
|
defer gh repo delete --yes $ORG/$REPO
|
|
|
|
# Clone the repo
|
|
exec gh repo clone $ORG/$REPO
|
|
cd $REPO
|
|
|
|
# Confirm organization secret does not exist, will fail admin:org scope missing
|
|
exec gh secret list --org $ORG
|
|
! stdout $SECRET_NAME
|
|
|
|
# Create an organization secret
|
|
exec gh secret set $SECRET_NAME --org $ORG --body 'just an organization secret' --repos $REPO
|
|
|
|
# Defer organization secret cleanup
|
|
defer gh secret delete $SECRET_NAME --org $ORG
|
|
|
|
# Verify new organization secret exists
|
|
exec gh secret list --org $ORG
|
|
stdout $SECRET_NAME
|
|
|
|
# Commit workflow file creating dispatchable workflow able to verify secret matches
|
|
mkdir .github/workflows
|
|
mv ../workflow.yml .github/workflows/workflow.yml
|
|
replace .github/workflows/workflow.yml SECRET_NAME=$SECRET_NAME
|
|
exec git add .github/workflows/workflow.yml
|
|
exec git commit -m 'Create workflow file'
|
|
exec git push -u origin main
|
|
|
|
# Sleep because it takes a second for the workflow to register
|
|
sleep 1
|
|
|
|
# Check the workflow is indeed created
|
|
exec gh workflow list
|
|
stdout 'Test Workflow Name'
|
|
|
|
# Run the workflow
|
|
exec gh workflow run 'Test Workflow Name'
|
|
|
|
# It takes some time for a workflow run to register
|
|
sleep 10
|
|
|
|
# Get the run ID we want to watch & delete
|
|
exec gh run list --json databaseId --jq '.[0].databaseId'
|
|
stdout2env RUN_ID
|
|
|
|
# Wait for workflow to complete
|
|
exec gh run watch $RUN_ID --exit-status
|
|
|
|
# Verify secret matched what was set earlier
|
|
exec gh run view $RUN_ID --log
|
|
stdout 'GitHub Actions secret value matches$'
|
|
|
|
-- workflow.yml --
|
|
# This workflow is intended to assert the value of the GitHub Actions secret was set appropriately
|
|
name: Test Workflow Name
|
|
on:
|
|
# Allow workflow to be dispatched by gh workflow run
|
|
workflow_dispatch:
|
|
|
|
jobs:
|
|
# This workflow contains a single job called "assert" that should only pass if the GitHub Actions secret value matches
|
|
assert:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Assert secret value matches
|
|
env:
|
|
ORG_SECRET: ${{ secrets.$SECRET_NAME }}
|
|
run: |
|
|
if [[ "$ORG_SECRET" == "just an organization secret" ]]; then
|
|
echo "GitHub Actions secret value matches"
|
|
else
|
|
echo "GitHub Actions secret value does not match"
|
|
exit 1
|
|
fi
|