This is a bit of a refactor based on the work done in `gh workflow`, as a better approach to verifying that the secrets created are what we expect. Changes made:
1. Removed `env2lower` as it wasn't being used in testscripts
2. Added `replace` custom command to deal with testing organization workflow secrets
3. Refactored secret testscripts to create and run a workflow that tests the value of the secret provided
4. Minor reordering of the `acceptance` test functions, as appending to the end is confusing and adds conflicts
5. Removed stdout TTY assertions
# Acceptance test: set a repository Actions secret with gh, then check the
# stored value by reading it from inside a dispatched workflow run.

# Setup environment variables used for testscript
# REPO combines the script name with $RANDOM_STRING (presumably unique per run)
env REPO=$SCRIPT_NAME-$RANDOM_STRING

# Use gh as a credential helper, so the git push below authenticates through gh
exec gh auth setup-git

# Create a private repository with a README so it has a default branch
exec gh repo create $ORG/$REPO --add-readme --private

# Defer repo cleanup
# NOTE(review): deletion presumably needs a token with the delete_repo scope;
# confirm the test account is a dedicated one, since that scope is broad
defer gh repo delete --yes $ORG/$REPO

# Clone the repo
exec gh repo clone $ORG/$REPO
cd $REPO

# Create a repository secret
# The value is a throwaway fixture, so passing it with --body is fine here.
# A real secret is better supplied on stdin, which keeps it out of argv and
# shell history.
exec gh secret set TESTSCRIPTS --body 'just a repository secret'

# Verify new repository secret exists
# This asserts the secret's name only; the value is asserted further down,
# from inside the workflow run.
exec gh secret list
stdout 'TESTSCRIPTS'

# Commit workflow file creating dispatchable workflow able to verify secret matches
# workflow.yml is the archive section at the bottom of this file; it sits one
# directory above the clone after the cd above
mkdir .github/workflows
mv ../workflow.yml .github/workflows/workflow.yml
exec git add .github/workflows/workflow.yml
exec git commit -m 'Create workflow file'
exec git push -u origin main

# Sleep because it takes a second for the workflow to register
sleep 1

# Check the workflow is indeed created
exec gh workflow list
stdout 'Test Workflow Name'

# Run the workflow
exec gh workflow run 'Test Workflow Name'

# It takes some time for a workflow run to register
# NOTE(review): fixed delay; if the run is not listed yet, the next step
# captures an empty RUN_ID and the watch step fails
sleep 10

# Get the ID of the run we want to watch and inspect
# .[0] takes the first run returned; presumably that is the dispatched run,
# since this fresh repository holds a single workflow
exec gh run list --json databaseId --jq '.[0].databaseId'
stdout2env RUN_ID

# Wait for workflow to complete
# --exit-status makes this step fail when the run itself fails
exec gh run watch $RUN_ID --exit-status

# Verify secret matched what was set earlier
# The pattern ends in $; presumably this is so it matches the echoed verdict
# line rather than the quoted echo command in the logged script. TODO confirm
exec gh run view $RUN_ID --log
stdout 'GitHub Actions secret value matches$'

-- workflow.yml --
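# This workflow asserts that the GitHub Actions secret was stored with the
# expected value
name: Test Workflow Name
on:
  # Allow workflow to be dispatched by gh workflow run
  workflow_dispatch:

# The job never calls the GitHub API, so the run's GITHUB_TOKEN is granted no
# permissions at all
permissions: {}

jobs:
  # Single job called "assert"; it should only pass if the GitHub Actions
  # secret value matches
  assert:
    runs-on: ubuntu-latest
    steps:
      - name: Assert secret value matches
        env:
          # Hand the secret to the script through the environment rather than
          # expanding the secrets expression inside the script text
          TESTSCRIPTS: ${{ secrets.TESTSCRIPTS }}
        # The script prints a fixed verdict only, never the secret itself
        run: |
          if [[ "$TESTSCRIPTS" == "just a repository secret" ]]; then
            echo "GitHub Actions secret value matches"
          else
            echo "GitHub Actions secret value does not match"
            exit 1
          fi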