test: add reusable workflow expansion test for secrets (#1351)

Local test: ![image](/attachments/2357b06f-2506-4a31-ae51-a372e4eb4704) Reviewed-on: https://code.forgejo.org/forgejo/end-to-end/pulls/1351 Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net> Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
2025-12-30 20:16:02 +00:00 · 2025-12-30 20:16:02 +00:00 · 0e0b1429e6
commit 0e0b1429e6
parent 1fbbc4277c
4 changed files with 35 additions and 0 deletions
--- a/actions/example-workflow-call-expansion/.forgejo/workflows/reusable-layer-1.yml
+++ b/actions/example-workflow-call-expansion/.forgejo/workflows/reusable-layer-1.yml
@ -28,6 +28,12 @@ jobs:
        run: |
          set -x
          test "top-level-input1" = "${{ inputs.input1 }}"
+      - name: verify workflow secrets
+        run: |
+          set -x
+          test "AAAA" = "${{ secrets.secret1 }}"
+          test "BBBB1234" = "${{ secrets.secret2 }}"
+          test "" = "${{ secrets.secret3 }}" # wasn't specified to the workflow, should be absent
      - name: indicate callee-1 hit
        run: touch /srv/example/callee-1

@ -36,6 +42,7 @@ jobs:
    with:
      input1: ${{ inputs.input1 }}
      input2: mid-level-input2
+    secrets: inherit

  callee-2:
    needs: [callee-1, layer-2]
--- a/actions/example-workflow-call-expansion/.forgejo/workflows/reusable-layer-2.yml
+++ b/actions/example-workflow-call-expansion/.forgejo/workflows/reusable-layer-2.yml
@ -28,6 +28,12 @@ jobs:
          set -x
          test "top-level-input1" = "${{ inputs.input1 }}"
          test "mid-level-input2" = "${{ inputs.input2 }}"
+      - name: verify workflow secrets inherited
+        run: |
+          set -x
+          test "AAAA" = "${{ secrets.secret1 }}"
+          test "BBBB1234" = "${{ secrets.secret2 }}"
+          test "" = "${{ secrets.secret3 }}" # wasn't specified to the workflow, should be absent
      - name: indicate callee-3 hit
        run: touch /srv/example/callee-3

--- a/actions/example-workflow-call-expansion/.forgejo/workflows/test.yml
+++ b/actions/example-workflow-call-expansion/.forgejo/workflows/test.yml
@ -6,6 +6,9 @@ jobs:
    uses: ./.forgejo/workflows/reusable-layer-1.yml
    with:
      input1: top-level-input1
+    secrets:
+      secret1: AAAA
+      secret2: BBBB1234

  verify:
    needs: [layer-1]
@ -15,6 +18,13 @@ jobs:
      volumes:
        - /srv/example:/srv/example
    steps:
+      - name: verify test config secret
+        run: |
+          set -x
+          # SECRET3 is set on the repo, but not passed into `reusable-layer-1.yml` so that we can test secrets don't
+          # leak into the workflow if they're not explicitly defined. This check verifies that the test environment has
+          # that secret, otherwise the test assertions that it isn't present within the workflow would be meaningless.
+          test "CCCC" = "${{ secrets.secret3 }}"
      - name: verify callee-[0-4] completed
        run: |
          set -x
--- a/actions/example-workflow-call-expansion/run.sh
+++ b/actions/example-workflow-call-expansion/run.sh
@ -0,0 +1,12 @@
+repo=root/example-$example
+api=$url/api/v1
+
+# Prepare test repo
+forgejo-test-helper.sh push_workflow actions/example-$example $url root example-$example setup-forgejo $token
+sha=$(forgejo-test-helper.sh branch_tip $url $repo main)
+
+# Install a repo secret
+forgejo-curl.sh api_json -X PUT --data-raw '{"data":"CCCC"}' $api/repos/$repo/actions/secrets/SECRET3
+
+# Wait for action to complete
+forgejo-test-helper.sh wait_success $url root/example-$example $sha