-
Notifications
You must be signed in to change notification settings - Fork 11
131 lines (119 loc) · 3.76 KB
/
test.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
---
name: pull_request_target
on: pull_request_target
concurrency:
group: ${{ github.workflow }}--${{ github.head_ref }} # github.ref is unavailable in case of pull_request_target
cancel-in-progress: true
permissions: {}
jobs:
path-filter:
uses: ./.github/workflows/wc-path-filter.yaml
permissions: {}
secrets:
gh_app_id: ${{secrets.APP_ID}}
gh_app_private_key: ${{secrets.APP_PRIVATE_KEY}}
enable-auto-merge:
# This job is used for main branch's branch protection rule's status check.
# If all dependent jobs succeed or are skipped this job succeeds.
uses: ./.github/workflows/wc-enable-auto-merge.yaml
needs:
- status-check
permissions: {}
secrets:
gh_app_id: ${{secrets.APP_ID}}
gh_app_private_key: ${{secrets.APP_PRIVATE_KEY}}
if: |
! failure() && ! cancelled() && github.event.pull_request.user.login == 'renovate[bot]' && contains(github.event.pull_request.body, ' **Automerge**: Enabled.')
# This job is used for branch protection rule
# Add this job to `Status checks that are required`
status-check:
runs-on: ubuntu-latest
needs:
- conftest-verify
- hide-comment
- opa-fmt
- renovate-config-validator
- test
- update-aqua-checksums
if: failure()
steps:
- run: exit 1
conftest-verify:
uses: ./.github/workflows/wc-conftest-verify.yaml
needs: path-filter
if: |
needs.path-filter.outputs.conftest-verify == 'true'
permissions:
contents: read
with:
ref: ${{needs.path-filter.outputs.merge_commit_sha}}
secrets:
gh_app_id: ${{secrets.APP_ID}}
gh_app_private_key: ${{secrets.APP_PRIVATE_KEY}}
ghalint:
uses: ./.github/workflows/wc-ghalint.yaml
needs: path-filter
if: |
needs.path-filter.outputs.ghalint == 'true'
permissions:
contents: read
with:
ref: ${{needs.path-filter.outputs.merge_commit_sha}}
secrets:
gh_app_id: ${{secrets.APP_ID}}
gh_app_private_key: ${{secrets.APP_PRIVATE_KEY}}
hide-comment:
uses: ./.github/workflows/wc-hide-comment.yaml
needs: path-filter
permissions:
contents: read
with:
ref: ${{needs.path-filter.outputs.merge_commit_sha}}
secrets:
gh_app_id: ${{secrets.APP_ID}}
gh_app_private_key: ${{secrets.APP_PRIVATE_KEY}}
opa-fmt:
uses: ./.github/workflows/wc-opa-fmt.yaml
needs: path-filter
if: |
needs.path-filter.outputs.opa-fmt == 'true'
permissions:
contents: read
pull-requests: write
with:
ref: ${{needs.path-filter.outputs.merge_commit_sha}}
secrets:
gh_app_id: ${{secrets.APP_ID}}
gh_app_private_key: ${{secrets.APP_PRIVATE_KEY}}
renovate-config-validator:
uses: ./.github/workflows/wc-renovate-config-validator.yaml
needs: path-filter
if: needs.path-filter.outputs.renovate-config-validator == 'true'
with:
ref: ${{needs.path-filter.outputs.merge_commit_sha}}
permissions:
contents: read
test:
uses: ./.github/workflows/wc-test.yaml
needs: path-filter
permissions:
id-token: write
contents: read
with:
ref: ${{needs.path-filter.outputs.merge_commit_sha}}
secrets:
gh_app_id: ${{secrets.APP_ID}}
gh_app_private_key: ${{secrets.APP_PRIVATE_KEY}}
terraform_private_module_ssh_key: ${{secrets.TERRAFORM_PRIVATE_MODULE_SSH_KEY}}
secrets: ${{toJSON(secrets)}}
update-aqua-checksums:
uses: ./.github/workflows/wc-update-aqua-checksums.yaml
needs: path-filter
if: needs.path-filter.outputs.update-aqua-checksums == 'true'
permissions:
contents: read
with:
ref: ${{needs.path-filter.outputs.merge_commit_sha}}
secrets:
gh_app_id: ${{secrets.APP_ID}}
gh_app_private_key: ${{secrets.APP_PRIVATE_KEY}}