cnti-testcatalog / testsuite

📞📱☎️📡🌐 Cloud Native Telecom Initiative (CNTI) Test Catalog is a tool to check for and provide feedback on the use of K8s + cloud native best practices in networking applications and platforms
https://wiki.lfnetworking.org/display/LN/Test+Catalog
Apache License 2.0

[MAINTENANCE] Enable github actions to be (successfully) run for PRs created from forked repos #2066

Closed martin-mat closed 3 days ago

martin-mat commented 3 weeks ago

Currently, GitHub Actions fail when run on a PR created from a forked repo. This is extremely inconvenient and requires manual work from the maintainer team to test the PR by hand.

Error: Cannot perform an interactive login from a non TTY device
Error: Process completed with exit code 1.

Example: https://github.com/cnti-testcatalog/testsuite/actions/runs/9355430581/job/25750561406?pr=2056

svteb commented 2 weeks ago

From ChatGPT:

The error message `Cannot perform an interactive login from a non TTY device` occurs because the `docker login` command is trying to run in a non-interactive shell, and it fails due to the absence of the required environment variables that should be populated with secrets.

The solution would be to somehow implement the pull_request_target event. But there are possible problems with security, some described in this stackoverflow thread.

kosstennbl commented 1 week ago

Some analysis about secret usage in our workflows: We have only 2 places in our actions where secrets are needed:

  1. GITHUB_TOKEN
  2. Docker login ENV

IMO GitHub token usage can be safely removed from actions, as it is only used for automatic creation of releases for each PR (which is redundant in my view; we have 587 releases at the moment).

Docker login is a harder situation to solve; as I remember, we need it because of the large number of images pulled during testing. I see two solutions there:

  1. Check and, if possible, fix the large number of requests to DockerHub in our spec tests
  2. Pre-load all the required images onto the runners before the start of the test (but it could run into the same limitations)

About pull_request_target: it seems that it can help by running in "privileged mode" on the target branch of the PR while checking out code from the "change" branch of the PR. Security measures need to be taken not to leak secrets through the environment or other means. Also, it seems that we wouldn't be able to test changes to CI with this method (as it will always run CI from main); some additional tricks would be needed. I could be missing or misunderstanding something, feel free to correct.
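For readers weighing the `pull_request_target` option discussed above, the following workflow is an added example (not from the cnti-testcatalog repository) of the gated pattern: the job runs with the base repository's secrets, but only after a maintainer has applied a label to the PR, so code from a fork never gets Docker Hub credentials before someone has looked at the diff. The label name `safe-to-test`, the secret names `DOCKERHUB_USERNAME` and `DOCKERHUB_TOKEN`, and the `make test` entry point are assumed placeholders, not names from the project.

```yaml
# Added example, not part of the cnti-testcatalog repo. Assumed names:
# the "safe-to-test" label, the DOCKERHUB_USERNAME / DOCKERHUB_TOKEN
# secrets and the "make test" entry point are placeholders.
name: fork-pr-tests

on:
  pull_request_target:
    # Only the "labeled" event triggers the job. A new push to the PR does
    # not re-run it with secrets; a reviewer removes and re-adds the label
    # after looking at the updated diff.
    types: [labeled]

# Minimal GITHUB_TOKEN permissions: this job never writes to the repo,
# which also covers the release-creation concern raised above.
permissions:
  contents: read

jobs:
  test:
    # Gate: run only when the specific label was just applied by a maintainer.
    if: github.event.label.name == 'safe-to-test'
    runs-on: ubuntu-latest
    steps:
      # pull_request_target checks out the base branch by default, so the
      # PR head is selected explicitly. persist-credentials: false keeps
      # the token out of the checked-out git config.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false

      # Secrets are available because the workflow runs in the base
      # repository's context; the label gate above is what makes that safe.
      - uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      # The test suite itself comes from the PR head checked out above.
      - run: make test
```

Two design points worth noting. First, the workflow file itself is always taken from the base branch under `pull_request_target`, which is the limitation kosstennbl mentions: CI changes in a PR are not exercised by this job and still need a separate `pull_request`-triggered workflow without secrets. Second, the label gate is the only thing standing between fork code and the credentials, so the Docker Hub token used here should be a read-only access token scoped to pulls rather than an account password.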