ci: refactor test setup #100

Open: reubenmiller wants to merge 2 commits into main from ci/refactor-test-setup

@reubenmiller

Contributor

Summary

Modernizes the CI test setup, applying the fork-safe pattern from thin-edge/tedge-apk-plugin#5. The dominant legacy pattern in this repo was the pull_request_target + manual GitHub Environment approval workflow; the per-test DeviceLibrary.Setup, parametrized Dockerfile, and justfile were already modern, so this PR focuses on the workflow.

What changed

  • Fork-PR safety. Dropped pull_request_target + the manual approve environment gate. In-repo (maintainer) PRs now run automatically on pull_request; fork PRs are skipped on that event and instead run only when a maintainer comments /test (new test-slash-command.yaml → repository_dispatch). Secrets are never exposed to untrusted fork code.
  • build → test → Tests Pass shape. A new build job builds the container-bundle *.tar.gz artifacts once per tedge/tedge-main image and uploads them. The test matrix downloads the matching bundles and only builds the per-engine test-infrastructure image — avoiding a full bundle rebuild in each of the 14 matrix combinations.
  • Stable branch-protection gate. Added a Tests Pass job that fails if build or any matrix test job failed. Require this check in branch protection (matrix job names change; this one is stable).
  • Checkout ref handled across all four triggers (pull_request, repository_dispatch, workflow_dispatch with a ref input, merge_group), and the Robot Framework report is posted back to the PR for both maintainer and /test runs.

Supporting changes

  • justfile: split build-test into build-test-bundles + build-test-image so the test job can build only the infra image.
  • tests/.python-version: pins Python via python-version-file (replaces the hard-coded python-version: '3.11').

⚠️ Action required by a maintainer

  • Add a COMMUNITY_ACTIONS_PAT secret — a repo-scoped PAT. The default GITHUB_TOKEN cannot create repository_dispatch events, so the /test slash command will not work without it.
  • Update branch protection to require the Tests Pass status check (and drop the old per-matrix Test … checks).

Notes

  • Per-test device setup (DeviceLibrary.Setup / Stop Device → Delete Managed Object And Device User), the TEDGE_IMAGE/TEDGE_TAG-parametrized Dockerfile, and the justfile (no compose-demo targets) were already in the modern shape, so they are unchanged. The mixed Suite Setup vs Test Setup usage across suites is intentional (the operations/telemetry suites share device state across cases) and was left as-is.
  • actionlint passes (only a pre-existing SC2129 style nit on the .env redirects, carried over from the original workflow).

🤖 Generated with Claude Code

reubenmiller and others added 2 commits June 22, 2026 17:48
Fork PRs cannot access repository secrets on the pull_request event, so
the integration tests cannot run automatically for them. This workflow
listens for a maintainer commenting /test on a PR and dispatches a
repository_dispatch event (in the base-repo context, which has secret
access) that triggers test.yaml against the fork's head commit.

Requires a repo-scoped PAT stored as the COMMUNITY_ACTIONS_PAT secret;
the default GITHUB_TOKEN cannot create repository_dispatch events.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Replace the pull_request_target + manual GitHub Environment approval
setup with a fork-safe structure:

- In-repo (maintainer) PRs run automatically on pull_request; fork PRs
  are skipped on that event and instead run via the /test slash command
  (repository_dispatch), so secrets are never exposed to untrusted code.
- Split the single test job into a build job (builds the container
  bundle tar.gz artifacts once per tedge image and uploads them) and a
  test matrix that downloads the bundles and only builds the per-engine
  test infrastructure image. This avoids rebuilding the bundles in every
  one of the 14 matrix combinations.
- Add a stable "Tests Pass" gate job for branch protection (matrix job
  names change; this single status does not).
- Handle the checkout ref across all triggers (pull_request,
  repository_dispatch, workflow_dispatch, merge_group) and post the
  Robot Framework report back to the PR for both maintainer and /test
  runs.

Supporting changes:
- justfile: split build-test into build-test-bundles + build-test-image
  so the test job can build only the infra image.
- tests/.python-version: pin the Python version via python-version-file.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
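
A small Python model of the gating described in the PR description and commit messages above, added here as an illustration and not code from this pull request or repository: it decides which trigger may run the secret-bearing tests and which ref is checked out. The client_payload layout, the author associations treated as "maintainer", and the use of the head SHA for in-repo PRs are assumptions.

```python
# Added illustration; not the workflow from this PR.
TRUSTED = {"OWNER", "MEMBER", "COLLABORATOR"}  # assumed meaning of "maintainer"

def should_dispatch(comment_event):
    """Slash-command side: dispatch only for a maintainer's /test on a PR."""
    issue = comment_event.get("issue") or {}
    comment = comment_event.get("comment") or {}
    words = (comment.get("body") or "").split()
    return ("pull_request" in issue and words[:1] == ["/test"]
            and comment.get("author_association") in TRUSTED)

def plan_run(event_name, event):
    """Test-workflow side: return (run, ref) for the four supported triggers."""
    if event_name == "pull_request":
        pr = event["pull_request"]
        # head.repo is null when the fork has been deleted; treat as untrusted.
        head_repo = (pr["head"].get("repo") or {}).get("full_name")
        if head_repo != event["repository"]["full_name"]:
            return (False, None)  # fork PR: skipped, waits for /test
        return (True, pr["head"]["sha"])
    if event_name == "repository_dispatch":
        # Assumed payload shape: client_payload.pull_request.head.sha
        pr = (event.get("client_payload") or {}).get("pull_request") or {}
        sha = (pr.get("head") or {}).get("sha")
        return (sha is not None, sha)  # a pinned SHA, not a movable branch name
    if event_name == "workflow_dispatch":
        ref = (event.get("inputs") or {}).get("ref") or event.get("ref")
        return (ref is not None, ref)
    if event_name == "merge_group":
        return (True, event["merge_group"]["head_sha"])
    return (False, None)  # any other trigger (e.g. pull_request_target) never runs

# Constructed sample payloads (not captured from the repository).
REPO = {"full_name": "example-org/example-repo"}
FORK_PR = {"repository": REPO, "pull_request": {"head": {
    "sha": "a" * 40, "repo": {"full_name": "outside-user/example-repo"}}}}
IN_REPO_PR = {"repository": REPO, "pull_request": {"head": {
    "sha": "b" * 40, "repo": REPO}}}
SLASH_TEST = {"client_payload": {"pull_request": {"head": {"sha": "a" * 40}}}}
MAINTAINER_COMMENT = {"issue": {"pull_request": {}}, "comment": {
    "body": "/test", "author_association": "MEMBER"}}
OUTSIDER_COMMENT = {"issue": {"pull_request": {}}, "comment": {
    "body": "/test", "author_association": "CONTRIBUTOR"}}

if __name__ == "__main__":
    for name, ev in [("pull_request", FORK_PR), ("pull_request", IN_REPO_PR),
                     ("repository_dispatch", SLASH_TEST)]:
        print(name, plan_run(name, ev))
    print(should_dispatch(MAINTAINER_COMMENT), should_dispatch(OUTSIDER_COMMENT))
```

Dispatching the head SHA captured when /test was posted means commits pushed to the fork afterwards are not tested until a maintainer comments again.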
@reubenmiller reubenmiller temporarily deployed to Test Pull Request June 22, 2026 15:49 — with GitHub Actions Inactive
@github-actions

github-actions Bot commented Jun 22, 2026

Robot Results

| ✅ Passed | ❌ Failed | ⏭️ Skipped | Total | Pass % | ⏱️ Duration |
|---|---|---|---|---|---|
| 21 | 0 | 1 | 21 | 100 | 10m37.039589s |
