diff --git a/.github/actionlint.yaml b/.github/actionlint.yaml
index bf5cae2..e33a72b 100644
--- a/.github/actionlint.yaml
+++ b/.github/actionlint.yaml
@@ -1,4 +1,6 @@
 ---
 self-hosted-runner:
 labels:
- - ubuntu-24.04-large
+ - sonar-xs
+ - github-ubuntu-latest-s
+ - github-windows-latest-s
diff --git a/.github/workflows/check-cache-migration.yml b/.github/workflows/check-cache-migration.yml
index edef6f4..9aeaaa8 100644
--- a/.github/workflows/check-cache-migration.yml
+++ b/.github/workflows/check-cache-migration.yml
@@ -15,7 +15,7 @@ on:
 
 jobs:
 check-migration:
- runs-on: ubuntu-latest
+ runs-on: github-ubuntu-latest-s
 name: Compare GitHub cache vs S3
 permissions:
 id-token: write
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index 81db98f..7bbc54e 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -6,7 +6,7 @@ on:
 jobs:
 pre-commit:
 name: "pre-commit"
- runs-on: ubuntu-latest
+ runs-on: github-ubuntu-latest-s
 steps:
 - uses: SonarSource/gh-action_pre-commit@fc9d73025994fd1c2b96d568c8c8a4af82a3ae21 # 1.0.6
 with:
diff --git a/.github/workflows/test-action.yml b/.github/workflows/test-action.yml
index e7ee7d4..10da10a 100644
--- a/.github/workflows/test-action.yml
+++ b/.github/workflows/test-action.yml
@@ -147,9 +147,11 @@ jobs:
 # This is the scenario that caused production failures
 - name: Overwrite AWS credentials (simulating user workflow)
 run: |
- echo "AWS_ACCESS_KEY_ID=FAKE_KEY_TO_OVERRIDE" >> "$GITHUB_ENV"
- echo "AWS_SECRET_ACCESS_KEY=FAKE_SECRET_TO_OVERRIDE" >> "$GITHUB_ENV"
- echo "AWS_SESSION_TOKEN=FAKE_TOKEN_TO_OVERRIDE" >> "$GITHUB_ENV"
+ {
+ echo "AWS_ACCESS_KEY_ID=FAKE_KEY_TO_OVERRIDE"
+ echo "AWS_SECRET_ACCESS_KEY=FAKE_SECRET_TO_OVERRIDE"
+ echo "AWS_SESSION_TOKEN=FAKE_TOKEN_TO_OVERRIDE"
+ } >> "$GITHUB_ENV"
 echo "Simulated credential override via GITHUB_ENV"
 
 # Step 3: Create something to cache
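Review bot: `check-migration` keeps `permissions: id-token: write` while its `runs-on` moves from GitHub-hosted `ubuntu-latest` to `github-ubuntu-latest-s`, a label this commit registers under `self-hosted-runner` in .github/actionlint.yaml; whether that label is a self-hosted pool or an organisation-provisioned larger runner is not visible here. A job that mints an OIDC cloud token (presumably for the S3 side of the comparison) inherits the isolation of whatever machine runs it, so the runner choice deserves a line of documentation, e.g. `runs-on: github-ubuntu-latest-s  # <runner pool>: confirm each job gets a fresh machine, since this job mints an OIDC token`. The workflow's triggers are outside the hunk, so I cannot tell which events can reach this runner. The same `runs-on` change next to `id-token: write` appears in .github/workflows/test-credential-isolation.yml.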
@@ -264,11 +266,13 @@ jobs:
 
 - name: Set conflicting AWS env vars
 run: |
- echo "AWS_ACCESS_KEY_ID=AKIAFAKEENV" >> "$GITHUB_ENV"
- echo "AWS_SECRET_ACCESS_KEY=fakesecretenv" >> "$GITHUB_ENV"
- echo "AWS_SESSION_TOKEN=faketokenenv" >> "$GITHUB_ENV"
- echo "AWS_PROFILE=some-other-profile" >> "$GITHUB_ENV"
- echo "AWS_DEFAULT_PROFILE=some-other-profile" >> "$GITHUB_ENV"
+ {
+ echo "AWS_ACCESS_KEY_ID=AKIAFAKEENV"
+ echo "AWS_SECRET_ACCESS_KEY=fakesecretenv"
+ echo "AWS_SESSION_TOKEN=faketokenenv"
+ echo "AWS_PROFILE=some-other-profile"
+ echo "AWS_DEFAULT_PROFILE=some-other-profile"
+ } >> "$GITHUB_ENV"
 
 # Cache action should override the conflicting credentials
 - name: Cache with S3
@@ -283,9 +287,11 @@ jobs:
 
 - name: Re-override with fake credentials (simulating mid-job auth change)
 run: |
- echo "AWS_ACCESS_KEY_ID=AKIAFAKEOVERRIDE" >> "$GITHUB_ENV"
- echo "AWS_SECRET_ACCESS_KEY=fakesecretoverride" >> "$GITHUB_ENV"
- echo "AWS_SESSION_TOKEN=faketokenoverride" >> "$GITHUB_ENV"
+ {
+ echo "AWS_ACCESS_KEY_ID=AKIAFAKEOVERRIDE"
+ echo "AWS_SECRET_ACCESS_KEY=fakesecretoverride"
+ echo "AWS_SESSION_TOKEN=faketokenoverride"
+ } >> "$GITHUB_ENV"
 
 - name: Create something to cache
 run: |
@@ -328,3 +334,22 @@ jobs:
 pip install pytest requests
 
 # SUCCESS: credential-guard post step runs, then runs-on/cache saves to S3
+
+ all-green:
+ name: All Tests
+ if: always()
+ needs:
+ - test-github-cache
+ - test-s3-cache
+ - test-s3-cache-with-fallback
+ - test-s3-cache-with-credential-interference
+ - test-s3-cache-windows
+ - test-s3-cache-multiple-invocations
+ - test-s3-cache-with-preset-aws-config
+ - test-s3-cache-survives-git-clean
+ runs-on: github-ubuntu-latest-s
+ steps:
+ - name: Decide whether the needed jobs succeeded or failed
+ uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
+ with:
+ jobs: ${{ toJSON(needs) }}
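Review bot: The new `all-green` job hard-codes eight `needs` entries, and with `if: always()` plus alls-green a needed job that is skipped by a condition (not visible here) is reported as a failure unless it is named in the action's `allowed-skips` input, while a test job that is not listed at all is simply not gated. Keeping that list in step with the jobs defined in this file is a manual discipline, so a comment above `needs:` such as `# every test job in this file must be listed here, otherwise it does not gate merges` would state the expectation where the next editor will see it. The same `all-green` pattern is added in .github/workflows/test-cache-migration-gh2s3.yml and the note applies there too. Pinning the action to a full commit SHA with a version comment is the right form.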
diff --git a/.github/workflows/test-cache-migration-gh2s3.yml b/.github/workflows/test-cache-migration-gh2s3.yml
index b20f01d..1d4e065 100644
--- a/.github/workflows/test-cache-migration-gh2s3.yml
+++ b/.github/workflows/test-cache-migration-gh2s3.yml
@@ -172,3 +172,21 @@ jobs:
 [[ "${{ steps.cache.outputs.cache-hit }}" == "true" ]] || { echo "ERROR: cache-hit is not true — GitHub cache was not imported for a public repo"; exit 1; }
 [[ "$(cat ~/.cache/test-migration/test-file.txt)" == "github-content" ]] || { echo "ERROR: unexpected content, not restored from GitHub"; exit 1; }
 rm -rf ~/.cache/test-migration # prevent saving to S3 so other scenarios don't find it
+
+ all-green:
+ name: All Tests - Cache Migration
+ if: always()
+ needs:
+ - provision-github-cache
+ - provision-s3-cache
+ - test-s3-import-enabled
+ - test-s3-import-disabled
+ - test-s3-import-disabled-via-env
+ - test-s3-hit-skips-github-import
+ - test-auto-public-import-enabled
+ runs-on: github-ubuntu-latest-s
+ steps:
+ - name: Decide whether the needed jobs succeeded or failed
+ uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
+ with:
+ jobs: ${{ toJSON(needs) }}
diff --git a/.github/workflows/test-credential-isolation.yml b/.github/workflows/test-credential-isolation.yml
index 10aae0f..28ffcb1 100644
--- a/.github/workflows/test-credential-isolation.yml
+++ b/.github/workflows/test-credential-isolation.yml
@@ -9,8 +9,8 @@ on:
 workflow_dispatch:
 
 jobs:
- credential-isolation-tests:
- runs-on: ubuntu-latest
+ tests-credential-isolation:
+ runs-on: github-ubuntu-latest-s
 permissions:
 id-token: write
 contents: read
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 33faa82..c900f4c 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
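Review bot: Renaming the job id from `credential-isolation-tests` to `tests-credential-isolation` also renames the status check GitHub reports for it, since no `name:` is visible on the job (the rest of the job block is outside the hunk; if a `name:` appears further down, this does not apply). Any branch-protection or ruleset entry that requires the old check will then sit waiting for a status that is never reported, so either update that configuration in the same change or keep the reported name stable with `name: credential-isolation-tests` directly under the new id. The `runs-on` change here carries the same `id-token: write` consideration as the one in .github/workflows/check-cache-migration.yml.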
@@ -7,13 +7,17 @@ repos:
 - id: check-hooks-apply
 - id: check-useless-excludes
 - repo: https://github.com/pre-commit/pre-commit-hooks
- rev: 3298ddab3c13dd77d6ce1fc0baf97691430d84b0 # frozen: v4.3.0
+ rev: v6.0.0
 hooks:
 - id: trailing-whitespace
 - id: end-of-file-fixer
 - id: check-added-large-files
 exclude: ^(credential-setup/dist/|credential-guard/dist/)
 - repo: https://github.com/igorshubovych/markdownlint-cli
- rev: f295829140d25717bc79368d3f966fc1f67a824f # frozen: v0.41.0
+ rev: v0.48.0
 hooks:
 - id: markdownlint
+ - repo: https://github.com/rhysd/actionlint
+ rev: v1.7.11 # v1.7.1
+ hooks:
+ - id: actionlint
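Review bot: The `rev` for pre-commit-hooks and markdownlint-cli moves from a frozen commit SHA (`# frozen: v4.3.0`, `# frozen: v0.41.0`) to a bare tag (`v6.0.0`, `v0.48.0`), and the new actionlint entry is tag-pinned as well. A tag is a mutable reference, so this trades the immutable pin the file previously kept — the `pre-commit autoupdate --freeze` convention the old comments show — for one that a force-pushed or compromised upstream can silently redirect; I would keep the frozen form, e.g. `rev: <commit SHA of v6.0.0>  # frozen: v6.0.0`, for all three entries. Separately, the comment on the new entry contradicts its value, `rev: v1.7.11 # v1.7.1`; either drop the comment or make it agree with the pinned version.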