python-run-tests.yml
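# Reusable workflow (workflow_call): checks out the calling repository,
# optionally authenticates to Google Cloud and AWS, installs Python and the
# requirements, then runs pytest through orb and uploads artifacts on failure.
name: Run Python tests
on:
  workflow_call:
    inputs:
      python-version:
        description: The Python version to use
        # NOTE(review): a number cannot represent versions such as 3.10
        # (it is read as 3.1). The type is left as-is to keep the caller
        # interface unchanged.
        type: number
        required: false
        default: 3.12
      runs-on:
        description: The runner to use
        type: string
        required: false
        default: ubuntu-24.04
      requirements:
        description: The path to the requirements file
        type: string
        required: false
        default: requirements/dev.txt
      fetch-depth:
        description: Number of commits to fetch
        type: string
        required: false
        # Quoted so that the default matches the declared string type
        default: '1'
      pytest-args:
        description: Additional pytest command-line arguments to use
        type: string
        required: false
      playbook-roles:
        description: The Logikal playbook roles to run (comma-separated list)
        type: string
        required: false
      playbook-vars:
        description: The Logikal playbook variables to set (string-encoded JSON)
        type: string
        required: false
        default: '{}'
      upload-artifacts:
        description: Whether to upload artifacts when tests fail
        type: boolean
        required: false
        default: true
      gcp-workload-identity-provider:
        description: Full identifier of the GitHub workload identity pool provider in Google Cloud
        type: string
        required: false
      gcp-service-account-email:
        description: Email of the Google Cloud service account used for running tests
        type: string
        required: false
      aws-role:
        description: The ARN of the AWS role used for running tests
        type: string
        required: false
      aws-region:
        description: The AWS region to use for authorization
        type: string
        required: false

# One active run per calling workflow and ref; a newer run cancels the older
# one. The run ID is the fallback when github.ref is empty.
concurrency:
  group: python-run-tests-${{ github.workflow_ref }}-${{ github.ref || github.run_id }}
  cancel-in-progress: true

jobs:
  run-tests:
    name: Run tests
    runs-on: ${{ inputs.runs-on }}
    permissions:
      contents: read
      # Lets the job request an OIDC token, which the cloud authentication
      # steps exchange for short-lived credentials. It is granted even when
      # neither cloud input is set.
      id-token: write
    steps:
      # NOTE(review): the actions below are referenced by mutable version
      # tags. Since this job holds id-token: write and cloud credentials,
      # consider pinning each one to a full commit SHA.
      - name: Check out repository
        uses: actions/checkout@v6
        with:
          fetch-depth: ${{ inputs.fetch-depth }}
      # The cloud steps are skipped unless the matching input is set. The
      # condition is first rendered into RUN_STEP and compared as a string.
      - name: Authenticate to Google Cloud Platform
        uses: google-github-actions/auth@v3
        env:
          RUN_STEP: ${{ inputs.gcp-service-account-email != '' }}
        if: env.RUN_STEP == 'true'
        with:
          workload_identity_provider: ${{ inputs.gcp-workload-identity-provider }}
          service_account: ${{ inputs.gcp-service-account-email }}
      - name: Authenticate to Amazon Web Services
        uses: aws-actions/configure-aws-credentials@v6
        env:
          RUN_STEP: ${{ inputs.aws-role != '' }}
        if: env.RUN_STEP == 'true'
        with:
          aws-region: ${{ inputs.aws-region }}
          role-to-assume: ${{ inputs.aws-role }}
      - name: Install Python
        uses: actions/setup-python@v6
        with:
          python-version: ${{ inputs.python-version }}
      - name: Run playbooks
        uses: logikal-io/run-logikal-playbook@v2
        if: inputs.playbook-roles != ''
        with:
          roles: ${{ inputs.playbook-roles }}
          vars: ${{ inputs.playbook-vars }}
      - name: Install gcloud CLI
        uses: google-github-actions/setup-gcloud@v3
        env:
          RUN_STEP: ${{ inputs.gcp-service-account-email != '' }}
        if: env.RUN_STEP == 'true'
      - name: Authenticate Docker
        env:
          RUN_STEP: ${{ inputs.gcp-service-account-email != '' }}
        if: env.RUN_STEP == 'true'
        run: gcloud auth configure-docker --quiet marketplace.gcr.io
      - name: Install requirements
        uses: logikal-io/make-orb@v1
        with:
          requirements: ${{ inputs.requirements }}
      # See https://chromium.googlesource.com/chromium/src/+/main/docs/security/
      # apparmor-userns-restrictions.md
      #
      # Both profiles are unconfined and only add the userns permission for the
      # browser binaries under the runner user's cache directory.
      # NOTE(review): the files are written to /etc/apparmor.d and are not
      # removed afterwards; on a self-hosted runner chosen through the runs-on
      # input they would persist between jobs.
      - name: Add AppArmor profiles
        run: |
          # The here-document feeds tee directly; the delimiter is quoted so
          # that the shell performs no expansion inside the profile text.
          # Chrome
          sudo tee /etc/apparmor.d/chrome-dev <<'EOF'
          abi <abi/4.0>,
          include <tunables/global>
          profile chrome-dev /@{HOME}/.cache/logikal_browser/chrome/**/chrome flags=(unconfined) {
            userns,
            include if exists <local/chrome>
          }
          EOF
          # Edge
          sudo tee /etc/apparmor.d/edge-dev <<'EOF'
          abi <abi/4.0>,
          include <tunables/global>
          profile edge-dev /@{HOME}/.cache/logikal_browser/edge/**/msedge flags=(unconfined) {
            userns,
            include if exists <local/msedge>
          }
          EOF
          sudo service apparmor reload
      - name: Run pytest
        env:
          # The caller-supplied arguments travel through the environment, so
          # they are not substituted into the script text before the shell
          # parses it (a quote in the input can no longer end the string).
          # NOTE(review): orb presumably still interprets the command string
          # itself; confirm how it executes it.
          PYTEST_ARGS: ${{ inputs.pytest-args }}
        run: orb --command "pytest ${PYTEST_ARGS}"
      # NOTE(review): the pytest temporary directory is uploaded as-is;
      # confirm that tests do not write credentials into it.
      - name: Upload pytest artifacts
        uses: actions/upload-artifact@v7
        if: failure() && inputs.upload-artifacts
        with:
          name: pytest-artifacts
          path: /tmp/pytest-of-runner/
          if-no-files-found: ignore
          retention-days: 7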