test-all-warehouses.yml
# Runs the reusable test-warehouse.yml workflow once per warehouse platform
# listed in the test job's matrix.
name: Test all warehouse platforms
# Both PR triggers below use the same branch and path filters, so a matching PR
# raises both events. The check-fork-status job then lets exactly one of the
# two runs continue, depending on whether the PR head is a fork.
on:
  # For internal PRs (non-forks) - no approval needed, can test workflow changes immediately
  pull_request:
    branches: ["master"]
    paths:
      - elementary/**
      - tests/**
      - .github/**
      - pyproject.toml
  # For fork PRs - requires approval before running (has access to secrets)
  # pull_request_target runs the workflow definition from the base branch, so a
  # fork cannot alter this file for its own run. The code under test is still
  # the fork's commit (the test job passes the PR head SHA as elementary-ref)
  # and has to be treated as untrusted.
  pull_request_target:
    branches: ["master"]
    paths:
      - elementary/**
      - tests/**
      - .github/**
      - pyproject.toml
  # Manual runs. These inputs are only populated for workflow_dispatch; on PR
  # events they are empty and the fallbacks in the test job apply.
  workflow_dispatch:
    inputs:
      elementary-ref:
        type: string
        required: false
        description: Branch or tag to checkout for 'elementary' repository
      dbt-data-reliability-ref:
        type: string
        required: false
        description: Branch or tag to checkout for 'dbt-data-reliability' repository
      dbt-version:
        type: string
        required: false
        description: dbt's version to test with
      generate-data:
        type: boolean
        required: false
        default: false
        description: Whether to generate new data
# Default-deny for the GITHUB_TOKEN: no scopes are granted at workflow level,
# and each job below declares only what it needs.
permissions: {}
jobs:
  # Determine if this is a fork PR and skip if wrong trigger is used
  # Outputs:
  #   is_fork     - "true" when the PR head repository is not this repository
  #   should_skip - "true" when the event type does not match the PR origin
  # For workflow_dispatch both outputs stay "false".
  check-fork-status:
    runs-on: ubuntu-latest
    permissions: {}
    outputs:
      is_fork: ${{ steps.check.outputs.is_fork }}
      should_skip: ${{ steps.check.outputs.should_skip }}
    steps:
      - name: Check if PR is from fork
        id: check
        # Context values are handed to the script as environment variables
        # rather than expanded into the script text, so the shell treats them
        # as data. The head repository name is chosen by the PR author.
        env:
          EVENT_NAME: ${{ github.event_name }}
          PR_HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
          REPOSITORY: ${{ github.repository }}
        # Any head repository value that is not exactly this repository,
        # including an empty one, is classified as a fork, so the check fails
        # towards the approval path.
        run: |
          IS_FORK="false"
          SHOULD_SKIP="false"
          if [[ "$EVENT_NAME" == "pull_request" || "$EVENT_NAME" == "pull_request_target" ]]; then
            if [[ "$PR_HEAD_REPO" != "$REPOSITORY" ]]; then
              IS_FORK="true"
            fi
            # Skip if: pull_request from fork (should use pull_request_target) OR pull_request_target from non-fork (should use pull_request)
            if [[ "$EVENT_NAME" == "pull_request" && "$IS_FORK" == "true" ]]; then
              SHOULD_SKIP="true"
            elif [[ "$EVENT_NAME" == "pull_request_target" && "$IS_FORK" == "false" ]]; then
              SHOULD_SKIP="true"
            fi
          fi
          echo "is_fork=$IS_FORK" >> "$GITHUB_OUTPUT"
          echo "should_skip=$SHOULD_SKIP" >> "$GITHUB_OUTPUT"
  # Approval gate for fork PRs (only runs once for all platforms)
  # The job does no work itself; the gate is the environment it is bound to.
  # The test job requires this job to succeed for fork PRs, so it is the
  # control that stands between fork code and the secrets passed below.
  # NOTE(review): this only blocks if elementary_test_env has required
  # reviewers configured in the repository settings - not visible in this
  # file, confirm. Approvers should review the exact head commit of the run,
  # since that commit is what gets tested with secrets.
  approve-fork:
    runs-on: ubuntu-latest
    needs: [check-fork-status]
    if: needs.check-fork-status.outputs.should_skip != 'true' && needs.check-fork-status.outputs.is_fork == 'true'
    permissions: {}
    environment: elementary_test_env
    steps:
      - name: Approved
        run: echo "Fork PR approved for testing"
  # Fans out to test-warehouse.yml, one call per matrix entry.
  test:
    needs: [check-fork-status, approve-fork]
    permissions:
      contents: read
      # Required so the called test-warehouse.yml can mint an OIDC token to
      # assume the AWS role; per GitHub, id-token: write must be granted by
      # the calling workflow.
      # NOTE(review): this grant applies on every trigger, approved fork PRs
      # included, so what the token can do is bounded by the AWS role's trust
      # policy and permissions - not visible in this file, confirm.
      id-token: write
    # approve-fork is skipped for non-fork runs, and GitHub skips a job whose
    # need was skipped unless the condition calls a status function; hence the
    # explicit "! cancelled()". The last clause enforces the gate: a fork run
    # proceeds only when approve-fork succeeded.
    if: |
      ! cancelled() &&
      needs.check-fork-status.result == 'success' &&
      needs.check-fork-status.outputs.should_skip != 'true' &&
      (needs.check-fork-status.outputs.is_fork != 'true' || needs.approve-fork.result == 'success')
    strategy:
      fail-fast: false
      matrix:
        # One-element list holding the dispatch input when it is set,
        # otherwise [null].
        # NOTE(review): the input is spliced into JSON text with format(), so a
        # value containing a double quote changes what fromJSON parses. Only
        # workflow_dispatch supplies it; building the element with
        # toJSON(inputs.dbt-version) would avoid hand-assembled JSON.
        dbt-version: ${{ inputs.dbt-version && fromJSON(format('["{0}"]', inputs.dbt-version)) || fromJSON('[null]') }}
        warehouse-type:
          [
            postgres,
            snowflake,
            bigquery,
            redshift,
            databricks_catalog,
            athena,
            clickhouse,
            duckdb,
            trino,
            dremio,
            spark,
            fabric,
            sqlserver,
            vertica,
          ]
    uses: ./.github/workflows/test-warehouse.yml
    with:
      warehouse-type: ${{ matrix.warehouse-type }}
      # A dispatch input wins; on PR events this resolves to the PR head commit
      # SHA, and to '' otherwise. For fork PRs that commit is fork-controlled
      # code. Passing the SHA from the event payload rather than a branch name
      # ties the run to the commit that triggered it.
      elementary-ref: ${{ inputs.elementary-ref || ((github.event_name == 'pull_request_target' || github.event_name == 'pull_request') && github.event.pull_request.head.sha) || '' }}
      dbt-data-reliability-ref: ${{ inputs.dbt-data-reliability-ref }}
      dbt-version: ${{ matrix.dbt-version }}
      generate-data: ${{ inputs.generate-data || false }}
    secrets:
      # Explicitly set secrets to avoid bleeding secrets to fork PRs.
      # Changes to these from a fork PR should be considered as malicious and NOT ALLOWED TO RUN.
      # Only these four are handed to the called workflow. They are passed on
      # every run that reaches this job, so for fork PRs the approve-fork gate
      # is what protects them.
      CI_WAREHOUSE_SECRETS: ${{ secrets.CI_WAREHOUSE_SECRETS }}
      CI_SLACK_WEBHOOK: ${{ secrets.CI_SLACK_WEBHOOK }}
      CI_SLACK_TOKEN: ${{ secrets.CI_SLACK_TOKEN }}
      AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN }}