Test workflow running on forks, and coverage reporting

Lissy93 · Lissy93 · commit 929d43309a1d · 2025-10-05T14:12:22.000+01:00
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -1,9 +1,11 @@
 name: 🧪 Run Tests
 
 on:
-  pull_request:
+  pull_request_target:
+    types: [opened, synchronize, reopened]
   push:
     branches: [main]
+  workflow_dispatch:
 
 concurrency:
   group: ci-${{ github.ref }}
@@ -14,6 +16,12 @@ permissions:
   id-token: write  # For OIDC with Codecov
   checks: write    # For test reporting
 
+env:
+  # PR context helpers for conditional logic
+  IS_PR: ${{ github.event_name == 'pull_request_target' }}
+  IS_FORK: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository }}
+  HAS_BOT_TOKEN: ${{ secrets.BOT_TOKEN != '' }}
+
 jobs:
   unit-tests:
     name: Unit Tests
@@ -22,7 +30,12 @@ jobs:
       NODE_OPTIONS: "--max_old_space_size=8192"
 
     steps:
+      # Secure checkout for external PRs
       - uses: actions/checkout@v4
+        with:
+          # For PRs from forks, check out the PR head to prevent token exposure
+          ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.ref }}
+
       - uses: actions/setup-node@v4
         with:
           node-version: 22
@@ -33,6 +46,7 @@ jobs:
         id: test
         run: |
           npx vitest run \
+            --coverage \
             --reporter=github-actions \
             --reporter=verbose \
             --reporter=junit \
@@ -51,7 +65,7 @@ jobs:
           path: test-result-unit.txt
 
       - name: Upload coverage to Codecov
-        if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository
+        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' || github.event.pull_request.head.repo.full_name == github.repository
         uses: codecov/codecov-action@v4
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
@@ -64,20 +78,22 @@ jobs:
       - name: Unit Test Report
         id: unit-test-report
         uses: dorny/test-reporter@v1
-        if: always()
+        if: always() && (env.IS_FORK != 'true' || env.HAS_BOT_TOKEN == 'true')
         with:
           name: Unit Tests
           path: test-results.xml
           reporter: java-junit
           fail-on-error: false
+          token: ${{ env.IS_FORK == 'true' && secrets.BOT_TOKEN || secrets.GITHUB_TOKEN }}
+        continue-on-error: true
 
       - name: Save unit test report data
         if: always()
         run: |
-          echo "passed=${{ steps.unit-test-report.outputs.passed }}" > unit-report-data.txt
-          echo "failed=${{ steps.unit-test-report.outputs.failed }}" >> unit-report-data.txt
-          echo "skipped=${{ steps.unit-test-report.outputs.skipped }}" >> unit-report-data.txt
-          echo "time=${{ steps.unit-test-report.outputs.time }}" >> unit-report-data.txt
+          echo "passed=${{ steps.unit-test-report.outputs.passed || '0' }}" > unit-report-data.txt
+          echo "failed=${{ steps.unit-test-report.outputs.failed || '0' }}" >> unit-report-data.txt
+          echo "skipped=${{ steps.unit-test-report.outputs.skipped || '0' }}" >> unit-report-data.txt
+          echo "time=${{ steps.unit-test-report.outputs.time || '0' }}" >> unit-report-data.txt
 
       - name: Upload unit test report data
         if: always()
@@ -104,7 +120,12 @@ jobs:
       NODE_OPTIONS: "--max_old_space_size=8192"
 
     steps:
+      # Secure checkout for external PRs
       - uses: actions/checkout@v4
+        with:
+          # For PRs from forks, check out the PR head to prevent naughty people finding my token
+          ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.ref }}
+
       - uses: actions/setup-node@v4
         with:
           node-version: 22
@@ -142,20 +163,22 @@ jobs:
       - name: API Test Report
         id: api-test-report
         uses: dorny/test-reporter@v1
-        if: always()
+        if: always() && (env.IS_FORK != 'true' || env.HAS_BOT_TOKEN == 'true')
         with:
           name: API Contract Tests
           path: api-test-results.xml
           reporter: java-junit
           fail-on-error: false
+          token: ${{ env.IS_FORK == 'true' && secrets.BOT_TOKEN || secrets.GITHUB_TOKEN }}
+        continue-on-error: true
 
       - name: Save API test report data
         if: always()
         run: |
-          echo "passed=${{ steps.api-test-report.outputs.passed }}" > api-report-data.txt
-          echo "failed=${{ steps.api-test-report.outputs.failed }}" >> api-report-data.txt
-          echo "skipped=${{ steps.api-test-report.outputs.skipped }}" >> api-report-data.txt
-          echo "time=${{ steps.api-test-report.outputs.time }}" >> api-report-data.txt
+          echo "passed=${{ steps.api-test-report.outputs.passed || '0' }}" > api-report-data.txt
+          echo "failed=${{ steps.api-test-report.outputs.failed || '0' }}" >> api-report-data.txt
+          echo "skipped=${{ steps.api-test-report.outputs.skipped || '0' }}" >> api-report-data.txt
+          echo "time=${{ steps.api-test-report.outputs.time || '0' }}" >> api-report-data.txt
 
       - name: Upload API test report data
         if: always()
@@ -175,7 +198,12 @@ jobs:
       NODE_OPTIONS: "--max_old_space_size=8192"
 
     steps:
+      # Secure checkout for external PRs
       - uses: actions/checkout@v4
+        with:
+          # For PRs from forks, check out the PR head to prevent token exposure
+          ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.ref }}
+
       - uses: actions/setup-node@v4
         with:
           node-version: 22
@@ -219,20 +247,22 @@ jobs:
       - name: E2E Test Report
         id: e2e-test-report
         uses: dorny/test-reporter@v1
-        if: always()
+        if: always() && (env.IS_FORK != 'true' || env.HAS_BOT_TOKEN == 'true')
         with:
           name: E2E Tests
           path: e2e-results.xml
           reporter: java-junit
           fail-on-error: false
+          token: ${{ env.IS_FORK == 'true' && secrets.BOT_TOKEN || secrets.GITHUB_TOKEN }}
+        continue-on-error: true
 
       - name: Save e2e test report data
         if: always()
         run: |
-          echo "passed=${{ steps.e2e-test-report.outputs.passed }}" > e2e-report-data.txt
-          echo "failed=${{ steps.e2e-test-report.outputs.failed }}" >> e2e-report-data.txt
-          echo "skipped=${{ steps.e2e-test-report.outputs.skipped }}" >> e2e-report-data.txt
-          echo "time=${{ steps.e2e-test-report.outputs.time }}" >> e2e-report-data.txt
+          echo "passed=${{ steps.e2e-test-report.outputs.passed || '0' }}" > e2e-report-data.txt
+          echo "failed=${{ steps.e2e-test-report.outputs.failed || '0' }}" >> e2e-report-data.txt
+          echo "skipped=${{ steps.e2e-test-report.outputs.skipped || '0' }}" >> e2e-report-data.txt
+          echo "time=${{ steps.e2e-test-report.outputs.time || '0' }}" >> e2e-report-data.txt
 
       - name: Upload e2e test report data
         if: always()
