Integration — GitHub Permissions #194
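# Integration tests for GitHub API permissions. They run against the real API
# with a personal access token (PAT) stored in the GITHUB_TEST_TOKEN repository
# secret. When that secret is absent, the job skips the tests instead of failing.
name: Integration — GitHub Permissions

# Every trigger below is a trusted event (manual run, schedule, push to the
# default branches). Adding a pull-request style trigger would need a fresh
# review of how the PAT is exposed.
on:
  workflow_dispatch:
  schedule:
    - cron: '0 3 * * *' # nightly UTC
  push:
    branches:
      - main
      - master
    paths:
      - 'test/integration/github_permissions_test.rb'
      - '.github/workflows/integration-github-permissions.yml'

jobs:
  github-permissions:
    name: Run GitHub permissions integration tests
    runs-on: ubuntu-latest
    # Least privilege for the automatic workflow token: read-only contents.
    permissions:
      contents: read
    # The PAT is deliberately not exported at job level. A job-level `env`
    # would hand it to every step, including third-party actions and the
    # install scripts of npm and gem dependencies. Only the gate step and the
    # test step receive it.
    steps:
      - name: Check for PAT secret
        id: gate
        env:
          GITHUB_TEST_TOKEN: ${{ secrets.GITHUB_TEST_TOKEN }}
        run: |
          # Record only whether the secret exists; never echo its value.
          if [ -z "${GITHUB_TEST_TOKEN}" ]; then
            echo "missing=1" >> "$GITHUB_OUTPUT"
          else
            echo "missing=0" >> "$GITHUB_OUTPUT"
          fi

      # NOTE(review): the `uses:` references below are mutable tags. Pinning
      # each one to a full commit SHA (e.g. `owner/action@<full-commit-sha>`)
      # stops an upstream retag from changing the code that runs in this job.
      - name: Checkout
        if: ${{ steps.gate.outputs.missing == '0' }}
        # NOTE(review): consider `with: persist-credentials: false` if no later
        # step needs git authentication.
        uses: actions/checkout@v6

      - name: Setup Ruby
        if: ${{ steps.gate.outputs.missing == '0' }}
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: .ruby-version
          bundler-cache: true

      - name: Setup Node.js
        if: ${{ steps.gate.outputs.missing == '0' }}
        uses: actions/setup-node@v6
        with:
          node-version: 'lts/*'
          cache: 'npm'

      - name: Install Node dependencies (cached)
        if: ${{ steps.gate.outputs.missing == '0' }}
        run: |
          # `npm ci` installs exactly what the lockfile records. The fallback
          # `npm install` resolves versions at run time and is not reproducible,
          # so commit a package-lock.json to keep installs pinned.
          if [ -f package-lock.json ]; then
            npm ci --no-fund --no-audit --loglevel=error
          else
            npm install --no-fund --no-audit --loglevel=error
          fi

      - name: Prepare database
        if: ${{ steps.gate.outputs.missing == '0' }}
        run: |
          bin/rails db:prepare

      # The former "Prepare token environment" step copied the PAT into
      # $GITHUB_ENV and fell back to the workflow GITHUB_TOKEN when the PAT was
      # empty. That fallback could never run, because the gate skips every step
      # when the secret is unset. The PAT and GITHUB_TEST_REQUIRE_EMAIL=1 (the
      # value the reachable branch set) are now passed directly to the only
      # step that needs them.
      - name: Run GitHub permissions tests
        if: ${{ steps.gate.outputs.missing == '0' }}
        env:
          DISABLE_PARALLEL_TESTS: '1'
          GITHUB_TEST_TOKEN: ${{ secrets.GITHUB_TEST_TOKEN }}
          GITHUB_TEST_REQUIRE_EMAIL: '1'
        run: |
          bin/rails test --verbose test/integration/github_permissions_test.rb

      - name: Skip - GITHUB_TEST_TOKEN not set
        if: ${{ steps.gate.outputs.missing == '1' }}
        run: echo "GITHUB_TEST_TOKEN not set; skipping integration tests"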