Added a CI job for WPCloud testing of wpcomsh. #39258
base: trunk
Changes from 2 commits
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,105 @@ | ||
name: WPCloud Unit Testing for WPCOMSH | ||
|
||
on: | ||
pull_request: | ||
push: | ||
branches: ['trunk', '*/branch-*'] | ||
concurrency: | ||
group: wpcloud-${{ github.event_name }}-${{ github.ref }} | ||
cancel-in-progress: true | ||
|
||
jobs: | ||
deploy: | ||
name: Run phpunit on WPCloud site | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v4 | ||
with: | ||
# codecov.io requires a fetch depth > 1. | ||
fetch-depth: 2 | ||
|
||
# For pull requests, list-changed-projects.sh needs the merge base. | ||
# But it doesn't have to be checked out. | ||
- name: Deepen to merge base | ||
if: github.event_name == 'pull_request' | ||
uses: ./.github/actions/deepen-to-merge-base | ||
with: | ||
checkout: false | ||
|
||
- name: Setup tools | ||
uses: ./.github/actions/tool-setup | ||
with: | ||
php: ${{ matrix.php }} | ||
node: ${{ matrix.node }} | ||
- name: Monorepo install | ||
run: | | ||
echo "::group::Pnpm" | ||
pnpm install | ||
echo "::endgroup::" | ||
- name: Detect if wpcomsh has changed | ||
id: changed | ||
run: | | ||
CHANGED="$(EXTRA=test .github/files/list-changed-projects.sh)" | ||
|
||
WPCOMSH_CHANGED="$(jq --argjson changed "$CHANGED" -n '$changed | has( "plugins/wpcomsh" ) ')" | ||
echo "wpcomsh=${WPCOMSH_CHANGED}" >> "$GITHUB_OUTPUT" | ||
|
||
- name: Configure Github to be able to SSH to the Atomic site | ||
if: steps.changed.outputs.wpcomsh == 'true' | ||
run: | | ||
echo "Intializing" | ||
echo "::group::setup" | ||
|
||
mkdir -vp ~/.ssh/ | ||
chmod -v 700 ~/.ssh | ||
|
||
touch ~/.ssh/id_site | ||
chmod 600 ~/.ssh/id_site | ||
echo "$WPCLOUD_SSH_KEY" > ~/.ssh/id_site | ||
echo "wrote ~/.ssh/id_site" | ||
|
||
touch ~/.ssh/askpass | ||
chmod -v 700 ~/.ssh/askpass | ||
cat >>~/.ssh/askpass <<END | ||
#!/bin/bash | ||
echo "\$WPCLOUD_SSH_KEY_PASSPHRASE" | ||
END | ||
echo "wrote ~/.ssh/askpass" | ||
|
||
cat >>~/.ssh/config <<END | ||
Host * | ||
StrictHostKeyChecking no | ||
END | ||
echo "wrote ~/.ssh/config" | ||
|
||
touch ~/.ssh/stdin | ||
chmod -v 600 ~/.ssh/stdin | ||
cat >>~/.ssh/stdin <<END | ||
$WPCLOUD_STDIN | ||
END | ||
echo "wrote ~/.ssh/stdin" | ||
|
||
export SSH_ASKPASS="$HOME/.ssh/askpass" | ||
echo "exported SSH_ASKPASS" | ||
export SSH_ASKPASS_REQUIRE="force" | ||
echo "exported SSH_ASKPASS_REQUIRE" | ||
export DISPLAY=":" | ||
echo "exported DISPLAY" | ||
(this along with the comment on lines 61–67 above) |
||
|
||
echo "::endgroup::" | ||
|
||
echo "::group::execution" | ||
cat ~/.ssh/stdin | setsid ssh -i ~/.ssh/id_site -l "$WPCLOUD_SSH_USER" ssh.atomicsites.net "$WPCLOUD_SSH_COMMAND" || CODE=$? | ||
I'm left wondering what's in Is whatever this runs going to work if multiple PRs run this at the same time? |
||
echo "::endgroup::" | ||
|
||
echo "::group::teardown" | ||
rm -rvf ~/.ssh/ | ||
echo "::endgroup::" | ||
echo "Exiting with exit code $CODE" | ||
exit $CODE | ||
env: | ||
WPCLOUD_SSH_KEY: ${{ secrets.WPCLOUD_SSH_KEY }} | ||
WPCLOUD_SSH_KEY_PASSPHRASE: ${{ secrets.WPCLOUD_SSH_KEY_PASSPHRASE }} | ||
WPCLOUD_SSH_USER: ${{ secrets.WPCLOUD_SSH_USER }} | ||
WPCLOUD_SSH_COMMAND: ${{ secrets.WPCLOUD_SSH_COMMAND }} | ||
WPCLOUD_STDIN: ${{ toJSON(github) }} |
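Review bot: `StrictHostKeyChecking no` under `Host *` in the generated `~/.ssh/config` turns off host key verification for the `ssh.atomicsites.net` connection, and that same connection receives `~/.ssh/stdin`, which is the full `toJSON(github)` context (this includes `github.token`). Pin the server's host key instead: write it to `~/.ssh/known_hosts` from a secret or repository variable and drop the `StrictHostKeyChecking no` block, and consider sending only the fields the remote command needs rather than the whole `github` context. Separately, the "Setup tools" step reads `matrix.php` and `matrix.node`, but this job defines no `strategy.matrix`, so both inputs evaluate to empty.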
I wonder if we could switch to a key with no password, so we could skip this. Is there an attack scenario where someone could steal the key but not also steal this file with the password?