8000 Use pull_request_target to run kitchen tests in the context of main by tpowell-progress · Pull Request #15480 · chef/chef · GitHub
[go: up one dir, main page]
Skip to content

Use pull_request_target to run kitchen tests in the context of main #15480

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
tpowell-progress wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Use pull_request_target to run kitchen tests in the context of main #15480

tpowell-progress wants to merge 2 commits into from
+15 −4

Conversation

@tpowell-progress
Copy link
Contributor
@tpowell-progress tpowell-progress commented Nov 26, 2025
edited
Loading

Description

GitHub Actions improvements for fork and pull request workflows:

In order to solve this, we’ve added a new pull_request_target event, which behaves in an almost identical way to the pull_request event with the same set of filters and payload. However, instead of running against the workflow and code from the merge commit, the event runs against the workflow and code from the base of the pull request. This means the workflow is running from a trusted source and is given access to a read/write token as well as secrets enabling the maintainer to safely comment on or label a pull request. This event can be used in combination with the private repository settings as well.

Related Issue

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Chore (non-breaking change that does not add functionality or fix an issue)

Checklist:

  • I have read the CONTRIBUTING document.
  • I have run the pre-merge tests locally and they pass.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes.
  • If Gemfile.lock has changed, I have used --conservative to do it and included the full output in the Description above.
  • All new and existing tests passed.
  • All commits have been signed-off for the Developer Certificate of Origin.

@tpowell-progress
Use pull_request_target to run kitchen tests in the context of main
679151a 
Signed-off-by: Thomas Powell <thomas.powell@progress.com>
@tpowell-progress tpowell-progress requested review from a team and jaymzh as code owners November 26, 2025 17:33
@Stromweld
Copy link
Contributor
Stromweld commented Nov 26, 2025

we should also then pull out the chef-license key and add it as a secret env variable.

@johnmccrae johnmccrae closed this Nov 26, 2025
@johnmccrae johnmccrae reopened this Nov 27, 2025
@jaymzh
Copy link
Collaborator
jaymzh commented Nov 27, 2025

Can you do this as a fork, so we can see the results before we merge it, please?

@neha-p6
Copy link
Collaborator
neha-p6 commented Dec 1, 2025
edited
Loading

@tpowell-progress None of the TKE workflows seem to have run here? The change in kitchen.yml seems have caused some issue for the runs to be skipped

@tpowell-progress
Copy link
Contributor Author
tpowell-progress commented Dec 1, 2025

Can you do this as a fork, so we can see the results before we merge it, please?

@jaymzh pull_request_target needs to be merged into the base branch prior to actually taking effect. The "disabled" kitchen tests that @neha-p6 is seeing are a symptom of that, in which I've pulled out the pull_request hook but pull_request_target is not yet merged.

@sean-sype-simmons sean-sype-simmons added the Expeditor: Skip All Used to skip all merge_actions. label Dec 1, 2025
sean-sype-simmons
sean-sype-simmons requested changes Dec 1, 2025
View reviewed changes
Copy link
Collaborator
@sean-sype-simmons sean-sype-simmons left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

let me do some more reading on this ~ before we merge. This should be fine, but need to understand how secrets are accessed.

@Stromweld
8000 Copy link
Contributor
Stromweld commented Dec 1, 2025

@sean-sype-simmons This blog has some info and here are the docs on the setting if it helps.

@tpowell-progress
Update workflows to use pull_request_target and also require approval
c49ca4f 
Signed-off-by: Thomas Powell <thomas.powell@progress.com>
@sonarqubecloud
Copy link
sonarqubecloud bot commented Dec 2, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@jaymzh
Copy link
Collaborator
jaymzh commented Dec 2, 2025

@tpowell-progress - need conflict resolution

@jaymzh
Copy link
Collaborator
jaymzh commented Dec 2, 2025

FYI - we can't merge this as-is. We need to checkout the PR commit, because pull_request_target runs on the base of the PR, not the PR commit.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sean-sype-simmons sean-sype-simmons sean-sype-simmons requested changes

@johnmccrae johnmccrae johnmccrae approved these changes

@jaymzh jaymzh Awaiting requested review from jaymzh jaymzh is a code owner

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

Expeditor: Skip All Used to skip all merge_actions.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@tpowell-progress @Stromweld @jaymzh @neha-p6 @johnmccrae @sean-sype-simmons
0