ci: let Dependabot integration tests run via pull_request_target#199
Open
ionmincu wants to merge 4 commits into
Mirror the dependabot.yml from uipath-python and uipath-langchain-python so version-update PRs are not opened. They could not pass integration tests because GitHub does not pass repository secrets to workflows triggered by dependabot, leaving uipath auth without credentials.

Add timeout-minutes: 10 to the integration-tests job so hung jobs do not sit "in progress" indefinitely.

Add set -e to each run.sh so the first failure is surfaced instead of cascading through init/pack/run and ending with a misleading "UIPATH_ACCESS_TOKEN is not set".

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pull request overview
This PR updates repository automation to reduce CI churn from Dependabot and make integration test execution more fail-fast and bounded in duration.
Changes:
- Added a `.github/dependabot.yml` configuration that disables new Dependabot version-bump PRs (`open-pull-requests-limit: 0`) and excludes `samples/**`.
- Added `timeout-minutes: 10` to the GitHub Actions `integration-tests` job to prevent indefinite hangs.
- Hardened the three integration testcase `run.sh` scripts by enabling `set -e` and preserving MCP server log output even when `test.py` fails.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| testcases/string-server/run.sh | Enable set -e and capture test failures while still printing mcp_server_output.log. |
| testcases/ground-to-cloud/run.sh | Same hardening as above for the ground-to-cloud testcase script. |
| testcases/datetime-server/run.sh | Same hardening as above for the datetime testcase script. |
| .github/workflows/integration_tests.yml | Add a 10-minute timeout to each integration test job to avoid stuck runs. |
| .github/dependabot.yml | Add Dependabot configuration to stop opening new dependency PRs (and exclude samples). |
Supersedes the dependabot.yml disable from the previous commit: instead of blocking Dependabot from opening PRs, let them run integration tests with secrets in scope. Port the pattern from uipath-python PR #1628:

- Add pull_request_target trigger alongside pull_request. Both gated by actor so each event fires only for its intended PR source — no double-runs and no secrets exposed to arbitrary fork PRs.
- Restrict the Dependabot matrix to alpha only to minimize the blast radius of running PR code with credentials in scope.
- actions/checkout uses ref: head.sha in both jobs so the PR's code is tested under pull_request_target (which defaults to base otherwise).
- Add a Check secrets availability step that emits a ::warning:: annotation when CLIENT_ID/CLIENT_SECRET/BASE_URL arrive empty, so fork-PR failures have clear context instead of cascading into a misleading UIPATH_ACCESS_TOKEN error downstream.

set -e in run.sh and timeout-minutes from the previous commit are kept as-is.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The container image used by the integration-tests job
(ghcr.io/astral-sh/uv:python3.12-bookworm) does not put bash on the
default shell path, so GitHub falls back to `sh -e {0}` for inline
`run:` blocks. The Check secrets availability step uses bash array
syntax (`missing=()`), which is a POSIX-sh parse error and fails the
step before any check runs. Set shell: bash explicitly.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
SonarCloud flagged the use of github.actor in the actor gate as forgeable — on a re-run by a maintainer, github.actor becomes that maintainer rather than the original PR author, which would let a malicious PR bypass the gate. Switch to github.event.pull_request.user.login, which is the immutable original author set by GitHub from the authenticated session.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
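The "Check secrets availability" step described in the commits above, as an added example that is not the PR's own code: it is written in POSIX sh rather than bash, so it parses under the `sh -e {0}` fallback as well as under `shell: bash`, and it reports only the names of absent secrets, never their values. The variable names and the `env:` mapping in the comment are assumptions taken from the PR description.

```shell
#!/bin/sh
# Added example (not the PR's own step): secrets-availability check in POSIX sh,
# so it parses under both `sh -e {0}` (the fallback in the uv image) and `bash`.
# The PR's step used a bash array (missing=()), which sh rejects at parse time.
# Assumed usage in a workflow step (names as in the PR description):
#   env:
#     CLIENT_ID: ${{ secrets.CLIENT_ID }}
#     CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }}
#     BASE_URL: ${{ secrets.BASE_URL }}
#   run: . ./check_secrets.sh && check_secrets CLIENT_ID CLIENT_SECRET BASE_URL

# Print the names (space separated) of the given variables that are unset or empty.
missing_secrets() {
  missing=""
  for name in "$@"; do
    # Refuse anything that is not a plain identifier before it reaches eval.
    case $name in
      *[!A-Za-z0-9_]*|"") echo "invalid variable name: $name" >&2; return 2 ;;
    esac
    # Indirect lookup without bash's ${!name}; the value is never echoed.
    eval "value=\${$name:-}"
    [ -n "$value" ] || missing="$missing $name"
  done
  printf '%s\n' "${missing# }"
}

# Emit a GitHub Actions warning annotation naming (not valuing) absent secrets.
# Returns 1 when anything is missing so the job fails here with clear context
# instead of cascading into "UIPATH_ACCESS_TOKEN is not set" later on.
check_secrets() {
  missing=$(missing_secrets "$@") || return $?
  if [ -n "$missing" ]; then
    echo "::warning::Secrets not available: $missing (expected for PRs from forks, which receive no repository secrets)"
    return 1
  fi
  echo "All required secrets present: $*"
}
```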
Summary
Make Dependabot PRs actually able to run integration tests, ported from uipath-python PR #1628:
`pull_request_target` added alongside `pull_request`, restricted to `[opened, synchronize, reopened]`. Both jobs gated by actor: `pull_request` runs for everyone except `dependabot[bot]`, `pull_request_target` runs only for `dependabot[bot]`. No double-runs, no secrets exposed to fork PRs. `actions/checkout` uses `ref: ${{ github.event.pull_request.head.sha || github.sha }}` in both