chore: ensure PR workflows can't write to GHCR (#446)

.github/workflows/test-e2e.yaml → .github/workflows/nightly-ghcr.yaml

@@ -1,23 +1,16 @@
-name: E2E Tests
+name: Test GHCR Write
 on:
-  pull_request:
-    paths-ignore:
-      - "**.md"
-      - "**.jpg"
-      - "**.png"
-      - "**.gif"
-      - "**.svg"
-      - "adr/**"
-      - "docs/**"
-      - "CODEOWNERS"
-      - "goreleaser.yml"
+  schedule:
+    - cron: '0 7 * * *' ## Every day at 0700 UTC
+
+  workflow_dispatch: ## Give us the ability to run this manually
 
 permissions:
   contents: read
 
 # Abort prior jobs in the same workflow / PR
 concurrency:
-  group: e2e-k3d-${{ github.ref }}
+  group: e2e-ghcr-write-${{ github.ref }}
   cancel-in-progress: true
 
 jobs:
@@ -47,7 +40,7 @@ jobs:
 
       - name: Run e2e tests
         run: |
-          make test-e2e
+          make test-e2e-ghcr
         env:
           GITHUB_TOKEN: secrets.GITHUB_TOKEN
 

.github/workflows/test-e2e-pr.yaml

@@ -0,0 +1,45 @@
+name: E2E Tests
+on:
+  pull_request:
+    paths-ignore:
+      - "**.md"
+      - "**.jpg"
+      - "**.png"
+      - "**.gif"
+      - "**.svg"
+      - "adr/**"
+      - "docs/**"
+      - "CODEOWNERS"
+      - "goreleaser.yml"
+
+permissions:
+  contents: read
+
+# Abort prior jobs in the same workflow / PR
+concurrency:
+  group: e2e-k3d-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Setup golang
+        uses: ./.github/actions/golang
+
+      - name: Build UDS-CLI binary
+        run: make build-cli-linux-amd ARCH=amd64
+
+      - name: Setup K3d
+        uses: ./.github/actions/k3d
+
+      - name: Run e2e tests
+        run: |
+          make test-e2e-no-ghcr-write
+
+      - name: Save logs
+        if: always()
+        uses: ./.github/actions/save-logs

Makefile

@@ -30,10 +30,13 @@ test-unit: ## Run Unit Tests
 test-e2e: ## Run End to End (e2e) tests
 	cd src/test/e2e && go test -failfast -v -timeout 30m
 
-test-e2e-no-ghcr: ## Run End to End (e2e) tests without GHCR
+test-e2e-ghcr: ## Run End to End (e2e) tests with GHCR (contains writes)
+	cd src/test/e2e && go test -failfast -v -timeout 30m -run ".*GHCR.*"
+
+test-e2e-no-ghcr-write: ## Run End to End (e2e) tests without GHCR
 	cd src/test/e2e && go test -failfast -v -timeout 30m -skip ".*GHCR.*"
 
-test-e2e-only-tasks: ## Run End to End (e2e) tests for task runner only
+test-e2e-runner: ## Run End to End (e2e) tests for task runner only
 	cd src/test/e2e && go test -failfast -v -timeout 30m -run TestTaskRunner
 
 schema: ## Update JSON schema for uds-bundle.yaml

src/test/e2e/bundle_test.go

@@ -121,6 +121,10 @@ func TestBundle(t *testing.T) {
 	//Test create using custom tmpDir
 	runCmd(t, "create "+bundleDir+" --tmpdir ./customtmp --confirm --insecure")
 
+	// remove customtmp folder if it exists
+	err := os.RemoveAll("./customtmp")
+	require.NoError(t, err)
+
 }
 
 func TestPackagesFlag(t *testing.T) {

src/test/e2e/ghcr_test.go

@@ -15,8 +15,9 @@ import (
 
 // NOTE: These tests need to have the string "GHCR" in their names
 //       to ensure they are not run by the test-e2e-no-ghcr make target
+//       Also, these tests are run nightly and on releases, not on PRs
 
-func TestBundleDeployFromOCIFromGHCR(t *testing.T) {
+func TestBundleCreateAndPublishGHCR(t *testing.T) {
 	deployZarfInit(t)
 
 	bundleName := "ghcr-test"
@@ -51,7 +52,7 @@ func TestBundleDeployFromOCIFromGHCR(t *testing.T) {
 }
 
 // test the create -o path
-func TestBundleCreateAndDeployGHCR(t *testing.T) {
+func TestBundleCreateRemoteAndDeployGHCR(t *testing.T) {
 	deployZarfInit(t)
 
 	bundleDir := "src/test/bundles/06-ghcr"