From a41e96c7ccb03e5db9c21abaf1728ede1b5eea66 Mon Sep 17 00:00:00 2001
From: UncleGedd <42304551+UncleGedd@users.noreply.github.com>
Date: Wed, 21 Feb 2024 15:18:13 -0600
Subject: [PATCH] chore: ensure PR workflows can't write to GHCR (#446)
---
 .../{test-e2e.yaml => nightly-ghcr.yaml} | 21 +++------
 .github/workflows/test-e2e-pr.yaml | 45 +++++++++++++++++++
 Makefile | 7 ++-
 src/test/e2e/bundle_test.go | 4 ++
 src/test/e2e/ghcr_test.go | 5 ++-
 5 files changed, 64 insertions(+), 18 deletions(-)
 rename .github/workflows/{test-e2e.yaml => nightly-ghcr.yaml} (77%)
 create mode 100644 .github/workflows/test-e2e-pr.yaml
diff --git a/.github/workflows/test-e2e.yaml b/.github/workflows/nightly-ghcr.yaml
similarity index 77%
rename from .github/workflows/test-e2e.yaml
rename to .github/workflows/nightly-ghcr.yaml
index 1a547d77..c15088ba 100644
--- a/.github/workflows/test-e2e.yaml
+++ b/.github/workflows/nightly-ghcr.yaml
@@ -1,23 +1,16 @@
-name: E2E Tests
+name: Test GHCR Write
 on:
- pull_request:
- paths-ignore:
- - "**.md"
- - "**.jpg"
- - "**.png"
- - "**.gif"
- - "**.svg"
- - "adr/**"
- - "docs/**"
- - "CODEOWNERS"
- - "goreleaser.yml"
+ schedule:
+ - cron: '0 7 * * *' ## Every day at 0700 UTC
+
+ workflow_dispatch: ## Give us the ability to run this manually
 permissions:
 contents: read
 # Abort prior jobs in the same workflow / PR
 concurrency:
- group: e2e-k3d-${{ github.ref }}
+ group: e2e-ghcr-write-${{ github.ref }}
 cancel-in-progress: true
 jobs:
@@ -47,7 +40,7 @@ jobs:
 - name: Run e2e tests
 run: |
- make test-e2e
+ make test-e2e-ghcr
 env:
 GITHUB_TOKEN: secrets.GITHUB_TOKEN
diff --git a/.github/workflows/test-e2e-pr.yaml b/.github/workflows/test-e2e-pr.yaml
new file mode 100644
index 00000000..1f53723a
--- /dev/null
+++ b/.github/workflows/test-e2e-pr.yaml
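Review bot: Nothing in the new `on:` block of nightly-ghcr.yaml records that the missing `pull_request` trigger is deliberate, so a later edit could re-add it and put the GHCR-writing tests back on PR runs. A comment above `on:` such as `# No pull_request trigger on purpose: this workflow runs the tests that publish to GHCR` would make the intent explicit. The top-level `permissions: contents: read` is unchanged context in this hunk; whether a job-level block grants package write access is outside the visible lines.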
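Review bot: `GITHUB_TOKEN: secrets.GITHUB_TOKEN` in the context lines of the second nightly-ghcr.yaml hunk assigns that literal text rather than the token, because it is not wrapped in an expression; `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` is presumably what was meant. The line predates this commit, but the workflow now exists only to exercise GHCR writes, so it matters more here. Even with the expression fixed, the token would carry only the `contents: read` scope shown in the first hunk unless a `packages: write` grant exists outside the visible lines. The registry login step is not visible either, so confirm which credential the publish actually uses.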
@@ -0,0 +1,45 @@
+name: E2E Tests
+on:
+ pull_request:
+ paths-ignore:
+ - "**.md"
+ - "**.jpg"
+ - "**.png"
+ - "**.gif"
+ - "**.svg"
+ - "adr/**"
+ - "docs/**"
+ - "CODEOWNERS"
+ - "goreleaser.yml"
+
+permissions:
+ contents: read
+
+# Abort prior jobs in the same workflow / PR
+concurrency:
+ group: e2e-k3d-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+ - name: Setup golang
+ uses: ./.github/actions/golang
+
+ - name: Build UDS-CLI binary
+ run: make build-cli-linux-amd ARCH=amd64
+
+ - name: Setup K3d
+ uses: ./.github/actions/k3d
+
+ - name: Run e2e tests
+ run: |
+ make test-e2e-no-ghcr-write
+
+ - name: Save logs
+ if: always()
+ uses: ./.github/actions/save-logs
diff --git a/Makefile b/Makefile
index 22cce695..d91a26c4 100644
--- a/Makefile
+++ b/Makefile
@@ -30,10 +30,13 @@ test-unit: ## Run Unit Tests
 test-e2e: ## Run End to End (e2e) tests
 cd src/test/e2e && go test -failfast -v -timeout 30m
-test-e2e-no-ghcr: ## Run End to End (e2e) tests without GHCR
+test-e2e-ghcr: ## Run End to End (e2e) tests with GHCR (contains writes)
+ cd src/test/e2e && go test -failfast -v -timeout 30m -run ".*GHCR.*"
+
+test-e2e-no-ghcr-write: ## Run End to End (e2e) tests without GHCR
 cd src/test/e2e && go test -failfast -v -timeout 30m -skip ".*GHCR.*"
-test-e2e-only-tasks: ## Run End to End (e2e) tests for task runner only
+test-e2e-runner: ## Run End to End (e2e) tests for task runner only
 cd src/test/e2e && go test -failfast -v -timeout 30m -run TestTaskRunner
 schema: ## Update JSON schema for uds-bundle.yaml
diff --git a/src/test/e2e/bundle_test.go b/src/test/e2e/bundle_test.go
index d89ed309..766484ca 100644
--- a/src/test/e2e/bundle_test.go
+++ b/src/test/e2e/bundle_test.go
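Review bot: The `permissions:` block in test-e2e-pr.yaml is what actually prevents a PR run from publishing, since listing only `contents: read` leaves the job token with no package scope, while `make test-e2e-no-ghcr-write` is only a test-name filter; the file states neither. A comment on the block such as `# contents: read only; PR runs must never get packages: write` would guard against it being widened later. The later steps run code from the PR branch (`make`, the local `./.github/actions/*`), so giving the checkout step `persist-credentials: false` would also keep the token out of the workspace's git config. There is no job-level `timeout-minutes`; only the 30m `go test` timeout bounds the run.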
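Review bot: `test-e2e-no-ghcr-write` keeps the help text "Run End to End (e2e) tests without GHCR" and its recipe still skips every test whose name matches `.*GHCR.*`, so the new name promises a narrower filter than the recipe applies. The help text should say what the target does, e.g. `## Run End to End (e2e) tests, skipping every test with GHCR in its name`. The renames of `test-e2e-no-ghcr` and `test-e2e-only-tasks` leave no alias behind, so any caller outside this diff (docs, other workflows, scripts) would break; a repository-wide search for the old names is worth doing before merge.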
@@ -121,6 +121,10 @@ func TestBundle(t *testing.T) {
 //Test create using custom tmpDir
 runCmd(t, "create "+bundleDir+" --tmpdir ./customtmp --confirm --insecure")
+ // remove customtmp folder if it exists
+ err := os.RemoveAll("./customtmp")
+ require.NoError(t, err)
+
 }
 func TestPackagesFlag(t *testing.T) {
diff --git a/src/test/e2e/ghcr_test.go b/src/test/e2e/ghcr_test.go
index bfb44932..f4b3f152 100644
--- a/src/test/e2e/ghcr_test.go
+++ b/src/test/e2e/ghcr_test.go
@@ -15,8 +15,9 @@ import (
 // NOTE: These tests need to have the string "GHCR" in their names
 // to ensure they are not run by the test-e2e-no-ghcr make target
+// Also, these tests are run nightly and on releases, not on PRs
-func TestBundleDeployFromOCIFromGHCR(t *testing.T) {
+func TestBundleCreateAndPublishGHCR(t *testing.T) {
 deployZarfInit(t)
 bundleName := "ghcr-test"
@@ -51,7 +52,7 @@ func TestBundleDeployFromOCIFromGHCR(t *testing.T) {
 }
 // test the create -o path
-func TestBundleCreateAndDeployGHCR(t *testing.T) {
+func TestBundleCreateRemoteAndDeployGHCR(t *testing.T) {
 deployZarfInit(t)
 bundleDir := "src/test/bundles/06-ghcr"
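Review bot: The added `os.RemoveAll("./customtmp")` sits at the very end of TestBundle, so it is skipped whenever an earlier step aborts the test, which is when a stale `customtmp` is most likely to be left behind. Registering it before the `runCmd(... --tmpdir ./customtmp ...)` call with `t.Cleanup(func() { require.NoError(t, os.RemoveAll("./customtmp")) })` would run it on every exit path. The path is relative, so it removes the right directory only if `runCmd` executes in the test's working directory; that helper is not visible here. The added blank line before the closing brace can be dropped, and TestBundle begins outside the hunk.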
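Review bot: The comment kept as context in the first ghcr_test.go hunk still names the `test-e2e-no-ghcr` make target, which this same commit renames to `test-e2e-no-ghcr-write`, and it does not mention that `test-e2e-ghcr` now selects these tests with `-run ".*GHCR.*"`. Suggested wording for that line: `// to ensure they are skipped by the test-e2e-no-ghcr-write make target and selected by test-e2e-ghcr`. The name filter is a convention only, so a test in this file that publishes but lacks "GHCR" in its name would be picked up by the PR target; the comment should say that the name is what keeps it out. The second hunk in this file is a pure rename.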