-
Notifications
You must be signed in to change notification settings - Fork 7.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
"Unit tests" CI workflow fails for PRs from forks #7423
Comments
Additionally, after submitting this issue, I received a notification that "Check issue template" workflow is failing because repository it relies on doesn't exist: https://github.com/n8n-io/n8n/actions/runs/6497229064 |
@inga-lovinde Thanks for the report, I had reported issues with merging community PRs the other day, I have just raised it again. The issue with the issue template will be resolved soon when I replace it with something else 😃 |
Github issue / Community forum post (link here to close automatically): #7423 This PR updates reference passed to the `checkout` action by the `cy-pull-request.ym`. This should fix three existing issues: - Failing unit tests for external pull requests - Failing e2e tests for external PRs - Passing empty `ref` to `lint` job which makes linter run on a wrong branch
Hey @inga-lovinde, The issue with the PRs has been resolved and the CI tests are now working as we expect them to. The other issue with the notifications when opening issues may be resolved later this week or next week. For now I am going to mark this one as closed, Let me know if you have any questions about this. |
Github issue / Community forum post (link here to close automatically): #7423 This PR updates reference passed to the `checkout` action by the `cy-pull-request.ym`. This should fix three existing issues: - Failing unit tests for external pull requests - Failing e2e tests for external PRs - Passing empty `ref` to `lint` job which makes linter run on a wrong branch
Describe the bug
PRs from forks (including all PRs from external contributors, per https://github.com/n8n-io/n8n/blob/n8n%401.11.0/CONTRIBUTING.md ) cannot be merged, because "Unit tests" workflow is failing on "Run actions/checkout" step.
For example, it is failing for #7377
To Reproduce
Steps to reproduce the behavior:
Expected behavior
"Unit tests" workflow is completing successfully.
Environment (please complete the following information):
Security notice
This issue has a minor security impact: a malicious actor can create a branch in their fork with the same name as the known good feature branch in upstream repository, make seemingly benign but actually breaking changes, submit a PR, and then "Unit tests" workflow will presumably pass for that PR (by running tests against the existing feature branch in upstream repository), even though tests would actually fail for their changes.
Additional context
refs/remotes/pull/PR_ID/merge
. One consequence of that is that even for internal contributors, linting and testing in CI is done for different versions of code; while linting is done on a merge of source and target branches, testing is only done on a source branch (which might not include the latest changes from the target branch).ci-pull-requests.yml
, testing workflow code was unified betweenci-pull-requests.yml
andci-master.yml
, slightly changing the behavior:ci-pull-requests.yml
called checkout withref: ${{ inputs.branch }}
(which apparently was empty, judging by workflow logs from that time, e.g. https://github.com/n8n-io/n8n/actions/runs/6157004828/job/16706916335)ref
values, checkout@v3 action falls back togithub.context.ref
, which in turn is defined as "For workflows triggered by pull_request, this is the pull request merge branch"ref
values manually inunits-tests-dispatch.yml
, based oninputs.ref
andinputs.prNumber
, both being optional parameters... withci-pull-requests.yml
only passingref: ${{ github.event.pull_request.head.ref }}
. So even though the intent ofunits-tests-dispatch.yml
apparently was to support running for merge branches, it neededprNumber
for that, whichci-pull-requests.yml
didn't pass.units-tests-dispatch.yml
is not even actually used, with bothci-pull-requests.yml
andci-master.yml
callingunits-tests-reusable.yml
, and with no trace of the "prepare" step in workflow logs. But I'm not an expert in github workflows, so maybe I'm missing how this dispatch code will run.Unfortunately, there is no public description or comments or links in #7159, so it is not clear what was the intent of the behavior changes (PR title makes it seem as if it was just code reorganization which is not supposed to change the behavior). For pull requests, there are three options basically:
cacheKey
in tests workflow refers to merge commit, which means that changing the target branch will likely reset the cache, even though the same code should be tested);head
readonly PR branch, which is generally the same code as in the source branch (and the bug then is that it doesn't seem to be implemented anywhere; another bug, just like in option 1, is that wrongcacheKey
is used);merge
readonly PR branch, just like it worked before ci: Add reusable unit test workflow (no-changelog) #7159, and just like linting and building workflows are doing now. In this case, one way to fix it would be to removeunits-tests-dispatch.yml
entirely, to removeref
parameter value fromci-pull-requests.yml
(and rely oncheckout
action inferring it instead), to remove defaultref
value fromunits-tests-reusable.yml
, and probably updateci-master.yml
to pass main branch name explicitly (or maybe to pass nothing and rely oncheckout
action in this workflow too) instead of${{ inputs.branch }}
(I'm not even sure if${{ inputs.branch }}
means anything for workflows triggered automatically by pushes?)But being an outside observer only, I don't know which of the three options is right for you.
The text was updated successfully, but these errors were encountered: