From 37754bc4d06d8f5ba47abff8cf95419d16efbae0 Mon Sep 17 00:00:00 2001
From: Hamza Qadri
Date: Thu, 25 Sep 2025 09:26:59 -0400
Subject: [PATCH 1/9] Add deployer test pipeline
---
.github/workflows/test-deployer.yml | 203 ++++++++++++++++++++++++++++
1 file changed, 203 insertions(+)
create mode 100644 .github/workflows/test-deployer.yml
diff --git a/.github/workflows/test-deployer.yml b/.github/workflows/test-deployer.yml
new file mode 100644
index 00000000..8dbcfdfb
--- /dev/null
+++ b/.github/workflows/test-deployer.yml
@@ -0,0 +1,203 @@ +name: Test Deployer + +on: + pull_request: + branches: + - main + workflow_dispatch: + +jobs: + test-deployer: + runs-on: self-hosted + container: + image: ghcr.io/catthehacker/ubuntu:act-latest + env: + GIT_SSH_COMMAND: ssh -i ~/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no + PIP_BREAK_SYSTEM_PACKAGES: "1" + timeout-minutes: 60 + strategy: + matrix: + design: [aio, minimal, ha2, asa] + fail-fast: false + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Update package lists + run: apt update + + - name: Install Python + run: | + apt install -y python3 + wget https://bootstrap.pypa.io/get-pip.py && python3 get-pip.py && rm get-pip.py + ln -s /usr/bin/python3 /usr/bin/python + python --version + pip --version + + - name: Install OpenTofu + uses: opentofu/setup-opentofu@v1 + with: + tofu_version: latest + + - name: Install Ansible + run: | + pip install "ansible>=9.0.0,<10.0.0" "ansible-core>=2.11,<2.17" + ansible --version + + # Configures Ansible to fail immediately on error, skip host key checking, use correct key file + - name: Write Ansible configuration file + run: | + cat > ~/.ansible.cfg << 'EOF' + [defaults] + any_errors_fatal = True + host_key_checking = False + max_fail_percentage = 0 + private_key_file = ~/.ssh/pet-east1.open.pem + EOF + + - name: Install this collection + run: ansible-galaxy collection install . 
--force + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-session-token: ${{ secrets.AWS_SESSION_TOKEN }} + aws-region: us-east-1 + + - name: Setup SSH for GitLab + run: | + mkdir -p ~/.ssh + echo "${{ secrets.GITLAB_SSH_KEY }}" > ~/.ssh/id_rsa + chmod 600 ~/.ssh/id_rsa + + - name: Setup SSH for EC2 + run: | + echo "${{ secrets.EC2_SSH_KEY }}" > ~/.ssh/pet-east1.open.pem + chmod 600 ~/.ssh/pet-east1.open.pem + + - name: Clone Themis repository + working-directory: .. + run: | + rm -rf themis + git clone "${{ secrets.THEMIS_REPO_SSH_URI }}" + cd themis + ls -la + + - name: Install Themis Python script dependencies + working-directory: ../themis + run: pip install -r scripts/requirements.txt + + - name: Configure inventory to download Platform from Nexus + working-directory: ../themis + run: | + cat > inventories/common/group_vars/platform.yml << 'EOF' + --- + platform_packages: + - "${{ secrets.PLATFORM_RPM_URL }}" + EOF + + cat > inventories/common/group_vars/platform_secondary.yml << 'EOF' + --- + platform_packages: + - "${{ secrets.PLATFORM_RPM_URL }}" + EOF + + - name: Configure inventory to download Gateway from Nexus + working-directory: ../themis + run: | + cat > inventories/common/group_vars/gateway.yml << 'EOF' + --- + gateway_release: ${{ secrets.GATEWAY_RELEASE }} + gateway_archive_download_url: "${{ secrets.GATEWAY_WHL_URL }}" + EOF + + # This is potentially more secure than adding the credentials as extra vars in the ansible-playbook command + - name: Add Nexus credentials to inventory + working-directory: ../themis + run: | + echo 'repository_username: "${{ secrets.NEXUS_USERNAME }}"' >> inventories/common/group_vars/all.yml + echo 'repository_password: "${{ secrets.NEXUS_PASSWORD }}"' >> inventories/common/group_vars/all.yml + + - name: Initialize OpenTofu + working-directory: 
../themis/tofu_aws + run: tofu init + + - name: Generate OpenTofu execution plan + working-directory: ../themis/tofu_aws + run: tofu plan -var-file=tfvars/${{ matrix.design }}.tfvars + + - name: Provision EC2 instances + working-directory: ../themis/tofu_aws + run: tofu apply -var-file=tfvars/${{ matrix.design }}.tfvars -auto-approve + + - name: Generate Ansible inventory hosts file + working-directory: ../themis/tofu_aws + run: python3 ../scripts/generate_inventory.py --validate -o hosts.json + + # Retries until SSH connection is established or timeout is reached + - name: Wait for EC2 instances to be ready to SSH into + working-directory: ../themis + run: ansible all -m wait_for_connection -a "delay=10 timeout=300" -i tofu_aws/hosts.json -v + + # Waits for cloud init marker file to be written to disk (see cloud-init.tpl) + - name: Wait for cloud init script to complete + working-directory: ../themis + run: ansible all -m wait_for -a "path=/var/log/cloud-init-finished.marker timeout=300" -i tofu_aws/hosts.json -v + + # Overrides inventory variables to install Redis from the Remi repository using a known working URL, as a + # workaround for bugs in the deployer (dependency resolution errors when building Redis, incorrect Remi URL) + - name: Run the deployer + working-directory: ../themis + run: > + ansible-playbook itential.deployer.site + -i tofu_aws/hosts.json + -i inventories/common + -i inventories/${{ matrix.design }} + -e "redis_install_from_source=false" + -e "redis_remi_repo_url=http://rpms.remirepo.net/enterprise/remi-release-9.rpm" + -v + + - name: Verify that Platform is running correctly + working-directory: ../themis + run: | + for host in $(jq -r '.all.children.platform.hosts[] | .ansible_host' tofu_aws/hosts.json); do + python3 scripts/validate.py platform "http://$host:3000" + done + for host in $(jq -r '(.all.children.platform_secondary.hosts // [])[] | .ansible_host' tofu_aws/hosts.json); do + python3 scripts/validate.py platform 
"http://$host:3000" + done + + - name: Verify that Gateway is running correctly + working-directory: ../themis + run: | + for host in $(jq -r '.all.children.gateway.hosts[] | .ansible_host' tofu_aws/hosts.json); do + python3 scripts/validate.py gateway "http://$host:8083" + done + + - name: Verify that Redis is running correctly + working-directory: ../themis + run: | + for host in $(jq -r '.all.children.redis.hosts[] | .ansible_host' tofu_aws/hosts.json); do + python3 scripts/validate.py redis "$host" + done + for host in $(jq -r '(.all.children.redis_secondary.hosts // [])[] | .ansible_host' tofu_aws/hosts.json); do + python3 scripts/validate.py redis "$host" + done + + - name: Verify that MongoDB is running correctly + working-directory: ../themis + run: | + for host in $(jq -r '.all.children.mongodb.hosts[] | .ansible_host' tofu_aws/hosts.json); do + python3 scripts/validate.py mongodb "$host" + done + for host in $(jq -r '(.all.children.mongodb_arbiter.hosts // [])[] | .ansible_host' tofu_aws/hosts.json); do + python3 scripts/validate.py mongodb "$host" --arbiter + done + + - name: Terminate EC2 instances + if: always() + working-directory: ../themis/tofu_aws + run: tofu destroy -var-file=tfvars/${{ matrix.design }}.tfvars -auto-approve From c0ee194866b3f58f91e0562558e512a81c432229 Mon Sep 17 00:00:00 2001 From: Hamza Qadri Date: Fri, 26 Sep 2025 12:20:45 -0400 Subject: [PATCH 2/9] Migrate to docker runners, make pipeline callable --- .github/workflows/test-deployer.yml | 72 ++++++++++++++++------ .github/workflows/test-on-pull-request.yml | 19 ++++++ 2 files changed, 71 insertions(+), 20 deletions(-) create mode 100644 .github/workflows/test-on-pull-request.yml diff --git a/.github/workflows/test-deployer.yml b/.github/workflows/test-deployer.yml index 8dbcfdfb..d1a2fa02 100644 --- a/.github/workflows/test-deployer.yml +++ b/.github/workflows/test-deployer.yml 
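Review bot: Host-key verification is switched off for every SSH connection this job makes: `GIT_SSH_COMMAND` sets `StrictHostKeyChecking=no` with `UserKnownHostsFile=/dev/null`, and the generated `~/.ansible.cfg` sets `host_key_checking = False`. For the freshly provisioned EC2 hosts that is a common trade-off, but the GitLab clone fetches the Themis scripts and OpenTofu configuration that then run with the AWS credentials and the Nexus password, so an unauthenticated endpoint there should fail the job. I would write GitLab's published host keys to `~/.ssh/known_hosts` in the "Setup SSH for GitLab" step (taken from a repository variable; `vars.GITLAB_KNOWN_HOSTS` is a placeholder name) and change the env line to `GIT_SSH_COMMAND: ssh -i ~/.ssh/id_rsa -o StrictHostKeyChecking=yes`. A comment above that line, `# Host key is pinned in ~/.ssh/known_hosts; do not disable checking for the GitLab clone`, would keep it from being relaxed again.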
@@ -1,39 +1,72 @@ name: Test Deployer + on: - pull_request: - branches: - - main - workflow_dispatch: - + workflow_call: + inputs: + design: + required: true + type: string + os-type: + required: true + type: string + os-version: + required: true + type: string + secrets: + AWS_ACCESS_KEY_ID: + required: true + AWS_SECRET_ACCESS_KEY: + required: true + AWS_SESSION_TOKEN: + required: true + GITLAB_SSH_KEY: + required: true + EC2_SSH_KEY: + required: true + THEMIS_REPO_SSH_URI: + required: true + NEXUS_USERNAME: + required: true + NEXUS_PASSWORD: + required: true + PLATFORM_RPM_URL: + required: true + GATEWAY_RELEASE: + required: true + GATEWAY_WHL_URL: + required: true + + jobs: test-deployer: runs-on: self-hosted - container: - image: ghcr.io/catthehacker/ubuntu:act-latest env: GIT_SSH_COMMAND: ssh -i ~/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no PIP_BREAK_SYSTEM_PACKAGES: "1" timeout-minutes: 60 - strategy: - matrix: - design: [aio, minimal, ha2, asa] - fail-fast: false steps: - name: Checkout repository uses: actions/checkout@v4 - name: Update package lists - run: apt update + run: sudo apt update - name: Install Python run: | - apt install -y python3 - wget https://bootstrap.pypa.io/get-pip.py && python3 get-pip.py && rm get-pip.py - ln -s /usr/bin/python3 /usr/bin/python + sudo apt install -y python3 + wget https://bootstrap.pypa.io/get-pip.py && sudo python3 get-pip.py && rm get-pip.py + sudo ln -s /usr/bin/python3 /usr/bin/python || true + sudo ln -s /usr/bin/pip3 /usr/bin/pip || true python --version pip --version + + # For some reason, Node appears to be a dependency of Themis + - name: Install Node.js + run: | + sudo apt install -y nodejs + node --version - name: Install OpenTofu uses: opentofu/setup-opentofu@v1 @@ -81,7 +114,6 @@ jobs: - name: Clone Themis repository working-directory: .. run: | - rm -rf themis git clone "${{ secrets.THEMIS_REPO_SSH_URI }}" cd themis ls -la 
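Review bot: With the `container:` block and `rm -rf themis` both removed in this commit's hunks, nothing clears what earlier runs left on the self-hosted runner. Steps outside these hunks write `~/.ssh/id_rsa` and `~/.ssh/pet-east1.open.pem` and append the Nexus username and password to `../themis/inventories/common/group_vars/all.yml`; on a persistent runner those files would outlive the job, and a leftover `../themis` makes the next `git clone` fail. I would add a final step with `if: always()`, placed after "Terminate EC2 instances" because the destroy still needs the Themis checkout, running `rm -rf ../themis ~/.ssh/id_rsa ~/.ssh/pet-east1.open.pem ~/.ansible.cfg`. Whether the runner is ephemeral is not visible from the patch, so that is worth confirming rather than assuming.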
@@ -127,11 +159,11 @@ jobs: - name: Generate OpenTofu execution plan working-directory: ../themis/tofu_aws - run: tofu plan -var-file=tfvars/${{ matrix.design }}.tfvars + run: tofu plan -var-file=tfvars/${{ inputs.design }}.tfvars -var "os_type=${{ inputs.os-type }}" -var "os_version=${{ inputs.os-version }}" -out=plan.tfplan - name: Provision EC2 instances working-directory: ../themis/tofu_aws - run: tofu apply -var-file=tfvars/${{ matrix.design }}.tfvars -auto-approve + run: tofu apply plan.tfplan - name: Generate Ansible inventory hosts file working-directory: ../themis/tofu_aws @@ -155,7 +187,7 @@ jobs: ansible-playbook itential.deployer.site -i tofu_aws/hosts.json -i inventories/common - -i inventories/${{ matrix.design }} + -i inventories/${{ inputs.design }} -e "redis_install_from_source=false" -e "redis_remi_repo_url=http://rpms.remirepo.net/enterprise/remi-release-9.rpm" -v @@ -200,4 +232,4 @@ jobs: - name: Terminate EC2 instances if: always() working-directory: ../themis/tofu_aws - run: tofu destroy -var-file=tfvars/${{ matrix.design }}.tfvars -auto-approve + run: tofu destroy -auto-approve diff --git a/.github/workflows/test-on-pull-request.yml b/.github/workflows/test-on-pull-request.yml new file mode 100644 index 00000000..dfd02f07 --- /dev/null +++ b/.github/workflows/test-on-pull-request.yml @@ -0,0 +1,19 @@ +name: Test Deployer on Pull Request + +on: + pull_request: + branches: + - main + +jobs: + run-test: + strategy: + matrix: + design: [aio, minimal, ha2, asa] + fail-fast: false + uses: ./.github/workflows/test-deployer.yml + with: + design: ${{ matrix.design }} + os-type: rocky + os-version: "9" + secrets: inherit From ce46d0c883fa618159f75077d71182ac8aa364e6 Mon Sep 17 00:00:00 2001 From: Hamza Qadri Date: Fri, 26 Sep 2025 13:54:57 -0400 Subject: [PATCH 3/9] Fix EC2 termination step --- .github/workflows/test-deployer.yml | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) 
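Review bot: In the new `test-on-pull-request.yml`, `secrets: inherit` passes every secret the caller can read to the reusable workflow, although `test-deployer.yml` declares exactly which ones it needs under `workflow_call.secrets`. Mapping them explicitly keeps the callee's access to that declared set and makes it visible in review when a new secret is added. The workflow also has no `permissions:` block, so `GITHUB_TOKEN` keeps the repository default; a top-level `permissions:` with `contents: read` looks sufficient for the steps shown in this series, though that is inferred from the visible steps only.

```yaml
    uses: ./.github/workflows/test-deployer.yml
    # … unchanged: with: design / os-type / os-version …
    secrets:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      AWS_SESSION_TOKEN: ${{ secrets.AWS_SESSION_TOKEN }}
      GITLAB_SSH_KEY: ${{ secrets.GITLAB_SSH_KEY }}
      EC2_SSH_KEY: ${{ secrets.EC2_SSH_KEY }}
      THEMIS_REPO_SSH_URI: ${{ secrets.THEMIS_REPO_SSH_URI }}
      NEXUS_USERNAME: ${{ secrets.NEXUS_USERNAME }}
      NEXUS_PASSWORD: ${{ secrets.NEXUS_PASSWORD }}
      PLATFORM_RPM_URL: ${{ secrets.PLATFORM_RPM_URL }}
      GATEWAY_RELEASE: ${{ secrets.GATEWAY_RELEASE }}
      GATEWAY_WHL_URL: ${{ secrets.GATEWAY_WHL_URL }}
```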
diff --git a/.github/workflows/test-deployer.yml b/.github/workflows/test-deployer.yml index d1a2fa02..cf453141 100644 --- a/.github/workflows/test-deployer.yml +++ b/.github/workflows/test-deployer.yml @@ -159,7 +159,12 @@ jobs: - name: Generate OpenTofu execution plan working-directory: ../themis/tofu_aws - run: tofu plan -var-file=tfvars/${{ inputs.design }}.tfvars -var "os_type=${{ inputs.os-type }}" -var "os_version=${{ inputs.os-version }}" -out=plan.tfplan + run: > + tofu plan + -var-file=tfvars/${{ inputs.design }}.tfvars + -var "os_type=${{ inputs.os-type }}" + -var "os_version=${{ inputs.os-version }}" + -out=plan.tfplan - name: Provision EC2 instances working-directory: ../themis/tofu_aws @@ -232,4 +237,9 @@ jobs: - name: Terminate EC2 instances if: always() working-directory: ../themis/tofu_aws - run: tofu destroy -auto-approve + run: > + tofu destroy + -var-file=tfvars/${{ inputs.design }}.tfvars + -var "os_type=${{ inputs.os-type }}" + -var "os_version=${{ inputs.os-version }}" + -auto-approve From 173fa43b5f73a63edb96fde929a4c2b1bb5e8b31 Mon Sep 17 00:00:00 2001 From: Hamza Qadri Date: Tue, 30 Sep 2025 13:50:34 -0400 Subject: [PATCH 4/9] Revert to using Docker container --- .github/workflows/test-deployer.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/test-deployer.yml b/.github/workflows/test-deployer.yml index cf453141..d0d83322 100644 --- a/.github/workflows/test-deployer.yml +++ b/.github/workflows/test-deployer.yml @@ -41,6 +41,8 @@ on: jobs: test-deployer: runs-on: self-hosted + container: + image: ghcr.io/catthehacker/ubuntu:act-latest env: GIT_SSH_COMMAND: ssh -i ~/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no PIP_BREAK_SYSTEM_PACKAGES: "1" From 06a93bbe564aa415843ea6c8451f079d98cd9653 Mon Sep 17 00:00:00 2001 
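Review bot: The re-added `image: ghcr.io/catthehacker/ubuntu:act-latest` is a mutable tag on a third-party image, and this container is where the AWS credentials, both SSH private keys and the Nexus password are handled. A changed or replaced image would run with all of them, and two runs of the same commit can end up testing against different tool versions. Pinning by digest, `image: ghcr.io/catthehacker/ubuntu@sha256:<digest of the reviewed image>` (placeholder), with a comment naming the tag it corresponds to, addresses both. The same reasoning applies to `tofu_version: latest` and to the unverified `get-pip.py` download elsewhere in the file.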
From: Hamza Qadri Date: Tue, 30 Sep 2025 13:54:29 -0400 Subject: [PATCH 5/9] Use Themis default config for Platform and Gateway URLs, remove Themis URI from secrets --- .github/workflows/test-deployer.yml | 34 +---------------------------- 1 file changed, 1 insertion(+), 33 deletions(-) diff --git a/.github/workflows/test-deployer.yml b/.github/workflows/test-deployer.yml index d0d83322..9096b4e4 100644 --- a/.github/workflows/test-deployer.yml +++ b/.github/workflows/test-deployer.yml @@ -24,18 +24,10 @@ on: required: true EC2_SSH_KEY: required: true - THEMIS_REPO_SSH_URI: - required: true NEXUS_USERNAME: required: true NEXUS_PASSWORD: required: true - PLATFORM_RPM_URL: - required: true - GATEWAY_RELEASE: - required: true - GATEWAY_WHL_URL: - required: true jobs: @@ -116,7 +108,7 @@ jobs: - name: Clone Themis repository working-directory: .. run: | - git clone "${{ secrets.THEMIS_REPO_SSH_URI }}" + git clone git@gitlab.com:itential/platform-engineering/themis.git cd themis ls -la @@ -124,30 +116,6 @@ jobs: working-directory: ../themis run: pip install -r scripts/requirements.txt - - name: Configure inventory to download Platform from Nexus - working-directory: ../themis - run: | - cat > inventories/common/group_vars/platform.yml << 'EOF' - --- - platform_packages: - - "${{ secrets.PLATFORM_RPM_URL }}" - EOF - - cat > inventories/common/group_vars/platform_secondary.yml << 'EOF' - --- - platform_packages: - - "${{ secrets.PLATFORM_RPM_URL }}" - EOF - - - name: Configure inventory to download Gateway from Nexus - working-directory: ../themis - run: | - cat > inventories/common/group_vars/gateway.yml << 'EOF' - --- - gateway_release: ${{ secrets.GATEWAY_RELEASE }} - gateway_archive_download_url: "${{ secrets.GATEWAY_WHL_URL }}" - EOF - # This is potentially more secure than adding the credentials as extra vars in the ansible-playbook command - name: Add Nexus credentials to inventory working-directory: ../themis 
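Review bot: The hard-coded `git clone git@gitlab.com:itential/platform-engineering/themis.git` takes whatever is at the tip of the default branch, and the following steps install its `scripts/requirements.txt` and run its OpenTofu configuration and Python scripts with the job's credentials. A change pushed to Themis therefore changes what this pipeline executes, and which Platform and Gateway packages it downloads, without any change in this repository. I would pin the checkout, for example `git clone --depth 1 --branch <reviewed tag> git@gitlab.com:itential/platform-engineering/themis.git` (the tag name is a placeholder), and add a comment stating who bumps it and when.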
From 9b2b22522692320d77e3b1f2ad01c6e7a165bf6f Mon Sep 17 00:00:00 2001 From: Hamza Qadri Date: Tue, 30 Sep 2025 14:20:46 -0400 Subject: [PATCH 6/9] Add high level documentation --- .github/workflows/test-deployer.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/.github/workflows/test-deployer.yml b/.github/workflows/test-deployer.yml index 9096b4e4..6cb7e5cb 100644 --- a/.github/workflows/test-deployer.yml +++ b/.github/workflows/test-deployer.yml @@ -1,3 +1,16 @@ +# Runs the Itential Deployer on EC2 instances conforming to some validated design and other parameters +# (e.g. OS type and version), and validates that the deployed services are all running correctly. +# This allows for testing deployments on various configurations in parallel in a fully automated manner. + +# Main steps performed by this workflow: +# - Cloning Themis from GitLab +# - Provisioning EC2 instances using Themis +# - Converting OpenTofu output to Ansible inventory +# - Running deployer on newly created instances +# - Running validation script to test each service (Redis, MongoDB, Platform, Gateway) +# - Terminating all instances using Themis, irrespective of success + + name: Test Deployer From f86fce02ac4a34f8a86bb37c68b942ad0cc4f4ba Mon Sep 17 00:00:00 2001 From: Hamza Qadri Date: Wed, 1 Oct 2025 09:19:20 -0400 Subject: [PATCH 7/9] Move additional tfvars to reusable file, --- .github/workflows/test-deployer.yml | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/.github/workflows/test-deployer.yml b/.github/workflows/test-deployer.yml index 6cb7e5cb..c3384f72 100644 --- a/.github/workflows/test-deployer.yml +++ b/.github/workflows/test-deployer.yml 
@@ -140,13 +140,21 @@ jobs: working-directory: ../themis/tofu_aws run: tofu init + - name: Create .tfvars file with additional job-specific variables + working-directory: ../themis/tofu_aws + run: | + cat > github_actions.tfvars << 'EOF' + prefix = "github" + os_type = "${{ inputs.os-type }}" + os_version = "${{ inputs.os-version }}" + EOF + - name: Generate OpenTofu execution plan working-directory: ../themis/tofu_aws run: > tofu plan -var-file=tfvars/${{ inputs.design }}.tfvars - -var "os_type=${{ inputs.os-type }}" - -var "os_version=${{ inputs.os-version }}" + -var-file=github_actions.tfvars -out=plan.tfplan - name: Provision EC2 instances @@ -223,6 +231,5 @@ jobs: run: > tofu destroy -var-file=tfvars/${{ inputs.design }}.tfvars - -var "os_type=${{ inputs.os-type }}" - -var "os_version=${{ inputs.os-version }}" + -var-file=github_actions.tfvars -auto-approve From e6036c2eb7b222e170e45f8f9f4f13f799bb5acd Mon Sep 17 00:00:00 2001 From: Hamza Qadri Date: Mon, 6 Oct 2025 12:35:21 -0400 Subject: [PATCH 8/9] Use variables from themis, simplify tofu commands --- .github/workflows/test-deployer.yml | 27 ++++++++++----------------- 1 file changed, 10 insertions(+), 17 deletions(-) diff --git a/.github/workflows/test-deployer.yml b/.github/workflows/test-deployer.yml index c3384f72..4eb0cadb 100644 --- a/.github/workflows/test-deployer.yml +++ b/.github/workflows/test-deployer.yml 
@@ -140,22 +140,23 @@ jobs: working-directory: ../themis/tofu_aws run: tofu init - - name: Create .tfvars file with additional job-specific variables + # Copies the vars file for the selected design to the working directory to be imported automatically + - name: Set validated design + working-directory: ../themis/tofu_aws + run: cp tfvars/${{ inputs.design }}.tfvars design.auto.tfvars + + - name: Set additional job-specific variables working-directory: ../themis/tofu_aws run: | - cat > github_actions.tfvars << 'EOF' - prefix = "github" + cat > github_actions.auto.tfvars << 'EOF' + owner = "github" os_type = "${{ inputs.os-type }}" os_version = "${{ inputs.os-version }}" EOF - name: Generate OpenTofu execution plan working-directory: ../themis/tofu_aws - run: > - tofu plan - -var-file=tfvars/${{ inputs.design }}.tfvars - -var-file=github_actions.tfvars - -out=plan.tfplan + run: tofu plan -out=plan.tfplan - name: Provision EC2 instances working-directory: ../themis/tofu_aws @@ -175,8 +176,6 @@ jobs: working-directory: ../themis run: ansible all -m wait_for -a "path=/var/log/cloud-init-finished.marker timeout=300" -i tofu_aws/hosts.json -v - # Overrides inventory variables to install Redis from the Remi repository using a known working URL, as a - # workaround for bugs in the deployer (dependency resolution errors when building Redis, incorrect Remi URL) - name: Run the deployer working-directory: ../themis run: > @@ -184,8 +183,6 @@ jobs: -i tofu_aws/hosts.json -i inventories/common -i inventories/${{ inputs.design }} - -e "redis_install_from_source=false" - -e "redis_remi_repo_url=http://rpms.remirepo.net/enterprise/remi-release-9.rpm" -v - name: Verify that Platform is running correctly @@ -228,8 +225,4 @@ jobs: - name: Terminate EC2 instances if: always() working-directory: ../themis/tofu_aws - run: > - tofu destroy - -var-file=tfvars/${{ inputs.design }}.tfvars - -var-file=github_actions.tfvars - -auto-approve + run: tofu destroy -auto-approve 
From 0be17c3009e571cc9e0130191cce280e1318a21e Mon Sep 17 00:00:00 2001 From: Hamza Qadri Date: Fri, 10 Oct 2025 13:16:41 -0400 Subject: [PATCH 9/9] Switch to pull_request_target trigger, unset AWS profile name --- .github/workflows/test-deployer.yml | 6 ++++++ .github/workflows/test-on-pull-request.yml | 3 ++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/test-deployer.yml b/.github/workflows/test-deployer.yml index 4eb0cadb..b6a80f4a 100644 --- a/.github/workflows/test-deployer.yml +++ b/.github/workflows/test-deployer.yml @@ -17,6 +17,9 @@ name: Test Deployer on: workflow_call: inputs: + ref: + required: false + type: string design: required: true type: string @@ -56,6 +59,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + with: + ref: ${{ inputs.ref }} - name: Update package lists run: sudo apt update @@ -149,6 +154,7 @@ jobs: working-directory: ../themis/tofu_aws run: | cat > github_actions.auto.tfvars << 'EOF' + profile = "" owner = "github" os_type = "${{ inputs.os-type }}" os_version = "${{ inputs.os-version }}" diff --git a/.github/workflows/test-on-pull-request.yml b/.github/workflows/test-on-pull-request.yml index dfd02f07..0a56558e 100644 --- a/.github/workflows/test-on-pull-request.yml +++ b/.github/workflows/test-on-pull-request.yml @@ -1,7 +1,7 @@ name: Test Deployer on Pull Request on: - pull_request: + pull_request_target: branches: - main @@ -13,6 +13,7 @@ jobs: fail-fast: false uses: ./.github/workflows/test-deployer.yml with: + ref: ${{ github.event.pull_request.head.sha }} design: ${{ matrix.design }} os-type: rocky os-version: "9"
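Review bot: The `pull_request_target` trigger combined with `ref: ${{ github.event.pull_request.head.sha }}` (the `with: ref:` hunk in `test-deployer.yml` and both hunks in `test-on-pull-request.yml`) makes the job check out and execute the pull request's own content — `ansible-galaxy collection install . --force`, then `ansible-playbook itential.deployer.site` — while `secrets: inherit` supplies the AWS credentials, both SSH keys and the Nexus password on a self-hosted runner. For a pull request from a fork, that is unreviewed code running with the repository's secrets, which is the separation the plain `pull_request` trigger exists to provide. Unless fork PRs must be tested, keep `pull_request`, or add `if: github.event.pull_request.head.repo.full_name == github.repository` to the `run-test` job. If fork PRs do need the test, put a maintainer approval in front of it, for instance an `environment:` with required reviewers on the `test-deployer` job, and set `persist-credentials: false` on the checkout step.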