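name: e2e-azure

on:
  workflow_dispatch:
  schedule:
    - cron: '0 6 * * *'
  push:
    branches:
      - main
    paths:
      - 'tests/**'
      - '.github/workflows/e2e-azure.yaml'
  pull_request:
    branches:
      - main
    paths:
      - 'tests/**'
      - '.github/workflows/e2e-azure.yaml'

# Least privilege for GITHUB_TOKEN: nothing in this workflow writes back to
# the repository, so read-only is all it needs.
permissions:
  contents: read

jobs:
  e2e-aks:
    runs-on: ubuntu-latest
    env:
      # Hard-coded to "true": every step after the smoke test is gated off, so
      # this workflow currently validates only the Git SSH secrets and does NOT
      # run the AKS e2e suite. Set to "false" (or drive it from a repository
      # variable) to re-enable the full run.
      SSH_SECRET_SMOKE_TEST_ONLY: "true"
    defaults:
      run:
        working-directory: ./tests/integration
    # This job handles repository secrets: do not run it for pull requests
    # coming from forks (secrets are withheld there anyway, but the job would
    # still consume CI and fail) nor for Dependabot-authored events.
    if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      # Proves that GIT_SSH_IDENTITY / GIT_SSH_IDENTITY_PUB are a matching key
      # pair and that Azure DevOps accepts the key, without running the suite.
      - name: Smoke test Git SSH secrets
        env:
          GITREPO_SSH_CONTENTS: ${{ secrets.GIT_SSH_IDENTITY }}
          GITREPO_SSH_PUB_CONTENTS: ${{ secrets.GIT_SSH_IDENTITY_PUB }}
        run: |
          set -euo pipefail
          # Private key material lands on disk: create it owner-only from the
          # first byte instead of relying on a chmod after the write, and drop
          # it when the step ends whatever the outcome.
          umask 077
          mkdir -p ./build/ssh
          trap 'rm -f build/ssh/key' EXIT
          # printf rather than an unquoted heredoc: the secret is written
          # verbatim, with no parameter or command expansion of its contents.
          printf '%s\n' "$GITREPO_SSH_CONTENTS" > build/ssh/key
          printf '%s\n' "$GITREPO_SSH_PUB_CONTENTS" > build/ssh/key.pub
          chmod 600 build/ssh/key
          # Only line counts are logged; never echo the key material itself.
          key_lines=$(wc -l < build/ssh/key)
          pub_lines=$(wc -l < build/ssh/key.pub)
          echo "private key lines: ${key_lines}"
          echo "public key lines: ${pub_lines}"
          ssh-keygen -y -f build/ssh/key > build/ssh/derived.pub
          # Compare fingerprints, not the raw .pub files: a different comment
          # field or trailing whitespace in GIT_SSH_IDENTITY_PUB would otherwise
          # fail a key pair that is in fact correct.
          derived_fp=$(ssh-keygen -lf build/ssh/derived.pub | awk '{print $2}')
          configured_fp=$(ssh-keygen -lf build/ssh/key.pub | awk '{print $2}')
          if [ "${derived_fp}" != "${configured_fp}" ]; then
            echo "::error::derived public key does not match GIT_SSH_IDENTITY_PUB"
            echo "derived public key fingerprint:"
            ssh-keygen -lf build/ssh/derived.pub
            echo "configured public key fingerprint:"
            ssh-keygen -lf build/ssh/key.pub
            exit 1
          fi
          echo "SSH key fingerprint:"
          ssh-keygen -lf build/ssh/derived.pub
          # The probe is expected to "fail" (Azure DevOps offers no shell); what
          # matters is how it fails. known_hosts is a fresh file in a directory
          # this step just created, so accept-new is trust-on-first-use on every
          # run. TODO(review): seed build/ssh/known_hosts with the host key
          # Azure DevOps publishes for ssh.dev.azure.com and switch to
          # StrictHostKeyChecking=yes; until then the accepted host key
          # fingerprint is printed below so a run can be audited after the fact.
          set +e
          ssh_output=$(ssh -i build/ssh/key \
            -o BatchMode=yes \
            -o StrictHostKeyChecking=accept-new \
            -o UserKnownHostsFile=build/ssh/known_hosts \
            -T git@ssh.dev.azure.com 2>&1)
          ssh_status=$?
          set -e
          echo "${ssh_output}"
          echo "accepted host key fingerprint(s):"
          ssh-keygen -lf build/ssh/known_hosts || true
          if echo "${ssh_output}" | grep -q "Shell access is not supported"; then
            echo "Azure DevOps SSH accepted the key"
            exit 0
          fi
          if echo "${ssh_output}" | grep -Eq "Public key authentication failed|Permission denied"; then
            echo "::error::Azure DevOps SSH rejected the key"
            exit 1
          fi
          echo "::error::unexpected Azure DevOps SSH probe result, exit status ${ssh_status}"
          exit 1

      - name: Setup Go
        if: ${{ env.SSH_SECRET_SMOKE_TEST_ONLY != 'true' }}
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: 1.26.x
          cache-dependency-path: tests/integration/go.sum

      - name: Setup Terraform
        if: ${{ env.SSH_SECRET_SMOKE_TEST_ONLY != 'true' }}
        uses: hashicorp/setup-terraform@dfe3c3f87815947d99a8997f908cb6525fc44e9e # v4.0.1

      - name: Setup Flux CLI
        if: ${{ env.SSH_SECRET_SMOKE_TEST_ONLY != 'true' }}
        run: make build
        working-directory: ./

      # TODO(review): the sops binary is downloaded over HTTPS but its
      # integrity is never verified — check it against the checksum published
      # with the release before marking it executable. Unlike the actions
      # above, this dependency is not pinned by digest.
      - name: Setup SOPS
        if: ${{ env.SSH_SECRET_SMOKE_TEST_ONLY != 'true' }}
        run: |
          mkdir -p $HOME/.local/bin
          wget -O $HOME/.local/bin/sops https://github.com/mozilla/sops/releases/download/v$SOPS_VER/sops-v$SOPS_VER.linux
          chmod +x $HOME/.local/bin/sops
        env:
          SOPS_VER: '3.7.1'

      # NOTE(review): this authenticates with a long-lived service-principal
      # secret embedded in a JSON blob. Azure/login also supports OIDC
      # federated credentials (client-id / tenant-id / subscription-id plus
      # `id-token: write`), which removes the stored secret entirely.
      - name: Authenticate to Azure
        if: ${{ env.SSH_SECRET_SMOKE_TEST_ONLY != 'true' }}
        uses: Azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v1.4.6
        with:
          creds: '{"clientId":"${{ secrets.ARM_CLIENT_ID }}","clientSecret":"${{ secrets.ARM_CLIENT_SECRET }}","subscriptionId":"${{ secrets.ARM_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.ARM_TENANT_ID }}"}'

      - name: Set dynamic variables in .env
        if: ${{ env.SSH_SECRET_SMOKE_TEST_ONLY != 'true' }}
        run: |
          # NOTE(review): the body of this heredoc was lost when this copy of
          # the file was captured (everything between `<<EOF` here and the next
          # `>` in the file is missing). Restore it from the repository; the
          # cleanup step below `source`s this file.
          cat > .env <<EOF
          EOF

      # NOTE(review): the header of the step that runs the e2e suite (its name,
      # condition and env) was lost in the same gap; only its run script
      # survived. The `if:` and the two GITREPO_* variables below mirror the
      # surrounding steps because the script reads them; the ARM_* / TF_VAR_*
      # env used by the cleanup step is presumably needed here as well.
      # Confirm all of it against the repository.
      - if: ${{ env.SSH_SECRET_SMOKE_TEST_ONLY != 'true' }}
        env:
          GITREPO_SSH_CONTENTS: ${{ secrets.GIT_SSH_IDENTITY }}
          GITREPO_SSH_PUB_CONTENTS: ${{ secrets.GIT_SSH_IDENTITY_PUB }}
        run: |
          # Owner-only files from the first byte; no heredoc expansion of the
          # secret's contents.
          umask 077
          mkdir -p build/ssh
          printf '%s\n' "$GITREPO_SSH_CONTENTS" > build/ssh/key
          export GITREPO_SSH_PATH=build/ssh/key
          printf '%s\n' "$GITREPO_SSH_PUB_CONTENTS" > build/ssh/key.pub
          export GITREPO_SSH_PUB_PATH=build/ssh/key.pub
          make test-azure

      # always(): tear cloud resources down even when the suite failed or the
      # job was cancelled, so a broken run cannot leave an AKS cluster behind.
      # TF_VAR_azuredevops_pat is a long-lived personal access token; keep its
      # scope minimal and rotate it.
      - name: Ensure resource cleanup
        if: ${{ always() && env.SSH_SECRET_SMOKE_TEST_ONLY != 'true' }}
        env:
          ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
          ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
          ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
          ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
          TF_VAR_azuredevops_org: ${{ secrets.TF_VAR_azuredevops_org }}
          TF_VAR_azuredevops_pat: ${{ secrets.TF_VAR_azuredevops_pat }}
          TF_VAR_azure_location: ${{ vars.TF_VAR_azure_location }}
        run: source .env && make destroy-azure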