Merge pull request #882 from gitlabhq/split-ce-and-ee-acceptance-workflows

Split EE and CE acceptance workflows

Author: DonNicoJs

.github/workflows/pr-acceptance-ce.yml

@@ -0,0 +1,45 @@
+# This workflow runs acceptance tests on pull requests (CE)
+
+name: pr-acceptance-ce
+
+on:
+  pull_request:
+    # Acceptance tests are unnecessary to run on some types of PRs.
+    paths-ignore:
+      - 'docs/**'
+      - 'examples/**'
+      - 'README.md'
+      - 'CHANGELOG.md'
+      - 'CONTRIBUTING.md'
+
+concurrency: 
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+jobs:
+  go-version:
+    runs-on: ubuntu-latest
+    outputs:
+      go-version: ${{ steps.go-version.outputs.go-version }}
+    steps:
+      - uses: actions/checkout@v2
+      # Read the .go-version file and output it for other jobs to use.
+      - id: go-version
+        run: echo "::set-output name=go-version::$(cat .go-version)"
+
+  acceptance-ce:
+    timeout-minutes: 60
+    runs-on: ubuntu-latest
+    needs: [go-version]
+    steps:
+      - uses: actions/setup-go@v2
+        with:
+          go-version: ${{ needs.go-version.outputs.go-version }}
+      - uses: actions/checkout@v2
+      # Cache the Go modules.
+      - uses: actions/cache@v2
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ github.job }}-${{ runner.os }}-go${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum', 'GNUMakefile') }}
+      - run: make testacc-up
+      - run: make testacc

.github/workflows/pr-acceptance.yml renamed to .github/workflows/pr-acceptance-ee.yml

@@ -1,17 +1,18 @@
-# This workflow runs acceptance tests on pull requests (both CE and EE). It needs to be run in the
+# This workflow runs acceptance tests on pull requests (EE). It needs to be run in the
 # target project instead of the fork in order to use secrets. This is why the actions/checkout
 # action regularly has to specify the pull request sha.
 #
 # SECURITY ADVISORY
 # Be careful while making changes to this file.
 # See: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
 
-name: pr-acceptance
+name: pr-acceptance-ee
 
 on:
   # The pull_request_target event type fires for pull requests, but in the context of the target
   # project.
   pull_request_target:
+    types: [labeled]
     # Acceptance tests are unnecessary to run on some types of PRs.
     paths-ignore:
       - 'docs/**'
@@ -51,32 +52,10 @@ jobs:
         if: ${{ env.LICENSE_ENCRYPTION_PASSWORD != '' }}
         run: echo "::set-output name=defined::true"
 
-  acceptance-ce:
-    timeout-minutes: 60
-    runs-on: ubuntu-latest
-    needs: [go-version]
-    steps:
-      - uses: actions/setup-go@v2
-        with:
-          go-version: ${{ needs.go-version.outputs.go-version }}
-      # Check out the pull request code (as opposed to the target project).
-      - uses: actions/checkout@v2
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-      # Cache the Go modules.
-      - uses: actions/cache@v2
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ github.job }}-${{ runner.os }}-go${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum', 'GNUMakefile') }}
-      # CAUTION: EXECUTING UNTRUSTED CODE.
-      # This is made safe because we have not referenced any secrets or GitHub tokens.
-      - run: make testacc-up
-      - run: make testacc
-
   acceptance-ee:
     # Only run EE tests if the LICENSE_ENCRYPTION_PASSWORD secret exists, so that the workflow
     # doesn't fail when code is pushed to a fork.
-    if: ${{ needs.license-encryption-password.outputs.defined }}
+    if: needs.license-encryption-password.outputs.defined && contains(github.event.pull_request.labels.*.name, 'safe to test')
     timeout-minutes: 60
     runs-on: ubuntu-latest
     needs: [go-version, license-encryption-password]
@@ -107,3 +86,4 @@ jobs:
       # This is made safe because we have already cleaned up the unencrypted GitLab license file,
       # we have no other secrets, and we are not using GitHub tokens.
       - run: make testacc
+