Skip to content

#62221 GitHub Actions workflow hardening #1903

#62221 GitHub Actions workflow hardening

#62221 GitHub Actions workflow hardening #1903

Workflow file for this run

name: Code Coverage Report
on:
# Verify
push:
branches:
- trunk
paths:
- '.github/workflows/test-coverage.yml'
- '.github/workflows/reusable-phpunit-tests-v3.yml'
- 'docker-compose.yml'
- 'phpunit.xml.dist'
- 'tests/phpunit/multisite.xml'
pull_request:
branches:
- trunk
paths:
- '.github/workflows/test-coverage.yml'
- '.github/workflows/reusable-phpunit-tests-v3.yml'
- 'docker-compose.yml'
- 'phpunit.xml.dist'
- 'tests/phpunit/multisite.xml'
# Once daily at 00:00 UTC.
schedule:
- cron: '0 0 * * *'
# Allow manually triggering the workflow.
workflow_dispatch:
# Cancels all previous workflow runs for pull requests that have not completed.
concurrency:
# The concurrency group contains the workflow name and the branch name for pull requests
# or the commit hash for any other events.
group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
cancel-in-progress: true
# Disable permissions for all available scopes by default.
# Any needed permissions should be configured at the job level.
permissions: {}
env:
LOCAL_PHP_XDEBUG: true
LOCAL_PHP_XDEBUG_MODE: 'coverage'
LOCAL_PHP_MEMCACHED: ${{ false }}
PUPPETEER_SKIP_DOWNLOAD: ${{ true }}
jobs:
#
# Creates a PHPUnit test jobs for generating code coverage reports.
#
test-coverage-report:
name: ${{ matrix.multisite && 'Multisite' || 'Single site' }} report
uses: WordPress/wordpress-develop/.github/workflows/reusable-phpunit-tests-v3.yml@trunk
permissions:
contents: read
if: ${{ github.repository == 'WordPress/wordpress-develop' }}
strategy:
fail-fast: false
matrix:
multisite: [ false, true ]
coverage-report: [ true ]
with:
php: '8.3'
multisite: ${{ matrix.multisite }}
coverage-report: ${{ matrix.coverage-report }}
secrets:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
slack-notifications:
name: Slack Notifications
uses: WordPress/wordpress-develop/.github/workflows/slack-notifications.yml@trunk
permissions:
actions: read
contents: read
needs: [ test-coverage-report ]
if: ${{ github.repository == 'WordPress/wordpress-develop' && github.event_name != 'pull_request' && always() }}
with:
calling_status: ${{ contains( needs.*.result, 'cancelled' ) && 'cancelled' || contains( needs.*.result, 'failure' ) && 'failure' || 'success' }}
secrets:
SLACK_GHA_SUCCESS_WEBHOOK: ${{ secrets.SLACK_GHA_SUCCESS_WEBHOOK }}
SLACK_GHA_CANCELLED_WEBHOOK: ${{ secrets.SLACK_GHA_CANCELLED_WEBHOOK }}
SLACK_GHA_FIXED_WEBHOOK: ${{ secrets.SLACK_GHA_FIXED_WEBHOOK }}
SLACK_GHA_FAILURE_WEBHOOK: ${{ secrets.SLACK_GHA_FAILURE_WEBHOOK }}
failed-workflow:
name: Failed workflow tasks
runs-on: ubuntu-latest
permissions:
actions: write
needs: [ slack-notifications ]
if: |
always() &&
github.repository == 'WordPress/wordpress-develop' &&
github.event_name != 'pull_request' &&
github.run_attempt < 2 &&
(
contains( needs.*.result, 'cancelled' ) ||
contains( needs.*.result, 'failure' )
)
steps:
- name: Dispatch workflow run
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
retries: 2
retry-exempt-status-codes: 418
script: |
github.rest.actions.createWorkflowDispatch({
owner: context.repo.owner,
repo: context.repo.repo,
workflow_id: 'failed-workflow.yml',
ref: 'trunk',
inputs: {
run_id: '${{ github.run_id }}'
}
});