ci: use pull_request instead of pull_request_target for Actions (#380)

Co-authored-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Azure · Feb 23, 2022 · 1edb03d · 1edb03d
1 parent 3f2be3a
commit 1edb03d
Showing 1 changed file with 9 additions and 23 deletions.
diff --git a/.github/workflows/azwi-e2e.yaml b/.github/workflows/azwi-e2e.yaml
@@ -4,7 +4,7 @@ on:
   workflow_dispatch:
   schedule:
     - cron: '0 0 * * *' # nightly
-  pull_request_target:
+  pull_request:
     branches:
       - main
       - release-**
@@ -18,9 +18,10 @@ permissions:
 
 jobs:
   azwi_e2e:
-    environment: azwi-e2e
     env:
-      SERVICE_ACCOUNT_ISSUER: ${{ secrets.SERVICE_ACCOUNT_ISSUER }}
+      AZURE_CLIENT_ID: 0dcfc182-7b36-4e23-b53f-a27c929a9e4e
+      AZURE_TENANT_ID: bc2d60ab-9b1d-45bd-8a3b-3a18ae865e3a
+      SERVICE_ACCOUNT_ISSUER: "https://chuwon.blob.core.windows.net/oidc-test/"
     strategy:
       fail-fast: false
       matrix:
@@ -29,13 +30,6 @@ jobs:
     runs-on: ${{ matrix.env }}
     steps:
       - name: Checkout
-        if: github.event_name == 'pull_request_target'
-        uses: actions/checkout@v2
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-          fetch-depth: 0
-      - name: Checkout
-        if: github.event_name != 'pull_request_target'
         uses: actions/checkout@v2
         with:
           fetch-depth: 0
@@ -55,16 +49,15 @@ jobs:
           echo "SERVICE_ACCOUNT_NAME=${SERVICE_ACCOUNT_NAMESPACE}-sa" >> "${GITHUB_ENV}"
       - name: Create kind cluster
         run: |
-          # create a kind cluster with predefined signing keys
-          echo ${{ secrets.SERVICE_ACCOUNT_SIGNING_KEY }} | base64 -d > sa.key
-          echo ${{ secrets.SERVICE_ACCOUNT_KEY }} | base64 -d > sa.pub
+          openssl genrsa -out sa.key 2048
+          openssl rsa -in sa.key -pubout -out sa.pub
           make kind-create
       - name: Build azwi
         run: make bin/azwi
       - uses: azure/login@v1.4.3
         with:
-          client-id: ${{ secrets.AZURE_CLIENT_ID }}
-          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          client-id: ${{ env.AZURE_CLIENT_ID }}
+          tenant-id: ${{ env.AZURE_TENANT_ID }}
           allow-no-subscriptions: true
       - name: E2E test
         run: |
@@ -85,7 +78,7 @@ jobs:
           APPLICATION_CLIENT_ID="$(az ad sp list --display-name "${AAD_APPLICATION_NAME}" --query '[0].appId' -otsv)"
           cat sa.yaml | grep "azure.workload.identity/client-id: ${APPLICATION_CLIENT_ID}"
           cat sa.yaml | grep "azure.workload.identity/service-account-token-expiration: 36000"
-          cat sa.yaml | grep "azure.workload.identity/tenant-id: ${{ secrets.AZURE_TENANT_ID }}"
+          cat sa.yaml | grep "azure.workload.identity/tenant-id: ${AZURE_TENANT_ID}"
 
           # get the federated identity
           APPLICATION_OBJECT_ID="$(az ad app show --id "${APPLICATION_CLIENT_ID}" --query objectId -otsv)"
@@ -111,13 +104,6 @@ jobs:
     runs-on: ${{ matrix.env }}
     steps:
       - name: Checkout
-        if: github.event_name == 'pull_request_target'
-        uses: actions/checkout@v2
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-          fetch-depth: 0
-      - name: Checkout
-        if: github.event_name != 'pull_request_target'
         uses: actions/checkout@v2
         with:
           fetch-depth: 0