Add operator PR testing workflow #88

Merged
sciabarracom merged 7 commits into apache:main from luigidematteis:pr-trigger-test
Mar 11, 2026

@luigidematteis
Contributor

Description

This PR adds a new workflow for testing operator PRs end-to-end.

Operator PR test workflow (operator-pr-test.yaml)

New repository_dispatch-driven workflow that receives events from the operator repo when a maintainer comments /testing <platform> on a PR. It:

  • Clones the operator PR branch with --recurse-submodules (picking up the olaris/ task submodule)
  • Builds the operator Docker image from the PR code
  • Pushes it to GHCR under the testing repo's namespace (ghcr.io/<owner>/openserverless-testing:pr-<num>-<sha>)
  • Patches opsroot.json to point to the just-built image via jq
  • Sets OPS_ROOT to the submodule path so ops uses the PR's task definitions
  • Runs the full acceptance test suite against the specified platform

Uses ${{ github.repository_owner }} throughout, so the same workflow works on forks and upstream without changes.

Secrets and environment variables

  • Secrets are loaded at runtime from 1Password vault OpenServerless/TESTING using 1password/load-secrets-action@v2 (Linux/Mac) and shyim/1password-load-secrets-action@v1 (Windows)
  • The only GitHub Secret required is OP_SERVICE_ACCOUNT_TOKEN (authenticates the 1Password action)
  • NGROK_TOKEN remains as a GitHub Secret (not stored in 1Password)
  • OPS_REPO and OPS_BRANCH are configurable via repository variables

SSH via DNS hostnames

  • 1-deploy.sh uses K3S_AMD_APIHOST / K3S_ARM_APIHOST as the SSH target

Bug fix in tests.yaml

  • Fixed platform name parsing for dispatch-based triggers: the sed pattern was incorrectly stripping platform suffixes (e.g. "amd" from "k3s-amd") when no timestamp was present
  • Removed branches-ignore: '*' from the push trigger (redundant filter that caused the workflow to fire on branch pushes)

Deploy script updates (tests/1-deploy.sh)

  • k3s-amd/k3s-arm blocks use K3S_AMD_APIHOST / K3S_ARM_APIHOST for both ops config apihost and ops setup server (SSH target)
  • SSH connection uses SSH_USER variable (defaults to root)
  • Kubeconfig setup reads from K8S_KUBECONFIG_B64 for generic K8s platforms

1Password vault fields required

1Password vault "OpenServerless" / item "TESTING"
  ├── K3S_AMD_APIHOST      DNS FQDN for k3s AMD
  ├── K3S_ARM_APIHOST      DNS FQDN for k3s ARM
  ├── K8S_KUBECONFIG_B64   Base64-encoded kubeconfig for K8s clusters
  ├── K8S_APIHOST          DNS FQDN for generic K8s
  ├── ID_RSA_B64           Base64-encoded SSH key for VM access
  ├── APIHOST              Fallback DNS FQDN
  └── NGROK_PASSWORD       ngrok password (debug)

GitHub Secrets required

Secret                     Purpose
OP_SERVICE_ACCOUNT_TOKEN   Authenticates 1Password access at runtime
NGROK_TOKEN                ngrok auth token (debug)

Companion PR

This PR works together with a PR on openserverless-operator that:

  • Adds openserverless-task as a git submodule at olaris/
  • Adds trigger-testing.yaml workflow (dispatches operator-pr-test events to this repo)
  • Requires OPENSERVERLESS_TESTING_PAT secret on the operator repo

The .gitmodules file uses git config syntax which does not support
license headers.

flatdict 4.0.1 only ships as a source tarball. Building it requires
pkg_resources (setuptools), removed from Python 3.12 virtual environments.
Version 4.1.0 ships a pre-built wheel, bypassing the build step entirely.

Also update Dockerfile Poetry from 1.8.5 to 2.3.2 to match the
lock-version 2.1 format already in use.

Allow forks to push operator images to ghcr.io by setting the IMAGE_REGISTRY
repository variable, without requiring Docker Hub credentials.

Defaults to registry.hub.docker.com for backward compatibility with the
Apache upstream. When DOCKERHUB_USER/DOCKERHUB_TOKEN secrets are not set,
credentials fall back to github.actor/GITHUB_TOKEN automatically.

Same fix as testing repo: branches-ignore under push was causing
spurious workflow runs on branch pushes. With only tags filter
present, branch pushes are already excluded.

The commit SHA is the correct tag for
both event types.
@sciabarracom sciabarracom merged commit c506bc3 into apache:main Mar 11, 2026
1 check passed
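
Added example, not part of the PR or the project's workflows: the workflow described above takes a platform name, a PR number and a commit SHA from a dispatch event and uses them in shell steps and in the image tag, so a step can validate them before anything else runs. The function names, the platform allowlist and the `-<digits>` timestamp format are assumptions; the sample inputs are constructed.

```bash
#!/usr/bin/env bash
# Added example (not the project's workflow code). Validates values that arrive
# in a repository_dispatch payload before they are used in docker/jq/ssh steps.

# Platforms named in the PR description; extend for the other targets you test.
ALLOWED_PLATFORMS="k3s-amd k3s-arm"

# parse_platform RAW: strip only a trailing "-<digits>" timestamp (assumed
# format), so "k3s-amd" keeps its suffix, then require an allowlisted name.
parse_platform() {
  local name p
  name="$(printf '%s' "$1" | sed -E 's/-[0-9]{6,}$//')"
  for p in $ALLOWED_PLATFORMS; do
    if [ "$name" = "$p" ]; then printf '%s\n' "$name"; return 0; fi
  done
  return 1
}

# image_tag OWNER PR SHA: build ghcr.io/<owner>/openserverless-testing:pr-<num>-<sha>
# only from a plain owner name, a decimal PR number and a lowercase hex commit id.
image_tag() {
  local owner="$1" pr="$2" sha="$3"
  case "$owner" in ''|-*|*[!A-Za-z0-9-]*) return 1 ;; esac
  case "$pr" in ''|0*|*[!0123456789]*) return 1 ;; esac
  case "$sha" in *[!0123456789abcdef]*) return 1 ;; esac
  [ "${#sha}" -ge 7 ] && [ "${#sha}" -le 40 ] || return 1
  # Registry repository paths must be lowercase.
  owner="$(printf '%s' "$owner" | tr '[:upper:]' '[:lower:]')"
  printf 'ghcr.io/%s/openserverless-testing:pr-%s-%s\n' "$owner" "$pr" "$sha"
}

# Constructed sample inputs: the last platform value must be rejected.
for raw in k3s-amd k3s-arm-20260311120000 'k3s-amd;x'; do
  parse_platform "$raw" || echo "rejected: $raw" >&2
done
image_tag Example-Org 123 0a1b2c3
```

Run as an early step, a non-zero return from either function should fail the job before the clone, build or push steps see the value.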