Add operator PR testing workflow #4
Merged
sciabarracom merged 9 commits into apache:main from Mar 10, 2026
Replace 1Password secret loading with GitHub Actions secrets and
variables. Retarget infrastructure from AWS/Azure/GCP to Hetzner
(single VMs for k3s, managed K8s cluster via kubeconfig).
Changes:
- .github/workflows/tests.yaml: remove 1password/load-secrets-action
from all three OS jobs (linux/windows/mac), replace with workflow-level
env block using ${{ secrets.* }} and ${{ vars.* }}.
- tests/1-deploy.sh: rename k3s -> k3s-amd with explicit K3S_AMD_IP,
add k8s platform (generic kubeconfig-based cluster),
implement apihost env var hierarchy (<PLATFORM>_APIHOST -> APIHOST ->
hardcoded default), comment out mk8s/eks/aks/gke/osh types.
- tests/all.sh: update platform whitelist (k3s-amd, k3s-arm, k8s),
fix OPS_BRANCH to read from environment instead of hardcoding main,
update TYPE extraction.
Tag format: <platform>-<run-id> (e.g. k3s-amd-test1, k8s-run3)
Active platforms: kind, k3s-amd, k3s-arm, k8s
Commented out: mk8s, eks, aks, gke, osh
Signed-off-by: Luigi De Matteis <ldematteis123@gmail.com>
Signed-off-by: Luigi De Matteis <ldematteis123@gmail.com>
The branches-ignore: '*' under push was causing spurious workflow runs on branch pushes. With only tags filter present, branch pushes are already excluded by GitHub Actions.
Add operator PR testing workflow and migrate secrets to GitHub
The sed pattern stripped the last dash-separated component, turning "k3s-amd" into "k3s" when no timestamp suffix was present. Now only strips a trailing numeric suffix (the timestamp added by tag-based triggers), leaving clean platform names like "k3s-amd" unchanged.
Replace GitHub Secrets env vars with 1Password load-secrets-action in all three workflow jobs (linux, windows, mac) and operator-pr-test. Only OP_SERVICE_ACCOUNT_TOKEN and NGROK_TOKEN remain as GitHub Secrets.
…secrets
The k3s-amd and k3s-arm deploy scripts now use K3S_AMD_APIHOST / K3S_ARM_APIHOST as the SSH target, removing the need for K3S_AMD_IP and K3S_ARM_IP secrets. DNS hostnames resolve to the same address and reduce the number of secrets to maintain in the 1Password vault.
Description
This PR adds a new workflow for testing operator PRs end-to-end.

Operator PR test workflow (operator-pr-test.yaml)
New repository_dispatch-driven workflow that receives events from the operator repo when a maintainer comments /testing <platform> on a PR. It:
- --recurse-submodules (picking up the olaris/ task submodule)
- ghcr.io/<owner>/openserverless-testing:pr-<num>-<sha>)
- opsroot.json to point to the just-built image via jq
- OPS_ROOT to the submodule path so ops uses the PR's task definitions
Uses ${{ github.repository_owner }} throughout, so the same workflow works on forks and upstream without changes.

Secrets and environment variables
- OpenServerless/TESTING using 1password/load-secrets-action@v2 (Linux/Mac) and shyim/1password-load-secrets-action@v1 (Windows)
- OP_SERVICE_ACCOUNT_TOKEN (authenticates the 1Password action)
- NGROK_TOKEN remains as a GitHub Secret (not stored in 1Password)
- OPS_REPO and OPS_BRANCH are configurable via repository variables

SSH via DNS hostnames
- 1-deploy.sh uses K3S_AMD_APIHOST / K3S_ARM_APIHOST as the SSH target

Bug fix in tests.yaml
- branches-ignore: '*' from the push trigger (redundant filter that caused the workflow to fire on branch pushes)

Deploy script updates (tests/1-deploy.sh)
- K3S_AMD_APIHOST / K3S_ARM_APIHOST for both ops config apihost and ops setup server (SSH target)
- SSH_USER variable (defaults to root)
- K8S_KUBECONFIG_B64 for generic K8s platforms

1Password vault fields required

GitHub Secrets required
- OP_SERVICE_ACCOUNT_TOKEN
- NGROK_TOKEN

Companion PR
This PR works together with a PR on openserverless-operator that:
- openserverless-task as a git submodule at olaris/
- trigger-testing.yaml workflow (dispatches operator-pr-test events to this repo)
- OPENSERVERLESS_TESTING_PAT secret on the operator repo
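
The tag-to-platform extraction fix and the apihost fallback order described in the commit messages above, as an added shell example (not the project's tests/all.sh or tests/1-deploy.sh). The function names, the example.invalid default host and the sample tags are assumptions constructed here.

```shell
#!/bin/sh
# Added example, not the project's tests/all.sh or tests/1-deploy.sh.
# Function names and DEFAULT_APIHOST are assumptions; tags below are constructed.

ALLOWED_PLATFORMS="kind k3s-amd k3s-arm k8s"   # active platforms per the PR
DEFAULT_APIHOST="apihost.example.invalid"      # placeholder for the hardcoded default

is_allowed() {
  for _p in $ALLOWED_PLATFORMS; do
    [ "$1" = "$_p" ] && return 0
  done
  return 1
}

# Earlier behaviour described in the commit: drop the last dash-separated part.
old_platform_from_tag() {
  printf '%s\n' "$1" | sed 's/-[^-]*$//'
}

# Fixed behaviour: strip only a trailing all-numeric suffix, then allowlist.
platform_from_tag() {
  _type=$(printf '%s\n' "$1" | sed 's/-[0-9][0-9]*$//')
  if is_allowed "$_type"; then
    printf '%s\n' "$_type"
  else
    echo "rejected: platform not in allowlist" >&2
    return 1
  fi
}

# <PLATFORM>_APIHOST -> APIHOST -> hardcoded default.
# The variable name is built only from an allowlisted platform, so eval sees
# nothing but [A-Z0-9_] characters.
resolve_apihost() {
  is_allowed "$1" || return 1
  _var="$(printf '%s' "$1" | tr 'a-z-' 'A-Z_')_APIHOST"
  eval "_val=\${$_var:-}"
  printf '%s\n' "${_val:-${APIHOST:-$DEFAULT_APIHOST}}"
}

# Constructed tags: bare platform, timestamped tags, and a commented-out platform.
for _tag in k3s-amd k3s-amd-1741600000 k8s-20260310 eks-1; do
  printf '%s: old=%s new=%s\n' "$_tag" "$(old_platform_from_tag "$_tag")" \
    "$(platform_from_tag "$_tag" 2>/dev/null || echo REJECTED)"
done
```

Validating the extracted platform against the allowlist before it reaches a variable name or an SSH target keeps an attacker-chosen tag from steering the deploy script.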