Fix cypress checkout and use github actions environments (#8790)

* Fix cypress checkout and use github actions environments * Harden github token for cypress.yaml * Allow writing status checks
2022-06-08 16:00:47 +01:00 · 2022-06-08 16:00:47 +01:00 · f53207a4fe
parent 5167521ea4
commit f53207a4fe
3 changed files with 36 additions and 4 deletions
--- a/.github/workflows/cypress.yaml
+++ b/.github/workflows/cypress.yaml
@ -10,6 +10,12 @@ jobs:
  cypress:
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      checks: write
+      issues: read
+      pull-requests: read
+    environment: Cypress
    steps:
      # Wire up the status check for this workflow_run action
      - uses: haya14busa/action-workflow_run-status@967ed83efa565c257675ed70cfe5231f062ddd94 # v1.0.0
@ -22,6 +28,13 @@ jobs:
          branch: ${{ github.event.workflow_run.head_branch }}

      - uses: actions/checkout@v2
+        with:
+          # XXX: We're checking out untrusted code in a secure context
+          # We need to be careful to not trust anything this code outputs/may do
+          # We need to check this out to access the cypress tests which are on the head branch
+          repository: ${{ github.event.workflow_run.head_repository.full_name }}
+          ref: ${{ github.event.workflow_run.head_sha }}
+          persist-credentials: false

      # There's a 'download artifact' action, but it hasn't been updated for the workflow_run action
      # (https://github.com/actions/download-artifact/issues/60) so instead we get this mess:
@ -86,16 +99,34 @@ jobs:
            cypress/videos
            cypress/synapselogs

+      - name: Upload Benchmark
+        uses: actions/upload-artifact@v2
+        with:
+          name: cypress-benchmark
+          path: cypress/performance/measurements.json
+          retention-days: 1
+
+  store-benchmark:
+    needs: cypress
+    runs-on: ubuntu-latest
+    if: github.event.workflow_run.event != 'pull_request'
+    permissions:
+      contents: write
+    steps:
+      - name: Download benchmark result
+        uses: actions/download-artifact@v3
+        with:
+          name: cypress-benchmark
+
      - name: Store benchmark result
-        if: github.event.workflow_run.event != 'pull_request'
        uses: matrix-org/github-action-benchmark@jsperfentry-5
        with:
          name: Cypress measurements
          tool: 'jsperformanceentry'
-          output-file-path: cypress/performance/measurements.json
+          output-file-path: measurements.json
          # The dashboard is available at https://matrix-org.github.io/matrix-react-sdk/cypress/bench/
          benchmark-data-dir-path: cypress/bench
          fail-on-alert: false
          comment-on-alert: false
-          github-token: ${{ secrets.DEPLOY_GH_PAGES }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
          auto-push: ${{ github.event.workflow_run.event != 'pull_request' }}
--- a/.github/workflows/end-to-end-tests.yaml
+++ b/.github/workflows/end-to-end-tests.yaml
@ -53,5 +53,5 @@ jobs:
          benchmark-data-dir-path: dev/bench
          fail-on-alert: false
          comment-on-alert: false
-          github-token: ${{ secrets.DEPLOY_GH_PAGES }}
+          github-token: ${{ secrets.ELEMENT_BOT_TOKEN }}
          auto-push: ${{ github.ref == 'refs/heads/develop' }}
--- a/.github/workflows/netlify.yaml
+++ b/.github/workflows/netlify.yaml
@ -10,6 +10,7 @@ jobs:
  deploy:
    if: github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'pull_request'
    runs-on: ubuntu-latest
+    environment: Netlify
    steps:
      - name: 📝 Create Deployment
        uses: bobheadxi/deployments@v1