Feature - ok-to-test in github action

.github/workflows/integration.yml

@@ -0,0 +1,120 @@
+# Run secret-dependent integration tests only after /ok-to-test approval
+on:
+  pull_request:
+  repository_dispatch:
+    types: [ok-to-test-command]
+
+name: Integration tests
+
+jobs:
+  integration-trusted:
+    runs-on: ubuntu-latest
+    if: (github.event_name == 'repository_dispatch') || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository)
+    steps:
+      - id: debug-outputs
+        run: |
+          echo ${{ github.event_name }}
+          echo ${{ github.event.client_payload }}
+
+      - id: verify-sha-input
+        if: github.event_name == 'repository_dispatch'
+        run: |
+          echo \"${{ github.event.client_payload.pull_request.head.sha }}\"
+          echo \"${{ github.event.client_payload.slash_command.args.named.sha }}\"
+          SHAINPUT=$(echo ${{github.event.client_payload.slash_command.args.named.sha}} | cut -c1-7)
+          if [ ${#SHAINPUT} -le 6 ]; then echo "error::input sha not at least 7 characters long" ; exit 1
+          else echo "done"
+          fi
+          SHAHEAD=$(echo ${{github.event.client_payload.pull_request.head.sha}} | cut -c1-7)
+          echo ${#SHAINPUT}
+          echo ${#SHAHEAD}
+          if [ "${SHAHEAD}" != "${SHAINPUT}" ]; then echo "sha input from slash command does not equal the head sha" ; exit 1
+          else echo "shas are equal"
+          fi
+
+      - name: pull_request actions/checkout
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@v2
+
+      - name: pull_request actions/checkout
+        if: github.event_name == 'repository_dispatch'
+        uses: actions/checkout@v2
+        with:
+          ref: 'refs/pull/${{ github.event.client_payload.pull_request.number }}/merge'
+
+      - name: setup-go
+        uses: actions/setup-go@v2
+        with:
+          go-version: '1.15.5'
+
+      - name: Run ci-e2e
+        env:  
+          GITHUB_AUTH_TOKEN: ${{ secrets.GH_AUTH_TOKEN }}
+        run: |
+          if [[ ! -v GITHUB_AUTH_TOKEN ]]; then
+              echo "GITHUB_AUTH_TOKEN is not set, skip test"
+              exit 1
+          elif [[ -z "$GITHUB_AUTH_TOKEN" ]]; then
+              echo "GITHUB_AUTH_TOKEN is set to the empty string, skip test"
+              exit 1
+          else
+            go get github.com/onsi/ginkgo/ginkgo@v1.14.2
+            go mod download
+            make ci-e2e
+          fi
+
+      - name: find comment
+        if: ${{ always() }}
+        uses: peter-evans/find-comment@v1
+        id: fc
+        with:
+          issue-number: ${{ github.event.pull_request.number || github.event.client_payload.pull_request.number }}
+          comment-author: 'github-actions[bot]'
+          body-includes: Integration tests ran for
+
+      - name: create or update comment
+        if: (${{ always() }})
+        uses: peter-evans/create-or-update-comment@v1
+        with:
+          issue-number: ${{ github.event.pull_request.number || github.event.client_payload.pull_request.number }}
+          comment-id: ${{ steps.fc.outputs.comment-id }}
+          body: |
+            Integration tests ${{ job.status }} for [${{ github.event.client_payload.slash_command.args.named.sha || github.event.pull_request.head.sha }}](https://github.com/chanzuckerberg/terraform-provider-snowflake/actions/runs/${{ github.run_id }})
+
+      - name: set fork job status
+        uses: actions/github-script@v3
+        if: ${{ always() }}
+        id: update-check-run
+        env:
+          number: ${{ github.event.client_payload.pull_request.number }}
+          job: ${{ github.job }}
+          # Conveniently, job.status maps to https://developer.github.com/v3/checks/runs/#update-a-check-run
+          conclusion: ${{ job.status }}
+          sha: ${{ github.event.client_payload.slash_command.args.named.sha }}
+          event_name: ${{ github.event_name }}
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            if (process.env.event_name !== 'repository_dispatch') {
+              console.log("Not repository_dispatch... nothing to do!");
+              return process.env.event_name;
+            }
+
+            const ref = process.env.sha;
+
+            const { data: checks } = await github.checks.listForRef({
+              ...context.repo,
+              ref
+            });
+
+            const check = checks.check_runs.filter(c => c.name === process.env.job);
+            console.log(check);
+
+            const { data: result } = await github.checks.update({
+              ...context.repo,
+              check_run_id: check[0].id,
+              status: 'completed',
+              conclusion: process.env.conclusion
+            });
+
+            return result;

.github/workflows/ok-to-test.yml

@@ -0,0 +1,35 @@
+# If someone with write access comments "/ok-to-test" on a pull request, emit a repository_dispatch event
+name: Ok To Test
+
+on:
+  issue_comment:
+    types: [created]
+
+jobs:
+  ok-to-test:
+    runs-on: ubuntu-latest
+    # Only run for PRs, not issue comments
+    if: ${{ github.event.issue.pull_request }}
+    steps:
+    # Generate a GitHub App installation access token from an App ID and private key
+    # To create a new GitHub App:
+    #   https://developer.github.com/apps/building-github-apps/creating-a-github-app/
+    # See app.yml for an example app manifest
+    - name: Generate token
+      id: generate_token
+      uses: tibdex/github-app-token@v1
+      with:
+        app_id: ${{ secrets.APP_ID }}
+        private_key: ${{ secrets.PRIVATE_KEY }}
+
+    - name: Slash Command Dispatch
+      uses: peter-evans/slash-command-dispatch@v1
+      env:
+        TOKEN: ${{ steps.generate_token.outputs.token }}
+      with:
+        token: ${{ secrets.PERSONAL_ACCESS_TOKEN }} # PAT or OAuth token will also work
+        reaction-token: ${{ secrets.GITHUB_TOKEN }}
+        issue-type: pull-request
+        commands: ok-to-test
+        named-args: true
+        permission: write