feat(ci): Add pull_request_target workflow for fork PR connector tests with BYO secrets

devin-ai-integration[bot] · aaronsteers · devin-ai-integration[bot] · commit 7d9c599b608c · 2025-10-07T20:27:17.000Z
- Add workflow_dispatch trigger to connector-ci-checks.yml - Create fork-connector-tests.yml workflow that: - Detects PRs from external forks - Checks for GitHub App installation on fork - Triggers connector-ci-checks.yml in fork's context - Posts commit status with test results - Replaces push-based BYO secrets trigger This enables community contributors to run connector tests with their own secrets by installing the Airbyte GitHub App on their fork. Requested by AJ Steers (@aaronsteers) Co-Authored-By: AJ Steers <aj@airbyte.io>
diff --git a/.github/workflows/connector-ci-checks.yml b/.github/workflows/connector-ci-checks.yml
@@ -8,6 +8,25 @@ on:
       - reopened
       - ready_for_review
 
+  workflow_dispatch:
+    inputs:
+      repo:
+        type: string
+        required: false
+        description: "The repository name"
+      gitref:
+        type: string
+        required: false
+        description: "The git reference (branch or tag)"
+      comment-id:
+        type: string
+        required: false
+        description: "The ID of the comment triggering the workflow. Unused as of now."
+      pr:
+        type: string
+        required: false
+        description: "The pull request number, if applicable. Unused as of now."
+
   # Available as a reusable workflow
   # (https://docs.github.com/en/actions/sharing-automations/reusing-workflows)
   workflow_call:
diff --git a/.github/workflows/fork-connector-tests.yml b/.github/workflows/fork-connector-tests.yml
@@ -0,0 +1,138 @@
+name: Fork PR Connector Tests
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+
+permissions:
+  contents: read
+  statuses: write
+  pull-requests: write
+
+jobs:
+  check-fork-and-trigger-tests:
+    name: Check Fork and Trigger Tests
+    runs-on: ubuntu-24.04
+    if: github.event.pull_request.head.repo.full_name != github.repository
+    steps:
+      - name: Check if fork is from outside airbytehq org
+        id: check-fork
+        run: |
+          FORK_REPO="${{ github.event.pull_request.head.repo.full_name }}"
+          echo "fork-repo=$FORK_REPO" >> $GITHUB_OUTPUT
+          
+          if [[ "$FORK_REPO" == airbytehq/* ]]; then
+            echo "is-external-fork=false" >> $GITHUB_OUTPUT
+            echo "Fork is from airbytehq org, skipping"
+          else
+            echo "is-external-fork=true" >> $GITHUB_OUTPUT
+            echo "Fork is external: $FORK_REPO"
+          fi
+
+      - name: Get fork owner
+        id: fork-owner
+        if: steps.check-fork.outputs.is-external-fork == 'true'
+        run: |
+          FORK_OWNER=$(echo "${{ steps.check-fork.outputs.fork-repo }}" | cut -d'/' -f1)
+          echo "owner=$FORK_OWNER" >> $GITHUB_OUTPUT
+          echo "Fork owner: $FORK_OWNER"
+
+      - name: Attempt to get GitHub App token for fork
+        id: get-app-token
+        if: steps.check-fork.outputs.is-external-fork == 'true'
+        continue-on-error: true
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.OCTAVIA_BOT_APP_ID }}
+          private-key: ${{ secrets.OCTAVIA_BOT_PRIVATE_KEY }}
+          owner: ${{ steps.fork-owner.outputs.owner }}
+
+      - name: Post pending commit status
+        if: steps.get-app-token.outcome == 'success'
+        run: |
+          curl -X POST \
+            -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
+            -H "Accept: application/vnd.github+json" \
+            "${{ github.api_url }}/repos/${{ github.repository }}/statuses/${{ github.event.pull_request.head.sha }}" \
+            -d '{
+              "state": "pending",
+              "context": "Fork Connector Tests",
+              "description": "Running connector tests in fork with BYO secrets...",
+              "target_url": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+            }'
+
+      - name: Trigger connector tests in fork
+        id: trigger-tests
+        if: steps.get-app-token.outcome == 'success'
+        uses: the-actions-org/workflow-dispatch@v4
+        with:
+          token: ${{ steps.get-app-token.outputs.token }}
+          repo: ${{ steps.check-fork.outputs.fork-repo }}
+          workflow: connector-ci-checks.yml
+          ref: ${{ github.event.pull_request.head.ref }}
+          wait-for-completion: true
+          wait-for-completion-timeout: 2h
+          wait-for-completion-interval: 30s
+          inputs: |
+            {
+              "repo": "${{ steps.check-fork.outputs.fork-repo }}",
+              "gitref": "${{ github.event.pull_request.head.ref }}",
+              "pr": "${{ github.event.pull_request.number }}"
+            }
+
+      - name: Post success commit status
+        if: steps.trigger-tests.outcome == 'success' && steps.trigger-tests.outputs.workflow-conclusion == 'success'
+        run: |
+          curl -X POST \
+            -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
+            -H "Accept: application/vnd.github+json" \
+            "${{ github.api_url }}/repos/${{ github.repository }}/statuses/${{ github.event.pull_request.head.sha }}" \
+            -d '{
+              "state": "success",
+              "context": "Fork Connector Tests",
+              "description": "Connector tests passed in fork with BYO secrets",
+              "target_url": "${{ steps.trigger-tests.outputs.workflow-url }}"
+            }'
+
+      - name: Post failure commit status
+        if: steps.get-app-token.outcome == 'success' && (steps.trigger-tests.outcome == 'failure' || steps.trigger-tests.outputs.workflow-conclusion != 'success')
+        run: |
+          curl -X POST \
+            -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
+            -H "Accept: application/vnd.github+json" \
+            "${{ github.api_url }}/repos/${{ github.repository }}/statuses/${{ github.event.pull_request.head.sha }}" \
+            -d '{
+              "state": "failure",
+              "context": "Fork Connector Tests",
+              "description": "Connector tests failed in fork with BYO secrets",
+              "target_url": "${{ steps.trigger-tests.outputs.workflow-url || format(''{0}/{1}/actions/runs/{2}'', github.server_url, github.repository, github.run_id) }}"
+            }'
+
+      - name: Comment on PR with results
+        if: steps.get-app-token.outcome == 'success'
+        uses: peter-evans/create-or-update-comment@v4
+        with:
+          issue-number: ${{ github.event.pull_request.number }}
+          body: |
+            ## Fork Connector Tests Results
+            
+            ${{ steps.trigger-tests.outputs.workflow-conclusion == 'success' && '✅ Tests passed' || '❌ Tests failed' }}
+            
+            The connector tests ran in your fork's repository context using your BYO secrets.
+            
+            [View test results](${{ steps.trigger-tests.outputs.workflow-url }})
+
+      - name: Skip message for non-external forks
+        if: steps.check-fork.outputs.is-external-fork != 'true'
+        run: |
+          echo "Skipping fork connector tests - PR is not from an external fork"
+
+      - name: Skip message for missing GitHub App
+        if: steps.check-fork.outputs.is-external-fork == 'true' && steps.get-app-token.outcome != 'success'
+        run: |
+          echo "Skipping fork connector tests - GitHub App not installed on fork"
+          echo "Fork owner '${{ steps.fork-owner.outputs.owner }}' needs to install the Airbyte GitHub App"
