integration-test.yml

name: Integration Tests

on:
  push:
    branches:
      - main
    paths:
      - .github/workflows/integration-test*.yml
      - earthaccess/**
      - scripts/integration-test.sh
      - tests/**
      - pyproject.toml
  pull_request:
    branches:
      - main
    paths:
      - .github/workflows/integration-test*.yml
      - earthaccess/**
      - scripts/integration-test.sh
      - tests/**
      - pyproject.toml
  pull_request_target:
    branches:
      - main
    paths:
      - .github/workflows/integration-test*.yml
      - earthaccess/**
      - scripts/integration-test.sh
      - tests/**
      - pyproject.toml

# When this workflow is queued, automatically cancel any previous running
# or pending jobs from the same branch
concurrency:
  group: integration-tests-${{ github.ref }}
  cancel-in-progress: true

jobs:
  integration-tests:
    #
    # This condition prevents DUPLICATE attempts to run integration tests for
    # PRs coming from FORKS.
    #
    # When a PR originates from a fork, both a pull_request and a
    # pull_request_target event are triggered.  This means that without a
    # condition, GitHub will attempt to run integration tests TWICE, once for
    # each event.
    #
    # To prevent this, this condition ensures that integration tests are run
    # in only ONE of the following cases:
    #
    #   1. The event is NOT a pull_request (it's a pull_request_target) and the base
    #      repo is NOT the head repo (i.e., the PR is from a fork).
    #   2. The event IS a pull_request AND the base repo IS the head repo
    #      (i.e., the PR is not from a fork).
    #
    if: (github.event_name != 'pull_request') == github.event.pull_request.head.repo.fork
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version: ["3.10", "3.11", "3.12", "3.13"]
      fail-fast: false

    steps:
      - name: Fetch user permission
        if: github.event_name == 'pull_request_target'
        id: permission
        uses: actions-cool/check-user-permission@v2
        with:
          require: write
          username: ${{ github.triggering_actor }}

      - name: Check user permission
        # The name of the output require-result is a bit confusing, but when its value
        # is 'false', it means that the triggering actor does NOT have the required
        # permission.
        if: github.event_name == 'pull_request_target' && steps.permission.outputs.require-result == 'false'

        # If the triggering actor does not have write permission (i.e., this is a
        # PR from a fork), then we exit, otherwise most of the integration tests will
        # fail because they require access to secrets.  In this case, a maintainer
        # will need to make sure the PR looks safe, and if so, manually re-run the
        # failed pull_request_target jobs.
        run: |
          echo "User **${{ github.triggering_actor }}** does not have permission to run integration tests." >> $GITHUB_STEP_SUMMARY
          echo "A maintainer must perform a security review and re-run this build, if the code is safe." >> $GITHUB_STEP_SUMMARY
          echo "See [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/resources/github-actions-preventing-pwn-requests)." >> $GITHUB_STEP_SUMMARY
          exit 1

      - name: Checkout source
        uses: actions/checkout@v4
        with:
          # Getting the correct commit for a pull_request_target event appears to be
          # a known, problematic issue: https://github.com/actions/checkout/issues/518
          # It seems that ideally, we want github.event.pull_request.merge_commit_sha,
          # but that it is not reliable, and can sometimes be a null values.  It
          # appears that the most reasonable way to ensure that we are pulling the same
          # code that triggered things is shown in this issue comment:
          # https://github.com/actions/checkout/issues/518#issuecomment-1661941548
          # However, attempts to get that working resulted in getting an empty
          # github.event.number, so we're resorting to this simpler approach, which
          # is apparently less than ideal, but seems to be the best we can muster at
          # this point.
          ref: ${{ github.event.pull_request.head.sha }}

      - name: Install package with dependencies
        uses: ./.github/actions/install-pkg
        with:
          python-version: ${{ matrix.python-version }}
          cache-key: integration

      - name: Run integration tests
        env:
          EARTHDATA_USERNAME: ${{ secrets.EDL_USERNAME }}
          EARTHDATA_PASSWORD: ${{ secrets.EDL_PASSWORD }}
        run: |
          # -rxXs: Show provided (r)eason in summary for (x)fail, (X)pass, and (s)kipped tests
          uv run pytest tests/integration \
            -rxXs \
            --cov=earthaccess \
            --cov-report=term-missing \
            --capture=no \
            --tb=native \
            --log-cli-level=INFO

      - name: Upload coverage report
        # Don't upload coverage when using the `act` tool to run the workflow locally
        if: ${{ !env.ACT }}
        uses: codecov/codecov-action@v4