feat: generate workflow for testing third-party PRs with secrets

adbc_drivers_dev/templates/dev.yaml

@@ -44,13 +44,13 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           fetch-depth: 0
           persist-credentials: false
 
 <% if lang.get("go") %>
-      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c  # v6.1.0
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5  # v6.2.0
         with:
           cache-dependency-path: go/go.sum
           check-latest: true

adbc_drivers_dev/templates/dev_pr.yaml

@@ -47,7 +47,7 @@ jobs:
     runs-on: ubuntu-slim
 
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           fetch-depth: 1
           persist-credentials: false

adbc_drivers_dev/templates/go_test_pr.yaml

@@ -0,0 +1,117 @@
+<% if private %>
+# Copyright (c) 2025 Columnar Technologies Inc.  All rights reserved.
+<% else %>
+# Copyright (c) 2025 ADBC Drivers Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+<% endif %>
+
+# !!!! AUTO-GENERATED FILE.  DO NOT EDIT. !!!!
+# USE adbc-gen-workflow (see adbc-drivers/dev) TO UPDATE THIS FILE.
+
+# This is a common workflow for testing a PR when permissions are needed.
+
+name: Go Test PR
+
+on:
+  workflow_dispatch:
+    inputs:
+      pr:
+        description: "The ID of the PR to test (e.g. 42)"
+        required: true
+        type: string
+      ref:
+        description: "The commit/ref to checkout"
+        required: true
+        type: string
+
+concurrency:
+  group: ${{ github.repository }}-${{ github.workflow }}-${{ inputs.pr }}
+  cancel-in-progress: true
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: read
+<% if permissions.get("id_token") %>
+  id-token: write
+<% endif %>
+  packages: read
+  pull-requests: read
+
+jobs:
+  setup:
+    name: configure job
+    runs-on: ubuntu-slim
+    outputs:
+      repository: ${{ steps.get_repo.outputs.repository }}
+    steps:
+      - name: get repository
+        id: get_repo
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          echo repository=$(gh pr --repo ${{ github.repository }} view ${{ inputs.pr }} --json headRepository,headRepositoryOwner --jq '"\(.headRepositoryOwner.login)/\(.headRepository.name)"') | tee -a $GITHUB_OUTPUT
+
+      - name: set job summary
+        run: |
+          echo "**PR:** https://github.com/${{ github.repository }}/pull/${{ inputs.pr }}" >> $GITHUB_STEP_SUMMARY
+          echo "**Remote:** ${{ steps.get_repo.outputs.repository }}@${{ inputs.ref }}" >> $GITHUB_STEP_SUMMARY
+
+  test:
+    uses: adbc-drivers/<{driver}>/.github/workflows/go_test.yaml@main
+    needs:
+      - setup
+    with:
+      repository: ${{ needs.setup.outputs.repository }}
+      ref: ${{ inputs.ref }}
+    secrets:
+      # https://github.com/orgs/community/discussions/25238#discussioncomment-3247035
+<% for name, val in secrets["all"].items() %>
+      <{val}>: ${{ secrets.<{val}> }}
+<% endfor %>
+
+  report:
+    name: comment on PR
+    runs-on: ubuntu-slim
+    if: ${{ always() }}
+    needs:
+      - setup
+      - test
+    permissions:
+      actions: read
+      pull-requests: write
+    steps:
+      - id: get_run
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          echo workflow_run_url=$(gh run --repo ${{ github.repository }} view ${{ github.run_id }} --json url --jq '.url') | tee -a $GITHUB_OUTPUT
+          if [[ '${{ needs.test.result }}' == 'success' ]]; then
+            echo message=":heavy_check_mark: **Test passed:** " | tee -a $GITHUB_OUTPUT
+          else
+            echo message=":x: **Test failed:** " | tee -a $GITHUB_OUTPUT
+          fi
+
+      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd  # v8.0.0
+        with:
+          github-token: ${{ github.token }}
+          script: |
+            github.rest.issues.createComment({
+              issue_number: ${{ inputs.pr }},
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: '${{ steps.get_run.outputs.message }} ${{ needs.setup.outputs.repository }}@${{ inputs.ref }}\nWorkflow run: ${{ steps.get_run.outputs.workflow_run_url }}'
+            })

adbc_drivers_dev/templates/pixi.toml

@@ -39,6 +39,9 @@ gendocs = "python -m validation.tests.generate_documentation"
 
 [dependencies]
 python = ">=3.13.5,<3.14"
+<% for key, value in validation["extra_dependencies"].items() %>
+<{key}> = "<{value}>"
+<% endfor %>
 
 [pypi-dependencies]
 adbc-drivers-dev = { git = "https://github.com/adbc-drivers/dev" }

adbc_drivers_dev/templates/test.yaml

@@ -54,8 +54,26 @@ on:
 <% endfor %>
 <% endif %>
 
+<% if not release and secrets["all"] %>
+  workflow_call:
+    inputs:
+      repository:
+        description: "The repository to checkout (in owner/repo short format)"
+        required: true
+        type: string
+      ref:
+        description: "The ref to checkout"
+        required: true
+        type: string
+    secrets:
+<% for name, val in secrets["all"].items() %>
+      <{val}>:
+        required: true
+<% endfor %>
+<% endif %>
+<% if release %>
   workflow_dispatch: {}
-
+<% endif %>
 
 concurrency:
   # Must share concurrency group with release workflow since it also builds/tests
@@ -93,12 +111,29 @@ jobs:
           # https://github.com/actions/runner-images/issues/2840
           sudo rm -rf "$AGENT_TOOLSDIRECTORY"
 
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
+<% if release or not secrets["all"] %>
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+<% else %>
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        if: github.event_name != 'workflow_dispatch'
         with:
           fetch-depth: 0
           persist-credentials: false
 
-      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c  # v6.1.0
+      - name: "checkout remote"
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        if: github.event_name == 'workflow_dispatch'
+        with:
+          repository: ${{ inputs.repository }}
+          ref: ${{ inputs.ref }}
+          fetch-depth: 0
+          persist-credentials: false
+<% endif %>
+
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5  # v6.2.0
         with:
           cache-dependency-path: go/go.sum
           check-latest: true
@@ -147,6 +182,12 @@ jobs:
 
       - name: Test
         if: runner.os == 'Linux'
+<% if secrets["test"] %>
+        env:
+<% for name, val in secrets["test"].items() %>
+          <{name}>: ${{ secrets.<{val}> }}
+<% endfor %>
+<% endif %>
         working-directory: go
         run: |
           set -a
@@ -158,11 +199,6 @@ jobs:
           fi
           set +a
 
-          if [[ -n "${{ secrets.environment }}" ]]; then
-            echo "Loading secret environment variables"
-            eval "${{ secrets.environment }}"
-          fi
-
           if [[ -f ci/scripts/pre-test.sh ]]; then
             echo "Loading pre-test"
             ./ci/scripts/pre-test.sh
@@ -211,12 +247,29 @@ jobs:
           # https://github.com/actions/runner-images/issues/2840
           sudo rm -rf "$AGENT_TOOLSDIRECTORY"
 
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
+<% if release or not secrets["all"] %>
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+<% else %>
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        if: github.event_name != 'workflow_dispatch'
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: "checkout remote"
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        if: github.event_name == 'workflow_dispatch'
         with:
+          repository: ${{ inputs.repository }}
+          ref: ${{ inputs.ref }}
           fetch-depth: 0
           persist-credentials: false
+<% endif %>
 
-      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c  # v6.1.0
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5  # v6.2.0
         with:
           cache-dependency-path: go/go.sum
           check-latest: true
@@ -290,11 +343,6 @@ jobs:
           fi
           set +a
 
-          if [[ -n "${{ secrets.environment }}" ]]; then
-            echo "Loading secret environment variables"
-            eval "${{ secrets.environment }}"
-          fi
-
           if [[ -f ci/scripts/pre-test.sh ]]; then
             echo "Loading pre-test"
             ./ci/scripts/pre-test.sh
@@ -339,12 +387,29 @@ jobs:
       packages: read
 
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
+<% if release or not secrets["all"] %>
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+<% else %>
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        if: github.event_name != 'workflow_dispatch'
         with:
           fetch-depth: 0
           persist-credentials: false
 
-      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c  # v6.1.0
+      - name: "checkout remote"
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        if: github.event_name == 'workflow_dispatch'
+        with:
+          repository: ${{ inputs.repository }}
+          ref: ${{ inputs.ref }}
+          fetch-depth: 0
+          persist-credentials: false
+<% endif %>
+
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5  # v6.2.0
         with:
           cache-dependency-path: go/go.sum
           check-latest: true
@@ -398,12 +463,29 @@ jobs:
       contents: read
 
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
+<% if release or not secrets["all"] %>
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+<% else %>
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        if: github.event_name != 'workflow_dispatch'
         with:
           fetch-depth: 0
           persist-credentials: false
 
-      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c  # v6.1.0
+      - name: "checkout remote"
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        if: github.event_name == 'workflow_dispatch'
+        with:
+          repository: ${{ inputs.repository }}
+          ref: ${{ inputs.ref }}
+          fetch-depth: 0
+          persist-credentials: false
+<% endif %>
+
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5  # v6.2.0
         with:
           check-latest: true
           go-version: "stable"
@@ -473,12 +555,29 @@ jobs:
 <% endif %>
 
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
+<% if release or not secrets["all"] %>
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+<% else %>
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        if: github.event_name != 'workflow_dispatch'
         with:
           fetch-depth: 0
           persist-credentials: false
 
-      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c  # v6.1.0
+      - name: "checkout remote"
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        if: github.event_name == 'workflow_dispatch'
+        with:
+          repository: ${{ inputs.repository }}
+          ref: ${{ inputs.ref }}
+          fetch-depth: 0
+          persist-credentials: false
+<% endif %>
+
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5  # v6.2.0
         with:
           check-latest: true
           go-version: "stable"