Skip to content

Update nightly schedule to weekdays at 10:30 PM PT and fix security issues #2910

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
brandonpage merged 2 commits into from
May 29, 2026
Merged

Update nightly schedule to weekdays at 10:30 PM PT and fix security issues #2910

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
00d9795
Update nightly schedule to weekdays at 10:30 PM PT and fix security i…
brandonpage May 29, 2026
6e96482
Add job-level permissions to reusable-workflow callers.
brandonpage May 29, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 28 additions & 5 deletions .github/workflows/nightly.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,24 +1,36 @@
name: Nightly Tests

on:
on:
schedule:
- cron: "0 6 * * 2,6" # cron is UTC, this translates to 10 PM PST Mon and Fri.
- cron: "30 6 * * 2-6" # cron is UTC; 10:30 PM PT every weekday (Mon-Fri).
Copy link
Copy Markdown
Contributor

@wmathurin wmathurin May 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we do Sunday to Thursday instead (so always followed by a working day the next morning) ?

# This lets us trigger the workflow from a browser.
workflow_dispatch:

permissions:
contents: read

# Run the native libraries first so that the native and Hybrid MobileSync tests
# don't run simultaneously (to prevent flappers).
jobs:
android-nightly:
permissions:
contents: read
pull-requests: write
strategy:
fail-fast: false
matrix:
lib: [SalesforceAnalytics, SalesforceSDK, SmartStore, MobileSync]
uses: ./.github/workflows/reusable-lib-workflow.yaml
with:
lib: ${{ matrix.lib }}
secrets: inherit
secrets:
TEST_CREDENTIALS: ${{ secrets.TEST_CREDENTIALS }}
GCLOUD_SERVICE_KEY: ${{ secrets.GCLOUD_SERVICE_KEY }}
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
android-nightly-Hybrid:
permissions:
contents: read
pull-requests: write
if: success() || failure()
needs: [android-nightly]
strategy:
Expand All @@ -28,7 +40,18 @@ jobs:
uses: ./.github/workflows/reusable-lib-workflow.yaml
with:
lib: ${{ matrix.lib }}
secrets: inherit
secrets:
TEST_CREDENTIALS: ${{ secrets.TEST_CREDENTIALS }}
GCLOUD_SERVICE_KEY: ${{ secrets.GCLOUD_SERVICE_KEY }}
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
android-nightly-UI-Tests:
permissions:
contents: read
pull-requests: write
uses: ./.github/workflows/reusable-ui-workflow.yaml
secrets: inherit
secrets:
MSDK_ANDROID_REMOTE_ACCESS_CALLBACK_URL: ${{ secrets.MSDK_ANDROID_REMOTE_ACCESS_CALLBACK_URL }}
MSDK_ANDROID_REMOTE_ACCESS_CONSUMER_KEY: ${{ secrets.MSDK_ANDROID_REMOTE_ACCESS_CONSUMER_KEY }}
UI_TEST_CONFIG: ${{ secrets.UI_TEST_CONFIG }}
GCLOUD_SERVICE_KEY: ${{ secrets.GCLOUD_SERVICE_KEY }}
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
51 changes: 39 additions & 12 deletions .github/workflows/pr.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,44 +1,57 @@
name: Pull Request

on:
# Dangerous without Member Check setup!
pull_request_target:
# Pull_request_target is required to grant secrets/write-permission to fork PRs.
# Mitigated by per-job Member Check (see "Check Write Permission" + "Validate Write Permission" steps).
# Reference: team Github Actions Tribal Knowledge doc.
pull_request_target: # zizmor: ignore[dangerous-triggers]
branches: [dev, master]

permissions:
contents: read

jobs:
test-orchestrator:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
env:
BUNDLE_GEMFILE: ${{ github.workspace }}/.github/DangerFiles/Gemfile
outputs:
libs: ${{ steps.test-orchestrator.outputs.libs }}
steps:
- name: Check Write Permission
uses: octokit/request-action@v2.x
uses: octokit/request-action@dad4362715b7fb2ddedf9772c8670824af564f0d # v2.4.0
id: check_permissions
with:
route: GET /repos/${{ github.repository }}/collaborators/${{ github.triggering_actor }}/permission
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Debug Permission Response
env:
PERMISSION_DATA: ${{ steps.check_permissions.outputs.data }}
run: |
echo "Permission raw response: ${{ steps.check_permissions.outputs.data }}"
echo "Permission raw response: ${PERMISSION_DATA}"
- name: Validate Write Permission
env:
PERMISSION: ${{ fromJson(steps.check_permissions.outputs.data).permission }}
TRIGGERING_ACTOR: ${{ github.triggering_actor }}
run: |
permission=$(echo "${{ fromJson(steps.check_permissions.outputs.data).permission }}")
echo "User ${{ github.triggering_actor }} has permission: $permission"
if [[ "$permission" != "write" && "$permission" != "admin" ]]; then
echo "User ${{ github.triggering_actor }} does not have sufficient permission (write or admin) to proceed. Someone from the team needs to rerun this workflow AFTER it has been deemed safe."
echo "User ${TRIGGERING_ACTOR} has permission: ${PERMISSION}"
if [ "${PERMISSION}" != "write" ] && [ "${PERMISSION}" != "admin" ]; then
echo "User ${TRIGGERING_ACTOR} does not have sufficient permission (write or admin) to proceed. Someone from the team needs to rerun this workflow AFTER it has been deemed safe."
exit 1
fi
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
persist-credentials: false
# We need a sufficient depth or Danger will occasionally run into issues checking which files were modified.
fetch-depth: 100
# This is dangerous without the member check
ref: ${{ github.event.pull_request.head.sha }}
- uses: ruby/setup-ruby@v1
- uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0
with:
ruby-version: '3.2'
bundler-cache: true
Expand All @@ -49,6 +62,9 @@ jobs:
run: bundle exec danger --dangerfile=.github/DangerFiles/TestOrchestrator.rb --danger_id="TestOrchestrator"

unit-tests-pr:
permissions:
contents: read
pull-requests: write
needs: [test-orchestrator]
strategy:
fail-fast: false
Expand All @@ -58,11 +74,22 @@ jobs:
with:
lib: ${{ matrix.lib }}
is_pr: true
secrets: inherit
secrets:
TEST_CREDENTIALS: ${{ secrets.TEST_CREDENTIALS }}
GCLOUD_SERVICE_KEY: ${{ secrets.GCLOUD_SERVICE_KEY }}
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

ui-tests-pr:
permissions:
contents: read
pull-requests: write
needs: [test-orchestrator]
uses: ./.github/workflows/reusable-ui-workflow.yaml
with:
is_pr: true
secrets: inherit
secrets:
MSDK_ANDROID_REMOTE_ACCESS_CALLBACK_URL: ${{ secrets.MSDK_ANDROID_REMOTE_ACCESS_CALLBACK_URL }}
MSDK_ANDROID_REMOTE_ACCESS_CONSUMER_KEY: ${{ secrets.MSDK_ANDROID_REMOTE_ACCESS_CONSUMER_KEY }}
UI_TEST_CONFIG: ${{ secrets.UI_TEST_CONFIG }}
GCLOUD_SERVICE_KEY: ${{ secrets.GCLOUD_SERVICE_KEY }}
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
Loading
Loading