ci: Implement secure test result reporting via GitHub Actions

tonygermano · tonygermano · commit e854921a2140 · 2026-02-09T23:38:47.000-05:00
Establishes a split-workflow CI pipeline to safely run tests and report
results, complying with security best practices for public repositories.

Changes:
* Build Workflow:
  - Updated the Ant build command to enable coverage
    (`-Dcoverage=true`).
  - Added a "Stage Test Results" step to aggregate XML reports from
    all sub-projects (client, server, donkey, etc.) while preserving
    directory structure.
  - Added an "Event File" job to capture PR metadata for secure
    downstream processing.
* Reporting Workflow:
  - Created `upload_test_results.yaml` triggered by `workflow_run`.
  - Implemented the privileged report publishing step separately from
    the unprivileged build step.
  - configured `EnricoMi/publish-unit-test-result-action` to ingest the
    aggregated XML reports.

Security:
* Uses the `workflow_run` pattern to allow safe PR commenting from forks
  without exposing write tokens to the build environment.

Signed-off-by: Tony Germano &lt;tony@germano.name&gt;
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -1,4 +1,4 @@
-name: Build OpenIntegrationEngine
+name: Build Open Integration Engine
 
 on:
   push:
@@ -9,6 +9,16 @@ on:
       - main
 
 jobs:
+  event_file:
+    name: "Event File"
+    runs-on: ubuntu-latest
+    steps:
+    - name: Upload
+      uses: actions/upload-artifact@v4
+      with:
+        name: Event File
+        path: ${{ github.event_path }}
+
   build:
     runs-on: ubuntu-latest
 
@@ -30,7 +40,7 @@ jobs:
       - name: Build OIE (unsigned)
         if: github.ref != 'refs/heads/main'
         working-directory: server
-        run: ant -f mirth-build.xml -DdisableSigning=true
+        run: ant -f mirth-build.xml -DdisableSigning=true -Dcoverage=true
 
       - name: Package distribution
         run: tar czf openintegrationengine.tar.gz -C server/ setup --transform 's|^setup|openintegrationengine/|'
@@ -40,3 +50,19 @@ jobs:
         with:
           name: oie-build
           path: openintegrationengine.tar.gz
+
+      - name: Stage Test Results
+        if: (!cancelled())
+        run: |
+          mkdir -p aggregate-test-results
+          # Copy the directory structures
+          cp -r --parents */build/test-results aggregate-test-results/
+
+      - name: Upload Test Results
+        if: (!cancelled())
+        uses: actions/upload-artifact@v4
+        with:
+          name: Test Results
+          path: |
+            aggregate-test-results/**/*.xml
+
diff --git a/.github/workflows/upload_test_results.yaml b/.github/workflows/upload_test_results.yaml
@@ -0,0 +1,38 @@
+name: Test Results
+
+on:
+  workflow_run:
+    workflows: ["Build Open Integration Engine"]
+    types:
+      - completed
+
+permissions: {}
+
+jobs:
+  test-results:
+    name: Test Results
+    runs-on: ubuntu-latest
+    if: github.event.workflow_run.conclusion == 'success' || github.event.workflow_run.conclusion == 'failure'
+
+    permissions:
+      checks: write
+      # needed unless run with comment_mode: off
+      pull-requests: write
+      # required by download step to access artifacts API
+      actions: read
+
+    steps:
+      - name: Download and Extract Artifacts
+        uses: actions/download-artifact@v4
+        with:
+           run-id: ${{ github.event.workflow_run.id }}
+           github-token: ${{ secrets.GITHUB_TOKEN }}
+           path: artifacts
+
+      - name: Publish Test Results
+        uses: EnricoMi/publish-unit-test-result-action@v2
+        with:
+          commit: ${{ github.event.workflow_run.head_sha }}
+          event_file: artifacts/Event File/event.json
+          event_name: ${{ github.event.workflow_run.event }}
+          files: "artifacts/Test Results/**/*.xml"
