[DECO-26060] Migrate integration tests to Checks API (#1826)

rauchy · web-flow · commit 47c94dd73baa · 2026-01-19T09:25:50.000+01:00
## Summary Migrate integration tests from GitHub Statuses API to Checks API. **Why:** This eliminates the need for `DECO_GITHUB_TOKEN` (PAT) for integration test status reporting, removing the monthly token rotation burden. Uses `DECO_TEST_APPROVAL_APP` (GitHub App) instead. **Changes:** - Generate `DECO_TEST_APPROVAL_APP` token and create check run before triggering workflow - Pass `check_run_id` to eng-dev-ecosystem workflow - Update `auto-approve` job to use Checks API instead of Statuses API - Check for both `DECO_WORKFLOW_TRIGGER_APP_ID` and `DECO_TEST_APPROVAL_APP_ID` secrets This aligns VS Code with how the SDKs handle integration test status reporting. **Depends on:** https://github.com/databricks-eng/eng-dev-ecosystem/pull/1151 --------- Co-authored-by: Omer Lachish <rauchy@users.noreply.github.com>
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
@@ -18,15 +18,15 @@ jobs:
     outputs:
       has_token: ${{ steps.set-token-status.outputs.has_token }}
     steps:
-      - name: Check if DECO_WORKFLOW_TRIGGER_APP_ID is set
+      - name: Check if required secrets are set
         id: set-token-status
         run: |
-          if [ -z "${{ secrets.DECO_WORKFLOW_TRIGGER_APP_ID }}" ]; then
-              echo "DECO_WORKFLOW_TRIGGER_APP_ID is empty. User has no access to secrets."
-              echo "::set-output name=has_token::false"
+          if [ -z "${{ secrets.DECO_WORKFLOW_TRIGGER_APP_ID }}" ] || [ -z "${{ secrets.DECO_TEST_APPROVAL_APP_ID }}" ]; then
+            echo "Required secrets are missing. User has no access to secrets."
+            echo "has_token=false" >> $GITHUB_OUTPUT
           else
-              echo "DECO_WORKFLOW_TRIGGER_APP_ID is set. User has access to secrets."
-              echo "::set-output name=has_token::true"
+            echo "All required secrets are set. User has access to secrets."
+            echo "has_token=true" >> $GITHUB_OUTPUT
           fi
 
   trigger-tests:
@@ -39,49 +39,80 @@ jobs:
     needs: check-token
     if: github.event_name == 'pull_request'  && needs.check-token.outputs.has_token == 'true'
     environment: "test-trigger-is"
+
     steps:
-      - uses: actions/checkout@v4
+    - uses: actions/checkout@v4
 
-      - name: Generate GitHub App Token
-        id: generate-token
-        uses: actions/create-github-app-token@v1
-        with:
-          app-id: ${{ secrets.DECO_WORKFLOW_TRIGGER_APP_ID }}
-          private-key: ${{ secrets.DECO_WORKFLOW_TRIGGER_PRIVATE_KEY }}
-          owner: ${{ secrets.ORG_NAME }}
-          repositories: ${{secrets.REPO_NAME}}
-
-      - name: Trigger Workflow in Another Repo
-        env:
-          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
-        run: |
-          gh workflow run vscode-isolated-pr.yml -R ${{ secrets.ORG_NAME }}/${{secrets.REPO_NAME}} \
-          --ref main \
-          -f pull_request_number=${{ github.event.pull_request.number }} \
-          -f commit_sha=${{ github.event.pull_request.head.sha }}
-
-  # Statuses and checks apply to specific commits (by hash).
-  # Enforcement of required checks is done both at the PR level and the merge queue level.
-  # In case of multiple commits in a single PR, the hash of the squashed commit
-  # will not match the one for the latest (approved) commit in the PR.
-  # We auto approve the check for the merge queue for two reasons:
-  # * Queue times out due to duration of tests.
-  # * Avoid running integration tests twice, since it was already run at the tip of the branch before squashing.
+    - name: Generate GitHub App Token for Check Updates
+      id: generate-check-token
+      uses: actions/create-github-app-token@v1
+      with:
+        app-id: ${{ secrets.DECO_TEST_APPROVAL_APP_ID }}
+        private-key: ${{ secrets.DECO_TEST_APPROVAL_PRIVATE_KEY }}
+        owner: databricks
+
+    - name: Create Check Run
+      id: create-check
+      env:
+        GH_TOKEN: ${{ steps.generate-check-token.outputs.token }}
+      run: |
+        response=$(gh api -X POST \
+          /repos/${{ github.repository }}/check-runs \
+          -f name="Integration Tests" \
+          -f head_sha="${{ github.event.pull_request.head.sha }}" \
+          -f status="queued" \
+          -f output[title]="Integration Tests" \
+          -f output[summary]="Tests queued and will be triggered shortly...")
+
+        check_run_id=$(echo "$response" | jq -r .id)
+        echo "check_run_id=$check_run_id" >> $GITHUB_OUTPUT
+
+    - name: Generate GitHub App Token for Workflow Trigger
+      id: generate-token
+      uses: actions/create-github-app-token@v1
+      with:
+        app-id: ${{ secrets.DECO_WORKFLOW_TRIGGER_APP_ID }}
+        private-key: ${{ secrets.DECO_WORKFLOW_TRIGGER_PRIVATE_KEY }}
+        owner: ${{ secrets.ORG_NAME }}
+        repositories: ${{secrets.REPO_NAME}}
+
+    - name: Trigger Workflow in Another Repo
+      env:
+        GH_TOKEN: ${{ steps.generate-token.outputs.token }}
+      run: |
+        gh workflow run vscode-isolated-pr.yml -R ${{ secrets.ORG_NAME }}/${{secrets.REPO_NAME}} \
+        --ref deco-26060-vscode-checks-api \
+        -f pull_request_number=${{ github.event.pull_request.number }} \
+        -f commit_sha=${{ github.event.pull_request.head.sha }} \
+        -f check_run_id=${{ steps.create-check.outputs.check_run_id }}
+
+  # The hash for the merge queue may not be the same as the hash for the PR.
+  # Auto approve the check for the merge queue to avoid running integration tests twice.
   auto-approve:
     if: github.event_name == 'merge_group'
 
     runs-on:
       group: databricks-deco-testing-runner-group
       labels: ubuntu-latest-deco
 
+    permissions:
+      checks: write
+      contents: read
+
     steps:
-      - name: Mark Check
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        shell: bash
-        run: |
-          gh api -X POST -H "Accept: application/vnd.github+json" \
-            -H "X-GitHub-Api-Version: 2022-11-28" \
-            /repos/${{ github.repository }}/statuses/${{ github.sha }} \
-            -f 'state=success' \
-            -f 'context=Integration Tests Check'
+      - name: Auto-approve Check for Merge Queue
+        uses: actions/github-script@v7
+        with:
+          script: |
+            await github.rest.checks.create({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              name: 'Integration Tests',
+              head_sha: context.sha,
+              status: 'completed',
+              conclusion: 'success',
+              output: {
+                title: 'Integration Tests',
+                summary: 'Auto-approved for merge queue (tests already passed on PR)'
+              }
+            });
