From ae6ad6586d5f5ca485869929416c8cc1d03692dd Mon Sep 17 00:00:00 2001 From: Davide Vacca Date: Tue, 7 Jul 2026 17:34:15 +0200 Subject: [PATCH 1/5] ci: use distributed lock for integration tests Replace concurrency group with onfido-actions/lock acquire/release steps to prevent parallel integration test execution across SDK repositories. The lock uses a git branch in onfido/ci-lock as an atomic mutex. A should-run-integration-tests step centralizes the condition check, keeping subsequent steps DRY. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/python.yml | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml index 336c4cf..5331430 100644 --- a/.github/workflows/python.yml +++ b/.github/workflows/python.yml @@ -54,13 +54,22 @@ jobs: poetry run flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide poetry run flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics --exclude onfido - - name: Test with API token auth + - name: Should run integration tests + id: should-run-integration-tests if: ${{ matrix.python-version == '3.13' && github.repository_owner == 'onfido' && (github.event_name == 'pull_request' || github.event_name == 'release' || github.event_name == 'workflow_dispatch' || github.event_name == 'schedule') }} + run: echo "result=true" >> "$GITHUB_OUTPUT" + - name: Acquire integration test lock + if: steps.should-run-integration-tests.outputs.result == 'true' + uses: onfido/onfido-actions/lock/acquire@main + with: + github-token: ${{ secrets.CI_LOCK_TOKEN }} + - name: Test with API token auth + if: steps.should-run-integration-tests.outputs.result == 'true' run: | poetry run pytest --show-capture=no env: @@ -71,12 +80,7 @@ jobs: ONFIDO_SAMPLE_MOTION_ID_1: ${{ secrets.ONFIDO_SAMPLE_MOTION_ID_1 }} ONFIDO_SAMPLE_MOTION_ID_2: ${{ secrets.ONFIDO_SAMPLE_MOTION_ID_2 }} - name: Test with OAuth client credentials auth - if: ${{ matrix.python-version == '3.13' && - github.repository_owner == 'onfido' && - (github.event_name == 'pull_request' || - github.event_name == 'release' || - github.event_name == 'workflow_dispatch' || - github.event_name == 'schedule') }} + if: steps.should-run-integration-tests.outputs.result == 'true' run: | poetry run pytest --show-capture=no env: @@ -87,6 +91,11 @@ jobs: ONFIDO_SAMPLE_VIDEO_ID_2: ${{ secrets.ONFIDO_SAMPLE_VIDEO_ID_2 }} ONFIDO_SAMPLE_MOTION_ID_1: ${{ secrets.ONFIDO_SAMPLE_MOTION_ID_1 }} ONFIDO_SAMPLE_MOTION_ID_2: ${{ secrets.ONFIDO_SAMPLE_MOTION_ID_2 }} + - name: Release integration test lock + if: always() && steps.should-run-integration-tests.outputs.result == 'true' + uses: onfido/onfido-actions/lock/release@main + with: + github-token: ${{ secrets.CI_LOCK_TOKEN }} publish: runs-on: ubuntu-latest From 0cedfd85b4fa3d2809b7552e13190b72ef013eb7 Mon Sep 17 00:00:00 2001 From: Davide Vacca Date: Wed, 8 Jul 2026 09:50:56 +0200 Subject: [PATCH 2/5] test: temporarily target add-lock-action branch for lock actions This commit should be reverted before merging. --- .github/workflows/python.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml index 5331430..272abbd 100644 --- a/.github/workflows/python.yml +++ b/.github/workflows/python.yml @@ -65,7 +65,7 @@ jobs: run: echo "result=true" >> "$GITHUB_OUTPUT" - name: Acquire integration test lock if: steps.should-run-integration-tests.outputs.result == 'true' - uses: onfido/onfido-actions/lock/acquire@main + uses: onfido/onfido-actions/lock/acquire@add-lock-action with: github-token: ${{ secrets.CI_LOCK_TOKEN }} - name: Test with API token auth @@ -93,7 +93,7 @@ jobs: ONFIDO_SAMPLE_MOTION_ID_2: ${{ secrets.ONFIDO_SAMPLE_MOTION_ID_2 }} - name: Release integration test lock if: always() && steps.should-run-integration-tests.outputs.result == 'true' - uses: onfido/onfido-actions/lock/release@main + uses: onfido/onfido-actions/lock/release@add-lock-action with: github-token: ${{ secrets.CI_LOCK_TOKEN }} From 6ee259d2114d562c8afd57bd5cb185460b5c45b2 Mon Sep 17 00:00:00 2001 From: Davide Vacca Date: Thu, 9 Jul 2026 09:21:03 +0200 Subject: [PATCH 3/5] ci: use shared should-run-integration-tests action Use onfido-actions/should-run-integration-tests to determine when to run integration tests. This adds support for running tests on push events from merged fork PRs (where secrets aren't available pre-merge). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/python.yml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml index 272abbd..d8704a0 100644 --- a/.github/workflows/python.yml +++ b/.github/workflows/python.yml @@ -57,12 +57,8 @@ jobs: - name: Should run integration tests id: should-run-integration-tests if: ${{ matrix.python-version == '3.13' && - github.repository_owner == 'onfido' && - (github.event_name == 'pull_request' || - github.event_name == 'release' || - github.event_name == 'workflow_dispatch' || - github.event_name == 'schedule') }} - run: echo "result=true" >> "$GITHUB_OUTPUT" + github.repository_owner == 'onfido' }} + uses: onfido/onfido-actions/should-run-integration-tests@add-lock-action - name: Acquire integration test lock if: steps.should-run-integration-tests.outputs.result == 'true' uses: onfido/onfido-actions/lock/acquire@add-lock-action From 5ed9b522b59bcc94da51e526463c5e21769c3a29 Mon Sep 17 00:00:00 2001 From: Davide Vacca Date: Fri, 10 Jul 2026 12:12:46 +0200 Subject: [PATCH 4/5] ci: use GitHub App for lock authentication Replace CI_LOCK_TOKEN with GitHub App credentials (ONFIDO_CI_LOCK_APP_ID, ONFIDO_CI_LOCK_PRIVATE_KEY, ONFIDO_CI_LOCK_INSTALLATION_ID) for the distributed lock mechanism. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/python.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml index d8704a0..054bc9d 100644 --- a/.github/workflows/python.yml +++ b/.github/workflows/python.yml @@ -63,7 +63,8 @@ jobs: if: steps.should-run-integration-tests.outputs.result == 'true' uses: onfido/onfido-actions/lock/acquire@add-lock-action with: - github-token: ${{ secrets.CI_LOCK_TOKEN }} + app-id: ${{ secrets.ONFIDO_CI_LOCK_APP_ID }} + app-private-key: ${{ secrets.ONFIDO_CI_LOCK_PRIVATE_KEY }} - name: Test with API token auth if: steps.should-run-integration-tests.outputs.result == 'true' run: | @@ -91,7 +92,8 @@ jobs: if: always() && steps.should-run-integration-tests.outputs.result == 'true' uses: onfido/onfido-actions/lock/release@add-lock-action with: - github-token: ${{ secrets.CI_LOCK_TOKEN }} + app-id: ${{ secrets.ONFIDO_CI_LOCK_APP_ID }} + app-private-key: ${{ secrets.ONFIDO_CI_LOCK_PRIVATE_KEY }} publish: runs-on: ubuntu-latest From affc64abf2a8dd0f53a66f59e4739c4ff8d30bf4 Mon Sep 17 00:00:00 2001 From: Davide Vacca Date: Fri, 10 Jul 2026 16:17:17 +0200 Subject: [PATCH 5/5] ci: point lock actions to onfido-actions@main Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/python.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml index 054bc9d..1aa3982 100644 --- a/.github/workflows/python.yml +++ b/.github/workflows/python.yml @@ -58,10 +58,10 @@ jobs: id: should-run-integration-tests if: ${{ matrix.python-version == '3.13' && github.repository_owner == 'onfido' }} - uses: onfido/onfido-actions/should-run-integration-tests@add-lock-action + uses: onfido/onfido-actions/should-run-integration-tests@main - name: Acquire integration test lock if: steps.should-run-integration-tests.outputs.result == 'true' - uses: onfido/onfido-actions/lock/acquire@add-lock-action + uses: onfido/onfido-actions/lock/acquire@main with: app-id: ${{ secrets.ONFIDO_CI_LOCK_APP_ID }} app-private-key: ${{ secrets.ONFIDO_CI_LOCK_PRIVATE_KEY }} @@ -90,7 +90,7 @@ jobs: ONFIDO_SAMPLE_MOTION_ID_2: ${{ secrets.ONFIDO_SAMPLE_MOTION_ID_2 }} - name: Release integration test lock if: always() && steps.should-run-integration-tests.outputs.result == 'true' - uses: onfido/onfido-actions/lock/release@add-lock-action + uses: onfido/onfido-actions/lock/release@main with: app-id: ${{ secrets.ONFIDO_CI_LOCK_APP_ID }} app-private-key: ${{ secrets.ONFIDO_CI_LOCK_PRIVATE_KEY }}