From e971d8f814444ba933cfa1e8d152d187fa3c33d9 Mon Sep 17 00:00:00 2001 From: Davide Vacca Date: Tue, 7 Jul 2026 17:34:16 +0200 Subject: [PATCH 1/5] ci: use distributed lock for integration tests Replace concurrency group with onfido-actions/lock acquire/release steps to prevent parallel integration test execution across SDK repositories. The lock uses a git branch in onfido/ci-lock as an atomic mutex. A should-run-integration-tests step centralizes the condition check, keeping subsequent steps DRY. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/php.yml | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/.github/workflows/php.yml b/.github/workflows/php.yml index 174b670..00a6c2b 100644 --- a/.github/workflows/php.yml +++ b/.github/workflows/php.yml @@ -37,13 +37,22 @@ jobs: uses: php-actions/composer@8a65f0d3c6a1d17ca4800491a40b5756a4c164f3 # v6 with: php_version: ${{ matrix.php-version }} - - name: Test with API token auth + - name: Should run integration tests + id: should-run-integration-tests if: ${{ matrix.php-version == '8.3' && github.repository_owner == 'onfido' && (github.event_name == 'pull_request' || github.event_name == 'release' || github.event_name == 'workflow_dispatch' || github.event_name == 'schedule') }} + run: echo "result=true" >> "$GITHUB_OUTPUT" + - name: Acquire integration test lock + if: steps.should-run-integration-tests.outputs.result == 'true' + uses: onfido/onfido-actions/lock/acquire@main + with: + github-token: ${{ secrets.CI_LOCK_TOKEN }} + - name: Test with API token auth + if: steps.should-run-integration-tests.outputs.result == 'true' run: | vendor/bin/phpunit env: @@ -54,12 +63,7 @@ jobs: ONFIDO_SAMPLE_MOTION_ID_1: ${{ secrets.ONFIDO_SAMPLE_MOTION_ID_1 }} ONFIDO_SAMPLE_MOTION_ID_2: ${{ secrets.ONFIDO_SAMPLE_MOTION_ID_2 }} - name: Test with OAuth client credentials auth - if: ${{ matrix.php-version == '8.3' && - github.repository_owner == 'onfido' && - (github.event_name == 'pull_request' || - github.event_name == 'release' || - github.event_name == 'workflow_dispatch' || - github.event_name == 'schedule') }} + if: steps.should-run-integration-tests.outputs.result == 'true' run: | vendor/bin/phpunit env: @@ -70,6 +74,11 @@ jobs: ONFIDO_SAMPLE_VIDEO_ID_2: ${{ secrets.ONFIDO_SAMPLE_VIDEO_ID_2 }} ONFIDO_SAMPLE_MOTION_ID_1: ${{ secrets.ONFIDO_SAMPLE_MOTION_ID_1 }} ONFIDO_SAMPLE_MOTION_ID_2: ${{ secrets.ONFIDO_SAMPLE_MOTION_ID_2 }} + - name: Release integration test lock + if: always() && steps.should-run-integration-tests.outputs.result == 'true' + uses: onfido/onfido-actions/lock/release@main + with: + github-token: ${{ secrets.CI_LOCK_TOKEN }} publish: runs-on: ubuntu-latest From cc7e8524cce8d7d25f1c22dfe823b6fd888f1e45 Mon Sep 17 00:00:00 2001 From: Davide Vacca Date: Wed, 8 Jul 2026 09:50:56 +0200 Subject: [PATCH 2/5] test: temporarily target add-lock-action branch for lock actions This commit should be reverted before merging. --- .github/workflows/php.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/php.yml b/.github/workflows/php.yml index 00a6c2b..f42e92d 100644 --- a/.github/workflows/php.yml +++ b/.github/workflows/php.yml @@ -48,7 +48,7 @@ jobs: run: echo "result=true" >> "$GITHUB_OUTPUT" - name: Acquire integration test lock if: steps.should-run-integration-tests.outputs.result == 'true' - uses: onfido/onfido-actions/lock/acquire@main + uses: onfido/onfido-actions/lock/acquire@add-lock-action with: github-token: ${{ secrets.CI_LOCK_TOKEN }} - name: Test with API token auth @@ -76,7 +76,7 @@ jobs: ONFIDO_SAMPLE_MOTION_ID_2: ${{ secrets.ONFIDO_SAMPLE_MOTION_ID_2 }} - name: Release integration test lock if: always() && steps.should-run-integration-tests.outputs.result == 'true' - uses: onfido/onfido-actions/lock/release@main + uses: onfido/onfido-actions/lock/release@add-lock-action with: github-token: ${{ secrets.CI_LOCK_TOKEN }} From 224c576419bb4a5e1200cb869f4cf2d871140870 Mon Sep 17 00:00:00 2001 From: Davide Vacca Date: Thu, 9 Jul 2026 09:21:03 +0200 Subject: [PATCH 3/5] ci: use shared should-run-integration-tests action Use onfido-actions/should-run-integration-tests to determine when to run integration tests. This adds support for running tests on push events from merged fork PRs (where secrets aren't available pre-merge). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/php.yml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/.github/workflows/php.yml b/.github/workflows/php.yml index f42e92d..528f7f2 100644 --- a/.github/workflows/php.yml +++ b/.github/workflows/php.yml @@ -40,12 +40,8 @@ jobs: - name: Should run integration tests id: should-run-integration-tests if: ${{ matrix.php-version == '8.3' && - github.repository_owner == 'onfido' && - (github.event_name == 'pull_request' || - github.event_name == 'release' || - github.event_name == 'workflow_dispatch' || - github.event_name == 'schedule') }} - run: echo "result=true" >> "$GITHUB_OUTPUT" + github.repository_owner == 'onfido' }} + uses: onfido/onfido-actions/should-run-integration-tests@add-lock-action - name: Acquire integration test lock if: steps.should-run-integration-tests.outputs.result == 'true' uses: onfido/onfido-actions/lock/acquire@add-lock-action From 9a697733260048179594e84320b1647b196ed2f4 Mon Sep 17 00:00:00 2001 From: Davide Vacca Date: Fri, 10 Jul 2026 12:12:49 +0200 Subject: [PATCH 4/5] ci: use GitHub App for lock authentication Replace CI_LOCK_TOKEN with GitHub App credentials (ONFIDO_CI_LOCK_APP_ID, ONFIDO_CI_LOCK_PRIVATE_KEY, ONFIDO_CI_LOCK_INSTALLATION_ID) for the distributed lock mechanism. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/php.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/php.yml b/.github/workflows/php.yml index 528f7f2..1ad72c7 100644 --- a/.github/workflows/php.yml +++ b/.github/workflows/php.yml @@ -46,7 +46,8 @@ jobs: if: steps.should-run-integration-tests.outputs.result == 'true' uses: onfido/onfido-actions/lock/acquire@add-lock-action with: - github-token: ${{ secrets.CI_LOCK_TOKEN }} + app-id: ${{ secrets.ONFIDO_CI_LOCK_APP_ID }} + app-private-key: ${{ secrets.ONFIDO_CI_LOCK_PRIVATE_KEY }} - name: Test with API token auth if: steps.should-run-integration-tests.outputs.result == 'true' run: | @@ -74,7 +75,8 @@ jobs: if: always() && steps.should-run-integration-tests.outputs.result == 'true' uses: onfido/onfido-actions/lock/release@add-lock-action with: - github-token: ${{ secrets.CI_LOCK_TOKEN }} + app-id: ${{ secrets.ONFIDO_CI_LOCK_APP_ID }} + app-private-key: ${{ secrets.ONFIDO_CI_LOCK_PRIVATE_KEY }} publish: runs-on: ubuntu-latest From 15f7e912020ea6be2a298d93a157e149fe6ab69c Mon Sep 17 00:00:00 2001 From: Davide Vacca Date: Fri, 10 Jul 2026 16:17:22 +0200 Subject: [PATCH 5/5] ci: point lock actions to onfido-actions@main Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/php.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/php.yml b/.github/workflows/php.yml index 1ad72c7..08c0d41 100644 --- a/.github/workflows/php.yml +++ b/.github/workflows/php.yml @@ -41,10 +41,10 @@ jobs: id: should-run-integration-tests if: ${{ matrix.php-version == '8.3' && github.repository_owner == 'onfido' }} - uses: onfido/onfido-actions/should-run-integration-tests@add-lock-action + uses: onfido/onfido-actions/should-run-integration-tests@main - name: Acquire integration test lock if: steps.should-run-integration-tests.outputs.result == 'true' - uses: onfido/onfido-actions/lock/acquire@add-lock-action + uses: onfido/onfido-actions/lock/acquire@main with: app-id: ${{ secrets.ONFIDO_CI_LOCK_APP_ID }} app-private-key: ${{ secrets.ONFIDO_CI_LOCK_PRIVATE_KEY }} @@ -73,7 +73,7 @@ jobs: ONFIDO_SAMPLE_MOTION_ID_2: ${{ secrets.ONFIDO_SAMPLE_MOTION_ID_2 }} - name: Release integration test lock if: always() && steps.should-run-integration-tests.outputs.result == 'true' - uses: onfido/onfido-actions/lock/release@add-lock-action + uses: onfido/onfido-actions/lock/release@main with: app-id: ${{ secrets.ONFIDO_CI_LOCK_APP_ID }} app-private-key: ${{ secrets.ONFIDO_CI_LOCK_PRIVATE_KEY }}