reusable-build-test-release.yml

name: build-test-release
on:
  workflow_call:
    inputs:
      marker:
        required: false
        description: 'Parallel run marker'
        type: string
        default: >-
          [""]
    secrets:
      GH_TOKEN_ADMIN:
        description: Github admin token
        required: true
      SEMGREP_PUBLISH_TOKEN:
        description: Semgrep token
        required: true
      AWS_ACCESS_KEY_ID:
        description: AWS access key id
        required: true
      AWS_DEFAULT_REGION:
        description: AWS default region
        required: true
      AWS_SECRET_ACCESS_KEY:
        description: AWS secret access key
        required: true
      VT_API_KEY:
        description: Virustotal api key
        required: true
      OTHER_TA_REQUIRED_CONFIGS:
        description: other required configs
        required: true
      FOSSA_API_KEY:
        description: API token for FOSSA app
        required: true
      SA_GH_USER_NAME:
        description: GPG signature username
        required: true
      SA_GH_USER_EMAIL:
        description:  GPG signature user email
        required: true
      SA_GPG_PRIVATE_KEY:
        description: GPG signature private key
        required: true
      SA_GPG_PASSPHRASE:
        description: GPG signature passphrase
        required: true
      SPL_COM_USER:
        description: username to splunk.com
        required: true
      SPL_COM_PASSWORD:
        description: password to splunk.com
        required: true
permissions:
  contents: read
  packages: read
concurrency: 
  group: ${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
jobs:
  setup-workflow:
    runs-on: ubuntu-latest
    outputs:
      skip-workflow: ${{ steps.skip-workflow.outputs.skip-workflow }}
      delay-destroy-ko: ${{ steps.delay-destroy-setup.outputs.delay-destroy-ko }}
      delay-destroy-ui: ${{ steps.delay-destroy-setup.outputs.delay-destroy-ui }}
      delay-destroy-modinput_functional: ${{ steps.delay-destroy-setup.outputs.delay-destroy-modinput_functional }}
      delay-destroy-escu: ${{ steps.delay-destroy-setup.outputs.delay-destroy-escu }}
      delay-destroy-scripted_inputs: ${{ steps.delay-destroy-setup.outputs.delay-destroy-scripted_inputs }}
      delay-destroy-requirement_test: ${{ steps.delay-destroy-setup.outputs.delay-destroy-requirement_test }}
      execute-ko: ${{ steps.delay-destroy-setup.outputs.execute-ko }}
      execute-ui: ${{ steps.delay-destroy-setup.outputs.execute-ui }}
      execute-escu: ${{ steps.delay-destroy-setup.outputs.execute-escu }}
      execute-modinput_functional: ${{ steps.delay-destroy-setup.outputs.execute-modinput_functional }}
      execute-scripted_inputs: ${{ steps.delay-destroy-setup.outputs.execute-scripted_inputs }}
      execute-requirement_test: ${{ steps.delay-destroy-setup.outputs.execute-requirement_test }}
      execute-knowledge-labeled: ${{ steps.configure-tests-on-labels.outputs.execute_knowledge_labeled }}
      execute-ui-labeled: ${{ steps.configure-tests-on-labels.outputs.execute_ui_labeled }}
      execute-escu-labeled: ${{ steps.configure-tests-on-labels.outputs.execute_escu_labeled }}
      execute-modinput-labeled: ${{ steps.configure-tests-on-labels.outputs.execute_modinput_functional_labeled }}
      execute-scripted_inputs-labeled: ${{ steps.configure-tests-on-labels.outputs.execute_scripted_inputs_labeled }}
      execute-requirement-labeled: ${{ steps.configure-tests-on-labels.outputs.execute_requirement_test_labeled }}
    steps:
      - name: skip workflow if description is empty for labeled pr
        id: skip-workflow
        env:
          PR_BODY: ${{ github.event.pull_request.body }}
        run: |
          set +e
          TESTSET="knowledge ui modinput_functional scripted_inputs escu requirement_test"
          echo "testset=$TESTSET" >> "$GITHUB_OUTPUT"
          SKIP_WORKFLOW="No"
          if [[ '${{ github.event.action }}' == 'labeled' && '${{ github.event.label.name }}' == 'preserve_infra' ]]; then
            echo "$PR_BODY" >> body.txt
            SKIP_WORKFLOW="Yes" 
            tests=$(grep -i "^preserve:" body.txt | { grep -v grep || true; })
            for test_type in $TESTSET; do
                if [[ $tests =~ $test_type ]]; then
                    SKIP_WORKFLOW="No"
                fi
            done
          fi
          echo "skip-workflow=$SKIP_WORKFLOW" >> "$GITHUB_OUTPUT"
          if [ "$SKIP_WORKFLOW" == "Yes" ]; then 
            echo "No description is provided with preserve infra label"
          fi 
      - name: setup for delay destroy
        id: delay-destroy-setup
        shell: bash
        env:
          PR_BODY: ${{ github.event.pull_request.body }}
        run: |
          set +e
          TESTSET="${{ steps.skip-workflow.outputs.testset }}"
          for test_type in $TESTSET; do
              eval DELAY_DESTROY_$test_type="No"
              eval EXECUTE_$test_type="No"
          done
          if [[ '${{ github.event.label.name }}' == 'preserve_infra' ]]; then
            echo "$PR_BODY" >> body.txt
            tests=$(grep -i "^preserve:" body.txt | { grep -v grep || true; })
            if [[ $tests =~ "escu" ]]; then
              echo "preserve_infra for escu test-type is not supported yet"
            fi
            for test_type in $TESTSET; do
                if [[ $tests =~ $test_type ]]; then
                    eval EXECUTE_$test_type="Yes"
                    eval DELAY_DESTROY_$test_type="Yes"
                fi
            done
          fi
          # PRESERVE_INFRA for escu test-type is not supported yet.
          DELAY_DESTROY_escu="No"
          {
            echo "delay-destroy-ko=$DELAY_DESTROY_knowledge"
            echo "delay-destroy-ui=$DELAY_DESTROY_ui"
            echo "delay-destroy-modinput_functional=$DELAY_DESTROY_modinput_functional"
            echo "delay-destroy-scripted_inputs=$DELAY_DESTROY_scripted_inputs"
            echo "delay-destroy-escu=$DELAY_DESTROY_escu"
            echo "delay-destroy-requirement_test=$DELAY_DESTROY_requirement_test"
            echo "execute-ko=$EXECUTE_knowledge"
            echo "execute-ui=$EXECUTE_ui"
            echo "execute-modinput_functional=$EXECUTE_modinput_functional"
            echo "execute-scripted_inputs=$EXECUTE_scripted_inputs"
            echo "execute-escu=$EXECUTE_escu"
            echo "execute-requirement_test=$EXECUTE_requirement_test"
          } >> "$GITHUB_OUTPUT"
      - name: configure tests based on labels
        id: configure-tests-on-labels
        run: |
          set +e
          declare -A EXECUTE_LABELED
          TESTSET=("execute_knowledge" "execute_ui" "execute_modinput_functional" "execute_scripted_inputs" "execute_escu" "execute_requirement_test")
          for test_type in "${TESTSET[@]}"; do
            EXECUTE_LABELED["$test_type"]="false"
          done

          case "${{ github.event_name }}" in
          "pull_request")
            if ${{ github.base_ref == 'main' }} || ${{ contains(github.event.pull_request.labels.*.name, 'execute_all_tests') }}; then
              for test_type in "${TESTSET[@]}"; do
                EXECUTE_LABELED["$test_type"]="true"
              done
            else
              labels=$(echo '${{ toJSON(github.event.pull_request.labels) }}' | jq -r '.[] | .name')
              for test_type in "${TESTSET[@]}"; do
                if [[ "$labels" =~ $test_type ]]; then
                  EXECUTE_LABELED["$test_type"]="true"
                fi
              done
            fi
            ;;
          "push")
            if ${{ github.ref_name == 'main' }} || ${{ github.ref_name == 'develop' }} || ${{ github.ref_type == 'tag' }} ; then
              for test_type in "${TESTSET[@]}"; do
                EXECUTE_LABELED["$test_type"]="true"
              done
            fi
            ;;
          "schedule")
            for test_type in "${TESTSET[@]}"; do
              EXECUTE_LABELED["$test_type"]="true"
            done
            ;;
          *)
            echo "No tests were labeled for execution!"
            ;;
          esac
          
          echo "Tests to execute based on labels:"
          for test_type in "${TESTSET[@]}"; do
            echo "$test_type""_labeled=${EXECUTE_LABELED["$test_type"]}" >> "$GITHUB_OUTPUT"
            echo "$test_type""_labeled: ${EXECUTE_LABELED["$test_type"]}"
          done

  validate-pr-title:
    name: Validate PR title
    needs: 
    - setup-workflow
    if: ${{ needs.setup-workflow.outputs.skip-workflow != 'Yes' && github.event_name == 'pull_request' }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: read
      pull-requests: read
      statuses: write
    steps:
      - uses: amannn/action-semantic-pull-request@v5.2.0
        with:
          wip: true
          validateSingleCommit: true
        env:
          GITHUB_TOKEN: ${{ github.token }}

  meta:
    runs-on: ubuntu-latest
    needs:
      - setup-workflow
    if: ${{ needs.setup-workflow.outputs.skip-workflow != 'Yes' }}
    outputs:
      sc4s: ghcr.io/${{ github.repository }}/container:${{ fromJSON(steps.docker_action_meta.outputs.json).labels['org.opencontainers.image.version'] }}
      container_tags: ${{ steps.docker_action_meta.outputs.tags }}
      container_labels: ${{ steps.docker_action_meta.outputs.labels }}
      container_buildtime: ${{ fromJSON(steps.docker_action_meta.outputs.json).labels['org.opencontainers.image.created'] }}
      container_version: ${{ fromJSON(steps.docker_action_meta.outputs.json).labels['org.opencontainers.image.version'] }}
      container_revision: ${{ fromJSON(steps.docker_action_meta.outputs.json).labels['org.opencontainers.image.revision'] }}
      container_base: ${{ fromJSON(steps.docker_action_meta.outputs.json).tags[0] }}
      matrix_supportedSplunk: ${{ steps.matrix.outputs.supportedSplunk }}
      matrix_latestSplunk: ${{ steps.matrix.outputs.latestSplunk }}
      matrix_supportedSC4S: ${{ steps.matrix.outputs.supportedSC4S }}
      matrix_supportedModinputFunctionalVendors: ${{ steps.matrix.outputs.supportedModinputFunctionalVendors }}
      matrix_supportedUIVendors: ${{ steps.matrix.outputs.supportedUIVendors }}
      python39_splunk: ${{steps.python39_splunk.outputs.splunk}}
      python39_sc4s: ${{steps.python39_splunk.outputs.sc4s}}
    permissions:
      contents: write
      packages: read
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          submodules: false
          persist-credentials: false
      - name: Semantic Release
        id: version
        uses: splunk/semantic-release-action@v1.3
        with:
          dry_run: true
          git_committer_name: ${{ secrets.SA_GH_USER_NAME }}
          git_committer_email: ${{ secrets.SA_GH_USER_EMAIL }}
          gpg_private_key: ${{ secrets.SA_GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.SA_GPG_PASSPHRASE }}
        env:
          GITHUB_TOKEN: ${{ github.token }}
      - name: Docker meta
        id: docker_action_meta
        uses: docker/metadata-action@v4.6.0
        with:
          images: ghcr.io/${{ github.repository }}/container
          tags: |
            type=sha,format=long
            type=sha
            type=semver,pattern={{version}},value=${{ steps.version.outputs.new_release_version }}
            type=semver,pattern={{major}},value=${{ steps.version.outputs.new_release_version }}
            type=semver,pattern={{major}}.{{minor}},value=${{ steps.version.outputs.new_release_version }}
            type=ref,event=branch
            type=ref,event=pr
      - name: matrix
        id: matrix
        uses: splunk/addonfactory-test-matrix-action@v1.10
      - name: python39_Splunk
        id: python39_splunk
        run: |
          echo "splunk={\"version\":\"unreleased-python3_9-a076ce4c50aa\", \"build\":\"a076ce4c50aa\", \"islatest\":false, \"isoldest\":false}" >> "$GITHUB_OUTPUT"
          echo "sc4s={\"version\":\"2.49.5\", \"docker_registry\":\"ghcr.io/splunk/splunk-connect-for-syslog/container2\"}"  >> "$GITHUB_OUTPUT"

  fossa-scan:
    runs-on: ubuntu-latest
    needs:
      - setup-workflow
    if: ${{ needs.setup-workflow.outputs.skip-workflow != 'Yes' }}
    steps:
      - uses: actions/checkout@v3
      - name: run fossa anlyze and create report
        run: |
          curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash
          fossa analyze --debug
          fossa report attribution --format text --timeout 600 > /tmp/THIRDPARTY
        env:
          FOSSA_API_KEY: ${{ secrets.FOSSA_API_KEY }}
      - name: upload THIRDPARTY file
        uses: actions/upload-artifact@v3
        with:
          name: THIRDPARTY
          path: /tmp/THIRDPARTY

  fossa-test:
    continue-on-error: true
    runs-on: ubuntu-latest
    needs:
      - fossa-scan
    if: ${{ needs.setup-workflow.outputs.skip-workflow != 'Yes' }}
    steps:
      - uses: actions/checkout@v3
      - name: run fossa test
        run: |
          curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash
          fossa test --debug
        env:
          FOSSA_API_KEY: ${{ secrets.FOSSA_API_KEY }}

  compliance-copyrights:
    name: compliance-copyrights
    runs-on: ubuntu-latest
    needs:
      - setup-workflow
    if: ${{ needs.setup-workflow.outputs.skip-workflow != 'Yes' }}
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: REUSE Compliance Check
        uses: fsfe/reuse-action@v1.1

  lint:
    runs-on: ubuntu-latest
    needs:
      - setup-workflow
    if: ${{ needs.setup-workflow.outputs.skip-workflow != 'Yes' }}
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
          python-version: "3.7"
      - uses: pre-commit/action@v3.0.0

  review_secrets:
    name: security-detect-secrets
    runs-on: ubuntu-latest
    needs:
      - setup-workflow
    if: ${{ needs.setup-workflow.outputs.skip-workflow != 'Yes' }}
    steps:
      - name: Checkout
        if: github.event_name != 'pull_request'
        uses: actions/checkout@v3
        with:
          submodules: false
          fetch-depth: "0"
      - name: Checkout for PR
        if: github.event_name == 'pull_request'
        uses: actions/checkout@v3
        with:
          submodules: false
          fetch-depth: "0"
          ref: ${{ github.head_ref }}
      - name: Trufflehog Actions Scan
        uses: edplato/trufflehog-actions-scan@v0.9l-beta
        with:
          scanArguments: "--max_dept 5 -x .github/workflows/exclude-patterns.txt --allow .github/workflows/trufflehog-false-positive.json"

  semgrep:
    runs-on: ubuntu-latest
    name: security-sast-semgrep
    needs:
      - setup-workflow
    if: ${{ needs.setup-workflow.outputs.skip-workflow != 'Yes' && github.actor != 'dependabot[bot]' }}
    steps:
      - uses: actions/checkout@v3
      - name: Semgrep
        id: semgrep
        uses: semgrep/semgrep-action@v1
        with:
          publishToken: ${{ secrets.SEMGREP_PUBLISH_TOKEN }}

  test-inventory:
    runs-on: ubuntu-latest
    needs: setup-workflow
    if: ${{ needs.setup-workflow.outputs.skip-workflow != 'Yes' }}
    # Map a step output to a job output
    outputs:
      unit: ${{ steps.testset.outputs.unit }}
      knowledge: ${{ steps.testset.outputs.knowledge }}
      ui: ${{ steps.testset.outputs.ui }}
      modinput_functional: ${{ steps.testset.outputs.modinput_functional }}
      requirement_test: ${{ steps.testset.outputs.requirement_test }}
      scripted_inputs: ${{ steps.testset.outputs.scripted_inputs }}
      escu: ${{ steps.testset.outputs.escu }}
      ucc_modinput_functional: ${{ steps.modinput-version.outputs.ucc_modinput_tests }}
    steps:
      - uses: actions/checkout@v3
      - id: testset
        name: Check available test types
        run: |
          find tests -type d -maxdepth 1 -mindepth 1 | sed 's|^tests/||g' |  while read -r TESTSET; do echo "$TESTSET=true" >> "$GITHUB_OUTPUT"; echo "$TESTSET::true"; done
      - id: modinput-version
        name: Check modinput tests version
        run: |
          CENTAURS_MODINPUT_TESTS_CHECK_DIR="tests/modinput_functional/centaurs"
          ucc_modinput_tests="true"
          if [ -d "$CENTAURS_MODINPUT_TESTS_CHECK_DIR" ]; then
            ucc_modinput_tests="false"
          fi
          echo "ucc_modinput_tests=$ucc_modinput_tests" >> "$GITHUB_OUTPUT"
        
  run-unit-tests:
    name: test-unit-python3-${{ matrix.python-version }}
    if: ${{ needs.test-inventory.outputs.unit == 'true' }}
    runs-on: ubuntu-latest
    needs:
      - test-inventory
    strategy:
      fail-fast: false
      matrix:
        python-version:
          - "3.7"
    permissions: 
      actions: read
      deployments: read
      contents: read
      packages: read
      statuses: read
      checks: write
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
          python-version: ${{ matrix.python-version }}
      - name: Setup addon
        run: |
          if [ -f "poetry.lock" ]
           then
             mkdir -p package/lib || true
             pip install poetry==1.5.1 poetry-plugin-export==1.4.0
             poetry export --without-hashes -o package/lib/requirements.txt
             poetry export --without-hashes --dev -o requirements_dev.txt
           fi
          if [ ! -f requirements_dev.txt ]; then echo no requirements;exit 0 ;fi
          pip install -r requirements_dev.txt
      - name: Create directories
        run: |
          mkdir -p /opt/splunk/var/log/splunk
          chmod -R 777 /opt/splunk/var/log/splunk
      - name: Copy pytest ini
        run: cp tests/unit/pytest-ci.ini pytest.ini
      - name: Run Pytest with coverage
        run: pytest --cov=./ --cov-report=xml --junitxml=test-results/junit.xml tests/unit
      - uses: actions/upload-artifact@v3
        if: success() || failure()
        with:
          name: test-results-unit-python_${{ matrix.python-version }}
          path: test-results/*

  run-unit-tests-3_9:
    name: test-unit-python3-${{ matrix.python-version }}
    if: ${{ needs.test-inventory.outputs.unit == 'true' }}
    runs-on: ubuntu-latest
    needs:
      - test-inventory
    strategy:
      fail-fast: false
      matrix:
        python-version:
          - "3.9"
    permissions: 
      actions: read
      deployments: read
      contents: read
      packages: read
      statuses: read
      checks: write
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
          python-version: ${{ matrix.python-version }}
      - name: Setup addon
        run: |
          if [ -f "poetry.lock" ]
           then
             mkdir -p package/lib || true
             pip install poetry==1.5.1 poetry-plugin-export==1.4.0
             poetry export --without-hashes -o package/lib/requirements.txt
             poetry export --without-hashes --dev -o requirements_dev.txt
           fi
          if [ ! -f requirements_dev.txt ]; then echo no requirements;exit 0 ;fi
          pip install -r requirements_dev.txt
      - name: Create directories
        run: |
          mkdir -p /opt/splunk/var/log/splunk
          chmod -R 777 /opt/splunk/var/log/splunk
      - name: Copy pytest ini
        run: cp tests/unit/pytest-ci.ini pytest.ini
      - name: Run Pytest with coverage
        run: pytest --cov=./ --cov-report=xml --junitxml=test-results/junit.xml tests/unit
      - uses: actions/upload-artifact@v3
        if: success() || failure()
        with:
          name: test-results-unit-python_${{ matrix.python-version }}
          path: test-results/*

  build:
    runs-on: ubuntu-latest
    needs:
      - setup-workflow
      - test-inventory
      - meta
      - compliance-copyrights
      - lint
      - review_secrets
      - semgrep
      - run-unit-tests
      - fossa-scan
    if: ${{ !cancelled() && (needs.run-unit-tests.result == 'success' || needs.run-unit-tests.result == 'skipped') }}
    outputs:
      buildname: ${{ steps.buildupload.outputs.name }}
    permissions:
      contents: write
      packages: read
    steps:
      - uses: actions/checkout@v3
        with:
          # Very Important semantic-release won't trigger a tagged
          # build if this is not set false
          persist-credentials: false
      - name: Setup python
        uses: actions/setup-python@v4
        with:
          python-version: 3.7
      - name: create requirements file for pip
        run: |
          if [ -f "poetry.lock" ]
          then
            echo " poetry.lock found "
            sudo pip3 install poetry==1.5.1 poetry-plugin-export==1.4.0
            poetry lock --check
            poetry export --without-hashes -o requirements.txt
            if [ "$(grep -cve '^\s*$' requirements.txt)" -ne 0 ]
            then
                echo "Prod dependencies were found, creating package/lib folder"
                mkdir -p package/lib || true
                mv requirements.txt package/lib
            else
                echo "No prod dependencies were found"
                rm requirements.txt
            fi
            poetry export --without-hashes --dev -o requirements_dev.txt
            cat requirements_dev.txt
          fi
      - name: Get pip cache dir
        id: pip-cache
        run: |
          echo "dir=$(pip cache dir)" >> "$GITHUB_OUTPUT"
      - name: Run Check there are libraries to scan
        id: checklibs
        run: if [ -f requirements_dev.txt ]; then echo "ENABLED=true" >> "$GITHUB_OUTPUT"; fi
      - name: pip cache
        if: ${{ steps.checklibs.outputs.ENABLED == 'true' }}
        uses: actions/cache@v3
        with:
          path: ${{ steps.pip-cache.outputs.dir }}
          key: ${{ runner.os }}-pip-${{ hashFiles('requirements_dev.txt') }}
          restore-keys: |
            ${{ runner.os }}-pip-
      - name: Install deps
        if: ${{ steps.checklibs.outputs.ENABLED == 'true' }}
        run: pip install -r requirements_dev.txt
      - name: Semantic Release Get Next
        id: semantic
        if: github.event_name != 'pull_request'
        uses: splunk/semantic-release-action@v1.3
        with:
          dry_run: true
          git_committer_name: ${{ secrets.SA_GH_USER_NAME }}
          git_committer_email: ${{ secrets.SA_GH_USER_EMAIL }}
          gpg_private_key: ${{ secrets.SA_GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.SA_GPG_PASSPHRASE }}
        env:
          GITHUB_TOKEN: ${{ github.token }}
      - name: Determine the version to build
        id: BuildVersion
        uses: splunk/addonfactory-get-splunk-package-version-action@v1
        with:
          SemVer: ${{ steps.semantic.outputs.new_release_version }}
          PrNumber: ${{ github.event.number }}
      - name: Download THIRDPARTY
        if: github.event_name != 'pull_request' && github.event_name != 'schedule'
        uses: actions/download-artifact@v3
        with:
          name: THIRDPARTY
      - name: Download THIRDPARTY (Optional for PR and schedule)
        if: github.event_name == 'pull_request' || github.event_name == 'schedule'
        continue-on-error: true
        uses: actions/download-artifact@v3
        with:
          name: THIRDPARTY
      - name: Update Notices
        run: |
          cp -f THIRDPARTY package/THIRDPARTY || echo "THIRDPARTY file not found (allowed for PR and schedule)"
      - name: Build Package
        id: uccgen
        uses: splunk/addonfactory-ucc-generator-action@v2
        with:
          version: ${{ steps.BuildVersion.outputs.VERSION }}
      - name: Slim Package
        id: slim
        uses: splunk/addonfactory-packaging-toolkit-action@v1
        with:
          source: ${{ steps.uccgen.outputs.OUTPUT }}
        if: always()
      - name: artifact-openapi
        uses: actions/upload-artifact@v3
        with:
          name: artifact-openapi
          path: ${{ github.workspace }}/${{ steps.uccgen.outputs.OUTPUT }}/static/openapi.json
        if: ${{ !cancelled() && needs.test-inventory.outputs.ucc_modinput_functional == 'true' && needs.test-inventory.outputs.modinput_functional == 'true' }}
      - name: artifact-splunk-base
        uses: actions/upload-artifact@v3
        with:
          name: package-splunkbase
          path: ${{ steps.slim.outputs.OUTPUT }}
        if: ${{ !cancelled() }}
      - name: upload-build-to-s3
        id: buildupload
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        run: |
          echo "name=$(basename "${{ steps.slim.outputs.OUTPUT }}")" >> "$GITHUB_OUTPUT"
          basename "${{ steps.slim.outputs.OUTPUT }}"
          aws s3 cp "${{ steps.slim.outputs.OUTPUT }}" s3://ta-production-artifacts/ta-apps/
      - name: artifact-splunk-parts
        uses: actions/upload-artifact@v3
        with:
          name: package-deployment
          path: build/package/deployment**
        if: ${{ !cancelled() }}

  build-3_9:
    runs-on: ubuntu-latest
    needs:
      - setup-workflow
      - test-inventory
      - meta
      - compliance-copyrights
      - lint
      - review_secrets
      - semgrep
      - run-unit-tests-3_9
      - fossa-scan
    if: |
      always() &&
      (needs.run-unit-tests-3_9.result == 'success' || needs.run-unit-tests-3_9.result == 'skipped')
    permissions:
      contents: write
      packages: read
    steps:
      - uses: actions/checkout@v3
        with:
          # Very Important semantic-release won't trigger a tagged
          # build if this is not set false
          persist-credentials: false
      - name: Setup python
        uses: actions/setup-python@v4
        with:
          python-version: 3.9
      - name: create requirements file for pip
        run: |
          if [ -f "poetry.lock" ]
          then
            echo " poetry.lock found "
            sudo pip3 install poetry==1.5.1 poetry-plugin-export==1.4.0
            poetry export --without-hashes -o requirements.txt
            if [ "$(grep -cve '^\s*$' requirements.txt)" -ne 0 ]
            then
                echo "Prod dependencies were found, creating package/lib folder"
                mkdir -p package/lib || true
                mv requirements.txt package/lib
            else
                echo "No prod dependencies were found"
                rm requirements.txt
            fi
            poetry export --without-hashes --dev -o requirements_dev.txt
            cat requirements_dev.txt
          fi
      - id: pip-cache
        run: |
          echo "dir=$(pip cache dir)" >> "$GITHUB_OUTPUT"
      - name: pip cache
        uses: actions/cache@v3
        with:
          path: ${{ steps.pip-cache.outputs.dir }}
          key: ${{ runner.os }}-pip-python3_9-${{ hashFiles('requirements_dev.txt') }}
          restore-keys: |
            ${{ runner.os }}-pip-python3_9
      - run: pip install -r requirements_dev.txt
      - id: semantic
        if: github.event_name != 'pull_request'
        uses: splunk/semantic-release-action@v1.3
        with:
          dry_run: true
          git_committer_name: ${{ secrets.SA_GH_USER_NAME }}
          git_committer_email: ${{ secrets.SA_GH_USER_EMAIL }}
          gpg_private_key: ${{ secrets.SA_GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.SA_GPG_PASSPHRASE }}
        env:
          GITHUB_TOKEN: ${{ github.token }}
      - id: BuildVersion
        uses: splunk/addonfactory-get-splunk-package-version-action@v1
        with:
          SemVer: ${{ steps.semantic.outputs.new_release_version }}
          PrNumber: ${{ github.event.number }}
      - id: uccgen
        uses: splunk/addonfactory-ucc-generator-action@v2
        with:
          version: ${{ steps.BuildVersion.outputs.VERSION }}

  security-virustotal:
    continue-on-error: true
    name: security-virustotal
    needs: build
    if: ${{ !cancelled() && needs.build.result == 'success' }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v3
        with:
          name: package-splunkbase
          path: build/package/
      - name: VirusTotal Scan
        uses: crazy-max/ghaction-virustotal@v3
        with:
          vt_api_key: ${{ secrets.VT_API_KEY }}
          files: |
            build/package/*

  run-requirements-unit-tests:
    runs-on: ubuntu-latest
    needs:
      - build
      - test-inventory
    if: ${{ !cancelled() && needs.build.result == 'success' && needs.test-inventory.outputs.requirement_test == 'true' }}
    permissions: 
      actions: read
      deployments: read
      contents: read
      packages: read
      statuses: read
      checks: write
    steps:
      - uses: actions/checkout@v3
      - name: Install Python 3
        uses: actions/setup-python@v4
        with:
          python-version: 3.7
      - name: run-tests
        uses: splunk/addonfactory-workflow-requirement-files-unit-tests@v1.4
        with:
          input-files: tests/requirement_test/logs
      - name: Archive production artifacts
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@v3
        with:
          name: test-results
          path: |
            test_*.txt

  appinspect:
    name: quality-appinspect-${{ matrix.tags }}
    needs: build
    if: ${{ !cancelled() && needs.build.result == 'success' }}
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        tags:
          - "cloud"
          - "appapproval"
          - "deprecated_feature"
          - "developer_guidance"
          - "future"
          - "self-service"
          - "splunk_appinspect"
          - "manual"
    steps:
      - uses: actions/checkout@v3
      - uses: actions/download-artifact@v3
        with:
          name: package-splunkbase
          path: build/package/
      - name: Scan
        uses: splunk/appinspect-cli-action@v1.12
        with:
          app_path: build/package/
          included_tags: ${{ matrix.tags }}
          result_file: appinspect_result_${{ matrix.tags }}.json
      - name: upload-appinspect-report
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@v3
        with:
          name: appinspect_${{ matrix.tags }}_checks.json
          path: appinspect_result_${{ matrix.tags }}.json
      - name: upload-markdown
        if: matrix.tags == 'manual'
        uses: actions/upload-artifact@v3
        with:
          name: check_markdown
          path: |
            *_markdown.txt

  appinspect-api:
    name: appinspect api ${{ matrix.tags }}
    needs: build
    if: |
      !cancelled() &&
      needs.build.result == 'success' &&
      ( github.base_ref == 'main' || github.ref_name == 'main' )
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        tags:
          - "cloud"
    steps:
      - uses: actions/checkout@v3
      - uses: actions/download-artifact@v3
        with:
          name: package-splunkbase
          path: build/package
      - name: AppInspect API
        uses: splunk/appinspect-api-action@v3.0
        with:
          username: ${{ secrets.SPL_COM_USER }}
          password: ${{ secrets.SPL_COM_PASSWORD }}
          app_path: build/package/
          included_tags: ${{ matrix.tags }}
      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: appinspect-api-html-report-${{ matrix.tags }}
          path: AppInspect_response.html

  artifact-registry:
    runs-on: ubuntu-latest
    needs:
      - security-virustotal
      - meta
    if: ${{ !cancelled() && needs.security-virustotal.result == 'success' && needs.meta.result == 'success' }}
    outputs:
      artifact: ${{ steps.artifactid.outputs.result }}
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v3
      - uses: actions/download-artifact@v3
        with:
          name: package-splunkbase
          path: build/package/splunkbase
      - id: getappid
        run: |
          appid=$(jq -r '.info.id.name' package/app.manifest)
          echo appid="$appid"
          echo "result=$appid" >> "$GITHUB_OUTPUT"
      - run: |
          curl -LO https://github.com/oras-project/oras/releases/download/v0.12.0/oras_0.12.0_linux_amd64.tar.gz
          mkdir -p oras-install/
          tar -zxf oras_0.12.0_*.tar.gz -C oras-install/
          mv oras-install/oras /usr/local/bin/
          rm -rf oras_0.12.0_*.tar.gz oras-install/
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      - name: Login to GitHub Packages Docker Registry
        uses: docker/login-action@v2.2.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ github.token }}
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v4.6.0
        with:
          images: ghcr.io/${{ github.repository }}
          tags: |
            type=semver,pattern=v{{major}}.{{minor}},prefix=${{ steps.getappid.outputs.result }}-
            type=semver,pattern=v{{major}},prefix=${{ steps.getappid.outputs.result }}-
            type=semver,pattern=v{{version}},prefix=${{ steps.getappid.outputs.result }}-
            type=semver,pattern={{major}}.{{minor}},prefix=${{ steps.getappid.outputs.result }}-
            type=semver,pattern={{major}},prefix=${{ steps.getappid.outputs.result }}-
            type=semver,pattern={{version}},prefix=${{ steps.getappid.outputs.result }}-
            type=ref,event=branch,prefix=${{ steps.getappid.outputs.result }}-
            type=ref,event=pr,prefix=${{ steps.getappid.outputs.result }}-
            type=sha,prefix=${{ steps.getappid.outputs.result }}-
            type=sha,format=long,prefix=${{ steps.getappid.outputs.result }}-
      - name: Upload artifacts
        run: |
          tee /tmp/tags &>/dev/null <<EOF
          ${{ steps.meta.outputs.tags }}
          EOF
          pushd build/package/splunkbase/
          PACKAGE=$(ls ./*)
          echo "$PACKAGE"
          mv "$PACKAGE" "${{ steps.getappid.outputs.result }}".spl
          while IFS= read -r line
          do
            echo ">>$line<<"
            oras push \
                --manifest-config /dev/null:application/vnd.splunk.ent.package.v1.tar+gzip \
                "$line" \
                "${{ steps.getappid.outputs.result }}".spl
            echo "  complete"
          done < /tmp/tags
          popd
      - name: Output artifact locator
        id: artifactid
        run: |
          echo "result= ${{ needs.meta.outputs.sc4s }}" >> "$GITHUB_OUTPUT"

  setup:
    needs:
      - build
      - test-inventory
    if: ${{ !cancelled() && needs.build.result == 'success' }}
    runs-on: ubuntu-latest
    outputs:
      argo-server: ${{ steps.test-setup.outputs.argo-server }}
      argo-http1: ${{ steps.test-setup.outputs.argo-http1 }}
      argo-secure: ${{ steps.test-setup.outputs.argo-secure }}
      spl-host-suffix: ${{ steps.test-setup.outputs.spl-host-suffix }}
      argo-href: ""
      argo-base-href: ${{ steps.test-setup.outputs.argo-base-href }}
      argo-workflow-tmpl-name: ${{ steps.test-setup.outputs.argo-workflow-tmpl-name }}
      argo-cancel-workflow-tmpl-name: ${{ steps.test-setup.outputs.argo-cancel-workflow-tmpl-name }}
      k8s-manifests-branch: ${{ steps.test-setup.outputs.k8s-manifests-branch }}
      argo-namespace: ${{ steps.test-setup.outputs.argo-namespace }}
      addon-name: ${{ steps.test-setup.outputs.addon-name }}
      job-name: ${{ steps.test-setup.outputs.job-name }}
      labels: ${{ steps.test-setup.outputs.labels }}
      addon-upload-path: ${{ steps.test-setup.outputs.addon-upload-path }}
      directory-path: ${{ steps.test-setup.outputs.directory-path }}
      s3-bucket: ${{ steps.test-setup.outputs.s3-bucket }}
    env:
      BUILD_NAME: ${{ needs.build.outputs.buildname }}
    steps:
      - uses: actions/checkout@v3
        with:
          submodules: recursive
          token: ${{ secrets.GH_TOKEN_ADMIN }}
      - name: setup for test
        id: test-setup
        shell: bash
        run: |
          sudo apt-get install -y crudini
          ADDON_NAME=$(crudini --get package/default/app.conf id name | tr '[:lower:]' '[:upper:]')
          if [[ -n $(echo "${ADDON_NAME}" | awk -F 'SPLUNK_TA_' '{print $2}') ]];
          then
              ADDON_NAME=$(echo "${ADDON_NAME}" | awk -F 'SPLUNK_TA_' '{print $2}')
          elif [[ -n $(echo "${ADDON_NAME}" | awk -F '_FOR_SPLUNK' '{print $1}') ]];
          then
              ADDON_NAME=$(echo "${ADDON_NAME}" | awk -F '_FOR_SPLUNK' '{print $1}')
          fi
          JOB_NAME=$(echo "$ADDON_NAME" | tail -c 16)-$(echo "${GITHUB_SHA}" | tail -c 8)-TEST-TYPE-${GITHUB_RUN_ID}
          JOB_NAME=${JOB_NAME//[_.]/-}
          LABELS="addon-name=${ADDON_NAME}"
          ADDON_UPLOAD_PATH="s3://ta-production-artifacts/ta-apps/${{ needs.build.outputs.buildname }}"
          {
          echo "argo-server=argo.wfe.splgdi.com:443"
          echo "argo-http1=true"
          echo "argo-secure=true"
          echo "argo-base-href=\'\'"
          echo "argo-namespace=workflows"
          echo "argo-workflow-tmpl-name=ta-workflow"
          echo "argo-cancel-workflow-tmpl-name=cancel-workflow"
          echo "directory-path=/tmp"
          echo "s3-bucket=ta-production-artifacts"
          echo "addon-name=\"$ADDON_NAME\""
          echo "job-name=wf-$JOB_NAME"
          echo "labels=$LABELS"
          echo "addon-upload-path=$ADDON_UPLOAD_PATH"
          echo "spl-host-suffix=wfe.splgdi.com"
          echo "k8s-manifests-branch=main"
          } >> "$GITHUB_OUTPUT"
      - uses: actions/download-artifact@v3
        if: ${{ needs.test-inventory.outputs.ucc_modinput_functional == 'true' && needs.test-inventory.outputs.modinput_functional == 'true'}}
        id: download-openapi
        with:
          name: artifact-openapi
          path: ${{ github.workspace }}
      - name: Setup python
        if: steps.download-openapi.conclusion != 'skipped'
        uses: actions/setup-python@v4
        with:
          python-version: 3.7
      - name: modinput-test-prerequisites
        if: steps.download-openapi.conclusion != 'skipped'
        shell: bash
        env:
          PYTHON_KEYRING_BACKEND: keyring.backends.null.Keyring
        run: |
          sudo pip3 install poetry==1.5.1 
          export POETRY_REPOSITORIES_SPLUNK_ADD_ON_UCC_MODINPUT_TEST_URL=https://github.com/splunk/addonfactory-ucc-test.git
          export POETRY_HTTP_BASIC_SPLUNK_ADD_ON_UCC_MODINPUT_TEST_USERNAME=${{ secrets.SA_GH_USER_NAME }}
          export POETRY_HTTP_BASIC_SPLUNK_ADD_ON_UCC_MODINPUT_TEST_PASSWORD=${{ secrets.GH_TOKEN_ADMIN }}
          poetry install --only modinput
          poetry run ucc-test-modinput -o ${{ steps.download-openapi.outputs.download-path }}/openapi.json -t ${{ steps.download-openapi.outputs.download-path }}/tmp/
      - name: upload-swagger-artifacts-to-s3
        if: steps.download-openapi.conclusion != 'skipped'
        id: swaggerupload
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        run: |
          swagger_name=swagger_$(basename "$BUILD_NAME" .spl)
          aws s3 sync "${{ steps.download-openapi.outputs.download-path }}/tmp/restapi_client/" "s3://ta-production-artifacts/ta-apps/$swagger_name/" --exclude "*" --include "README.md" --include "*swagger_client*" --only-show-errors

  run-knowledge-tests:
    if: ${{ !cancelled() && needs.build.result == 'success' && needs.test-inventory.outputs.knowledge == 'true' && (needs.setup-workflow.outputs.execute-ko == 'Yes' || needs.setup-workflow.outputs.execute-knowledge-labeled == 'true') }}
    needs:
      - build
      - test-inventory
      - setup
      - meta
      - setup-workflow
    runs-on: ubuntu-latest
    continue-on-error: ${{ matrix.python39 }}
    strategy:
      fail-fast: false
      matrix:
        splunk: ${{ fromJson(needs.meta.outputs.matrix_supportedSplunk) }}
        sc4s: ${{ fromJson(needs.meta.outputs.matrix_supportedSC4S) }}
        python39: [false]
        include:
            - splunk: ${{ fromJson(needs.meta.outputs.python39_splunk) }}
              sc4s: ${{ fromJson(needs.meta.outputs.python39_sc4s) }}
              python39: true
    container:
      image: ghcr.io/splunk/workflow-engine-base:2.0.3
    env:
      ARGO_SERVER: ${{ needs.setup.outputs.argo-server }}
      ARGO_HTTP1: ${{ needs.setup.outputs.argo-http1 }}
      ARGO_SECURE: ${{ needs.setup.outputs.argo-secure }}
      ARGO_BASE_HREF: ${{ needs.setup.outputs.argo-href }}
      ARGO_NAMESPACE: ${{ needs.setup.outputs.argo-namespace }}
      SPLUNK_VERSION_BASE: ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }}
      TEST_TYPE: "knowledge"
      TEST_ARGS: ""
    permissions: 
      actions: read
      deployments: read
      contents: read
      packages: read
      statuses: read
      checks: write
    steps:
      - uses: actions/checkout@v3
        with:
          submodules: recursive
      - name: capture start time
        id: capture-start-time
        run: |
          echo "start_time=$(date +%s)" >> "$GITHUB_OUTPUT"
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
      - name: Read secrets from AWS Secrets Manager into environment variables
        id: get-argo-token
        run: |
          ARGO_TOKEN=$(aws secretsmanager get-secret-value --secret-id ta-github-workflow-automation-token | jq -r '.SecretString')
          echo "argo-token=$ARGO_TOKEN" >> "$GITHUB_OUTPUT"
      - name: create job name
        id: create-job-name
        shell: bash
        run: |
          RANDOM_STRING=$(head -3 /dev/urandom | tr -cd '[:lower:]' | cut -c -4)
          JOB_NAME=${{ needs.setup.outputs.job-name }}-${RANDOM_STRING}
          JOB_NAME=${JOB_NAME//TEST-TYPE/${{ env.TEST_TYPE }}}
          JOB_NAME=${JOB_NAME//[_.]/-}
          JOB_NAME=$(echo "$JOB_NAME" | tr '[:upper:]' '[:lower:]')
          echo "job-name=$JOB_NAME" >> "$GITHUB_OUTPUT"
      - name: Splunk instance details
        id: splunk-instance-details
        if: ${{ needs.setup-workflow.outputs.delay-destroy-ko == 'Yes' }}
        shell: bash 
        run: |
          BOLD="\033[1m"
          NORMAL="\033[0m"
          echo "Splunk Web UI will be available at https://${{ steps.create-job-name.outputs.job-name }}.${{ needs.setup.outputs.spl-host-suffix }}:8000 after test execution starts"
          echo -e "Splunk username is${BOLD} admin${NORMAL}"
          echo "Splunk password is available in SecretServer shared folder: Shared Splunk - GDI - Lab Credentials under SPLUNK_DEPLOYMENT_PASSWORD"
      - name: run-tests
        id: run-tests
        timeout-minutes: 340
        continue-on-error: true
        env:
          ARGO_TOKEN: ${{ steps.get-argo-token.outputs.argo-token }}
        uses: splunk/wfe-test-runner-action@v1.6
        with:
          splunk: ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }}
          test-type: ${{ env.TEST_TYPE }}
          test-args: ""
          job-name: ${{ steps.create-job-name.outputs.job-name }}
          labels: ${{ needs.setup.outputs.labels }}
          workflow-tmpl-name: ${{ needs.setup.outputs.argo-workflow-tmpl-name }}
          workflow-template-ns: ${{ needs.setup.outputs.argo-namespace }}
          delay-destroy: ${{ needs.setup-workflow.outputs.delay-destroy-ko }}
          addon-url: ${{ needs.setup.outputs.addon-upload-path }}
          addon-name: ${{ needs.setup.outputs.addon-name }}
          sc4s-version: ${{ matrix.sc4s.version }}
          sc4s-docker-registry: ${{ matrix.sc4s.docker_registry }}
          k8s-manifests-branch: ${{ needs.setup.outputs.k8s-manifests-branch }}
      - name: Read secrets from AWS Secrets Manager again into environment variables in case credential rotation
        id: update-argo-token
        if: ${{ !cancelled() }}
        run: |
          ARGO_TOKEN=$(aws secretsmanager get-secret-value --secret-id ta-github-workflow-automation-token | jq -r '.SecretString')
          echo "argo-token=$ARGO_TOKEN" >> "$GITHUB_OUTPUT"
      - name: calculate timeout
        id: calculate-timeout
        run: |
          start_time=${{ steps.capture-start-time.outputs.start_time }}
          current_time=$(date +%s)
          remaining_time_minutes=$(( 350-((current_time-start_time)/60) ))
          echo "remaining_time_minutes=$remaining_time_minutes" >> "$GITHUB_OUTPUT"
      - name: Check if pod was deleted
        id: is-pod-deleted
        timeout-minutes: ${{ fromJson(steps.calculate-timeout.outputs.remaining_time_minutes) }}
        if: ${{ !cancelled() }}
        shell: bash
        env:
          ARGO_TOKEN: ${{ steps.update-argo-token.outputs.argo-token }}
        run: |
          set -o xtrace
          if argo watch ${{ steps.run-tests.outputs.workflow-name }} -n workflows | grep "pod deleted"; then
            echo "retry-workflow=true" >> "$GITHUB_OUTPUT"
          fi
      - name: Cancel workflow
        env:
          ARGO_TOKEN: ${{ steps.get-argo-token.outputs.argo-token }}
        if: ${{ cancelled() || steps.is-pod-deleted.outcome != 'success' }}
        run: |
          cancel_response=$(argo submit -v -o json --from wftmpl/${{ needs.setup.outputs.argo-cancel-workflow-tmpl-name }} -l workflows.argoproj.io/workflow-template=${{ needs.setup.outputs.argo-cancel-workflow-tmpl-name }} --argo-base-href '' -p workflow-to-cancel=${{ steps.run-tests.outputs.workflow-name }})
          cancel_workflow_name=$( echo "$cancel_response" |jq -r '.metadata.name' )
          cancel_logs=$(argo logs --follow "$cancel_workflow_name" -n workflows)
          if echo "$cancel_logs" | grep -q "workflow ${{ steps.run-tests.outputs.workflow-name }} stopped"; then
            echo "Workflow ${{ steps.run-tests.outputs.workflow-name }} stopped"
          else
            echo "Workflow ${{ steps.run-tests.outputs.workflow-name }} didn't stop"
            exit 1
          fi
      - name: Retrying workflow
        id: retry-wf
        shell: bash
        env:
          ARGO_TOKEN: ${{ steps.update-argo-token.outputs.argo-token }}
        if: ${{ !cancelled() }}
        run: |
          set -o xtrace
          set +e
          if [[ "${{ steps.is-pod-deleted.outputs.retry-workflow }}" == "true" ]]
          then
            WORKFLOW_NAME=$(argo resubmit -v -o json -n workflows "${{ steps.run-tests.outputs.workflow-name }}" | jq -r .metadata.name)
            echo "workflow-name=$WORKFLOW_NAME" >> "$GITHUB_OUTPUT"
            argo logs --follow "${WORKFLOW_NAME}" -n workflows || echo "... there was an error fetching logs, the workflow is still in progress. please wait for the workflow to complete ..."
          else
            echo "No retry required"
            argo wait "${{ steps.run-tests.outputs.workflow-name }}" -n workflows
            argo watch "${{ steps.run-tests.outputs.workflow-name }}" -n workflows | grep "test-addon"
          fi
      - name: check if workflow completed
        env:
          ARGO_TOKEN: ${{ steps.update-argo-token.outputs.argo-token }}
        shell: bash
        if: ${{ !cancelled() }}
        run: |
          set +e
          # shellcheck disable=SC2157
          if [ -z "${{ steps.retry-wf.outputs.workflow-name }}" ]; then
            WORKFLOW_NAME=${{ steps.run-tests.outputs.workflow-name }}
          else
            WORKFLOW_NAME="${{ steps.retry-wf.outputs.workflow-name }}"
          fi
          ARGO_STATUS=$(argo get "${WORKFLOW_NAME}" -n workflows -o json | jq -r '.status.phase')
          echo "Status of workflow:" "$ARGO_STATUS"
          while [ "$ARGO_STATUS" == "Running"  ] || [ "$ARGO_STATUS" == "Pending" ]
          do
              echo "... argo Workflow ${WORKFLOW_NAME} is running, waiting for it to complete."
              argo wait "${WORKFLOW_NAME}" -n workflows || true
              ARGO_STATUS=$(argo get "${WORKFLOW_NAME}" -n workflows -o json | jq -r '.status.phase')
          done
      - name: pull artifacts from s3 bucket
        if: ${{ !cancelled() }}
        run: |
          echo "pulling artifacts"
          aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/artifacts-${{ steps.create-job-name.outputs.job-name }}/${{ steps.create-job-name.outputs.job-name }}.tgz ${{ needs.setup.outputs.directory-path }}/
          tar -xf ${{ needs.setup.outputs.directory-path }}/${{ steps.create-job-name.outputs.job-name }}.tgz -C ${{ needs.setup.outputs.directory-path }}
      - name: pull logs from s3 bucket
        if: ${{ !cancelled() }}
        run: |
          # shellcheck disable=SC2157
          if [ -z "${{ steps.retry-wf.outputs.workflow-name }}" ]; then
            WORKFLOW_NAME=${{ steps.run-tests.outputs.workflow-name }}
          else
            WORKFLOW_NAME="${{ steps.retry-wf.outputs.workflow-name }}"
          fi
          echo "pulling logs"
          mkdir -p ${{ needs.setup.outputs.directory-path }}/argo-logs
          aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/${WORKFLOW_NAME}/ ${{ needs.setup.outputs.directory-path }}/argo-logs/ --recursive
      - uses: actions/upload-artifact@v3
        if: ${{ !cancelled() }}
        with:
          name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} tests artifacts
          path: |
            ${{ needs.setup.outputs.directory-path }}/test-results
      - uses: actions/upload-artifact@v3
        if: ${{ !cancelled() }}
        with:
          name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} tests logs
          path: |
            ${{ needs.setup.outputs.directory-path }}/argo-logs
      - name: Upload cim-compliance-report for ${{ matrix.splunk.version }}
        uses: actions/upload-artifact@v3
        if: ${{ matrix.splunk.islatest == true }}
        with:
          name: cim-compliance-report
          path: |
            ${{ needs.setup.outputs.directory-path }}/test-results/cim-compliance-report.md
      - name: Upload cim-field-report for ${{ matrix.splunk.version }}
        uses: actions/upload-artifact@v3
        if: ${{ matrix.splunk.islatest == true }}
        with:
          name: cim-field-report
          path: |
            ${{ needs.setup.outputs.directory-path }}/test-results/cim_field_report.json
      - name: Test Report
        id: test_report
        uses: dorny/test-reporter@v1
        if: ${{ !cancelled() }}
        with:
          name: splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} test report
          path: "${{ needs.setup.outputs.directory-path }}/test-results/*.xml"
          reporter: java-junit
      - name: pull diag from s3 bucket
        if: ${{ failure() && steps.test_report.outputs.conclusion == 'failure' }}
        run: |
          echo "pulling diag"
          aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/diag-${{ steps.create-job-name.outputs.job-name }}/diag-${{ steps.create-job-name.outputs.job-name }}.tgz ${{ needs.setup.outputs.directory-path }}/
      - uses: actions/upload-artifact@v3
        if: ${{ failure() && steps.test_report.outputs.conclusion == 'failure' }}
        with:
          name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} tests diag
          path: |
            ${{ needs.setup.outputs.directory-path }}/diag*


  run-requirement-tests:
    if: ${{ !cancelled() && needs.build.result == 'success' && needs.test-inventory.outputs.requirement_test == 'true' && (needs.setup-workflow.outputs.execute-requirement_test == 'Yes' || needs.setup-workflow.outputs.execute-requirement-labeled == 'true') }}
    needs:
      - build
      - test-inventory
      - setup
      - meta
      - setup-workflow
    runs-on: ubuntu-latest
    continue-on-error: ${{ matrix.python39 }}
    strategy:
      fail-fast: false
      matrix:
        splunk: ${{ fromJson(needs.meta.outputs.matrix_latestSplunk) }}
        sc4s: ${{ fromJson(needs.meta.outputs.matrix_supportedSC4S) }}
        python39: [false]
        include:
            - splunk: ${{ fromJson(needs.meta.outputs.python39_splunk) }}
              sc4s: ${{ fromJson(needs.meta.outputs.python39_sc4s) }}
              python39: true
    container:
      image: ghcr.io/splunk/workflow-engine-base:2.0.3
    env:
      ARGO_SERVER: ${{ needs.setup.outputs.argo-server }}
      ARGO_HTTP1: ${{ needs.setup.outputs.argo-http1 }}
      ARGO_SECURE: ${{ needs.setup.outputs.argo-secure }}
      ARGO_BASE_HREF: ${{ needs.setup.outputs.argo-href }}
      ARGO_NAMESPACE: ${{ needs.setup.outputs.argo-namespace }}
      TEST_TYPE: "requirement_test"
      TEST_ARGS: ""
    permissions: 
      actions: read
      deployments: read
      contents: read
      packages: read
      statuses: read
      checks: write
    steps:
      - uses: actions/checkout@v3
        with:
          submodules: recursive
      - name: capture start time
        id: capture-start-time
        run: |
          echo "start_time=$(date +%s)" >> "$GITHUB_OUTPUT"  
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
      - name: Read secrets from AWS Secrets Manager into environment variables
        id: get-argo-token
        run: |
          ARGO_TOKEN=$(aws secretsmanager get-secret-value --secret-id ta-github-workflow-automation-token | jq -r '.SecretString')
          echo "argo-token=$ARGO_TOKEN" >> "$GITHUB_OUTPUT"
      - name: create job name
        id: create-job-name
        shell: bash
        run: |
          RANDOM_STRING=$(head -3 /dev/urandom | tr -cd '[:lower:]' | cut -c -4)
          JOB_NAME=${{ needs.setup.outputs.job-name }}-${RANDOM_STRING}
          JOB_NAME=${JOB_NAME//TEST-TYPE/${{ env.TEST_TYPE }}}
          JOB_NAME=${JOB_NAME//[_.]/-}
          JOB_NAME=$(echo "$JOB_NAME" | tr '[:upper:]' '[:lower:]')
          echo "job-name=$JOB_NAME" >> "$GITHUB_OUTPUT"
      - name: Splunk instance details
        id: splunk-instance-details
        if: ${{ needs.setup-workflow.outputs.delay-destroy-requirement_test == 'Yes' }}
        shell: bash 
        run: |
          BOLD="\033[1m"
          NORMAL="\033[0m"
          echo "Splunk Web UI will be available at https://${{ steps.create-job-name.outputs.job-name }}.${{ needs.setup.outputs.spl-host-suffix }}:8000 after test execution starts"
          echo -e "Splunk username is${BOLD} admin${NORMAL}"
          echo "Splunk password is available in SecretServer shared folder: Shared Splunk - GDI - Lab Credentials under SPLUNK_DEPLOYMENT_PASSWORD"
      - name: run-tests
        id: run-tests
        timeout-minutes: 340
        continue-on-error: true
        env:
          ARGO_TOKEN: ${{ steps.get-argo-token.outputs.argo-token }}
        uses: splunk/wfe-test-runner-action@v1.6
        with:
          splunk: ${{ matrix.splunk.version }}
          test-type: ${{ env.TEST_TYPE }}
          test-args: ""
          job-name: ${{ steps.create-job-name.outputs.job-name }}
          labels: ${{ needs.setup.outputs.labels }}
          workflow-tmpl-name: ${{ needs.setup.outputs.argo-workflow-tmpl-name }}
          workflow-template-ns: ${{ needs.setup.outputs.argo-namespace }}
          delay-destroy: ${{ needs.setup-workflow.outputs.delay-destroy-requirement_test }}
          addon-url: ${{ needs.setup.outputs.addon-upload-path }}
          addon-name: ${{ needs.setup.outputs.addon-name }}
          sc4s-version: ${{ matrix.sc4s.version }}
          sc4s-docker-registry: ${{ matrix.sc4s.docker_registry }}
          k8s-manifests-branch: ${{ needs.setup.outputs.k8s-manifests-branch }}
      - name: calculate timeout
        id: calculate-timeout
        run: |
          start_time=${{ steps.capture-start-time.outputs.start_time }}
          current_time=$(date +%s)
          remaining_time_minutes=$(( 350-((current_time-start_time)/60) ))
          echo "remaining_time_minutes=$remaining_time_minutes" >> "$GITHUB_OUTPUT"
      - name: Check if pod was deleted
        id: is-pod-deleted
        timeout-minutes: ${{ fromJson(steps.calculate-timeout.outputs.remaining_time_minutes) }}
        if: ${{ !cancelled() }}
        shell: bash
        env:
          ARGO_TOKEN: ${{ steps.get-argo-token.outputs.argo-token }}
        run: |
          set -o xtrace
          if argo watch ${{ steps.run-tests.outputs.workflow-name }} -n workflows | grep "pod deleted"; then
            echo "retry-workflow=true" >> "$GITHUB_OUTPUT"
          fi
      - name: Cancel workflow
        env:
          ARGO_TOKEN: ${{ steps.get-argo-token.outputs.argo-token }}
        if: ${{ cancelled() || steps.is-pod-deleted.outcome != 'success' }}
        run: |
          cancel_response=$(argo submit -v -o json --from wftmpl/${{ needs.setup.outputs.argo-cancel-workflow-tmpl-name }} -l workflows.argoproj.io/workflow-template=${{ needs.setup.outputs.argo-cancel-workflow-tmpl-name }} --argo-base-href '' -p workflow-to-cancel=${{ steps.run-tests.outputs.workflow-name }})
          cancel_workflow_name=$( echo "$cancel_response" |jq -r '.metadata.name' )
          cancel_logs=$(argo logs --follow "$cancel_workflow_name" -n workflows)
          if echo "$cancel_logs" | grep -q "workflow ${{ steps.run-tests.outputs.workflow-name }} stopped"; then
            echo "Workflow ${{ steps.run-tests.outputs.workflow-name }} stopped"
          else
            echo "Workflow ${{ steps.run-tests.outputs.workflow-name }} didn't stop"
            exit 1
          fi  
      - name: Retrying workflow
        id: retry-wf
        shell: bash
        env:
          ARGO_TOKEN: ${{ steps.get-argo-token.outputs.argo-token }}
        if: ${{ !cancelled() }}
        run: |
          set -o xtrace
          set +e
          if [[ "${{ steps.is-pod-deleted.outputs.retry-workflow }}" == "true" ]]
          then
            WORKFLOW_NAME=$(argo resubmit -v -o json -n workflows "${{ steps.run-tests.outputs.workflow-name }}" | jq -r .metadata.name)
            echo "workflow-name=$WORKFLOW_NAME" >> "$GITHUB_OUTPUT"
            argo logs --follow "${WORKFLOW_NAME}" -n workflows || echo "... there was an error fetching logs, the workflow is still in progress. please wait for the workflow to complete ..."
          else
            echo "No retry required"
            argo wait "${{ steps.run-tests.outputs.workflow-name }}" -n workflows
            argo watch "${{ steps.run-tests.outputs.workflow-name }}" -n workflows | grep "test-addon"
          fi
      - name: check if workflow completed
        env:
          ARGO_TOKEN: ${{ steps.get-argo-token.outputs.argo-token }}
        shell: bash
        if: ${{ !cancelled() }}
        run: |
          set +e
          # shellcheck disable=SC2157
          if [ -z "${{ steps.retry-wf.outputs.workflow-name }}" ]; then
            WORKFLOW_NAME=${{ steps.run-tests.outputs.workflow-name }}
          else
            WORKFLOW_NAME="${{ steps.retry-wf.outputs.workflow-name }}"
          fi
          ARGO_STATUS=$(argo get "${WORKFLOW_NAME}" -n workflows -o json | jq -r '.status.phase')
          echo "Status of workflow:" "$ARGO_STATUS"
          while [ "$ARGO_STATUS" == "Running"  ] || [ "$ARGO_STATUS" == "Pending" ]
          do
              echo "... argo Workflow ${WORKFLOW_NAME} is running, waiting for it to complete."
              argo wait "${WORKFLOW_NAME}" -n workflows || true
              ARGO_STATUS=$(argo get "${WORKFLOW_NAME}" -n workflows -o json | jq -r '.status.phase')
          done
      - name: pull artifacts from s3 bucket
        if: ${{ !cancelled() }}
        run: |
          echo "pulling artifacts"
          aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/artifacts-${{ steps.create-job-name.outputs.job-name }}/${{ steps.create-job-name.outputs.job-name }}.tgz ${{ needs.setup.outputs.directory-path }}/
          tar -xf ${{ needs.setup.outputs.directory-path }}/${{ steps.create-job-name.outputs.job-name }}.tgz -C ${{ needs.setup.outputs.directory-path }}
      - name: pull logs from s3 bucket
        if: ${{ !cancelled() }}
        run: |
          # shellcheck disable=SC2157
          if [ -z "${{ steps.retry-wf.outputs.workflow-name }}" ]; then
            WORKFLOW_NAME=${{ steps.run-tests.outputs.workflow-name }}
          else
            WORKFLOW_NAME="${{ steps.retry-wf.outputs.workflow-name }}"
          fi
          echo "pulling logs"
          mkdir -p ${{ needs.setup.outputs.directory-path }}/argo-logs
          aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/${WORKFLOW_NAME}/ ${{ needs.setup.outputs.directory-path }}/argo-logs/ --recursive
      - uses: actions/upload-artifact@v3
        if: ${{ !cancelled() }}
        with:
          name: archive splunk ${{ matrix.splunk.version }} ${{ env.TEST_TYPE }} tests artifacts
          path: |
            ${{ needs.setup.outputs.directory-path }}/test-results
      - uses: actions/upload-artifact@v3
        if: ${{ !cancelled() }}
        with:
          name: archive splunk ${{ matrix.splunk.version }} ${{ env.TEST_TYPE }} tests logs
          path: |
            ${{ needs.setup.outputs.directory-path }}/argo-logs
      - name: Test Report
        id: test_report
        uses: dorny/test-reporter@v1
        if: ${{ !cancelled() }}
        with:
          name: splunk ${{ matrix.splunk.version }} ${{ env.TEST_TYPE }} test report
          path: "${{ needs.setup.outputs.directory-path }}/test-results/*.xml"
          reporter: java-junit
      - name: pull diag from s3 bucket
        if: ${{ failure() && steps.test_report.outputs.conclusion == 'failure' }}
        run: |
          echo "pulling diag"
          aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/diag-${{ steps.create-job-name.outputs.job-name }}/diag-${{ steps.create-job-name.outputs.job-name }}.tgz ${{ needs.setup.outputs.directory-path }}/
      - uses: actions/upload-artifact@v3
        if: ${{ failure() && steps.test_report.outputs.conclusion == 'failure' }}
        with:
          name: archive splunk ${{ matrix.splunk.version }} ${{ env.TEST_TYPE }} tests diag
          path: |
            ${{ needs.setup.outputs.directory-path }}/diag*

  run-ui-tests:
    if: ${{ !cancelled() && needs.build.result == 'success' && needs.test-inventory.outputs.ui == 'true' && (needs.setup-workflow.outputs.execute-ui == 'Yes' || needs.setup-workflow.outputs.execute-ui-labeled == 'true') }}
    needs:
      - build
      - test-inventory
      - setup
      - meta
      - setup-workflow
    runs-on: ubuntu-latest
    continue-on-error: ${{ matrix.python39 }}
    strategy:
      fail-fast: false
      matrix:
        splunk: ${{ fromJson(needs.meta.outputs.matrix_supportedSplunk) }}
        browser: [ "chrome","firefox" ]
        vendor-version: ${{ fromJson(needs.meta.outputs.matrix_supportedUIVendors) }}
        python39: [false]
        include:
            - splunk: ${{ fromJson(needs.meta.outputs.python39_splunk) }}
              browser: "chrome"
              python39: true
    container:
      image: ghcr.io/splunk/workflow-engine-base:2.0.3
    env:
      ARGO_SERVER: ${{ needs.setup.outputs.argo-server }}
      ARGO_HTTP1: ${{ needs.setup.outputs.argo-http1 }}
      ARGO_SECURE: ${{ needs.setup.outputs.argo-secure }}
      ARGO_BASE_HREF: ${{ needs.setup.outputs.argo-href }}
      ARGO_NAMESPACE: ${{ needs.setup.outputs.argo-namespace }}
      SPLUNK_VERSION_BASE: ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }}
      TEST_TYPE: "ui"
      TEST_ARGS: "--browser ${{ matrix.browser }}"
    permissions: 
      actions: read
      deployments: read
      contents: read
      packages: read
      statuses: read
      checks: write
    steps:
      - uses: actions/checkout@v3
        with:
          submodules: recursive
      - name: capture start time
        id: capture-start-time
        run: |
          echo "start_time=$(date +%s)" >> "$GITHUB_OUTPUT"  
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
      - name: Read secrets from AWS Secrets Manager into environment variables
        id: get-argo-token
        run: |
          ARGO_TOKEN=$(aws secretsmanager get-secret-value --secret-id ta-github-workflow-automation-token | jq -r '.SecretString')
          echo "argo-token=$ARGO_TOKEN" >> "$GITHUB_OUTPUT"
      - name: create job name
        id: create-job-name
        shell: bash
        run: |
          RANDOM_STRING=$(head -3 /dev/urandom | tr -cd '[:lower:]' | cut -c -4)
          JOB_NAME=${{ needs.setup.outputs.job-name }}-${RANDOM_STRING}
          JOB_NAME=${JOB_NAME//TEST-TYPE/${{ env.TEST_TYPE }}-${{ matrix.browser }}}
          JOB_NAME=${JOB_NAME//[_.:]/-}
          JOB_NAME=$(echo "$JOB_NAME" | tr '[:upper:]' '[:lower:]')
          echo "job-name=$JOB_NAME" >> "$GITHUB_OUTPUT"
      - name: Splunk instance details
        id: splunk-instance-details
        if: ${{ needs.setup-workflow.outputs.delay-destroy-ui == 'Yes' }}
        shell: bash 
        run: |
          BOLD="\033[1m"
          NORMAL="\033[0m"
          echo "Splunk Web UI will be available at https://${{ steps.create-job-name.outputs.job-name }}.${{ needs.setup.outputs.spl-host-suffix }}:8000 after test execution starts"
          echo -e "Splunk username is${BOLD} admin${NORMAL}"
          echo "Splunk password is available in SecretServer shared folder: Shared Splunk - GDI - Lab Credentials under SPLUNK_DEPLOYMENT_PASSWORD"
      - name: run-tests
        id: run-tests
        timeout-minutes: 340
        continue-on-error: true
        env:
          ARGO_TOKEN: ${{ steps.get-argo-token.outputs.argo-token }}
        uses: splunk/wfe-test-runner-action@v1.6
        with:
          splunk: ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }}
          test-type: ${{ env.TEST_TYPE }}
          test-args: ${{ env.TEST_ARGS }}
          job-name: ${{ steps.create-job-name.outputs.job-name }}
          labels: ${{ needs.setup.outputs.labels }}
          workflow-tmpl-name: ${{ needs.setup.outputs.argo-workflow-tmpl-name }}
          workflow-template-ns: ${{ needs.setup.outputs.argo-namespace }}
          delay-destroy: ${{ needs.setup-workflow.outputs.delay-destroy-ui }}
          addon-url: ${{ needs.setup.outputs.addon-upload-path }}
          addon-name: ${{ needs.setup.outputs.addon-name }}
          vendor-version: ${{ matrix.vendor-version.image }}
          sc4s-version: "No"
          k8s-manifests-branch: ${{ needs.setup.outputs.k8s-manifests-branch }}
      - name: Read secrets from AWS Secrets Manager again into environment variables in case credential rotation
        id: update-argo-token
        if: ${{ !cancelled() }}
        run: |
          ARGO_TOKEN=$(aws secretsmanager get-secret-value --secret-id ta-github-workflow-automation-token | jq -r '.SecretString')
          echo "argo-token=$ARGO_TOKEN" >> "$GITHUB_OUTPUT"
      - name: calculate timeout
        id: calculate-timeout
        run: |
          start_time=${{ steps.capture-start-time.outputs.start_time }}
          current_time=$(date +%s)
          remaining_time_minutes=$(( 350-((current_time-start_time)/60) ))
          echo "remaining_time_minutes=$remaining_time_minutes" >> "$GITHUB_OUTPUT"
      - name: Check if pod was deleted
        id: is-pod-deleted
        timeout-minutes: ${{ fromJson(steps.calculate-timeout.outputs.remaining_time_minutes) }}
        if: ${{ !cancelled() }}
        shell: bash
        env:
          ARGO_TOKEN: ${{ steps.update-argo-token.outputs.argo-token }}
        run: |
          set -o xtrace
          if argo watch ${{ steps.run-tests.outputs.workflow-name }} -n workflows | grep "pod deleted" ; then
            echo "retry-workflow=true" >> "$GITHUB_OUTPUT"
          fi
      - name: Cancel workflow
        env:
          ARGO_TOKEN: ${{ steps.get-argo-token.outputs.argo-token }}
        if: ${{ cancelled() || steps.is-pod-deleted.outcome != 'success' }}
        run: |
          cancel_response=$(argo submit -v -o json --from wftmpl/${{ needs.setup.outputs.argo-cancel-workflow-tmpl-name }} -l workflows.argoproj.io/workflow-template=${{ needs.setup.outputs.argo-cancel-workflow-tmpl-name }} --argo-base-href '' -p workflow-to-cancel=${{ steps.run-tests.outputs.workflow-name }})
          cancel_workflow_name=$( echo "$cancel_response" |jq -r '.metadata.name' )
          cancel_logs=$(argo logs --follow "$cancel_workflow_name" -n workflows)
          if echo "$cancel_logs" | grep -q "workflow ${{ steps.run-tests.outputs.workflow-name }} stopped"; then
            echo "Workflow ${{ steps.run-tests.outputs.workflow-name }} stopped"
          else
            echo "Workflow ${{ steps.run-tests.outputs.workflow-name }} didn't stop"
            exit 1
          fi
      - name: Retrying workflow
        id: retry-wf
        shell: bash
        env:
          ARGO_TOKEN: ${{ steps.update-argo-token.outputs.argo-token }}
        if: ${{ !cancelled() }}
        run: |
          set -o xtrace
          set +e
          if [[ "${{ steps.is-pod-deleted.outputs.retry-workflow }}" == "true" ]]
          then
            WORKFLOW_NAME=$(argo resubmit -v -o json -n workflows "${{ steps.run-tests.outputs.workflow-name }}" | jq -r .metadata.name)
            echo "workflow-name=$WORKFLOW_NAME" >> "$GITHUB_OUTPUT"
            argo logs --follow "${WORKFLOW_NAME}" -n workflows || echo "... there was an error fetching logs, the workflow is still in progress. please wait for the workflow to complete ..."
          else
            echo "No retry required"
            argo wait "${{ steps.run-tests.outputs.workflow-name }}" -n workflows
            argo watch "${{ steps.run-tests.outputs.workflow-name }}" -n workflows | grep "test-addon"
          fi
      - name: check if workflow completed
        env:
          ARGO_TOKEN: ${{ steps.update-argo-token.outputs.argo-token }}
        if: ${{ !cancelled() }}
        shell: bash
        run: |
          set +e
          # shellcheck disable=SC2157
          if [ -z "${{ steps.retry-wf.outputs.workflow-name }}" ]; then
            WORKFLOW_NAME=${{ steps.run-tests.outputs.workflow-name }}
          else
            WORKFLOW_NAME="${{ steps.retry-wf.outputs.workflow-name }}"
          fi
          ARGO_STATUS=$(argo get "${WORKFLOW_NAME}" -n workflows -o json | jq -r '.status.phase')
          echo "Status of workflow:" "$ARGO_STATUS"
          while [ "$ARGO_STATUS" == "Running"  ] || [ "$ARGO_STATUS" == "Pending" ]
          do
              echo "... argo Workflow ${WORKFLOW_NAME} is running, waiting for it to complete."
              argo wait "${WORKFLOW_NAME}" -n workflows || true
              ARGO_STATUS=$(argo get "${WORKFLOW_NAME}" -n workflows -o json | jq -r '.status.phase')
          done
      - name: pull artifacts from s3 bucket
        if: ${{ !cancelled() }}
        run: |
          echo "pulling artifacts"
          aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/artifacts-${{ steps.create-job-name.outputs.job-name }}/${{ steps.create-job-name.outputs.job-name }}.tgz ${{ needs.setup.outputs.directory-path }}/
          tar -xf ${{ needs.setup.outputs.directory-path }}/${{ steps.create-job-name.outputs.job-name }}.tgz -C ${{ needs.setup.outputs.directory-path }}
      - name: pull logs from s3 bucket
        if: ${{ !cancelled() }}
        run: |
          # shellcheck disable=SC2157
          if [ -z "${{ steps.retry-wf.outputs.workflow-name }}" ]; then
            WORKFLOW_NAME=${{ steps.run-tests.outputs.workflow-name }}
          else
            WORKFLOW_NAME="${{ steps.retry-wf.outputs.workflow-name }}"
          fi
          echo "pulling logs"
          mkdir -p ${{ needs.setup.outputs.directory-path }}/argo-logs
          aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/${WORKFLOW_NAME}/ ${{ needs.setup.outputs.directory-path }}/argo-logs/ --recursive
      - uses: actions/upload-artifact@v3
        if: ${{ !cancelled() }}
        with:
          name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.browser }} ${{ matrix.vendor-version.image }} tests artifacts
          path: |
            ${{ needs.setup.outputs.directory-path }}/test-results
      - uses: actions/upload-artifact@v3
        if: ${{ !cancelled() }}
        with:
          name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.browser }} ${{ matrix.vendor-version.image }} tests logs
          path: |
            ${{ needs.setup.outputs.directory-path }}/argo-logs
      - name: Test Report
        id: test_report
        uses: dorny/test-reporter@v1
        if: ${{ !cancelled() }}
        with:
          name: splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.browser }} ${{ matrix.vendor-version.image }} test report
          path: "${{ needs.setup.outputs.directory-path }}/test-results/*.xml"
          reporter: java-junit
      - name: pull diag from s3 bucket
        if: ${{ failure() && steps.test_report.outputs.conclusion == 'failure' }}
        run: |
          echo "pulling diag"
          aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/diag-${{ steps.create-job-name.outputs.job-name }}/diag-${{ steps.create-job-name.outputs.job-name }}.tgz ${{ needs.setup.outputs.directory-path }}/
      - uses: actions/upload-artifact@v3
        if: ${{ failure() && steps.test_report.outputs.conclusion == 'failure' }}
        with:
          name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.browser }} ${{ matrix.vendor-version.image }} tests diag
          path: |
            ${{ needs.setup.outputs.directory-path }}/diag*

  run-modinput-tests:
    if: ${{ !cancelled() && needs.build.result == 'success' && needs.test-inventory.outputs.modinput_functional == 'true' && (needs.setup-workflow.outputs.execute-modinput_functional == 'Yes' || needs.setup-workflow.outputs.execute-modinput-labeled == 'true') }}
    needs:
      - build
      - test-inventory
      - setup
      - meta
      - setup-workflow
    runs-on: ubuntu-latest
    continue-on-error: ${{ matrix.python39 }}
    strategy:
      fail-fast: false
      matrix:
        splunk: ${{ fromJson(needs.meta.outputs.matrix_supportedSplunk) }}
        modinput-type: [ "modinput_functional" ]
        vendor-version: ${{ fromJson(needs.meta.outputs.matrix_supportedModinputFunctionalVendors) }}
        marker: ${{ fromJson(inputs.marker) }}
        python39: [false]
        include:
            - splunk: ${{ fromJson(needs.meta.outputs.python39_splunk) }}
              modinput-type: [ "modinput_functional" ]
              python39: true
    container:
      image: ghcr.io/splunk/workflow-engine-base:2.0.3
    env:
      ARGO_SERVER: ${{ needs.setup.outputs.argo-server }}
      ARGO_HTTP1: ${{ needs.setup.outputs.argo-http1 }}
      ARGO_SECURE: ${{ needs.setup.outputs.argo-secure }}
      ARGO_BASE_HREF: ${{ needs.setup.outputs.argo-href }}
      ARGO_NAMESPACE: ${{ needs.setup.outputs.argo-namespace }}
      SPLUNK_VERSION_BASE: ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }}
      TEST_TYPE: "modinput_functional"
      TEST_ARGS: ""
    permissions: 
      actions: read
      deployments: read
      contents: read
      packages: read
      statuses: read
      checks: write
    steps:
      - uses: actions/checkout@v3
        with:
          submodules: recursive
      - name: capture start time
        id: capture-start-time
        run: |
          echo "start_time=$(date +%s)" >> "$GITHUB_OUTPUT"
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
      - name: Read secrets from AWS Secrets Manager into environment variables
        id: get-argo-token
        run: |
          ARGO_TOKEN=$(aws secretsmanager get-secret-value --secret-id ta-github-workflow-automation-token | jq -r '.SecretString')
          echo "argo-token=$ARGO_TOKEN" >> "$GITHUB_OUTPUT"
      - name: create job name
        id: create-job-name
        shell: bash
        run: |
          RANDOM_STRING=$(head -3 /dev/urandom | tr -cd '[:lower:]' | cut -c -4)
          JOB_NAME=${{ needs.setup.outputs.job-name }}-${RANDOM_STRING}
          JOB_NAME=${JOB_NAME//TEST-TYPE/${{ env.TEST_TYPE }}}
          JOB_NAME=${JOB_NAME//[_.]/-}
          JOB_NAME=$(echo "$JOB_NAME" | tr '[:upper:]' '[:lower:]')
          echo "job-name=$JOB_NAME" >> "$GITHUB_OUTPUT"
      - name: Splunk instance details
        id: splunk-instance-details
        if: ${{ needs.setup-workflow.outputs.delay-destroy-modinput_functional == 'Yes' }}
        shell: bash 
        run: |
          BOLD="\033[1m"
          NORMAL="\033[0m"
          echo "Splunk Web UI will be available at https://${{ steps.create-job-name.outputs.job-name }}.${{ needs.setup.outputs.spl-host-suffix }}:8000 after test execution starts"
          echo -e "Splunk username is${BOLD} admin${NORMAL}"
          echo "Splunk password is available in SecretServer shared folder: Shared Splunk - GDI - Lab Credentials under SPLUNK_DEPLOYMENT_PASSWORD"
      - name: create test argument
        id: create-test-arg
        shell: bash
        run: |
          export comparing_variable="[]"
          if [ "${{ inputs.marker }}" == "$comparing_variable" ]
          then
            TEST_ARG_M=""
          else
            TEST_ARG_M="-m"
          fi
          echo "test-arg=$TEST_ARG_M" >> "$GITHUB_OUTPUT"
      - name: run-tests
        id: run-tests
        timeout-minutes: 340
        continue-on-error: true
        env:
          ARGO_TOKEN: ${{ steps.get-argo-token.outputs.argo-token }}
        uses: splunk/wfe-test-runner-action@v1.6
        with:
          splunk: ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }}
          test-type: ${{ env.TEST_TYPE }}
          test-args: ${{ env.TEST_ARGS }} ${{ steps.create-test-arg.outputs.test-arg }} ${{ matrix.marker }}
          job-name: ${{ steps.create-job-name.outputs.job-name }}
          labels: ${{ needs.setup.outputs.labels }}
          workflow-tmpl-name: ${{ needs.setup.outputs.argo-workflow-tmpl-name }}
          workflow-template-ns: ${{ needs.setup.outputs.argo-namespace }}
          delay-destroy: ${{ needs.setup-workflow.outputs.delay-destroy-modinput_functional }}
          addon-url: ${{ needs.setup.outputs.addon-upload-path }}
          addon-name: ${{ needs.setup.outputs.addon-name }}
          vendor-version: ${{ matrix.vendor-version.image }}
          sc4s-version: "No"
          k8s-manifests-branch: ${{ needs.setup.outputs.k8s-manifests-branch }}
      - name: Read secrets from AWS Secrets Manager again into environment variables in case credential rotation
        id: update-argo-token
        if: ${{ !cancelled() }}
        run: |
          ARGO_TOKEN=$(aws secretsmanager get-secret-value --secret-id ta-github-workflow-automation-token | jq -r '.SecretString')
          echo "argo-token=$ARGO_TOKEN" >> "$GITHUB_OUTPUT"
      - name: calculate timeout
        id: calculate-timeout
        run: |
          start_time=${{ steps.capture-start-time.outputs.start_time }}
          current_time=$(date +%s)
          remaining_time_minutes=$(( 350-((current_time-start_time)/60) ))
          echo "remaining_time_minutes=$remaining_time_minutes" >> "$GITHUB_OUTPUT"
      - name: Check if pod was deleted
        id: is-pod-deleted
        timeout-minutes: ${{ fromJson(steps.calculate-timeout.outputs.remaining_time_minutes) }}
        if: ${{ !cancelled() }}
        shell: bash
        env:
          ARGO_TOKEN: ${{ steps.update-argo-token.outputs.argo-token }}
        run: |
          set -o xtrace
          if argo watch ${{ steps.run-tests.outputs.workflow-name }} -n workflows | grep "pod deleted"; then
            echo "retry-workflow=true" >> "$GITHUB_OUTPUT"
          fi
      - name: Cancel workflow
        env:
          ARGO_TOKEN: ${{ steps.get-argo-token.outputs.argo-token }}
        if: ${{ cancelled() || steps.is-pod-deleted.outcome != 'success' }}
        run: |
          cancel_response=$(argo submit -v -o json --from wftmpl/${{ needs.setup.outputs.argo-cancel-workflow-tmpl-name }} -l workflows.argoproj.io/workflow-template=${{ needs.setup.outputs.argo-cancel-workflow-tmpl-name }} --argo-base-href '' -p workflow-to-cancel=${{ steps.run-tests.outputs.workflow-name }})
          cancel_workflow_name=$( echo "$cancel_response" |jq -r '.metadata.name' )
          cancel_logs=$(argo logs --follow "$cancel_workflow_name" -n workflows)
          if echo "$cancel_logs" | grep -q "workflow ${{ steps.run-tests.outputs.workflow-name }} stopped"; then
            echo "Workflow ${{ steps.run-tests.outputs.workflow-name }} stopped"
          else
            echo "Workflow ${{ steps.run-tests.outputs.workflow-name }} didn't stop"
            exit 1
          fi
      - name: Retrying workflow
        id: retry-wf
        shell: bash
        env:
          ARGO_TOKEN: ${{ steps.update-argo-token.outputs.argo-token }}
        if: ${{ !cancelled() }}
        run: |
          set -o xtrace
          set +e
          if [[ "${{ steps.is-pod-deleted.outputs.retry-workflow }}" == "true" ]]
          then
            WORKFLOW_NAME=$(argo resubmit -v -o json -n workflows "${{ steps.run-tests.outputs.workflow-name }}" | jq -r .metadata.name)
            echo "workflow-name=$WORKFLOW_NAME" >> "$GITHUB_OUTPUT"
            argo logs --follow "${WORKFLOW_NAME}" -n workflows || echo "... there was an error fetching logs, the workflow is still in progress. please wait for the workflow to complete ..."
          else
            echo "No retry required"
            argo wait "${{ steps.run-tests.outputs.workflow-name }}" -n workflows
            argo watch "${{ steps.run-tests.outputs.workflow-name }}" -n workflows | grep "test-addon"
          fi
      - name: check if workflow completed
        env:
          ARGO_TOKEN: ${{ steps.update-argo-token.outputs.argo-token }}
        if: ${{ !cancelled() }}
        shell: bash
        run: |
          set +e
          # shellcheck disable=SC2157
          if [ -z "${{ steps.retry-wf.outputs.workflow-name }}" ]; then
            WORKFLOW_NAME=${{ steps.run-tests.outputs.workflow-name }}
          else
            WORKFLOW_NAME="${{ steps.retry-wf.outputs.workflow-name }}"
          fi
          ARGO_STATUS=$(argo get "${WORKFLOW_NAME}" -n workflows -o json | jq -r '.status.phase')
          echo "Status of workflow:" "$ARGO_STATUS"
          while [ "$ARGO_STATUS" == "Running"  ] || [ "$ARGO_STATUS" == "Pending" ]
          do
              echo "... argo Workflow ${WORKFLOW_NAME} is running, waiting for it to complete."
              argo wait "${WORKFLOW_NAME}" -n workflows || true
              ARGO_STATUS=$(argo get "${WORKFLOW_NAME}" -n workflows -o json | jq -r '.status.phase')
          done
      - name: pull artifacts from s3 bucket
        if: ${{ !cancelled() }}
        run: |
          echo "pulling artifacts"
          aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/artifacts-${{ steps.create-job-name.outputs.job-name }}/${{ steps.create-job-name.outputs.job-name }}.tgz ${{ needs.setup.outputs.directory-path }}/
          tar -xf ${{ needs.setup.outputs.directory-path }}/${{ steps.create-job-name.outputs.job-name }}.tgz -C ${{ needs.setup.outputs.directory-path }}
      - name: pull logs from s3 bucket
        if: ${{ !cancelled() }}
        run: |
          # shellcheck disable=SC2157
          if [ -z "${{ steps.retry-wf.outputs.workflow-name }}" ]; then
            WORKFLOW_NAME=${{ steps.run-tests.outputs.workflow-name }}
          else
            WORKFLOW_NAME="${{ steps.retry-wf.outputs.workflow-name }}"
          fi
          echo "pulling logs"
          mkdir -p ${{ needs.setup.outputs.directory-path }}/argo-logs
          aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/${WORKFLOW_NAME}/ ${{ needs.setup.outputs.directory-path }}/argo-logs/ --recursive
      - uses: actions/upload-artifact@v3
        if: ${{ !cancelled() }}
        with:
          name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.vendor-version.image }} tests artifacts
          path: |
            ${{ needs.setup.outputs.directory-path }}/test-results
      - uses: actions/upload-artifact@v3
        if: ${{ !cancelled() }}
        with:
          name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.vendor-version.image }} tests logs
          path: |
            ${{ needs.setup.outputs.directory-path }}/argo-logs
      - name: Test Report
        id: test_report
        uses: dorny/test-reporter@v1
        if: ${{ !cancelled() }}
        with:
          name: splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.vendor-version.image }} test report
          path: "${{ needs.setup.outputs.directory-path }}/test-results/*.xml"
          reporter: java-junit
      - name: pull diag from s3 bucket
        if: ${{ failure() && steps.test_report.outputs.conclusion == 'failure' }}
        run: |
          echo "pulling diag"
          aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/diag-${{ steps.create-job-name.outputs.job-name }}/diag-${{ steps.create-job-name.outputs.job-name }}.tgz ${{ needs.setup.outputs.directory-path }}/
      - uses: actions/upload-artifact@v3
        if: ${{ failure() && steps.test_report.outputs.conclusion == 'failure' }}
        with:
          name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.vendor-version.image }} tests diag
          path: |
            ${{ needs.setup.outputs.directory-path }}/diag*

  run-scripted-input-tests-full-matrix:
    if: ${{ !cancelled() && needs.build.result == 'success' && needs.test-inventory.outputs.scripted_inputs == 'true' && ( github.base_ref == 'main' || github.ref_name == 'main' ) && (needs.setup-workflow.outputs.execute-scripted_inputs == 'Yes' || needs.setup-workflow.outputs.execute-scripted_inputs-labeled == 'true') }}
    needs:
      - build
      - test-inventory
      - setup
      - meta
      - setup-workflow
    runs-on: ubuntu-latest
    continue-on-error: ${{ matrix.python39 }}
    strategy:
      fail-fast: false
      matrix:
        splunk: ${{ fromJson(needs.meta.outputs.matrix_supportedSplunk) }}
        os: [ "ubuntu:14.04", "ubuntu:16.04","ubuntu:18.04","ubuntu:22.04", "centos:7", "redhat:8.0", "redhat:8.2", "redhat:8.3", "redhat:8.4", "redhat:8.5" ]
        python39: [false]
        include:
            - splunk: ${{ fromJson(needs.meta.outputs.python39_splunk) }}
              os: "ubuntu:22.04"
              python39: true
    container:
      image: ghcr.io/splunk/workflow-engine-base:2.0.3
    env:
      ARGO_SERVER: ${{ needs.setup.outputs.argo-server }}
      ARGO_HTTP1: ${{ needs.setup.outputs.argo-http1 }}
      ARGO_SECURE: ${{ needs.setup.outputs.argo-secure }}
      ARGO_BASE_HREF: ${{ needs.setup.outputs.argo-href }}
      ARGO_NAMESPACE: ${{ needs.setup.outputs.argo-namespace }}
      SPLUNK_VERSION_BASE: ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }}
      TEST_TYPE: "scripted_inputs"
    permissions: 
      actions: read
      deployments: read
      contents: read
      packages: read
      statuses: read
      checks: write
    steps:
      - uses: actions/checkout@v3
        with:
          submodules: recursive
      - name: capture start time
        id: capture-start-time
        run: |
          echo "start_time=$(date +%s)" >> "$GITHUB_OUTPUT"
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
      - name: Read secrets from AWS Secrets Manager into environment variables
        id: get-argo-token
        run: |
          ARGO_TOKEN=$(aws secretsmanager get-secret-value --secret-id ta-github-workflow-automation-token | jq -r '.SecretString')
          echo "argo-token=$ARGO_TOKEN" >> "$GITHUB_OUTPUT"
      - name: create job name
        id: create-job-name
        shell: bash
        run: |
          RANDOM_STRING=$(head -3 /dev/urandom | tr -cd '[:lower:]' | cut -c -4)
          JOB_NAME=${{ needs.setup.outputs.job-name }}-${RANDOM_STRING}
          JOB_NAME=${JOB_NAME//TEST-TYPE/${{ env.TEST_TYPE }}}
          JOB_NAME=${JOB_NAME//[_.]/-}
          JOB_NAME=$(echo "$JOB_NAME" | tr '[:upper:]' '[:lower:]')
          echo "job-name=$JOB_NAME" >> "$GITHUB_OUTPUT"
      - name: Splunk instance details
        id: splunk-instance-details
        if: ${{ needs.setup-workflow.outputs.delay-destroy-scripted_inputs == 'Yes' }}
        shell: bash 
        run: |
          BOLD="\033[1m"
          NORMAL="\033[0m"
          echo "Splunk Web UI will be available at https://${{ steps.create-job-name.outputs.job-name }}.${{ needs.setup.outputs.spl-host-suffix }}:8000 after test execution starts"
          echo -e "Splunk username is${BOLD} admin${NORMAL}"
          echo "Splunk password is available in SecretServer shared folder: Shared Splunk - GDI - Lab Credentials under SPLUNK_DEPLOYMENT_PASSWORD"
      - name: get os name and version
        id: os-name-version
        shell: bash
        run: |
          OS_NAME_VERSION=${{ matrix.os }}
          # shellcheck disable=SC2206
          OS_NAME_VERSION=(${OS_NAME_VERSION//:/ })
          OS_NAME=${OS_NAME_VERSION[0]}
          OS_VERSION=${OS_NAME_VERSION[1]}
          {
          echo "os-name=$OS_NAME"
          echo "os-version=$OS_VERSION"
          } >> "$GITHUB_OUTPUT"
      - name: run-tests
        id: run-tests
        timeout-minutes: 340
        continue-on-error: true
        env:
          ARGO_TOKEN: ${{ steps.get-argo-token.outputs.argo-token }}
        uses: splunk/wfe-test-runner-action@v1.6
        with:
          splunk: ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }}
          test-type: ${{ env.TEST_TYPE }}
          test-args: "--hostname=spl --os-name=${{ steps.os-name-version.outputs.os-name }} --os-version=${{ steps.os-name-version.outputs.os-version }} -m script_input"
          job-name: ${{ steps.create-job-name.outputs.job-name }}
          labels: ${{ needs.setup.outputs.labels }}
          workflow-tmpl-name: ${{ needs.setup.outputs.argo-workflow-tmpl-name }}
          workflow-template-ns: ${{ needs.setup.outputs.argo-namespace }}
          delay-destroy: ${{ needs.setup-workflow.outputs.delay-destroy-scripted_inputs }}
          addon-url: ${{ needs.setup.outputs.addon-upload-path }}
          addon-name: ${{ needs.setup.outputs.addon-name }}
          vendor-version: ${{ matrix.vendor-version.image }}
          sc4s-version: "No"
          os-name: ${{ steps.os-name-version.outputs.os-name }}
          os-version: ${{ steps.os-name-version.outputs.os-version }}
          k8s-manifests-branch: ${{ needs.setup.outputs.k8s-manifests-branch }}
      - name: calculate timeout
        id: calculate-timeout
        run: |
          start_time=${{ steps.capture-start-time.outputs.start_time }}
          current_time=$(date +%s)
          remaining_time_minutes=$(( 350-((current_time-start_time)/60) ))
          echo "remaining_time_minutes=$remaining_time_minutes" >> "$GITHUB_OUTPUT"
      - name: Check if pod was deleted
        id: is-pod-deleted
        timeout-minutes: ${{ fromJson(steps.calculate-timeout.outputs.remaining_time_minutes) }}
        if: ${{ !cancelled() }}
        shell: bash
        env:
          ARGO_TOKEN: ${{ steps.get-argo-token.outputs.argo-token }}
        run: |
          set -o xtrace
          if argo watch ${{ steps.run-tests.outputs.workflow-name }} -n workflows | grep "pod deleted"; then
            echo "retry-workflow=true" >> "$GITHUB_OUTPUT"
          fi
      - name: Cancel workflow
        env:
          ARGO_TOKEN: ${{ steps.get-argo-token.outputs.argo-token }}
        if: ${{ cancelled() || steps.is-pod-deleted.outcome != 'success' }}
        run: |
          cancel_response=$(argo submit -v -o json --from wftmpl/${{ needs.setup.outputs.argo-cancel-workflow-tmpl-name }} -l workflows.argoproj.io/workflow-template=${{ needs.setup.outputs.argo-cancel-workflow-tmpl-name }} --argo-base-href '' -p workflow-to-cancel=${{ steps.run-tests.outputs.workflow-name }})
          cancel_workflow_name=$( echo "$cancel_response" |jq -r '.metadata.name' )
          cancel_logs=$(argo logs --follow "$cancel_workflow_name" -n workflows)
          if echo "$cancel_logs" | grep -q "workflow ${{ steps.run-tests.outputs.workflow-name }} stopped"; then
            echo "Workflow ${{ steps.run-tests.outputs.workflow-name }} stopped"
          else
            echo "Workflow ${{ steps.run-tests.outputs.workflow-name }} didn't stop"
            exit 1
          fi
      - name: Retrying workflow
        id: retry-wf
        shell: bash
        env:
          ARGO_TOKEN: ${{ steps.get-argo-token.outputs.argo-token }}
        if: ${{ !cancelled() }}
        run: |
          set -o xtrace
          set +e
          if [[ "${{ steps.is-pod-deleted.outputs.retry-workflow }}" == "true" ]]
          then
            WORKFLOW_NAME=$(argo resubmit -v -o json -n workflows "${{ steps.run-tests.outputs.workflow-name }}" | jq -r .metadata.name)
            echo "workflow-name=$WORKFLOW_NAME" >> "$GITHUB_OUTPUT"
            argo logs --follow "${WORKFLOW_NAME}" -n workflows || echo "... there was an error fetching logs, the workflow is still in progress. please wait for the workflow to complete ..."
          else
            echo "No retry required"
            argo wait "${{ steps.run-tests.outputs.workflow-name }}" -n workflows
            argo watch "${{ steps.run-tests.outputs.workflow-name }}" -n workflows | grep "test-addon"
          fi
      - name: check if workflow completed
        env:
          ARGO_TOKEN: ${{ steps.get-argo-token.outputs.argo-token }}
        if: ${{ !cancelled() }}
        shell: bash
        run: |
          set +e
          # shellcheck disable=SC2157
          if [ -z "${{ steps.retry-wf.outputs.workflow-name }}" ]; then
            WORKFLOW_NAME=${{ steps.run-tests.outputs.workflow-name }}
          else
            WORKFLOW_NAME="${{ steps.retry-wf.outputs.workflow-name }}"
          fi
          ARGO_STATUS=$(argo get "${WORKFLOW_NAME}" -n workflows -o json | jq -r '.status.phase')
          echo "Status of workflow:" "$ARGO_STATUS"
          while [ "$ARGO_STATUS" == "Running"  ] || [ "$ARGO_STATUS" == "Pending" ]
          do
              echo "... argo Workflow ${WORKFLOW_NAME} is running, waiting for it to complete."
              argo wait "${WORKFLOW_NAME}" -n workflows || true
              ARGO_STATUS=$(argo get "${WORKFLOW_NAME}" -n workflows -o json | jq -r '.status.phase')
          done
      - name: pull artifacts from s3 bucket
        if: ${{ !cancelled() }}
        run: |
          echo "pulling artifacts"
          aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/artifacts-${{ steps.create-job-name.outputs.job-name }}/${{ steps.create-job-name.outputs.job-name }}.tgz ${{ needs.setup.outputs.directory-path }}/
          tar -xf ${{ needs.setup.outputs.directory-path }}/${{ steps.create-job-name.outputs.job-name }}.tgz -C ${{ needs.setup.outputs.directory-path }}
      - name: pull logs from s3 bucket
        if: ${{ !cancelled() }}
        run: |
          # shellcheck disable=SC2157
          if [ -z "${{ steps.retry-wf.outputs.workflow-name }}" ]; then
            WORKFLOW_NAME=${{ steps.run-tests.outputs.workflow-name }}
          else
            WORKFLOW_NAME="${{ steps.retry-wf.outputs.workflow-name }}"
          fi
          echo "pulling logs"
          mkdir -p ${{ needs.setup.outputs.directory-path }}/argo-logs
          aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/${WORKFLOW_NAME}/ ${{ needs.setup.outputs.directory-path }}/argo-logs/ --recursive
      - uses: actions/upload-artifact@v3
        if: ${{ !cancelled() }}
        with:
          name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.vendor-version.image }} ${{ steps.os-name-version.outputs.os-name }} ${{ steps.os-name-version.outputs.os-version }} tests artifacts
          path: |
            ${{ needs.setup.outputs.directory-path }}/test-results
      - uses: actions/upload-artifact@v3
        if: ${{ !cancelled() }}
        with:
          name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.vendor-version.image }} ${{ steps.os-name-version.outputs.os-name }} ${{ steps.os-name-version.outputs.os-version }} tests logs
          path: |
            ${{ needs.setup.outputs.directory-path }}/argo-logs
      - name: Test Report
        id: test_report
        uses: dorny/test-reporter@v1
        if: ${{ !cancelled() }}
        with:
          name: splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.vendor-version.image }} ${{ steps.os-name-version.outputs.os-name }} ${{ steps.os-name-version.outputs.os-version }}  test report
          path: "${{ needs.setup.outputs.directory-path }}/test-results/*.xml"
          reporter: java-junit
      - name: pull diag from s3 bucket
        if: ${{ failure() && steps.test_report.outputs.conclusion == 'failure' }}
        run: |
          echo "pulling diag"
          aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/diag-${{ steps.create-job-name.outputs.job-name }}/diag-${{ steps.create-job-name.outputs.job-name }}.tgz ${{ needs.setup.outputs.directory-path }}/
      - uses: actions/upload-artifact@v3
        if: ${{ failure() && steps.test_report.outputs.conclusion == 'failure' }}
        with:
          name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.vendor-version.image }} ${{ steps.os-name-version.outputs.os-name }} ${{ steps.os-name-version.outputs.os-version }} tests diag
          path: |
            ${{ needs.setup.outputs.directory-path }}/diag*

  run-scripted-input-tests-canary:
    if: ${{ !cancelled() && needs.build.result == 'success' && needs.test-inventory.outputs.scripted_inputs == 'true' && ( github.base_ref == 'develop' || github.ref_name == 'develop' ) && (needs.setup-workflow.outputs.execute-scripted_inputs == 'Yes' || needs.setup-workflow.outputs.execute-scripted_inputs-labeled == 'true') }}
    needs:
      - build
      - test-inventory
      - setup
      - meta
      - setup-workflow
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        splunk: ${{ fromJson(needs.meta.outputs.matrix_supportedSplunk) }}
        os: [ "ubuntu:22.04", "centos:7","redhat:8.5" ]
    container:
      image: ghcr.io/splunk/workflow-engine-base:2.0.3
    env:
      ARGO_SERVER: ${{ needs.setup.outputs.argo-server }}
      ARGO_HTTP1: ${{ needs.setup.outputs.argo-http1 }}
      ARGO_SECURE: ${{ needs.setup.outputs.argo-secure }}
      ARGO_BASE_HREF: ${{ needs.setup.outputs.argo-href }}
      ARGO_NAMESPACE: ${{ needs.setup.outputs.argo-namespace }}
      SPLUNK_VERSION_BASE: ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }}
      TEST_TYPE: "scripted_inputs"
    permissions: 
      actions: read
      deployments: read
      contents: read
      packages: read
      statuses: read
      checks: write
    steps:
      - uses: actions/checkout@v3
        with:
          submodules: recursive
      - name: capture start time
        id: capture-start-time
        run: |
          echo "start_time=$(date +%s)" >> "$GITHUB_OUTPUT"
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
      - name: Read secrets from AWS Secrets Manager into environment variables
        id: get-argo-token
        run: |
          ARGO_TOKEN=$(aws secretsmanager get-secret-value --secret-id ta-github-workflow-automation-token | jq -r '.SecretString')
          echo "argo-token=$ARGO_TOKEN" >> "$GITHUB_OUTPUT"
      - name: create job name
        id: create-job-name
        shell: bash
        run: |
          RANDOM_STRING=$(head -3 /dev/urandom | tr -cd '[:lower:]' | cut -c -4)
          JOB_NAME=${{ needs.setup.outputs.job-name }}-${RANDOM_STRING}
          JOB_NAME=${JOB_NAME//TEST-TYPE/${{ env.TEST_TYPE }}}
          JOB_NAME=${JOB_NAME//[_.]/-}
          JOB_NAME=$(echo "$JOB_NAME" | tr '[:upper:]' '[:lower:]')
          echo "job-name=$JOB_NAME" >> "$GITHUB_OUTPUT"
      - name: Splunk instance details 
        id: splunk-instance-details
        if: ${{ needs.setup-workflow.outputs.delay-destroy-scripted_inputs == 'Yes' }}
        shell: bash 
        run: |
          BOLD="\033[1m"
          NORMAL="\033[0m"
          echo "Splunk Web UI will be available at https://${{ steps.create-job-name.outputs.job-name }}.${{ needs.setup.outputs.spl-host-suffix }}:8000 after test execution starts"
          echo -e "Splunk username is${BOLD} admin${NORMAL}"
          echo "Splunk password is available in SecretServer shared folder: Shared Splunk - GDI - Lab Credentials under SPLUNK_DEPLOYMENT_PASSWORD"
      - name: get os name and version
        id: os-name-version
        shell: bash
        run: |
          OS_NAME_VERSION=${{ matrix.os }}
          OS_NAME_VERSION=("${OS_NAME_VERSION//:/ }")
          OS_NAME=${OS_NAME_VERSION[0]}
          OS_VERSION=${OS_NAME_VERSION[1]}
          {
          echo "os-name=$OS_NAME"
          echo "os-version=$OS_VERSION"
          } >> "$GITHUB_OUTPUT"
      - name: run-tests
        id: run-tests
        timeout-minutes: 340
        continue-on-error: true
        env:
          ARGO_TOKEN: ${{ steps.get-argo-token.outputs.argo-token }}
        uses: splunk/wfe-test-runner-action@v1.6
        with:
          splunk: ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }}
          test-type: ${{ env.TEST_TYPE }}
          test-args: "--hostname=spl --os-name=${{ steps.os-name-version.outputs.os-name }} --os-version=${{ steps.os-name-version.outputs.os-version }} -m script_input"
          job-name: ${{ steps.create-job-name.outputs.job-name }}
          labels: ${{ needs.setup.outputs.labels }}
          workflow-tmpl-name: ${{ needs.setup.outputs.argo-workflow-tmpl-name }}
          workflow-template-ns: ${{ needs.setup.outputs.argo-namespace }}
          delay-destroy: ${{ needs.setup-workflow.outputs.delay-destroy-scripted_inputs }}
          addon-url: ${{ needs.setup.outputs.addon-upload-path }}
          addon-name: ${{ needs.setup.outputs.addon-name }}
          vendor-version: ${{ matrix.vendor-version.image }}
          sc4s-version: "No"
          os-name: ${{ steps.os-name-version.outputs.os-name }}
          os-version: ${{ steps.os-name-version.outputs.os-version }}
          k8s-manifests-branch: ${{ needs.setup.outputs.k8s-manifests-branch }}
      - name: calculate timeout
        id: calculate-timeout
        run: |
          start_time=${{ steps.capture-start-time.outputs.start_time }}
          current_time=$(date +%s)
          remaining_time_minutes=$(( 350-((current_time-start_time)/60) ))
          echo "remaining_time_minutes=$remaining_time_minutes" >> "$GITHUB_OUTPUT"
      - name: Check if pod was deleted
        id: is-pod-deleted
        timeout-minutes: ${{ fromJson(steps.calculate-timeout.outputs.remaining_time_minutes) }}
        if: ${{ !cancelled() }}
        shell: bash
        env:
          ARGO_TOKEN: ${{ steps.get-argo-token.outputs.argo-token }}
        run: |
          set -o xtrace
          if argo watch ${{ steps.run-tests.outputs.workflow-name }} -n workflows | grep "pod deleted"; then
            echo "retry-workflow=true" >> "$GITHUB_OUTPUT"
          fi
      - name: Cancel workflow
        env:
          ARGO_TOKEN: ${{ steps.get-argo-token.outputs.argo-token }}
        if: ${{ cancelled() || steps.is-pod-deleted.outcome != 'success' }}
        run: |
          cancel_response=$(argo submit -v -o json --from wftmpl/${{ needs.setup.outputs.argo-cancel-workflow-tmpl-name }} -l workflows.argoproj.io/workflow-template=${{ needs.setup.outputs.argo-cancel-workflow-tmpl-name }} --argo-base-href '' -p workflow-to-cancel=${{ steps.run-tests.outputs.workflow-name }})
          cancel_workflow_name=$( echo "$cancel_response" |jq -r '.metadata.name' )
          cancel_logs=$(argo logs --follow "$cancel_workflow_name" -n workflows)
          if echo "$cancel_logs" | grep -q "workflow ${{ steps.run-tests.outputs.workflow-name }} stopped"; then
            echo "Workflow ${{ steps.run-tests.outputs.workflow-name }} stopped"
          else
            echo "Workflow ${{ steps.run-tests.outputs.workflow-name }} didn't stop"
            exit 1
          fi
      - name: Retrying workflow
        id: retry-wf
        shell: bash
        env:
          ARGO_TOKEN: ${{ steps.get-argo-token.outputs.argo-token }}
        if: ${{ !cancelled() }}
        run: |
          set -o xtrace
          set +e
          if [[ "${{ steps.is-pod-deleted.outputs.retry-workflow }}" == "true" ]]
          then
            WORKFLOW_NAME=$(argo resubmit -v -o json -n workflows "${{ steps.run-tests.outputs.workflow-name }}" | jq -r .metadata.name)
            echo "workflow-name=$WORKFLOW_NAME" >> "$GITHUB_OUTPUT"
            argo logs --follow "${WORKFLOW_NAME}" -n workflows || echo "... there was an error fetching logs, the workflow is still in progress. please wait for the workflow to complete ..."
          else
            echo "No retry required"
            argo wait "${{ steps.run-tests.outputs.workflow-name }}" -n workflows
            argo watch "${{ steps.run-tests.outputs.workflow-name }}" -n workflows | grep "test-addon"
          fi
      - name: check if workflow completed
        env:
          ARGO_TOKEN: ${{ steps.get-argo-token.outputs.argo-token }}
        if: ${{ !cancelled() }}
        shell: bash
        run: |
          set +e
          # shellcheck disable=SC2157
          if [ -z "${{ steps.retry-wf.outputs.workflow-name }}" ]; then
            WORKFLOW_NAME=${{ steps.run-tests.outputs.workflow-name }}
          else
            WORKFLOW_NAME="${{ steps.retry-wf.outputs.workflow-name }}"
          fi
          ARGO_STATUS=$(argo get "${WORKFLOW_NAME}" -n workflows -o json | jq -r '.status.phase')
          echo "Status of workflow:" "$ARGO_STATUS"
          while [ "$ARGO_STATUS" == "Running"  ] || [ "$ARGO_STATUS" == "Pending" ]
          do
              echo "... argo Workflow ${WORKFLOW_NAME} is running, waiting for it to complete."
              argo wait "${WORKFLOW_NAME}" -n workflows || true
              ARGO_STATUS=$(argo get "${WORKFLOW_NAME}" -n workflows -o json | jq -r '.status.phase')
          done
      - name: pull artifacts from s3 bucket
        if: ${{ !cancelled() }}
        run: |
          echo "pulling artifacts"
          aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/artifacts-${{ steps.create-job-name.outputs.job-name }}/${{ steps.create-job-name.outputs.job-name }}.tgz ${{ needs.setup.outputs.directory-path }}/
          tar -xf ${{ needs.setup.outputs.directory-path }}/${{ steps.create-job-name.outputs.job-name }}.tgz -C ${{ needs.setup.outputs.directory-path }}
      - name: pull logs from s3 bucket
        if: ${{ !cancelled() }}
        run: |
          # shellcheck disable=SC2157
          if [ -z "${{ steps.retry-wf.outputs.workflow-name }}" ]; then
            WORKFLOW_NAME=${{ steps.run-tests.outputs.workflow-name }}
          else
            WORKFLOW_NAME="${{ steps.retry-wf.outputs.workflow-name }}"
          fi
          echo "pulling logs"
          mkdir -p ${{ needs.setup.outputs.directory-path }}/argo-logs
          aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/${WORKFLOW_NAME}/ ${{ needs.setup.outputs.directory-path }}/argo-logs/ --recursive
      - uses: actions/upload-artifact@v3
        if: ${{ !cancelled() }}
        with:
          name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.vendor-version.image }} ${{ steps.os-name-version.outputs.os-name }} ${{ steps.os-name-version.outputs.os-version }} tests artifacts
          path: |
            ${{ needs.setup.outputs.directory-path }}/test-results
      - uses: actions/upload-artifact@v3
        if: ${{ !cancelled() }}
        with:
          name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.vendor-version.image }} ${{ steps.os-name-version.outputs.os-name }} ${{ steps.os-name-version.outputs.os-version }} tests logs
          path: |
            ${{ needs.setup.outputs.directory-path }}/argo-logs
      - name: Test Report
        id: test_report
        uses: dorny/test-reporter@v1
        if: ${{ !cancelled() && !contains(matrix.splunk.version, 'unreleased-python3_9') }}
        with:
          name: splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.vendor-version.image }} ${{ steps.os-name-version.outputs.os-name }} ${{ steps.os-name-version.outputs.os-version }}  test report
          path: "${{ needs.setup.outputs.directory-path }}/test-results/*.xml"
          reporter: java-junit
      - name: Test Report Python 3.9
        continue-on-error: true
        id: test_report_python_3_9
        uses: dorny/test-reporter@v1
        if: ${{ !cancelled() && contains(matrix.splunk.version, 'unreleased-python3_9') }}
        with:
          name: splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.vendor-version.image }} ${{ steps.os-name-version.outputs.os-name }} ${{ steps.os-name-version.outputs.os-version }}  test report
          path: "${{ needs.setup.outputs.directory-path }}/test-results/*.xml"
          reporter: java-junit
      - name: pull diag from s3 bucket
        if: ${{ failure() && steps.test_report.outputs.conclusion == 'failure' }}
        run: |
          echo "pulling diag"
          aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/diag-${{ steps.create-job-name.outputs.job-name }}/diag-${{ steps.create-job-name.outputs.job-name }}.tgz ${{ needs.setup.outputs.directory-path }}/
      - uses: actions/upload-artifact@v3
        if: ${{ failure() && steps.test_report.outputs.conclusion == 'failure' }}
        with:
          name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.vendor-version.image }} ${{ steps.os-name-version.outputs.os-name }} ${{ steps.os-name-version.outputs.os-version }} tests diag
          path: |
            ${{ needs.setup.outputs.directory-path }}/diag*

  run-escu-tests:
    if: ${{ !cancelled() && needs.build.result == 'success' && needs.test-inventory.outputs.escu == 'true' && ( github.base_ref == 'main' || github.ref_name == 'main' || github.base_ref == 'develop' || github.ref_name == 'develop' ) && (needs.setup-workflow.outputs.execute-escu == 'Yes' || needs.setup-workflow.outputs.execute-escu-labeled == 'true') }}
    needs:
      - build
      - test-inventory
      - setup
      - meta
      - setup-workflow
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        splunk: ${{ fromJson(needs.meta.outputs.matrix_latestSplunk) }}
    container:
      image: ghcr.io/splunk/workflow-engine-base:2.0.3
    env:
      ARGO_SERVER: ${{ needs.setup.outputs.argo-server }}
      ARGO_HTTP1: ${{ needs.setup.outputs.argo-http1 }}
      ARGO_SECURE: ${{ needs.setup.outputs.argo-secure }}
      ARGO_BASE_HREF: ${{ needs.setup.outputs.argo-href }}
      ARGO_NAMESPACE: ${{ needs.setup.outputs.argo-namespace }}
      SPLUNK_VERSION_BASE: ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }}
      TEST_TYPE: "escu"
    permissions: 
      actions: read
      deployments: read
      contents: read
      packages: read
      statuses: read
      checks: write
    steps:
      - uses: actions/checkout@v3
        with:
          submodules: recursive
      - name: capture start time
        id: capture-start-time
        run: |
          echo "start_time=$(date +%s)" >> "$GITHUB_OUTPUT"
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
      - name: Read secrets from AWS Secrets Manager into environment variables
        id: get-argo-token
        run: |
          ARGO_TOKEN=$(aws secretsmanager get-secret-value --secret-id ta-github-workflow-automation-token | jq -r '.SecretString')
          echo "argo-token=$ARGO_TOKEN" >> "$GITHUB_OUTPUT"
      - name: create job name
        id: create-job-name
        shell: bash
        run: |
          RANDOM_STRING=$(head -3 /dev/urandom | tr -cd '[:lower:]' | cut -c -4)
          JOB_NAME=${{ needs.setup.outputs.job-name }}-${RANDOM_STRING}
          JOB_NAME=${JOB_NAME//TEST-TYPE/${{ env.TEST_TYPE }}}
          JOB_NAME=${JOB_NAME//[_.]/-}
          JOB_NAME=$(echo "$JOB_NAME" | tr '[:upper:]' '[:lower:]')
          echo "job-name=$JOB_NAME" >> "$GITHUB_OUTPUT"
      - name: Splunk instance details
        id: splunk-instance-details
        if: ${{ needs.setup-workflow.outputs.delay-destroy-escu == 'Yes' }}
        shell: bash 
        run: |
          BOLD="\033[1m"
          NORMAL="\033[0m"
          echo "Splunk Web UI will be available at https://${{ steps.create-job-name.outputs.job-name }}.${{ needs.setup.outputs.spl-host-suffix }}:8000 after test execution starts"
          echo -e "Splunk username is${BOLD} admin${NORMAL}"
          echo "Splunk password is available in SecretServer shared folder: Shared Splunk - GDI - Lab Credentials under SPLUNK_DEPLOYMENT_PASSWORD"
      - name: get escu detections
        id: get-escu-detections
        run: |
          RUN_TEST=false
          # shellcheck disable=SC2002
          DETECTIONS=$(cat tests/escu/.escu_detections | tr '\n' ',' | tr -d "[:space:]")
          if [ -z "$DETECTIONS" ]
          then
                echo "Detection list is empty."
          else
                RUN_TEST=true
          fi
          DETECTIONS="-tf $DETECTIONS"
          {
          echo "escu-detections=$DETECTIONS"
          echo "escu-test-run=$RUN_TEST"
          } >> "$GITHUB_OUTPUT"
      - name: run-tests
        id: run-tests
        timeout-minutes: 340
        continue-on-error: true
        if: ${{ steps.get-escu-detections.outputs.escu-test-run == 'true' }}
        env:
          ARGO_TOKEN: ${{ steps.get-argo-token.outputs.argo-token }}
        uses: splunk/wfe-test-runner-action@v1.6
        with:
          splunk: ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }}
          test-type: ${{ env.TEST_TYPE }}
          test-args: ${{ steps.get-escu-detections.outputs.escu-detections }}
          job-name: ${{ steps.create-job-name.outputs.job-name }}
          labels: ${{ needs.setup.outputs.labels }}
          workflow-tmpl-name: ${{ needs.setup.outputs.argo-workflow-tmpl-name }}
          workflow-template-ns: ${{ needs.setup.outputs.argo-namespace }}
          delay-destroy: ${{ needs.setup-workflow.outputs.delay-destroy-escu }}
          addon-url: ${{ needs.setup.outputs.addon-upload-path }}
          addon-name: ${{ needs.setup.outputs.addon-name }}
          vendor-version: ${{ matrix.vendor-version.image }}
          sc4s-version: "No"
          k8s-manifests-branch: ${{ needs.setup.outputs.k8s-manifests-branch }}
      - name: calculate timeout
        id: calculate-timeout
        run: |
          start_time=${{ steps.capture-start-time.outputs.start_time }}
          current_time=$(date +%s)
          remaining_time_minutes=$(( 350-((current_time-start_time)/60) ))
          echo "remaining_time_minutes=$remaining_time_minutes" >> "$GITHUB_OUTPUT"
      - name: Check if pod was deleted
        id: is-pod-deleted
        timeout-minutes: ${{ fromJson(steps.calculate-timeout.outputs.remaining_time_minutes) }}
        if: ${{ steps.get-escu-detections.outputs.escu-test-run == 'true' }}
        shell: bash
        env:
          ARGO_TOKEN: ${{ steps.get-argo-token.outputs.argo-token }}
        run: |
          set -o xtrace
          if argo watch ${{ steps.run-tests.outputs.workflow-name }} -n workflows | grep "pod deleted"; then
            echo "retry-workflow=true" >> "$GITHUB_OUTPUT"
          fi
      - name: Cancel workflow
        env:
          ARGO_TOKEN: ${{ steps.get-argo-token.outputs.argo-token }}
        if: ${{ cancelled() }}
        run: |
          cancel_response=$(argo submit -v -o json --from wftmpl/${{ needs.setup.outputs.argo-cancel-workflow-tmpl-name }} -l workflows.argoproj.io/workflow-template=${{ needs.setup.outputs.argo-cancel-workflow-tmpl-name }} --argo-base-href '' -p workflow-to-cancel=${{ steps.run-tests.outputs.workflow-name }})
          cancel_workflow_name=$( echo "$cancel_response" |jq -r '.metadata.name' )
          cancel_logs=$(argo logs --follow "$cancel_workflow_name" -n workflows)
          if echo "$cancel_logs" | grep -q "workflow ${{ steps.run-tests.outputs.workflow-name }} stopped"; then
            echo "Workflow ${{ steps.run-tests.outputs.workflow-name }} stopped"
          else
            echo "Workflow ${{ steps.run-tests.outputs.workflow-name }} didn't stop"
            exit 1
          fi
      - name: Retrying workflow
        id: retry-wf
        shell: bash
        env:
          ARGO_TOKEN: ${{ steps.get-argo-token.outputs.argo-token }}
        if: ${{ steps.get-escu-detections.outputs.escu-test-run == 'true' }}
        run: |
          set -o xtrace
          set +e
          if [[ "${{ steps.is-pod-deleted.outputs.retry-workflow }}" == "true" ]]
          then
            WORKFLOW_NAME=$(argo resubmit -v -o json -n workflows "${{ steps.run-tests.outputs.workflow-name }}" | jq -r .metadata.name)
            echo "workflow-name=$WORKFLOW_NAME" >> "$GITHUB_OUTPUT"
            argo logs --follow "${WORKFLOW_NAME}" -n workflows || echo "... there was an error fetching logs, the workflow is still in progress. please wait for the workflow to complete ..."
          else
            echo "No retry required"
            argo wait "${{ steps.run-tests.outputs.workflow-name }}" -n workflows
            argo watch "${{ steps.run-tests.outputs.workflow-name }}" -n workflows | grep "test-addon"
          fi
      - name: check if workflow completed
        env:
          ARGO_TOKEN: ${{ steps.get-argo-token.outputs.argo-token }}
        if: ${{ steps.get-escu-detections.outputs.escu-test-run == 'true' }}
        shell: bash
        run: |
          set +e
          # shellcheck disable=SC2157
          if [ -z "${{ steps.retry-wf.outputs.workflow-name }}" ]; then
            WORKFLOW_NAME=${{ steps.run-tests.outputs.workflow-name }}
          else
            WORKFLOW_NAME="${{ steps.retry-wf.outputs.workflow-name }}"
          fi
          ARGO_STATUS=$(argo get "${WORKFLOW_NAME}" -n workflows -o json | jq -r '.status.phase')
          echo "Status of workflow:" "$ARGO_STATUS"
          while [ "$ARGO_STATUS" == "Running"  ] || [ "$ARGO_STATUS" == "Pending" ]
          do
              echo "... argo Workflow ${WORKFLOW_NAME} is running, waiting for it to complete."
              argo wait "${WORKFLOW_NAME}" -n workflows || true
              ARGO_STATUS=$(argo get "${WORKFLOW_NAME}" -n workflows -o json | jq -r '.status.phase')
          done
      - name: pull artifacts from s3 bucket
        if: ${{ steps.get-escu-detections.outputs.escu-test-run == 'true' }}
        run: |
          echo "pulling artifacts"
          aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/artifacts-${{ steps.create-job-name.outputs.job-name }}/${{ steps.create-job-name.outputs.job-name }}.tgz ${{ needs.setup.outputs.directory-path }}/
          tar -xf ${{ needs.setup.outputs.directory-path }}/${{ steps.create-job-name.outputs.job-name }}.tgz -C ${{ needs.setup.outputs.directory-path }}
      - name: pull logs from s3 bucket
        if: ${{ steps.get-escu-detections.outputs.escu-test-run == 'true' }}
        run: |
          # shellcheck disable=SC2157
          if [ -z "${{ steps.retry-wf.outputs.workflow-name }}" ]; then
            WORKFLOW_NAME=${{ steps.run-tests.outputs.workflow-name }}
          else
            WORKFLOW_NAME="${{ steps.retry-wf.outputs.workflow-name }}"
          fi
          echo "pulling logs"
          mkdir -p ${{ needs.setup.outputs.directory-path }}/argo-logs
          aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/${WORKFLOW_NAME}/ ${{ needs.setup.outputs.directory-path }}/argo-logs/ --recursive
      - uses: actions/upload-artifact@v3
        if: ${{ steps.get-escu-detections.outputs.escu-test-run == 'true' }}
        with:
          name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.vendor-version.image }} ${{ steps.os-name-version.outputs.os-name }} ${{ steps.os-name-version.outputs.os-version }} tests artifacts
          path: |
            ${{ needs.setup.outputs.directory-path }}/test-results
      - uses: actions/upload-artifact@v3
        if: ${{ steps.get-escu-detections.outputs.escu-test-run == 'true' }}
        with:
          name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.vendor-version.image }} ${{ steps.os-name-version.outputs.os-name }} ${{ steps.os-name-version.outputs.os-version }} tests logs
          path: |
            ${{ needs.setup.outputs.directory-path }}/argo-logs
      - name: Upload results
        if: ${{ steps.get-escu-detections.outputs.escu-test-run == 'true' }}
        uses: actions/upload-artifact@v3
        with:
          name: escu-test-result
          path: |
            ${{ needs.setup.outputs.directory-path }}/test-results/escu-result.xml
      - name: Test Report
        id: test_report
        uses: dorny/test-reporter@v1
        if: ${{ steps.get-escu-detections.outputs.escu-test-run == 'true' && !cancelled() && !contains(matrix.splunk.version, 'unreleased-python3_9')}}
        with:
          name: splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.vendor-version.image }} test report
          path: "${{ needs.setup.outputs.directory-path }}/test-results/*.xml"
          reporter: java-junit
      - name: Test Report Python 3.9
        continue-on-error: true
        id: test_report_python_3_9
        uses: dorny/test-reporter@v1
        if: ${{ steps.get-escu-detections.outputs.escu-test-run == 'true' && !cancelled() && contains(matrix.splunk.version, 'unreleased-python3_9')}}
        with:
          name: splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.vendor-version.image }} test report
          path: "${{ needs.setup.outputs.directory-path }}/test-results/*.xml"
          reporter: java-junit
      - name: pull diag from s3 bucket
        if: ${{ failure() && steps.test_report.outputs.conclusion == 'failure' }}
        run: |
          echo "pulling diag"
          aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/diag-${{ steps.create-job-name.outputs.job-name }}/diag-${{ steps.create-job-name.outputs.job-name }}.tgz ${{ needs.setup.outputs.directory-path }}/
      - uses: actions/upload-artifact@v3
        if: ${{ failure() && steps.test_report.outputs.conclusion == 'failure' }}
        with:
          name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.vendor-version.image }} ${{ steps.os-name-version.outputs.os-name }} ${{ steps.os-name-version.outputs.os-version }} tests diag
          path: |
            ${{ needs.setup.outputs.directory-path }}/diag*

  pre-publish:
    if: ${{ !cancelled() }}
    needs:
      - meta
      - compliance-copyrights
      - lint
      - review_secrets
      - semgrep
      - build
      - security-virustotal
      - test-inventory
      - run-unit-tests
      - appinspect
      - setup
      - run-knowledge-tests
      - run-modinput-tests
      - run-ui-tests
      - validate-pr-title
    runs-on: ubuntu-latest
    env:
      NEEDS: ${{ toJson(needs) }}
    steps:
      - name: check if tests have passed or skipped
        id: check
        shell: bash
        run: |
          RUN_PUBLISH=$(echo "$NEEDS" | jq ".[] |  select(  ( .result != \"skipped\" ) and .result != \"success\" ) | length == 0")
          if [[ "$RUN_PUBLISH" != *'false'* ]]
          then
              echo "run-publish=true" >> "$GITHUB_OUTPUT"
          else
              echo "run-publish=false" >> "$GITHUB_OUTPUT"
          fi
      - name: exit without publish
        if: ${{ steps.check.outputs.run-publish == 'false' || ( github.event.action == 'labeled' && github.event.label.name == 'preserve_infra' ) }}
        run: |
          echo " Some test job failed or Workflow has triggred on preserve_infra label. "
          exit 1

  publish:
    if: ${{ !cancelled() && needs.pre-publish.result == 'success' && github.event_name != 'pull_request' && github.event_name != 'schedule' }}
    needs:
      - pre-publish
      - run-escu-tests
    runs-on: ubuntu-latest
    permissions:
      contents: write
      packages: read
      pull-requests: read
      statuses: write
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          submodules: false
          persist-credentials: false
      - name: Semantic Release
        id: semantic
        uses: splunk/semantic-release-action@v1.3
        env:
          GITHUB_TOKEN: ${{ secrets.GH_TOKEN_ADMIN }}
        with:
          git_committer_name: ${{ secrets.SA_GH_USER_NAME }}
          git_committer_email: ${{ secrets.SA_GH_USER_EMAIL }}
          gpg_private_key: ${{ secrets.SA_GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.SA_GPG_PASSPHRASE }}
      - name: Download package-deployment
        if: ${{ steps.semantic.outputs.new_release_published == 'true' }}
        uses: actions/download-artifact@v3
        id: download-package-deployment
        with:
          name: package-deployment
          path: download/artifacts/
      - name: Download package-splunkbase
        if: ${{ steps.semantic.outputs.new_release_published == 'true' }}
        uses: actions/download-artifact@v3
        id: download-package-splunkbase
        with:
          name: package-splunkbase
          path: download/artifacts/deployment
      - name: Download cim-compliance-report
        id: download-cim-compliance-report
        if: ${{ steps.semantic.outputs.new_release_published == 'true' }}
        continue-on-error: true
        uses: actions/download-artifact@v3
        with:
          name: cim-compliance-report
          path: download/artifacts/deployment
      - name: Download cim-field-report
        id: download-cim-field-report
        if: ${{ steps.semantic.outputs.new_release_published == 'true' }}
        continue-on-error: true
        uses: actions/download-artifact@v3
        with:
          name: cim-field-report
          path: download/artifacts/deployment
      - name: Download escu-test-results
        id: download-escu-xml
        if: ${{ steps.semantic.outputs.new_release_published == 'true' }}
        continue-on-error: true
        uses: actions/download-artifact@v3
        with:
          name: escu-test-result
          path: download/artifacts/deployment
      - name: List of assets
        if: ${{ steps.semantic.outputs.new_release_published == 'true' }}
        run: |
          ls -la ${{ steps.download-package-splunkbase.outputs.download-path }}
      - name: Upload assets to release
        if: ${{ steps.semantic.outputs.new_release_published == 'true' }}
        uses: svenstaro/upload-release-action@v2
        with:
          repo_token: ${{ github.token }}
          file: ${{ steps.download-package-splunkbase.outputs.download-path }}/*
          overwrite: true
          file_glob: true
          tag: v${{ steps.semantic.outputs.new_release_version }}