-
Notifications
You must be signed in to change notification settings - Fork 35
233 lines (195 loc) · 7.96 KB
/
validations.yaml
File metadata and controls
233 lines (195 loc) · 7.96 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
name: "Validations"
on:
workflow_dispatch:
pull_request:
# needed for running release pre-checks on merges to the main branch
push:
branches:
- main
env:
CGO_ENABLED: "0"
permissions:
contents: read
jobs:
# Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
Static-Analysis:
name: "Static analysis"
permissions:
contents: read
runs-on: runs-on=${{ github.run_id }}/cpu=2/ram=8/family=m5+m6+m7+t3+t4/spot=price-capacity-optimized
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
with:
persist-credentials: false
- name: Bootstrap environment
uses: ./.github/actions/bootstrap
- name: Run static analysis
run: make static-analysis
# Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
Unit-Test-Go:
name: "Unit tests (Go)"
permissions:
contents: read
runs-on: runs-on=${{ github.run_id }}/cpu=2/ram=8/family=m5+m6+m7+t3+t4/spot=price-capacity-optimized
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
with:
persist-credentials: false
- name: Bootstrap environment
uses: ./.github/actions/bootstrap
with:
python: false
- name: Run go unit tests
run: make unit
# Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
Unit-Test-Python:
name: "Unit tests (Python)"
permissions:
contents: read
runs-on: runs-on=${{ github.run_id }}/cpu=2/ram=8/family=m5+m6+m7+t3+t4/spot=price-capacity-optimized
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
with:
persist-credentials: false
- name: Bootstrap environment
uses: ./.github/actions/bootstrap
with:
go: false
- name: Run python unit tests
run: make unit-python
# Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
Build-Snapshot-Artifacts:
name: "Build snapshot artifacts"
permissions:
contents: read
runs-on: runs-on=${{ github.run_id }}/cpu=16/ram=32/family=c5+c6+c7/spot=price-capacity-optimized
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
with:
persist-credentials: false
- name: Bootstrap environment
uses: ./.github/actions/bootstrap
with:
# why have another build cache key? We don't want unit/integration/etc test build caches to replace
# the snapshot build cache, which includes builds for all OSs and architectures. As long as this key is
# unique from the build-cache-key-prefix in other CI jobs, we should be fine.
#
# note: ideally this value should match what is used in release (just to help with build times).
build-cache-key-prefix: "snapshot"
bootstrap-apt-packages: ""
python: false
- name: Build snapshot artifacts
run: make snapshot
# why not use actions/upload-artifact? It is very slow (3 minutes to upload ~600MB of data, vs 10 seconds with this approach).
# see https://github.com/actions/upload-artifact/issues/199 for more info
- name: Upload snapshot artifacts
uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 #v5.0.4
with:
path: snapshot
key: snapshot-build-${{ github.run_id }}
Discover-Schema-Versions:
name: "Discover supported schema versions"
permissions:
contents: read
runs-on: ubuntu-latest
outputs:
schema-versions: ${{ steps.read-schema-versions.outputs.schema-versions }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
with:
persist-credentials: false
- name: Read supported schema versions
id: read-schema-versions
run: |
content=`cat manager/src/grype_db_manager/data/schema-info.json | jq -c '[.available[] | select(.supported == true) | select(.validate != false) | .schema]'`
echo "schema-versions=$content" >> $GITHUB_OUTPUT
# Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
Acceptance-Test:
name: "Acceptance tests"
needs: Discover-Schema-Versions
runs-on: runs-on=${{ github.run_id }}-acceptance-${{ strategy.job-index }}/family=i7ie/cpu=4+16/ram=32+64/spot=price-capacity-optimized
strategy:
matrix:
schema-version: ${{fromJson(needs.Discover-Schema-Versions.outputs.schema-versions)}}
# set the permissions granted to the github token to read the pull cache from ghcr.io
permissions:
contents: read
packages: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
with:
submodules: true
persist-credentials: false
- name: Bootstrap environment
uses: ./.github/actions/bootstrap
- name: Login to ghcr.io
run: make ci-oras-ghcr-login
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_USERNAME: ${{ github.actor }}
- name: Pull latest vulnerability data
run: make download-all-provider-cache date=latest
- name: Build and validate the DB
env:
FORCE_COLOR: true
SCHEMA_VERSION: ${{ matrix.schema-version }}
run: make db-acceptance schema="$SCHEMA_VERSION"
# Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
# and possibly in branch protection rules
Acceptance-Test-Gate:
name: "DB acceptance tests"
needs: Acceptance-Test
if: always()
runs-on: ubuntu-latest
steps:
- name: Check acceptance test results
env:
ACCEPTANCE_RESULT: ${{ needs.Acceptance-Test.result }}
run: |
if [[ "$ACCEPTANCE_RESULT" != "success" ]]; then
echo "Acceptance tests failed with result: $ACCEPTANCE_RESULT"
exit 1
fi
echo "All acceptance tests passed"
Cli-Go-Linux:
# Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
name: "CLI tests (Go-Linux)"
permissions:
contents: read
needs: [Build-Snapshot-Artifacts]
runs-on: runs-on=${{ github.run_id }}/cpu=2/ram=8/family=m5+m6+m7+t3+t4/spot=price-capacity-optimized
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
with:
persist-credentials: false
- name: Bootstrap environment
uses: ./.github/actions/bootstrap
with:
python: false
- name: Restore CLI test-fixture cache
uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 #v5.0.4
with:
path: ${{ github.workspace }}/test/cli/test-fixtures/cache
key: ${{ runner.os }}-cli-test-cache-${{ hashFiles('test/cli/test-fixtures/cache.fingerprint') }}
- name: Download snapshot build
uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 #v5.0.4
with:
path: snapshot
key: snapshot-build-${{ github.run_id }}
- name: Run Go CLI Tests (Linux)
run: make cli-go
Cli-Python:
# Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
name: "CLI tests (Python)"
permissions:
contents: read
runs-on: runs-on=${{ github.run_id }}/cpu=8/ram=32/family=m5+m6+m7+t3+t4/spot=price-capacity-optimized
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
with:
submodules: true
persist-credentials: false
- name: Bootstrap environment
uses: ./.github/actions/bootstrap
- name: Run Python CLI Tests
run: make cli-python