feat: Add SSDLC lifecycle logging for security auditing #1506
Workflow file for this run
  
    
      This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
      Learn more about bidirectional Unicode characters
    
  
  
    
  | # This file is centrally managed as a template file in https://github.com/canonical/solutions-engineering-automation | |
| # To update the file: | |
| # - Edit it in the canonical/solutions-engineering-automation repository. | |
| # - Open a PR with the changes. | |
| # - When the PR merges, the soleng-terraform bot will open a PR to the target repositories with the changes. | |
| name: Tests | |
| on: | |
| workflow_call: | |
| workflow_dispatch: | |
| pull_request: | |
| types: [opened, synchronize, reopened] | |
| branches: [main] | |
| paths-ignore: | |
| - "**.md" | |
| - "**.rst" | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.head_ref || github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| lint: | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 # Complete git history is required to generate the version from git tags. | |
| - name: Set up Python 3.10 | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.10" | |
| - name: Install dependencies | |
| run: | | |
| sudo apt update | |
| sudo apt install -y yamllint | |
| python -m pip install --upgrade pip | |
| # pin tox to the current major version to avoid | |
| # workflows breaking all at once when a new major version is released. | |
| python -m pip install 'tox<5' | |
| - name: Run linters | |
| run: tox -e lint | |
| - name: Lint yaml files | |
| run: | | |
| yamllint .yamllint snap/snapcraft.yaml | |
| unit: | |
| name: Unit | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| python-version: ['3.10'] | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| submodules: true | |
| - name: Set up Python ${{ matrix.python-version }} | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: ${{ matrix.python-version }} | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| python -m pip install 'tox<5' | |
| - name: Run unit tests | |
| run: tox -e unit | |
| - name: Determine system architecture | |
| run: echo "SYSTEM_ARCH=$(uname -m)" >> $GITHUB_ENV | |
| - name: Create artifact name suffix | |
| run: | | |
| PYTHON_VERSION_SANITIZED=${{ matrix.python-version }} | |
| PYTHON_VERSION_SANITIZED=${PYTHON_VERSION_SANITIZED//./-} | |
| echo "ARTIFACT_SUFFIX=$PYTHON_VERSION_SANITIZED-${{ env.SYSTEM_ARCH }}" >> $GITHUB_ENV | |
| - name: Rename Unit Test Coverage Artifact | |
| run: | | |
| if [ -e ".coverage-unit" ]; then | |
| mv .coverage-unit .coverage-unit-${{ env.ARTIFACT_SUFFIX }} | |
| else | |
| echo "No coverage file found, skipping rename" | |
| fi | |
| - name: Upload Unit Test Coverage File | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| include-hidden-files: true | |
| if-no-files-found: ignore | |
| name: coverage-unit-${{ env.ARTIFACT_SUFFIX }} | |
| path: .coverage-unit-${{ env.ARTIFACT_SUFFIX }} | |
| build: | |
| needs: | |
| - lint | |
| runs-on: ${{ matrix.runs-on }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| runs-on: [[ubuntu-24.04]] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 # Complete git history is required to generate the version from git tags. | |
| - name: Verify snap builds successfully | |
| id: build | |
| uses: canonical/action-build@v1 | |
| - name: Determine system architecture | |
| run: echo "SYSTEM_ARCH=$(uname -m)" >> $GITHUB_ENV | |
| - name: Upload the built snap | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: snap_${{ env.SYSTEM_ARCH }} | |
| path: ${{ steps.build.outputs.snap }} | |
| func: | |
| needs: | |
| - build | |
| runs-on: ${{ matrix.runs-on }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| runs-on: [[ubuntu-24.04]] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 # Complete git history is required to generate the version from git tags. | |
| - name: Determine system architecture | |
| run: echo "SYSTEM_ARCH=$(uname -m)" >> $GITHUB_ENV | |
| - name: Download snap file artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: snap_${{ env.SYSTEM_ARCH }} | |
| - name: Set up Python 3.10 | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.10" | |
| - name: Setup Juju 3.6/stable environment | |
| uses: charmed-kubernetes/actions-operator@main | |
| with: | |
| provider: lxd | |
| juju-channel: 3.6/stable | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| python -m pip install 'tox<5' | |
| - name: Run func tests | |
| run: | | |
| export TEST_SNAP="$(pwd)/$(ls | grep '.*_.*\.snap$')" | |
| echo "$TEST_SNAP" | |
| tox -e func | |
| - name: Create artifact name suffix | |
| run: | | |
| BASE_VERSION_SANITIZED=${{ matrix.runs-on }} | |
| BASE_VERSION_SANITIZED=${BASE_VERSION_SANITIZED//./-} | |
| echo "ARTIFACT_SUFFIX=$BASE_VERSION_SANITIZED-${{ env.SYSTEM_ARCH }}" >> $GITHUB_ENV | |
| - name: Rename Functional Test Coverage Artifact | |
| run: | | |
| if [ -e ".coverage-func" ]; then | |
| mv .coverage-func .coverage-func-${{ env.ARTIFACT_SUFFIX }} | |
| else | |
| echo "No coverage file found, skipping rename" | |
| fi | |
| - name: Upload Functional Test Coverage Artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| include-hidden-files: true | |
| if-no-files-found: ignore | |
| name: coverage-functional-${{ env.ARTIFACT_SUFFIX }} | |
| path: .coverage-func-${{ env.ARTIFACT_SUFFIX }} | |
| tics-analysis: | |
| runs-on: [self-hosted, linux, amd64, tiobe, jammy] | |
| if: > | |
| (github.event_name == 'push' && github.ref == 'refs/heads/main') || | |
| (github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main') | |
| needs: func | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Install coverage tools | |
| run: | | |
| pip install coverage[toml] | |
| # Install everything from all requirements.txt files otherwise TICS errors. | |
| - name: Install all snap dependencies | |
| env: | |
| # to ensure that zaza installs correctly | |
| TEST_JUJU3: "1" | |
| run: | | |
| for f in $(find -name '*requirements.txt'); do | |
| echo "${f}" | |
| pip3 install --requirement "${f}" | |
| done | |
| - name: Determine system architecture | |
| run: echo "SYSTEM_ARCH=$(uname -m)" >> $GITHUB_ENV | |
| - name: Download Coverage Files | |
| uses: actions/download-artifact@v4 | |
| with: | |
| pattern: coverage-*-${{ env.SYSTEM_ARCH }} | |
| merge-multiple: true | |
| path: artifacts/ | |
| continue-on-error: true | |
| - name: Merge coverage reports | |
| run: | | |
| # Create the path that is expected to have a coverage.xml for tics | |
| mkdir -p tests/report/ | |
| coverage_files=(./artifacts/.coverage*) | |
| if [ -e "${coverage_files[0]}" ]; then | |
| echo "Merging coverage files: ${coverage_files[*]}" | |
| coverage combine "${coverage_files[@]}" | |
| # Check if there is actual data to report before generating XML with merged reports | |
| if coverage report > /dev/null 2>&1; then | |
| coverage report --show-missing | |
| coverage xml -o tests/report/coverage.xml | |
| fi | |
| fi | |
| - name: Run TICS analysis | |
| uses: tiobe/tics-github-action@v3 | |
| with: | |
| mode: qserver | |
| project: charmed-openstack-upgrader | |
| viewerUrl: https://canonical.tiobe.com/tiobeweb/TICS/api/cfg?name=default | |
| branchdir: ${{ github.workspace }} | |
| ticsAuthToken: ${{ secrets.TICSAUTHTOKEN }} | |
| installTics: true |