Skip to content
.github/workflows/ci.yaml

ci: Harden CI with 'content: read' default permissions #15

Sign in to view logs

ci: Harden CI with 'content: read' default permissions

ci: Harden CI with 'content: read' default permissions #15

Workflow file for this run

.github/workflows/ci.yaml at f26ed17
name: Build snap and run tests

Check failure on line 1 in .github/workflows/ci.yaml

View workflow run for this annotation

GitHub Actions / .github/workflows/ci.yaml

Invalid workflow file 

(Line: 11, Col: 3): Unexpected value 'content'
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
on:
pull_request:
permissions:
content: read
jobs:
build:
name: Build snap
uses: canonical/data-platform-workflows/.github/workflows/build_snap.yaml@v48.0.2
test:
name: "Tests (arch: ${{ matrix.system.arch }}, k8s: ${{ matrix.k8s_version }})"
runs-on: ${{ matrix.system.os }}
timeout-minutes: 90
needs:
- build
strategy:
fail-fast: false
matrix:
system:
- os: ubuntu-22.04
arch: amd64
- os: ubuntu-22.04-arm
arch: arm64
k8s_version:
- "1.28"
- "1.30"
- "1.32"
- "1.34"
steps:
- name: Download snap file
uses: actions/download-artifact@v6
with:
pattern: ${{ needs.build.outputs.artifact-prefix }}-*
merge-multiple: true
- name: Install tooling
run: |
sudo apt install pipx -y
pipx install azure-cli
- name: Install snap file
run: |
FILE=$(ls -1 *${{ matrix.system.arch }}.snap | tail -n1)
sudo snap install $FILE --dangerous
- name: Checkout repo
uses: actions/checkout@v6
- name: Setup microceph
run: |
sudo snap install microceph
sudo microceph cluster bootstrap
sudo microceph disk add loop,1G,3
sudo microceph enable rgw
sudo microceph.radosgw-admin user create --uid test --display-name test --access-key=foo --secret-key=bar
- name: Install Java
# Needed to have 'keytool' for integration tests
uses: actions/setup-java@v4
with:
distribution: "temurin"
java-version: "17"
- name: Setup MicroK8s
run: |
make microk8s K8S_VERSION=${{ matrix.k8s_version }}
- name: Run Integration Tests
env:
AZURE_STORAGE_ACCOUNT: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
AZURE_STORAGE_KEY: ${{ secrets.AZURE_STORAGE_KEY }}
run: |
sg microk8s -c "make integration-tests"
- name: Setup microceph with SSL
run: |
# Remove previous instance of microceph
sudo snap remove --purge microceph
# Create certificates
mkdir -p /home/${USER}/certs
host_ip=$(ip route get 1.1.1.1 | awk '{print $7; exit}')
openssl genrsa -out /home/${USER}/certs/ca.key 2048
openssl req -x509 -new -nodes -key /home/${USER}/certs/ca.key -days 1024 -out /home/${USER}/certs/ca.crt -outform PEM -subj /C=US/ST=Denial/L=Springfield/O=Dis/CN=$host_ip
openssl genrsa -out /home/${USER}/certs/server.key
openssl req -new -key /home/${USER}/certs/server.key -out /home/${USER}/certs/server.csr -subj /C=US/ST=Denial/L=Springfield/O=Dis/CN=$host_ip
echo "subjectAltName = DNS:$host_ip, IP:$host_ip" > /home/${USER}/certs/extfile.cnf
openssl x509 -req -in /home/${USER}/certs/server.csr -CA /home/${USER}/certs/ca.crt -CAkey /home/${USER}/certs/ca.key -CAcreateserial -out /home/${USER}/certs/server.crt -days 365 -extfile /home/${USER}/certs/extfile.cnf
# Reinstall microceph
sudo snap install microceph
sudo microceph cluster bootstrap
sudo microceph disk add loop,1G,3
server_crt_base64=$(sudo base64 -w0 /home/${USER}/certs/server.crt)
server_key_base64=$(sudo base64 -w0 /home/${USER}/certs/server.key)
sudo microceph enable rgw --ssl-certificate $server_crt_base64 --ssl-private-key $server_key_base64
sudo microceph.radosgw-admin user create --uid test --display-name test --access-key=foo --secret-key=bar
- name: Run Integration Tests ssl
run: |
sg microk8s -c "make integration-tests-tls"