osv-scanner/.github/workflows/tests.yml at 34f6b73ce9a0414b34684a14116a039263cc83e5 · google/osv-scanner · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

name: Tests

on:
  push:
    branches: ["main", "v1", "mcp"]
    paths-ignore:
      - "**/*.md"
      - "docs/**"
      - ".github/workflows/*"
      - "!.github/workflows/tests.yml"
      - "!.github/workflows/test-action/**"
  pull_request:
    # The branches below must be a subset of the branches above
    branches: ["main", "v1", "mcp"]
    paths-ignore:
      - "**/*.md"
      - "docs/**"
      - ".github/workflows/*"
      - "!.github/workflows/tests.yml"
      - "!.github/workflows/test-action/**"
  workflow_dispatch:

concurrency:
  # Pushing new changes to a branch will cancel any in-progress CI runs
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Restrict jobs in this workflow to have no permissions by default; permissions
# should be granted per job as needed using a dedicated `permissions` block
permissions: {}

jobs:
  prepare_test_image_testdata:
    permissions:
      contents: read # to fetch code (actions/checkout)
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - run: scripts/build_test_images.sh
      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: image-testdata-${{ github.run_number }}-${{ github.run_attempt }}
          path: cmd/osv-scanner/scan/image/testdata/*.tar
          retention-days: 1
  tests:
    permissions:
      contents: read # to fetch code (actions/checkout)
    needs:
      - prepare_test_image_testdata
    name: Run unit tests
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
    runs-on: ${{ matrix.os }}
    steps:
      - name: Check out code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          pattern: image-testdata-${{ github.run_number }}-*
          path: cmd/osv-scanner/scan/image/testdata/
      - name: Set up Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          check-latest: true
      - name: Run test action
        uses: ./.github/workflows/test-action
        with:
          codecov_token: ${{ secrets.CODECOV_TOKEN }}
  docker:
    permissions:
      contents: read # to fetch code (actions/checkout)
    runs-on: ubuntu-latest
    env:
      # Required for buildx on docker 19.x
      DOCKER_CLI_EXPERIMENTAL: "enabled"
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: false
      - name: Set up Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          check-latest: true
          cache: false
      - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
      - name: Run GoReleaser
        id: run-goreleaser
        uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
        with:
          distribution: goreleaser
          version: "~> v2"
          args: release --clean --snapshot
      - env:
          ARTIFACTS: ${{ steps.run-goreleaser.outputs.artifacts }}
        run: |
          echo "$ARTIFACTS" > output.json
          jq -r '.[] | select(
            .type == "Docker Image" and
            .goarch == "amd64" and
            .goos == "linux" and
            .extra.DockerConfig.dockerfile == "goreleaser.dockerfile"
          ) | .name' output.json | while read -r image; do
            echo "Testing image $image"

            exit_code=0
            docker run -v ${PWD}:/src $image -L /src/go.mod || exit_code=$?

            # fail if we get a non-zero exit code other than "vulnerabilities were found"
            if [[ $exit_code -ne 0 && $exit_code -ne 1  ]]; then
              exit $exit_code
            fi
          done