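# Pre-merge CI: starts a local Dependency-Track instance with Docker Compose,
# then exercises the CLI in src/main.py against it (help, input validation,
# dry-run uploads, GitHub Action style uploads, end-to-end suite).
name: Pre-merge Tests

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]

# Least privilege for GITHUB_TOKEN: the job checks out the repository and runs
# scripts from the checked-out ref, so read access to contents is sufficient.
permissions:
  contents: read

jobs:
  test-sbom-upload:
    runs-on: ubuntu-latest
    timeout-minutes: 25
    steps:
      # NOTE(review): both actions below are referenced by a mutable major
      # version tag. Pinning each to a full-length commit SHA keeps a moved or
      # re-pointed tag from changing what runs in this job.
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # Later steps execute repository scripts and nothing pushes back, so
          # the token does not need to stay in the local git configuration.
          persist-credentials: false

      - name: Set up Python 3.13
        uses: actions/setup-python@v5
        with:
          python-version: "3.13"
          cache: "pip"

      - name: Install dependencies
        run: |
          pip install -r requirements.txt

      # NOTE(review): `docker-compose` is the standalone v1 binary; confirm the
      # runner image still provides it, otherwise call `docker compose`.
      - name: Start Dependency Track
        run: |
          # Start DT with the official docker compose but use host networking for easier access
          cd tests/docker
          docker-compose -f docker-compose.yml up -d

      - name: Wait for Dependency Track
        run: |
          echo "⏳ Waiting for Dependency Track to be fully ready..."
          # Wait for health check to pass
          timeout 600 bash -c '
            until curl -f http://localhost:8081/api/version >/dev/null 2>&1; do
              echo "Waiting for Dependency Track API... ($(date))"
              sleep 15
            done
          '
          # Give extra time for full initialization
          echo "✅ API responding, waiting for full initialization..."
          sleep 60
          # Verify API is really ready
          curl -v http://localhost:8081/api/version

      - name: Setup Test Environment
        run: |
          bash .github/scripts/setup-ci.sh
          # Export API key to environment for subsequent steps
          if [ -f /tmp/api_key.txt ]; then
            API_KEY=$(cat /tmp/api_key.txt)
            # Register the key as a masked value before it is stored, so that
            # later steps (and their debug output) do not print it in job logs.
            if [ -n "$API_KEY" ]; then
              echo "::add-mask::$API_KEY"
            fi
            echo "TEST_API_KEY=$API_KEY" >> "$GITHUB_ENV"
            echo "INPUT_API_KEY=$API_KEY" >> "$GITHUB_ENV"
            echo "✅ API key exported to environment"
          else
            echo "❌ No API key file found"
            exit 1
          fi
          # Set up other environment variables
          echo "INPUT_URL=http://localhost:8081" >> "$GITHUB_ENV"

      - name: Test CLI Help and Version Functions
        run: |
          echo "🧪 Testing CLI help..."
          python3 src/main.py --help
          echo "🧪 Testing version functions..."
          python3 tests/test_version.py

      - name: Test Input Validation
        run: |
          echo "🧪 Testing input validation..."
          python3 src/main.py validate-inputs

      # NOTE(review): the step name expects an authentication failure, but the
      # key exported by "Setup Test Environment" is already in the environment
      # here, and continue-on-error means neither outcome is ever asserted.
      # Confirm which result this step is meant to prove.
      - name: Test Connection (Expected Auth Failure)
        continue-on-error: true
        run: |
          echo "🧪 Testing connection (expecting auth failure with test key)..."
          python3 src/main.py test-connection

      - name: Test Single SBOM Upload (Dry Run)
        run: |
          echo "🧪 Testing single SBOM upload (dry run)..."
          python3 src/main.py upload-auto \
            --sbom-file "tests/single_sbom/nginx_12.9.1.json" \
            --project-name "test-nginx" \
            --project-version "12.9.1" \
            --dry-run

      - name: Test Multiple SBOM Upload (Dry Run)
        run: |
          echo "🧪 Testing multiple SBOM upload (dry run)..."
          python3 src/main.py upload-nested \
            --parent-name "test-multi-app" \
            --parent-version "1.0.0" \
            --sbom-dir "tests/multiple_sbom/" \
            --dry-run

      - name: Test Hierarchy Upload (Dry Run)
        run: |
          echo "🧪 Testing hierarchy upload (dry run)..."
          python3 src/main.py upload-hierarchy \
            --config-file "tests/hierarchy-example.json" \
            --dry-run

      - name: Test GitHub Action Style Uploads
        run: |
          echo "🧪 Testing GitHub Action style upload (single)..."
          export INPUT_PROJECT_SBOM="tests/single_sbom/nginx_12.9.1.json"
          export INPUT_PROJECT_NAME="gh-action-test"
          export INPUT_PROJECT_VERSION="1.0.0"
          export INPUT_IS_LATEST="true"
          python3 src/main.py upload
          echo "🧪 Testing GitHub Action style upload (multiple)..."
          unset INPUT_PROJECT_SBOM
          export INPUT_PROJECT_SBOM_LIST="tests/sbom-list-example.txt"
          export INPUT_PROJECT_PREFIX="gh-multi-"
          python3 src/main.py upload

      # NOTE(review): the `|| echo` fallback turns any failure of
      # show-hierarchy into a pass, so this step cannot fail the job.
      - name: Verify Project Hierarchy
        run: |
          echo "🔍 Verifying project hierarchy..."
          python3 src/main.py show-hierarchy --project-name "meta_app" || echo "Hierarchy display completed"

      - name: Test End-to-End Suite
        run: |
          echo "🧪 Running end-to-end test suite..."
          ./test-e2e.sh

      # NOTE(review): the stack is started from docker-compose.yml, while this
      # step and Cleanup read docker-compose-ci.yml. Confirm both files
      # describe the same services, or point all three steps at one file.
      - name: Check Docker Logs (Debug)
        if: failure()
        run: |
          echo "🔍 Dependency Track logs:"
          cd tests/docker
          docker-compose -f docker-compose-ci.yml logs apiserver --tail=100

      - name: Cleanup
        if: always()
        run: |
          echo "🧹 Cleaning up..."
          cd tests/docker
          docker-compose -f docker-compose-ci.yml down -v || true
          docker system prune -f || true
          rm -f ../../api_key.txt
          # The key is read from /tmp/api_key.txt earlier in the job; remove
          # that copy as well so it does not outlive the run.
          rm -f /tmp/api_key.txt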