Publish a conformance report (#322)

* Bump python version in action & workflows

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

* Add summary report publishing:

* The action now publishes json results as GitHub artifact
* A workflow is added that looks for those results in projects known to use
  tuf-conformance
* A report is generated and published on GH pages

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

* publish-report workflow: make client branch a variable

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

---------

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

Author: jku

.github/scripts/generate_client_report.py

@@ -0,0 +1,115 @@
+# Generate an html summary from client conformance results
+
+import argparse
+import json
+from dataclasses import dataclass
+from datetime import UTC, datetime
+from pathlib import Path
+
+
+@dataclass
+class Result:
+    name: str
+    results_found: bool = False
+    total: int = -1
+    passed: int = -1
+    failed: int = -1
+    xfailed: int = -1
+    skipped: int = -1
+
+    def __init__(self, report_path: Path) -> None:
+        with report_path.open() as f:
+            data = json.load(f)
+
+        self.name = report_path.name.replace(".json", "")
+
+        if data == {}:
+            return  # no results found
+        self.results_found = True
+
+        summary = data["summary"]
+        self.total = summary["total"]
+        self.passed = summary.get("passed", 0) + summary.get("subtests passed", 0)
+        self.failed = summary.get("failed", 0) + summary.get("subtests failed", 0)
+        self.xfailed = summary.get("xfailed", 0) + summary.get("subtests xfailed", 0)
+        self.skipped = summary.get("skipped", 0) + summary.get("subtests skipped", 0)
+
+        # TODO: parse data["tests"] and add feature checks like
+        # self.supports_delegated_targets
+
+
+def _generate_html(results: list[Result]) -> str:
+    html = f"""
+    <html>
+    <head>
+        <title>TUF Client Conformance Results</title>
+        <style>
+            body {{ font-family: sans-serif; margin: 2em; }}
+            table {{ border-collapse: collapse; }}
+            th, td {{ border: 1px solid #ccc; padding: 8px 12px; }}
+            th {{ background-color: #f4f4f4; }}
+            .failed {{ background-color: #ffe0e0; }}
+            .passed {{ background-color: #e0ffe0; }}
+            .not-found {{ background-color: #eeeeee; }}
+        </style>
+    </head>
+    <body>
+        <h1>TUF Client Conformance Results</h1>
+        <p>Last updated: {datetime.now(UTC).isoformat(timespec="minutes")}Z</p>
+        <table>
+            <thead>
+                <tr>
+                    <th>Client</th>
+                    <th>Pass Rate</th>
+                    <th>Passed</th>
+                    <th>Failed</th>
+                    <th>Skipped</th>
+                    <th>Xfailed</th>
+                </tr>
+            </thead>
+            <tbody>
+    """
+    for res in results:
+        if not res.results_found:
+            status_class = "not-found"
+        elif res.failed == 0:
+            status_class = "passed"
+        else:
+            status_class = "failed"
+        passrate = round(100 * res.passed / res.total) if res.total > 0 else 0
+        html += f"""
+                <tr class="{status_class}">
+                    <td><strong>{res.name}</strong></td>
+                    <td>{f"{passrate}%" if res.results_found else ""}</td>
+                    <td>{res.passed if res.results_found else ""}</td>
+                    <td>{res.failed if res.results_found else ""}</td>
+                    <td>{res.skipped if res.results_found else ""}</td>
+                    <td>{res.xfailed if res.results_found else ""}</td>
+                </tr>
+        """
+    html += """
+            </tbody>
+        </table>
+    </body>
+    </html>
+    """
+    return html
+
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser()
+    parser.add_argument("--reports-dir", required=True)
+    parser.add_argument("--output", required=True)
+    args = parser.parse_args()
+
+    # Read all client results
+    results: list[Result] = []
+    for report_path in Path(args.reports_dir).glob("**/*.json"):
+        results.append(Result(report_path))
+    results.sort(key=lambda result: result.name)
+
+    # Write summary HTML
+    output_file = Path(args.output)
+    output_file.parent.mkdir(parents=True, exist_ok=True)
+    with output_file.open("w") as f:
+        f.write(_generate_html(results))

.github/workflows/ci.yml

@@ -23,7 +23,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
-          python-version: "3.11"
+          python-version: "3.14"
           cache: "pip"
 
       - name: Install lint dependencies

.github/workflows/publish-report.yml

@@ -0,0 +1,104 @@
+name: Publish client conformance report
+
+on:
+  schedule:
+    - cron: '0 2 * * *'
+  workflow_dispatch:
+
+jobs:
+  fetch-results:
+    name: Fetch ${{ matrix.name }} results
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false # Don't stop if one client results download fails
+      matrix:
+        include:
+          - name: python-tuf
+            repo: theupdateframework/python-tuf
+            workflow: conformance.yml
+            branch: develop
+          - name: tuf-js
+            repo: theupdateframework/tuf-js
+            workflow: conformance.yml
+            branch: main
+          - name: sigstore-java
+            repo: sigstore/sigstore-java
+            workflow: tuf-conformance.yml
+            branch: main
+          - name: sigstore-ruby
+            repo: sigstore/sigstore-ruby
+            workflow: ci.yml
+            branch: main
+
+
+    steps:
+      - name: Download artifact
+        uses: dawidd6/action-download-artifact@ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5 # v11
+        with:
+          # A token is required to read other repos' artifacts. This token is a fine grained token
+          # with read-only "public repositories" access only. It is set to expire in 1 year
+          # (maximum accepted by OpenSSF)
+          github_token: ${{ secrets.READ_ONLY_TOKEN }}
+          repo: ${{ matrix.repo }}
+          workflow: ${{ matrix.workflow }}
+          branch: ${{ matrix.branch }}
+          name: tuf-conformance-results
+          workflow_conclusion: success
+          path: ./results/
+        continue-on-error: true
+
+      - name: Rename artifact for aggregation
+        run: |
+          if [ -f "./results/tuf-conformance-report.json" ]; then
+            mv ./results/tuf-conformance-report.json "./results/${{ matrix.name }}.json"
+          else
+            # create empty file so report generator can still include the client as "not found"
+            mkdir ./results
+            echo "{}" > "./results/${{ matrix.name }}.json"
+          fi
+
+      - name: Upload ${{ matrix.name }} results
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        with:
+          name: ${{ matrix.name }}-result
+          path: ./results/${{ matrix.name }}.json
+
+  build-report:
+    name: Build client conformance report
+    runs-on: ubuntu-latest
+    needs: [fetch-results]
+    if: always()
+
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Download all individual results
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        with:
+          pattern: '*-result'
+          path: ./results
+
+      - name: Generate report
+        run: |
+          python .github/scripts/generate_client_report.py \
+            --reports-dir ./results \
+            --output results/index.html
+
+      - name: Upload report for Pages
+        uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0
+        with:
+          path: results/
+
+  deploy-pages:
+    permissions:
+      pages: write
+      id-token: write
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    runs-on: ubuntu-latest
+    needs: build-report
+    steps:
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5

Makefile

@@ -33,7 +33,7 @@ dev: faketime env/pyvenv.cfg
 .PHONY: test-all
 test-all: test-python-tuf test-go-tuf
 
-lint_dirs = tuf_conformance clients/python-tuf
+lint_dirs = tuf_conformance clients/python-tuf .github/scripts
 lint: env/pyvenv.cfg
 	./env/bin/ruff format --diff $(lint_dirs)
 	./env/bin/ruff check $(lint_dirs)

action.yml

@@ -17,7 +17,7 @@ runs:
     - name: Set up Python
       uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
       with:
-        python-version: "3.11"
+        python-version: "3.14"
 
     - name: Install test
       run: |
@@ -42,7 +42,7 @@ runs:
         fi
 
         # run test suite
-        pytest -v "$TEST_LOCATION" \
+        pytest -v --json-report --json-report-file=tuf-conformance-report.json "$TEST_LOCATION" \
           --entrypoint "$ENTRYPOINT" \
           --repository-dump-dir ./test-repositories \
       shell: bash
@@ -53,3 +53,11 @@ runs:
       with:
         name: ${{ steps.tuf-conformance.outputs.NAME }}
         path: test-repositories
+
+    - name: Upload conformance result
+      uses: actions/upload-artifact@v4
+      with:
+        name: tuf-conformance-results
+        overwrite: true
+        path: ./tuf-conformance-report.json
+        retention-days: 7

pyproject.toml

@@ -7,7 +7,8 @@ name = "tuf-conformance"
 dependencies = [
     "securesystemslib[crypto]==1.3.1",
     "tuf==6.0.0",
-    "pytest==8.4.2"
+    "pytest==8.4.2",
+    "pytest-json-report==1.5.0"
 ]
 dynamic = ["version"]
 requires-python = ">= 3.10"