Merge pull request #505 from kubescape/ac-nodes #589
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: pr-tests | |
on: | |
push: | |
branches: [ master, main ] | |
pull_request: | |
# run for every chnage in the PR | |
types: [ opened, synchronize, reopened, ready_for_review ] | |
# Do not run the pipeline if only Markdown files changed | |
paths-ignore: ['**.md'] | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
env: | |
REGO_ARTIFACT_KEY_NAME: rego_artifact | |
REGO_ARTIFACT_PATH: releaseDev | |
jobs: | |
# testing link checks | |
markdown-link-check: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c | |
- name: Check links | |
uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368 | |
with: | |
use-verbose-mode: 'yes' | |
# main job of testing and building the env. | |
test_pr_checks: | |
# needs: [markdown-link-check] | |
permissions: | |
pull-requests: write | |
uses: kubescape/workflows/.github/workflows/go-basic-tests.yaml@main | |
with: | |
GO_VERSION: 1.19 | |
BUILD_PATH: github.com/kubescape/regolibrary/gitregostore/... | |
secrets: inherit | |
# test-coverage: | |
# needs: [test_pr_checks] | |
# uses: kubescape/workflows/.github/workflows/coverage-check.yaml@main | |
# if: | | |
# ${{ (always() && | |
# (contains(needs.*.result, 'success')) && | |
# !(contains(needs.*.result, 'skipped')) && | |
# !(contains(needs.*.result, 'failure')) && | |
# !(contains(needs.*.result, 'cancelled'))) }} | |
# with: | |
# COVERAGELIMIT: "58" | |
# SHA: ${{ github.sha }} | |
build-and-rego-test: | |
name: Build and test rego artifacts | |
runs-on: ubuntu-latest | |
if: | | |
${{ (always() && | |
(contains(needs.*.result, 'success')) && | |
!(contains(needs.*.result, 'skipped')) && | |
!(contains(needs.*.result, 'failure')) && | |
!(contains(needs.*.result, 'cancelled'))) }} | |
# needs: [test_pr_checks] | |
outputs: | |
REGO_ARTIFACT_KEY_NAME: ${{ steps.set_outputs.outputs.REGO_ARTIFACT_KEY_NAME }} | |
REGO_ARTIFACT_PATH: ${{ steps.set_outputs.outputs.REGO_ARTIFACT_PATH }} | |
steps: | |
- uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f | |
name: checkout repo content | |
with: | |
token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }} | |
# Test using Golang OPA hot rule compilation | |
- name: Set up Go | |
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 | |
with: | |
go-version: 1.19 | |
# testing rego library | |
- name: Test Regoes | |
working-directory: testrunner | |
run: | | |
apt update && apt install -y cmake | |
GOPATH=$(go env GOPATH) make | |
- name: setup python | |
uses: actions/setup-python@v4 | |
with: | |
python-version: 3.10.6 | |
# validate control-ID duplications | |
- run: python ./scripts/validations.py | |
# generating subsections ids | |
- name: Update frameworks subsections | |
run: bash ./scripts/generate_subsections_ids.sh | |
# run export script to generate regolibrary artifacts | |
# releaseDev clean up is for old compatability. should be removed at end of 2023. | |
- name: Run export script | |
run: | | |
OUTPUT=pre-release python ./scripts/export.py | |
rm -r -f releaseDev | |
cp -R pre-release releaseDev | |
- name: Set outputs | |
id: set_outputs | |
run: | | |
echo "REGO_ARTIFACT_KEY_NAME=${{ env.REGO_ARTIFACT_KEY_NAME }}" >> $GITHUB_OUTPUT | |
echo "REGO_ARTIFACT_PATH=${{ env.REGO_ARTIFACT_PATH }}" >> $GITHUB_OUTPUT | |
- uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/[email protected] | |
name: Upload artifact | |
with: | |
name: ${{ env.REGO_ARTIFACT_KEY_NAME }} | |
path: ${{ env.REGO_ARTIFACT_PATH }}/ | |
if-no-files-found: error | |
# test kubescape with regolibrary artifacts | |
ks-and-rego-test: | |
uses: kubescape/workflows/.github/workflows/kubescape-cli-e2e-tests.yaml@main | |
if: | | |
${{ (always() && | |
(contains(needs.*.result, 'success')) && | |
!(contains(needs.*.result, 'skipped')) && | |
!(contains(needs.*.result, 'failure')) && | |
!(contains(needs.*.result, 'cancelled'))) }} | |
needs: [build-and-rego-test] | |
with: | |
DOWNLOAD_ARTIFACT_KEY_NAME: ${{ needs.build-and-rego-test.outputs.REGO_ARTIFACT_KEY_NAME }} | |
BINARY_TESTS: '[ "scan_nsa", | |
"scan_mitre", | |
"scan_with_exceptions", | |
"scan_repository", | |
"scan_local_file", | |
"scan_local_glob_files", | |
"scan_nsa_and_submit_to_backend", | |
"scan_mitre_and_submit_to_backend", | |
"scan_local_repository_and_submit_to_backend", | |
"scan_repository_from_url_and_submit_to_backend", | |
"host_scanner", | |
"scan_local_list_of_files", | |
"scan_compliance_score" | |
]' | |
DOWNLOAD_ARTIFACT_PATH: ${{ needs.build-and-rego-test.outputs.REGO_ARTIFACT_PATH }} | |
secrets: inherit | |
clean-up: | |
name: Remove pre-release folder and clean up | |
runs-on: ubuntu-latest | |
needs: [ks-and-rego-test] | |
steps: | |
- uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f | |
name: checkout repo content | |
with: | |
token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }} | |
- name: Remove pre-release folder | |
run: rm -r -f pre-release |