Skip to content

Bump github/codeql-action from 3.26.9 to 3.26.10 #7799

Bump github/codeql-action from 3.26.9 to 3.26.10

Bump github/codeql-action from 3.26.9 to 3.26.10 #7799

Workflow file for this run

name: Test Incoming Changes
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
workflow_dispatch:
permissions:
contents: read
env:
REGISTRY: quay.io
REGISTRY_LOCAL: localhost
CERTSUITE_IMAGE_NAME: redhat-best-practices-for-k8s/certsuite
CERTSUITE_IMAGE_NAME_LEGACY: testnetworkfunction/cnf-certification-test
CERTSUITE_IMAGE_TAG: unstable
OCT_IMAGE_NAME: redhat-best-practices-for-k8s/oct
OCT_IMAGE_TAG: latest
PROBE_IMAGE_NAME: redhat-best-practices-for-k8s/certsuite-probe
PROBE_IMAGE_TAG: v0.0.9
CERTSUITE_CONFIG_DIR: /tmp/certsuite/config
CERTSUITE_OUTPUT_DIR: /tmp/certsuite/output
SMOKE_TESTS_LOG_LEVEL: debug
SMOKE_TESTS_LABELS_FILTER: all
SKIP_PRELOAD_IMAGES: true
TERM: xterm-color
CM_BIN: /usr/local/bin/checkmake
CM_URL_LINUX: https://github.com/mrtazz/checkmake/releases/download/0.2.2/checkmake-0.2.2.linux.amd64 # yamllint disable-line
concurrency:
group: ${{ github.workflow }}-${{ github.event.number || github.ref }}
cancel-in-progress: true
jobs:
lint:
name: Run Linters and Vet
runs-on: ubuntu-22.04
env:
SHELL: /bin/bash
steps:
- name: Set up Go 1.23
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: 1.23.1
- name: Disable default go problem matcher
run: echo "::remove-matcher owner=go::"
- name: Check out code
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
ref: ${{ github.sha }}
- name: Install yaml dependency
uses: ./.github/actions/install-yaml-dep
- name: Extract dependent Pull Requests
uses: depends-on/depends-on-action@9e8a61fce18b15281e831f1bba0e14c71d1e1f46 # main
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Install checkmake
run: |
curl --location --output $CM_BIN --silent $CM_URL_LINUX
chmod +x $CM_BIN
- name: Install Shfmt
uses: mfinelli/setup-shfmt@031e887e39d899d773a7e9b6dd6472c2c23ff50d # v3.0.1
- name: Golangci-lint
uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0
with:
version: v1.60
args: --timeout 10m0s
- name: Checkmake
run: checkmake --config=.checkmake Makefile
- name: Hadolint
uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0
with:
dockerfile: Dockerfile
recursive: true
- name: Shfmt
run: shfmt -d script
- name: Markdownlint
uses: nosborn/github-action-markdown-cli@9b5e871c11cc0649c5ac2526af22e23525fa344d # v3.3.0
with:
files: .
- name: ShellCheck
uses: ludeeus/action-shellcheck@00b27aa7cb85167568cb48a3838b75f4265f2bca # master
# - name: Typos
# uses: crate-ci/typos@master
- name: Yamllint
uses: ibiqlik/action-yamllint@2576378a8e339169678f9939646ee3ee325e845c # v3.1.1
with:
config_file: .yamllint.yml
- name: Go vet
run: make vet
unit-tests:
name: Run Unit Tests
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ubuntu-22.04]
env:
SHELL: /bin/bash
steps:
- name: Set up Go 1.23
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: 1.23.1
- name: Disable default go problem matcher
run: echo "::remove-matcher owner=go::"
- name: Check out code
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
ref: ${{ github.sha }}
- name: Install yaml dependency
uses: ./.github/actions/install-yaml-dep
- name: Extract dependent Pull Requests
uses: depends-on/depends-on-action@9e8a61fce18b15281e831f1bba0e14c71d1e1f46 # main
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run Tests
run: make test
env:
SHELL: /bin/bash
- name: Quality Gate - Test coverage shall be above threshold
env:
TESTCOVERAGE_THRESHOLD: 15
run: |
echo "Quality Gate: checking test coverage is above threshold ..."
echo "Threshold : $TESTCOVERAGE_THRESHOLD %"
totalCoverage=`UNIT_TEST='true' cat cover.out.tmp | grep -v "_moq.go" > cover.out; go tool cover -func=cover.out | grep total | grep -Eo '[0-9]+\.[0-9]+'`
echo "Current test coverage : $totalCoverage %"
if (( $(echo "$totalCoverage $TESTCOVERAGE_THRESHOLD" | awk '{print ($1 > $2)}') )); then
echo OK
else
echo "Current test coverage is below threshold. Please add more unit tests or adjust threshold to a lower value."
echo "Failed"
exit 1
fi
precheck-images:
name: Precheck Images
runs-on: ubuntu-22.04
env:
SHELL: /bin/bash
steps:
- name: Pull the images to verify they exist
run: |
docker pull ${REGISTRY}/${OCT_IMAGE_NAME}:${OCT_IMAGE_TAG}
docker pull ${REGISTRY}/${PROBE_IMAGE_NAME}:${PROBE_IMAGE_TAG}
smoke-tests-local:
name: Run Local Smoke Tests
needs: precheck-images
if: needs.precheck-images.result == 'success'
runs-on: ubuntu-22.04
env:
SHELL: /bin/bash
KUBECONFIG: '/home/runner/.kube/config'
PFLT_DOCKERCONFIG: '/home/runner/.docker/config'
steps:
- name: Write temporary docker file
run: |
mkdir -p /home/runner/.docker
touch ${PFLT_DOCKERCONFIG}
echo '{ "auths": {} }' >> ${PFLT_DOCKERCONFIG}
- name: Set up Go 1.23
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: 1.23.1
- name: Disable default go problem matcher
run: echo "::remove-matcher owner=go::"
- name: Check out code
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
ref: ${{ github.sha }}
- name: Install yaml dependency
uses: ./.github/actions/install-yaml-dep
- name: Extract dependent Pull Requests
uses: depends-on/depends-on-action@9e8a61fce18b15281e831f1bba0e14c71d1e1f46 # main
with:
token: ${{ secrets.GITHUB_TOKEN }}
# Update the CNF containers, helm charts and operators DB.
- name: Update the CNF DB
run: |
mkdir -p "${GITHUB_WORKSPACE}"/offline-db
docker run \
--env OCT_DUMP_ONLY=true \
--rm \
--volume "${GITHUB_WORKSPACE}"/offline-db:/tmp/dump:Z \
${REGISTRY}/${OCT_IMAGE_NAME}:${OCT_IMAGE_TAG}
docker system prune --volumes -f
- name: Build the Certsuite tool
run: make build-certsuite-tool
- name: Remove go mod cache to save disk space.
run: |
df -h
go clean -modcache || true
df -h
- name: Setup partner cluster
uses: ./.github/actions/setup-partner-cluster
with:
make-command: 'install'
# Perform smoke tests.
- name: 'Test: Run test suites'
run: ./certsuite run --label-filter="${SMOKE_TESTS_LABELS_FILTER}" --output-dir=certsuite-out --log-level="${SMOKE_TESTS_LOG_LEVEL}"
- name: Upload smoke test results as an artifact
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
if: always()
with:
name: smoke-tests
path: |
certsuite-out/*.tar.gz
- name: Check the smoke test results against the expected results template
run: ./certsuite check results --log-file="certsuite-out/certsuite.log"
- name: 'Test: Run preflight specific test suite'
run: ./certsuite run --label-filter=preflight --log-level="${SMOKE_TESTS_LOG_LEVEL}"
- name: Upload preflight smoke test results as an artifact
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
if: always()
with:
name: preflight-smoke-tests
path: |
certsuite-out/*.tar.gz
- name: Remove tarball(s) to save disk space
run: rm -f certsuite-out/*.tar.gz
smoke-tests-container:
name: Run Container Smoke Tests
needs: precheck-images
if: needs.precheck-images.result == 'success'
runs-on: ubuntu-22.04
env:
SHELL: /bin/bash
KUBECONFIG: '/home/runner/.kube/config'
PFLT_DOCKERCONFIG: '/home/runner/.docker/config'
steps:
- name: Write temporary docker file
run: |
mkdir -p /home/runner/.docker
touch ${PFLT_DOCKERCONFIG}
echo '{ "auths": {} }' >> ${PFLT_DOCKERCONFIG}
# needed by depends-on-action
- name: Set up Go 1.23
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: 1.23.1
# Perform smoke tests using a Certsuite container.
- name: Check out code
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
ref: ${{ github.sha }}
- name: Setup partner cluster
uses: ./.github/actions/setup-partner-cluster
with:
make-command: 'install'
- name: Extract dependent Pull Requests
uses: depends-on/depends-on-action@9e8a61fce18b15281e831f1bba0e14c71d1e1f46 # main
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Build the `certsuite` image
uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
with:
timeout_minutes: 90
max_attempts: 3
command: make build-image-local
env:
IMAGE_TAG: ${CERTSUITE_IMAGE_TAG}
# Clean up unused container image layers. We need to filter out a possible error return code
# from docker with "|| true" as some images might still be used by running kind containers and
# will not be removed.
- name: Remove unnamed/dangling container images to save space. Show disk space before and after removing them.
run: |
df -h
docker rmi $(docker images -f "dangling=true" -q) || true
df -h
- name: Create required Certsuite config files and directories
run: |
mkdir -p $CERTSUITE_CONFIG_DIR $CERTSUITE_OUTPUT_DIR
cp /home/runner/.kube/config $CERTSUITE_CONFIG_DIR/kubeconfig
cp /home/runner/.docker/config $CERTSUITE_CONFIG_DIR/dockerconfig
cp config/*.yml $CERTSUITE_CONFIG_DIR
shell: bash
- name: 'Test: Run without any TS, just get diagnostic information'
run: |
docker run --rm --network host \
-v $CERTSUITE_CONFIG_DIR:/usr/certsuite/config:Z \
-v $CERTSUITE_OUTPUT_DIR:/usr/certsuite/output:Z \
${REGISTRY_LOCAL}/${CERTSUITE_IMAGE_NAME}:${CERTSUITE_IMAGE_TAG} \
certsuite run \
--output-dir=/usr/certsuite/output \
--preflight-dockerconfig=/usr/certsuite/config/dockerconfig \
--offline-db=/usr/offline-db \
--log-level=${SMOKE_TESTS_LOG_LEVEL} \
--config-file=/usr/certsuite/config/certsuite_config.yml \
--kubeconfig=/usr/certsuite/config/kubeconfig \
- name: 'Test: Run Smoke Tests in a Certsuite container with the certsuite command'
run: |
docker run --rm --network host \
-v $CERTSUITE_CONFIG_DIR:/usr/certsuite/config:Z \
-v $CERTSUITE_OUTPUT_DIR:/usr/certsuite/output:Z \
${REGISTRY_LOCAL}/${CERTSUITE_IMAGE_NAME}:${CERTSUITE_IMAGE_TAG} \
certsuite run \
--output-dir=/usr/certsuite/output \
--preflight-dockerconfig=/usr/certsuite/config/dockerconfig \
--offline-db=/usr/offline-db \
--enable-data-collection=true \
--log-level=${SMOKE_TESTS_LOG_LEVEL} \
--config-file=/usr/certsuite/config/certsuite_config.yml \
--kubeconfig=/usr/certsuite/config/kubeconfig \
--label-filter="${SMOKE_TESTS_LABELS_FILTER}"
- name: Upload container test results as an artifact
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
if: always()
with:
name: smoke-tests-container
path: |
${CERTSUITE_OUTPUT_DIR}/*.tar.gz
- name: Remove tarball(s) to save disk space.
run: rm -f ${CERTSUITE_OUTPUT_DIR}/*.tar.gz
- name: Build the Certsuite tool
run: make build-certsuite-tool
- name: Check the smoke test results against the expected results template
run: ./certsuite check results --log-file="${CERTSUITE_OUTPUT_DIR}"/certsuite.log
- name: 'Test: Run Preflight Specific Smoke Tests in a Certsuite container with the certsuite command'
run: |
docker run --rm --network host \
-v $CERTSUITE_CONFIG_DIR:/usr/certsuite/config:Z \
-v $CERTSUITE_OUTPUT_DIR:/usr/certsuite/output:Z \
${REGISTRY_LOCAL}/${CERTSUITE_IMAGE_NAME}:${CERTSUITE_IMAGE_TAG} \
certsuite run \
--output-dir=/usr/certsuite/output \
--preflight-dockerconfig=/usr/certsuite/config/dockerconfig \
--offline-db=/usr/offline-db \
--log-level=${SMOKE_TESTS_LOG_LEVEL} \
--config-file=/usr/certsuite/config/certsuite_config.yml \
--kubeconfig=/usr/certsuite/config/kubeconfig \
--label-filter="preflight"
# Only run this job if the previous jobs are successful that build the ARM and x86 images.
create-manifest-multiarch-legacy:
name: Create manifest list for multi-arch image (legacy)
needs: [unit-tests, smoke-tests-container]
runs-on: ubuntu-22.04
if: github.event_name != 'pull_request' && needs.smoke-tests-container.result == 'success' && needs.unit-tests.result == 'success'
steps:
- name: Check out code
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
ref: ${{ github.sha }}
- name: Set up QEMU
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
- name: Login to Quay.io
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
if: ${{ github.ref == 'refs/heads/main' && github.repository_owner == 'redhat-best-practices-for-k8s' }}
with:
registry: ${{ env.REGISTRY }}
username: ${{ secrets.QUAY_ROBOT_USERNAME }}
password: ${{ secrets.QUAY_ROBOT_TOKEN }}
- name: Build and push the unstable images for multi-arch
uses: docker/build-push-action@32945a339266b759abcbdc89316275140b0fc960 # v6.8.0
if: ${{ github.ref == 'refs/heads/main' && github.repository_owner == 'redhat-best-practices-for-k8s' }}
with:
context: .
file: Dockerfile
platforms: linux/amd64,linux/arm64
push: true
tags: |
${{ env.REGISTRY }}/${{ env.CERTSUITE_IMAGE_NAME_LEGACY }}:${{ env.CERTSUITE_IMAGE_TAG }}
- name: (if on main and upstream) Send chat msg to dev team if failed to create container image.
if: ${{ failure() && github.ref == 'refs/heads/main' && github.repository_owner == 'redhat-best-practices-for-k8s' }}
uses: ./.github/actions/slack-webhook-sender
with:
message: 'Failed to create the *unstable* container manifest'
slack_webhook: '${{ secrets.SLACK_ALERT_WEBHOOK_URL }}'
# Only run this job if the previous jobs are successful that build the ARM and x86 images.
create-manifest-multiarch:
name: Create manifest list for multi-arch image
needs: [unit-tests, smoke-tests-container]
runs-on: ubuntu-22.04
if: github.event_name != 'pull_request' && needs.smoke-tests-container.result == 'success' && needs.unit-tests.result == 'success'
steps:
- name: Check out code
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
ref: ${{ github.sha }}
- name: Set up QEMU
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
- name: Login to Quay.io
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
if: ${{ github.ref == 'refs/heads/main' && github.repository_owner == 'redhat-best-practices-for-k8s' }}
with:
registry: ${{ env.REGISTRY }}
username: ${{ secrets.QUAY_ROBOT_USERNAME_K8S }}
password: ${{ secrets.QUAY_ROBOT_TOKEN_K8S }}
- name: Build and push the unstable images for multi-arch
uses: docker/build-push-action@32945a339266b759abcbdc89316275140b0fc960 # v6.8.0
if: ${{ github.ref == 'refs/heads/main' && github.repository_owner == 'redhat-best-practices-for-k8s' }}
with:
context: .
file: Dockerfile
platforms: linux/amd64,linux/arm64
push: true
tags: |
${{ env.REGISTRY }}/${{ env.CERTSUITE_IMAGE_NAME }}:${{ env.CERTSUITE_IMAGE_TAG }}
- name: (if on main and upstream) Send chat msg to dev team if failed to create container image.
if: ${{ failure() && github.ref == 'refs/heads/main' && github.repository_owner == 'redhat-best-practices-for-k8s' }}
uses: ./.github/actions/slack-webhook-sender
with:
message: 'Failed to create the *unstable* container manifest'
slack_webhook: '${{ secrets.SLACK_ALERT_WEBHOOK_URL }}'
check-all-dependencies-are-merged:
name: Check all the PR dependencies are merged
runs-on: ubuntu-22.04
steps:
- name: Checkout code
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: Check all dependent Pull Requests are merged
uses: depends-on/depends-on-action@9e8a61fce18b15281e831f1bba0e14c71d1e1f46 # main
with:
token: ${{ secrets.GITHUB_TOKEN }}
check-unmerged-pr: true