adding xeol scan in CI #394
Workflow file for this run
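# CI validation workflow: static analysis, unit / integration / CLI tests,
# snapshot builds, and install-script acceptance tests.
name: "Validations"

# Triggers: manual dispatch, pushes to main, and every pull request.
# `pull_request` (rather than `pull_request_target`) is used, so runs for PRs
# from forks get a read-only token and no repository secrets by default.
# Every `make` target below executes code from the checked-out ref.
on:
  workflow_dispatch:
  push:
    branches:
      - main
  pull_request:

# Toolchain versions shared by all jobs. Both are quoted so YAML keeps them as
# strings (an unquoted 3.10 would be read as the float 3.1).
env:
  GO_VERSION: "1.20.x"
  PYTHON_VERSION: "3.10"

# Least privilege: GITHUB_TOKEN can only read repository contents.
# No job in this file widens the scope.
permissions:
  contents: read

# All third-party actions are pinned to a full commit SHA; the trailing
# version comment is informational only (the SHA is what actually runs).
jobs:

  Static-Analysis:
    # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
    name: "Static analysis"
    runs-on: ubuntu-20.04
    steps:

      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe  # v4.1.0
        with:
          go-version: ${{ env.GO_VERSION }}

      # NOTE(review): confirm the version comment matches the tag this commit
      # belongs to; the same SHA/comment pair is reused in every job below.
      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744  # v2.5.0

      # Keyed only on the Makefile hash. Presumably .tmp holds the tools
      # installed by `make bootstrap`, which later make targets then run;
      # confirm that every tool version change also changes the Makefile.
      - name: Restore tool cache
        id: tool-cache
        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8  # v3.3.1
        with:
          path: ${{ github.workspace }}/.tmp
          key: ${{ runner.os }}-tool-${{ hashFiles('Makefile') }}

      # restore-keys allows a prefix fallback when go.sum changed. cache-hit is
      # 'true' only on an exact key match, so a fallback restore still triggers
      # the bootstrap step below.
      - name: Restore go cache
        id: go-cache
        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8  # v3.3.1
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-${{ env.GO_VERSION }}-

      - name: (cache-miss) Bootstrap all project dependencies
        if: steps.tool-cache.outputs.cache-hit != 'true' || steps.go-cache.outputs.cache-hit != 'true'
        run: make bootstrap

      - name: Bootstrap CI environment dependencies
        run: make ci-bootstrap

      - name: Run static analysis
        run: make static-analysis

      # allow for PRs to skip validating the syft version to allow for incremental updates of syft before release.
      # In this way checks against the main branch (which are required for release) will fail, but PR checks will not
      #
      # An explicit if/else is used instead of `A && B || C`: with the chained
      # form a failing `make validate-syft-release-version` fell through to the
      # echo and the step still exited 0, so the check could never fail.
      # The ref name is quoted so it is always passed as a single argument.
      - name: Ensure syft version is a release version
        run: |
          ref_name="${GITHUB_REF##*/}"
          echo "GitHub reference: ${ref_name}"
          git fetch origin main
          if git merge-base --is-ancestor "${ref_name}" origin/main; then
            make validate-syft-release-version
          else
            echo "skipping syft version check"
          fi

  Unit-Test:
    # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
    name: "Unit tests"
    runs-on: ubuntu-20.04
    steps:

      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe  # v4.1.0
        with:
          go-version: ${{ env.GO_VERSION }}

      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744  # v2.5.0

      # Same tool / go cache setup as the Static-Analysis job.
      - name: Restore tool cache
        id: tool-cache
        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8  # v3.3.1
        with:
          path: ${{ github.workspace }}/.tmp
          key: ${{ runner.os }}-tool-${{ hashFiles('Makefile') }}

      - name: Restore go cache
        id: go-cache
        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8  # v3.3.1
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-${{ env.GO_VERSION }}-

      - name: (cache-miss) Bootstrap all project dependencies
        if: steps.tool-cache.outputs.cache-hit != 'true' || steps.go-cache.outputs.cache-hit != 'true'
        run: make bootstrap

      - name: Bootstrap CI environment dependencies
        run: make ci-bootstrap

      - name: Run unit tests
        run: make unit

      # Publishes everything under test/results as a run artifact.
      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce  # v3.1.2
        with:
          name: unit-test-results
          path: test/results/**/*

  # The Quality-Test job below is disabled (kept commented out).
  # NOTE(review): if it is re-enabled, its python cache key reuses the "-go-"
  # prefix; a distinct prefix would keep the two caches clearly separated.
  #
  # Quality-Test:
  #   # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
  #   name: "Quality tests"
  #   runs-on: ubuntu-20.04
  #   steps:
  #
  #     - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
  #       with:
  #         go-version: ${{ env.GO_VERSION }}
  #
  #     - uses: actions/setup-python@13ae5bb136fac2878aff31522b9efb785519f984 # v4.3.0
  #       with:
  #         python-version: ${{ env.PYTHON_VERSION }}
  #
  #     - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v2.5.0
  #       with:
  #         submodules: true
  #
  #     - name: Restore tool cache
  #       id: tool-cache
  #       uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
  #       with:
  #         path: ${{ github.workspace }}/.tmp
  #         key: ${{ runner.os }}-tool-${{ hashFiles('Makefile') }}
  #
  #     - name: Restore go cache
  #       id: go-cache
  #       uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
  #       with:
  #         path: ~/go/pkg/mod
  #         key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}
  #         restore-keys: |
  #           ${{ runner.os }}-go-${{ env.GO_VERSION }}-
  #
  #     - name: Restore python cache
  #       id: python-cache
  #       uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
  #       with:
  #         path: |
  #           test/quality/venv
  #           test/quality/vulnerability-match-labels/venv
  #         key: ${{ runner.os }}-go-${{ env.PYTHON_VERSION }}-${{ hashFiles('**/test/quality/**/requirements.txt') }}
  #         restore-keys: |
  #           ${{ runner.os }}-go-${{ env.PYTHON_VERSION }}-
  #
  #     - name: (cache-miss) Bootstrap all project dependencies
  #       if: steps.tool-cache.outputs.cache-hit != 'true' || steps.go-cache.outputs.cache-hit != 'true'
  #       run: make bootstrap
  #
  #     - name: Run quality tests
  #       run: make quality

  Integration-Test:
    # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
    name: "Integration tests"
    runs-on: ubuntu-20.04
    steps:

      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe  # v4.1.0
        with:
          go-version: ${{ env.GO_VERSION }}

      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744  # v2.5.0

      # Same tool / go cache setup as the Static-Analysis job.
      - name: Restore tool cache
        id: tool-cache
        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8  # v3.3.1
        with:
          path: ${{ github.workspace }}/.tmp
          key: ${{ runner.os }}-tool-${{ hashFiles('Makefile') }}

      - name: Restore go cache
        id: go-cache
        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8  # v3.3.1
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-${{ env.GO_VERSION }}-

      - name: (cache-miss) Bootstrap all project dependencies
        if: steps.tool-cache.outputs.cache-hit != 'true' || steps.go-cache.outputs.cache-hit != 'true'
        run: make bootstrap

      - name: Bootstrap CI environment dependencies
        run: make ci-bootstrap

      # The fingerprint target must run before the cache step: the cache key
      # below is derived from the cache.fingerprint file.
      - name: Build key for tar cache
        run: make integration-fingerprint

      - name: Restore integration test cache
        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8  # v3.3.1
        with:
          path: ${{ github.workspace }}/test/integration/test-fixtures/cache
          key: ${{ runner.os }}-integration-test-cache-${{ hashFiles('test/integration/test-fixtures/cache.fingerprint') }}

      - name: Run integration tests
        run: make integration

  # Builds the snapshot artifacts that the acceptance and CLI jobs download.
  Build-Snapshot-Artifacts:
    name: "Build snapshot artifacts"
    runs-on: ubuntu-20.04
    steps:

      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe  # v4.1.0
        with:
          go-version: ${{ env.GO_VERSION }}

      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744  # v2.5.0

      - name: Set up QEMU
        uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7  # v2.2.0

      # Same tool / go cache setup as the Static-Analysis job.
      - name: Restore tool cache
        id: tool-cache
        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8  # v3.3.1
        with:
          path: ${{ github.workspace }}/.tmp
          key: ${{ runner.os }}-tool-${{ hashFiles('Makefile') }}

      - name: Restore go cache
        id: go-cache
        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8  # v3.3.1
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-${{ env.GO_VERSION }}-

      - name: (cache-miss) Bootstrap all project dependencies
        if: steps.tool-cache.outputs.cache-hit != 'true' || steps.go-cache.outputs.cache-hit != 'true'
        run: make bootstrap

      - name: Build snapshot artifacts
        run: make snapshot snapshot-docker-assets

      # Uploaded under the name "artifacts"; downstream jobs fetch it by name.
      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce  # v3.1.2
        with:
          name: artifacts
          path: snapshot/**/*

  Acceptance-Linux:
    # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
    name: "Acceptance tests (Linux)"
    needs: [Build-Snapshot-Artifacts]
    runs-on: ubuntu-20.04
    steps:

      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744  # v2.5.0

      # Fetches the snapshot build from Build-Snapshot-Artifacts into snapshot/.
      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a  # v3.0.2
        with:
          name: artifacts
          path: snapshot

      # Must run before the cache step: the key is derived from cache.fingerprint.
      - name: Build key for image cache
        run: make install-fingerprint

      - name: Restore install.sh test image cache
        id: install-test-image-cache
        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8  # v3.3.1
        with:
          path: ${{ github.workspace }}/test/install/cache
          key: ${{ runner.os }}-install-test-image-cache-${{ hashFiles('test/install/cache.fingerprint') }}

      - name: Load test image cache
        if: steps.install-test-image-cache.outputs.cache-hit == 'true'
        run: make install-test-cache-load

      - name: Run install.sh tests (Linux)
        run: make install-test

      - name: (cache-miss) Create test image cache
        if: steps.install-test-image-cache.outputs.cache-hit != 'true'
        run: make install-test-cache-save

  Acceptance-Mac:
    # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
    name: "Acceptance tests (Mac)"
    needs: [Build-Snapshot-Artifacts]
    # Unlike the Linux jobs, this runner label floats with GitHub's "latest" image.
    runs-on: macos-latest
    steps:

      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744  # v2.5.0

      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a  # v3.0.2
        with:
          name: artifacts
          path: snapshot

      - name: Run install.sh tests (Mac)
        run: make install-test-ci-mac

  Cli-Linux:
    # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
    name: "CLI tests (Linux)"
    needs: [Build-Snapshot-Artifacts]
    runs-on: ubuntu-20.04
    steps:

      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe  # v4.1.0
        with:
          go-version: ${{ env.GO_VERSION }}

      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744  # v2.5.0

      # Only the go module cache is restored here; this job has no tool cache.
      - name: Restore go cache
        id: go-cache
        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8  # v3.3.1
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-${{ env.GO_VERSION }}-

      - name: (cache-miss) Bootstrap go dependencies
        if: steps.go-cache.outputs.cache-hit != 'true'
        run: make bootstrap-go

      # Must run before the cache step: the key is derived from cache.fingerprint.
      - name: Build key for tar cache
        run: make cli-fingerprint

      - name: Restore CLI test cache
        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8  # v3.3.1
        with:
          path: ${{ github.workspace }}/test/cli/test-fixtures/cache
          key: ${{ runner.os }}-cli-test-cache-${{ hashFiles('test/cli/test-fixtures/cache.fingerprint') }}

      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a  # v3.0.2
        with:
          name: artifacts
          path: snapshot

      - name: Run CLI Tests (Linux)
        run: make cli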