Strict patch #4086

Workflow file for this run

.github/workflows/integration.yaml at 9cc883c

	name: Integration Tests

	on:
	push:
	paths-ignore:
	- 'docs/**'
	branches:
	- main
	- autoupdate/strict
	- autoupdate/moonray
	- 'release-[0-9]+.[0-9]+'
	- 'autoupdate/release-[0-9]+.[0-9]+-strict'
	- 'autoupdate/sync/**'
	pull_request:
	paths-ignore:
	- 'docs/**'

	permissions:
	contents: read

	jobs:
	build:
	name: Build
	runs-on: ubuntu-20.04

	steps:
	- name: Checking out repo
	uses: actions/checkout@v4
	- name: Install lxd
	run: \|
	sudo snap refresh lxd --channel 5.21/stable
	sudo lxd init --auto
	sudo usermod --append --groups lxd $USER
	sg lxd -c 'lxc version'
	- name: Install snapcraft
	run: \|
	sudo snap install snapcraft --classic
	- name: Build snap
	run: \|
	sg lxd -c 'snapcraft --use-lxd'
	mv k8s_*.snap k8s.snap
	- name: Uploading snap
	uses: actions/upload-artifact@v4
	with:
	name: k8s.snap
	path: k8s.snap

	test-branches:
	name: Test Branch Management
	runs-on: ubuntu-20.04
	steps:
	- name: Check out code
	uses: actions/checkout@v4
	with:
	fetch-depth: 0
	- name: Setup Python
	uses: actions/setup-python@v5
	with:
	python-version: '3.8'
	- name: Install tox
	run: pip install tox
	- name: Run branch_management tests
	run: \|
	tox -c tests/branch_management -e test

	test-integration:
	name: Test ${{ matrix.os }}
	strategy:
	fail-fast: false
	matrix:
	os: ["ubuntu:20.04", "ubuntu:22.04", "ubuntu:24.04"]
	runs-on: ["self-hosted", "Linux", "AMD64", "jammy", "large"]
	needs: build

	steps:
	- name: Check out code
	uses: actions/checkout@v4
	- name: Setup Python
	uses: actions/setup-python@v5
	with:
	python-version: '3.10'
	- name: Install tox
	run: pip install tox
	- name: Install lxd
	run: \|
	sudo snap refresh lxd --channel 5.21/stable
	sudo lxd init --auto
	sudo usermod --append --groups lxd $USER
	sg lxd -c 'lxc version'
	sudo iptables -I DOCKER-USER -i lxdbr0 -j ACCEPT
	sudo iptables -I DOCKER-USER -o lxdbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
	- name: Download snap
	uses: actions/download-artifact@v4
	with:
	name: k8s.snap
	path: ${{ github.workspace }}/build
	- name: Run end to end tests
	env:
	TEST_SNAP: ${{ github.workspace }}/build/k8s.snap
	TEST_SUBSTRATE: lxd
	TEST_LXD_IMAGE: ${{ matrix.os }}
	TEST_INSPECTION_REPORTS_DIR: ${{ github.workspace }}/inspection-reports
	# Test the latest (up to) 6 releases for the flavour
	# TODO(ben): upgrade nightly to run all flavours
	TEST_VERSION_UPGRADE_CHANNELS: "recent 6 classic"
	# Upgrading from 1.30 is not supported.
	TEST_VERSION_UPGRADE_MIN_RELEASE: "1.31"
	TEST_MIRROR_LIST: '[{"name": "ghcr.io", "port": 5000, "remote": "https://ghcr.io", "username": "${{ github.actor }}", "password": "${{ secrets.GITHUB_TOKEN }}"}, {"name": "docker.io", "port": 5001, "remote": "https://registry-1.docker.io", "username": "", "password": ""}, {"name": "rocks.canonical.com", "port": 5002, "remote": "https://rocks.canonical.com/cdk"}]'
	run: \|
	tags="pull_request"
	# Run all tests if there are test changes. In case of a PR, we'll
	# get a merge commit that includes all changes.
	if git diff HEAD HEAD~1 --name-only \| grep "tests/"; then
	tags="up_to_weekly"
	fi
	# Run all tests on backports.
	if echo ${{ github.base_ref }} \| grep "release-"; then
	tags="up_to_weekly"
	fi
	cd tests/integration && sg lxd -c "tox -e integration -- --tags $tags"
	- name: Prepare inspection reports
	if: failure()
	run: \|
	tar -czvf inspection-reports.tar.gz -C ${{ github.workspace }} inspection-reports
	echo "artifact_name=inspection-reports-${{ matrix.os }}" \| sed 's/:/-/g' >> $GITHUB_ENV
	- name: Upload inspection report artifact
	if: failure()
	uses: actions/upload-artifact@v4
	with:
	name: ${{ env.artifact_name }}
	path: ${{ github.workspace }}/inspection-reports.tar.gz

	security-scan:
	permissions:
	contents: read # for actions/checkout to fetch code
	security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
	name: Security scan
	runs-on: ubuntu-20.04
	needs: build
	steps:
	- name: Login to GitHub Container Registry
	uses: docker/login-action@v3
	with:
	# We run into rate limiting issues if we don't authenticate
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}
	- name: Checking out repo
	uses: actions/checkout@v4
	- name: Fetch snap
	uses: actions/download-artifact@v4
	with:
	name: k8s.snap
	path: build
	- name: Setup Trivy vulnerability scanner
	run: \|
	mkdir -p manual-trivy/sarifs
	pushd manual-trivy
	VER=$(curl --silent -qI https://github.com/aquasecurity/trivy/releases/latest \| awk -F '/' '/^location/ {print substr($NF, 1, length($NF)-1)}');
	wget https://github.com/aquasecurity/trivy/releases/download/${VER}/trivy_${VER#v}_Linux-64bit.tar.gz
	tar -zxvf ./trivy_${VER#v}_Linux-64bit.tar.gz
	popd
	- name: Run Trivy vulnerability scanner in repo mode
	uses: aquasecurity/trivy-action@master
	with:
	scan-type: "fs"
	ignore-unfixed: true
	format: "sarif"
	output: "trivy-k8s-repo-scan--results.sarif"
	severity: "MEDIUM,HIGH,CRITICAL"
	env:
	TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db"
	- name: Gather Trivy repo scan results
	run: \|
	cp trivy-k8s-repo-scan--results.sarif ./manual-trivy/sarifs/
	- name: Run Trivy vulnerability scanner on the snap
	run: \|
	for var in $(env \| grep -o '^TRIVY_[^=]*'); do
	unset "$var"
	done
	cp build/k8s.snap .
	unsquashfs k8s.snap
	./manual-trivy/trivy --db-repository public.ecr.aws/aquasecurity/trivy-db rootfs ./squashfs-root/ --format sarif > ./manual-trivy/sarifs/snap.sarif
	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: "./manual-trivy/sarifs"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Strict patch #4086

Workflow file

Strict patch #4086

Jobs

Run details

Workflow file for this run