1 parent
7cf4d33
commit 6773854
Showing
4 changed files
with
217 additions
and
136 deletions.
|
@@ -2,14 +2,15 @@ name: Continuous image testing | |
|
||
on: | ||
schedule: | ||
- cron: "0 1 * * *" | ||
- cron: "*/4 * * * *" | ||
|
||
jobs: | ||
list-released-images: | ||
prepare-test-matrix: | ||
runs-on: ubuntu-latest | ||
name: List the revisions of released images | ||
name: Prepare released image revisions to be tested | ||
outputs: | ||
released-revisions-matrix: ${{ steps.prepare-test-matrix.outputs.released-revisions-matrix }} | ||
last-scan: ${{ steps.last-scan.outputs.date }} | ||
steps: | ||
- uses: actions/checkout@v3 | ||
- uses: actions/setup-python@v4 | ||
|
@@ -21,43 +22,24 @@ jobs: | |
id: prepare-test-matrix | ||
run: ./src/tests/get_released_revisions.py --oci-images-path $PWD/oci | ||
|
||
dispatch-tests: | ||
runs-on: ubuntu-latest | ||
name: Dispatch tests for released images | ||
needs: [list-released-images] | ||
strategy: | ||
fail-fast: false | ||
matrix: ${{ fromJSON(needs.list-released-images.outputs.released-revisions-matrix) }} | ||
steps: | ||
- name: Run tests for ${{ matrix.source-image }} | ||
# Using this actions cause others can have this problem: | ||
# https://github.com/convictional/trigger-workflow-and-wait/issues/61 | ||
uses: mathze/[email protected] | ||
id: run-tests | ||
env: | ||
IS_A_ROCK: ${{ matrix.dockerfile-build == '' && true || false }} | ||
with: | ||
token: ${{ secrets.GITHUB_TOKEN }} | ||
ref: ${{ github.ref_name }} | ||
fail-on-error: true | ||
workflow-name: Tests.yaml | ||
# For continuous auditing, let's assume all images are NOT ROCKs and | ||
# thus only run the most generic tests | ||
payload: '{ "oci-image-name": "${{ matrix.source-image }}", "oci-image-path": "oci/${{ matrix.name }}", "is-a-rock": false, "test-from": "registry"}' | ||
trigger-timeout: "5m" | ||
wait-timeout: "45m" | ||
run-id: dummy | ||
use-marker-step: true | ||
|
||
- name: Write step summary | ||
- name: Infer date of last scan | ||
id: last-scan | ||
run: | | ||
url='${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ steps.run-tests.outputs.run-id }}' | ||
echo " - Triggered tests for '${{ matrix.source-image }}' at [${url}](${url})" >> "$GITHUB_STEP_SUMMARY" | ||
# This is scheduled to run every day, so let's look at the previous | ||
# 26 hours, roughly | ||
set -ex | ||
last_scan="$(date --date='26 hours ago' +'%Y-%m-%dT%H:%M:00Z')" | ||
echo "date=$last_scan" >> "$GITHUB_OUTPUT" | ||
- name: Enforce test conclusion | ||
if: ${{ steps.run-tests.outputs.run-conclusion != 'success' }} | ||
# The previous step doesn't always raise an error | ||
run: | | ||
url='${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ steps.run-tests.outputs.run-id }}' | ||
echo "Testing of image '${{ matrix.source-image }}' failed at [${url}](${url})." | ||
exit 1 | ||
run-tests: | ||
name: Run tests for released images | ||
needs: [prepare-test-matrix] | ||
strategy: | ||
fail-fast: false | ||
matrix: ${{ fromJSON(needs.prepare-test-matrix.outputs.released-revisions-matrix) }} | ||
uses: canonical/oci-factory/.github/workflows/Vulnerability-Scan.yaml@main | ||
with: | ||
oci-image-name: "${{ matrix.source-image }}" | ||
oci-image-path: "oci/${{ matrix.name }}" | ||
date-last-scan: ${{ needs.prepare-test-matrix.outputs.last-scan }} | ||
secrets: inherit |
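Review bot: `- cron: "*/4 * * * *"` schedules the whole released-image matrix every four minutes, yet the `Infer date of last scan` step still says `This is scheduled to run every day` and looks back 26 hours; if the four-minute entry is the one kept (old/new markers are lost on this page), it reads like a debugging leftover that would fan out one `Vulnerability-Scan.yaml` run per image, with `secrets: inherit`, every few minutes, so either restore `"0 1 * * *"` or make the comment and the 26-hour window agree with the real cadence. `uses: canonical/oci-factory/.github/workflows/Vulnerability-Scan.yaml@main` also floats on a branch name, so a run from a feature branch executes main's copy of the callee rather than the checked-out one; for a same-repository reusable workflow the local form `uses: ./.github/workflows/Vulnerability-Scan.yaml` keeps caller and callee at the same commit. `secrets: inherit` hands every repository secret to the callee; if the scan needs only a token or two, list them explicitly under `secrets:`.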
|
@@ -31,11 +31,6 @@ on: | |
required: false | ||
type: string | ||
default: '.vulnerability-report.json' | ||
external_ref_id: #(1) | ||
description: 'Optional ID for unique run detection' | ||
required: false | ||
type: string | ||
default: "default-id" | ||
workflow_dispatch: | ||
inputs: | ||
oci-image-name: | ||
|
@@ -84,6 +79,8 @@ jobs: | |
fetch-oci-image: | ||
runs-on: ubuntu-22.04 | ||
name: Fetch OCI image for testing | ||
outputs: | ||
test-cache-key: ${{ steps.cache.outputs.key }} | ||
steps: | ||
- name: ${{ inputs.external_ref_id }} #(2) | ||
run: echo 'Started by ${{ inputs.external_ref_id }}' >> "$GITHUB_STEP_SUMMARY" | ||
|
@@ -118,6 +115,10 @@ jobs: | |
path: ${{ env.TEST_IMAGE_NAME}} | ||
key: ${{ github.run_id }}-${{ inputs.oci-image-name }}-${{ env.TEST_IMAGE_NAME }} | ||
|
||
- name: Save cache key | ||
id: cache | ||
run: echo "key=${{ github.run_id }}-${{ inputs.oci-image-name }}-${{ env.TEST_IMAGE_NAME }}" >> "$GITHUB_OUTPUT" | ||
|
||
|
||
test-oci-compliance: | ||
runs-on: ubuntu-22.04 | ||
|
@@ -127,7 +128,7 @@ jobs: | |
- uses: actions/cache/restore@v3 | ||
with: | ||
path: ${{ env.TEST_IMAGE_NAME}} | ||
key: ${{ github.run_id }}-${{ inputs.oci-image-name }}-${{ env.TEST_IMAGE_NAME }} | ||
key: ${{ needs.fetch-oci-image.outputs.test-cache-key }} | ||
|
||
- name: Install Umoci | ||
run: | | ||
|
@@ -155,7 +156,7 @@ jobs: | |
- uses: actions/cache/restore@v3 | ||
with: | ||
path: ${{ env.TEST_IMAGE_NAME}} | ||
key: ${{ github.run_id }}-${{ inputs.oci-image-name }}-${{ env.TEST_IMAGE_NAME }} | ||
key: ${{ needs.fetch-oci-image.outputs.test-cache-key }} | ||
|
||
- name: Copy image to Docker daemon | ||
run: | | ||
|
@@ -189,7 +190,7 @@ jobs: | |
- uses: actions/cache/restore@v3 | ||
with: | ||
path: ${{ env.TEST_IMAGE_NAME}} | ||
key: ${{ github.run_id }}-${{ inputs.oci-image-name }}-${{ env.TEST_IMAGE_NAME }} | ||
key: ${{ needs.fetch-oci-image.outputs.test-cache-key }} | ||
|
||
- name: Copy image to Docker daemon | ||
run: | | ||
|
@@ -212,74 +213,16 @@ jobs: | |
test-vulnerabilities: | ||
runs-on: ubuntu-22.04 | ||
name: Vulnerability scan | ||
needs: [fetch-oci-image] | ||
outputs: | ||
vulnerability-report: ${{ steps.vulnerability-report.outputs.name }} | ||
steps: | ||
- uses: actions/checkout@v3 | ||
|
||
- id: vulnerability-report | ||
run: | | ||
full_name="${{ inputs.oci-image-name }}${{ inputs.vulnerability-report-suffix }}" | ||
final_name="$(echo ${full_name} | sed 's/ghcr.io\/canonical\/oci-factory\///g' | tr ':' '_')" | ||
echo "name=$final_name" >> "$GITHUB_OUTPUT" | ||
- uses: actions/cache/restore@v3 | ||
with: | ||
path: ${{ env.TEST_IMAGE_NAME}} | ||
key: ${{ github.run_id }}-${{ inputs.oci-image-name }}-${{ env.TEST_IMAGE_NAME }} | ||
|
||
- name: Copy image to Docker daemon | ||
run: | | ||
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \ | ||
-v $PWD:/workdir -w /workdir \ | ||
${{ env.SKOPEO_IMAGE }} \ | ||
copy oci:${{ env.TEST_IMAGE_NAME}}:${{ env.TEST_IMAGE_TAG }} \ | ||
docker-daemon:${{ env.TEST_IMAGE_NAME}}:${{ env.TEST_IMAGE_TAG }} | ||
- name: Check for .trivyignore | ||
id: trivyignore | ||
run: | | ||
if [ -f ${{ inputs.oci-image-path }}/.trivyignore ] | ||
then | ||
file=${{ inputs.oci-image-path }}/.trivyignore | ||
else | ||
# dummy .trivyignore file | ||
file=.trivyignore | ||
touch $file | ||
fi | ||
echo "file=$file" >> "$GITHUB_OUTPUT" | ||
- name: Scan for vulnerabilities | ||
uses: aquasecurity/[email protected] | ||
with: | ||
# NOTE: we're allowing images with vulnerabilities to be published | ||
ignore-unfixed: true | ||
trivyignores: ${{ steps.trivyignore.outputs.file }} | ||
format: 'cosign-vuln' | ||
severity: 'HIGH,CRITICAL' | ||
exit-code: '1' | ||
# NOTE: pebble is flagged with a HIGH vuln because of golang.org/x/crypto | ||
# CVE-2021-43565, CVE-2022-27191 | ||
skip-files: /bin/pebble | ||
# missing ${{ runner.arch }} | ||
output: '${{ steps.vulnerability-report.outputs.name }}' | ||
image-ref: '${{ env.TEST_IMAGE_NAME}}:${{ env.TEST_IMAGE_TAG }}' | ||
|
||
- if: ${{ always() }} | ||
run: | | ||
cat ${{ steps.vulnerability-report.outputs.name }} | ||
echo "report=$report" >> "$GITHUB_OUTPUT" | ||
uses: canonical/oci-factory/.github/workflows/Vulnerability-Scan.yaml@main | ||
with: | ||
oci-image-name: "${{ inputs.oci-image-name }}" | ||
oci-image-path: "${{ inputs.oci-image-path }}" | ||
cache-key: "${{ needs.fetch-oci-image.outputs.test-cache-key }}" | ||
vulnerability-report-suffix: "${{ inputs.vulnerability-report-suffix}}" | ||
|
||
- uses: actions/cache/save@v3 | ||
if: ${{ always() }} | ||
with: | ||
path: ${{ steps.vulnerability-report.outputs.name }} | ||
key: ${{ github.run_id }}-${{ steps.vulnerability-report.outputs.name }} | ||
|
||
|
||
test-malware: | ||
runs-on: ubuntu-22.04 | ||
name: Malware scan | ||
|
@@ -314,26 +257,3 @@ jobs: | |
- name: Scan for malware | ||
run: | | ||
./src/tests/malware_scan.py --filesystem ./raw/rootfs | ||
upload-test-artefacts: | ||
name: Upload test artefacts | ||
runs-on: ubuntu-22.04 | ||
if: ${{ always() }} | ||
needs: | ||
- test-vulnerabilities | ||
- test-black-box | ||
- test-oci-compliance | ||
- test-malware | ||
- test-efficiency | ||
steps: | ||
- name: Restore vulnerability report for upload | ||
uses: actions/cache/restore@v3 | ||
with: | ||
path: ${{ needs.test-vulnerabilities.outputs.vulnerability-report }} | ||
key: ${{ github.run_id }}-${{ needs.test-vulnerabilities.outputs.vulnerability-report }} | ||
|
||
- uses: actions/upload-artifact@v3 | ||
with: | ||
name: ${{ needs.test-vulnerabilities.outputs.vulnerability-report }} | ||
path: ${{ needs.test-vulnerabilities.outputs.vulnerability-report }} |
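Review bot: The marker step `- name: ${{ inputs.external_ref_id }} #(2)` and its `Started by ${{ inputs.external_ref_id }}` summary line in `fetch-oci-image` still reference an input that the first hunk removes from the `on:` inputs, so both expressions will expand to an empty string unless `workflow_dispatch` (not fully visible here) still declares it; since the caller in this same commit no longer uses the marker-step trigger, those two lines should go together with the input. The replacement `test-vulnerabilities` job calls `canonical/oci-factory/.github/workflows/Vulnerability-Scan.yaml@main`, so a pull request that touches both this workflow and the scan workflow would exercise main's copy of the scan rather than the branch's; `uses: ./.github/workflows/Vulnerability-Scan.yaml` pins the callee to the caller's commit. Unlike the continuous-testing caller, this call passes no `secrets:`, which is fine if the scan needs none, but worth confirming against the callee's `workflow_call` contract.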