-
Notifications
You must be signed in to change notification settings - Fork 15
166 lines (133 loc) · 5.16 KB
/
validations.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
name: "Validations"
on:
workflow_dispatch:
pull_request:
# needed for running release pre-checks on merges to the main branch
push:
branches:
- main
env:
CGO_ENABLED: "0"
jobs:
# Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
Static-Analysis:
name: "Static analysis"
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v3
- name: Bootstrap environment
uses: ./.github/actions/bootstrap
with:
python: false
- name: Run static analysis
run: make static-analysis
# Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
Unit-Test:
name: "Unit tests"
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v3
- name: Bootstrap environment
uses: ./.github/actions/bootstrap
- name: Install dependencies and package
run: |
cd publish && poetry install
- name: Run unit tests
run: make unit
# Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
Build-Snapshot-Artifacts:
name: "Build snapshot artifacts"
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v3
- name: Bootstrap environment
uses: ./.github/actions/bootstrap
with:
# why have another build cache key? We don't want unit/integration/etc test build caches to replace
# the snapshot build cache, which includes builds for all OSs and architectures. As long as this key is
# unique from the build-cache-key-prefix in other CI jobs, we should be fine.
#
# note: ideally this value should match what is used in release (just to help with build times).
build-cache-key-prefix: "snapshot"
bootstrap-apt-packages: ""
python: false
- name: Build snapshot artifacts
run: make snapshot
# why not use actions/upload-artifact? It is very slow (3 minutes to upload ~600MB of data, vs 10 seconds with this approach).
# see https://github.com/actions/upload-artifact/issues/199 for more info
- name: Upload snapshot artifacts
uses: actions/cache/save@v3
with:
path: snapshot
key: snapshot-build-${{ github.run_id }}
Discover-Schema-Versions:
name: "Discover supported schema versions"
runs-on: ubuntu-20.04
outputs:
schema-versions: ${{ steps.read-schema-versions.outputs.schema-versions }}
steps:
- uses: actions/checkout@v3
- name: Read supported schema versions
id: read-schema-versions
run: |
content=`cat grype-schema-version-mapping.json | jq -c 'keys'`
echo "schema-versions=$content" >> $GITHUB_OUTPUT
# Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
Acceptance-Test:
name: "Acceptance tests"
needs: Discover-Schema-Versions
runs-on: ubuntu-20.04
strategy:
matrix:
schema-version: ${{fromJson(needs.Discover-Schema-Versions.outputs.schema-versions)}}
# set the permissions granted to the github token to read the pull cache from ghcr.io
permissions:
contents: read
packages: read
steps:
- uses: actions/checkout@v3
with:
# this downloads and initializes LFS, but does not pull the objects
lfs: true
- name: Checkout LFS objects
# lfs pull does a lfs fetch and lfs checkout, this is NOT the same as "git pull"
run: git lfs pull
- name: Bootstrap environment
uses: ./.github/actions/bootstrap
- name: Install dependencies and package
run: |
cd test/acceptance && poetry install
- name: Login to ghcr.io
run: |
echo ${{ secrets.GITHUB_TOKEN }} | oras login ghcr.io --username ${{ github.actor }} --password-stdin
- name: Pull vulnerability data
run: make download-all-provider-cache
- name: Build DB
run: |
cd test/acceptance && \
poetry run python grype-ingest.py generate --schema-version ${{ matrix.schema-version }}
- name: Test DB
run: |
cd test/acceptance && \
poetry run python grype-ingest.py test --schema-version ${{ matrix.schema-version }}
Cli-Linux:
# Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
name: "CLI tests (Linux)"
needs: [Build-Snapshot-Artifacts]
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v3
- name: Bootstrap environment
uses: ./.github/actions/bootstrap
- name: Restore CLI test-fixture cache
uses: actions/cache@v3
with:
path: ${{ github.workspace }}/test/cli/test-fixtures/cache
key: ${{ runner.os }}-cli-test-cache-${{ hashFiles('test/cli/test-fixtures/cache.fingerprint') }}
- name: Download snapshot build
uses: actions/cache/restore@v3
with:
path: snapshot
key: snapshot-build-${{ github.run_id }}
- name: Run CLI Tests (Linux)
run: make cli