fix: install trivy for security hub and parallelize release (#680)

defenseunicorns · Jun 10, 2024 · 16ce2ac · 16ce2ac
1 parent 24b56b5
commit 16ce2ac
Show file tree

Hide file tree

Showing 4 changed files with 137 additions and 20 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -38,13 +38,130 @@ jobs:
           path: build/
           retention-days: 1
 
-  validate:
+  test-bundle:
     runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Checkout
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        with:
+          fetch-depth: 0
+
+      - name: setup-using-previous-job
+        uses: ./.github/actions/setup-from-previous
+
+      - name: Run e2e bundle tests
+        run: |
+          build/uds run test:bundle --no-progress
+
+      - name: Save logs
+        if: always()
+        uses: ./.github/actions/save-logs
+        with:
+          name: build
+
+  test-dev:
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Checkout
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        with:
+          fetch-depth: 0
+
+      - name: setup-using-previous-job
+        uses: ./.github/actions/setup-from-previous
+
+      - name: Run e2e dev tests
+        run: |
+          build/uds run test:dev --no-progress
+
+      - name: Save logs
+        if: always()
+        uses: ./.github/actions/save-logs
+        with:
+          name: test-dev
+
+  test-variables:
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Checkout
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        with:
+          fetch-depth: 0
+
+      - name: setup-using-previous-job
+        uses: ./.github/actions/setup-from-previous
+
+      - name: Run e2e variable tests
+        run: |
+          build/uds run test:variable --no-progress
+
+      - name: Save logs
+        if: always()
+        uses: ./.github/actions/save-logs
+        with:
+          name: test-variables
+
+  test-optional-bundle:
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Checkout
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        with:
+          fetch-depth: 0
+
+      - name: setup-using-previous-job
+        uses: ./.github/actions/setup-from-previous
+
+      - name: Run e2e optional bundle tests
+        run: |
+          build/uds run test:optional-bundle --no-progress
+
+      - name: Save logs
+        if: always()
+        uses: ./.github/actions/save-logs
+        with:
+          name: test-optional-bundle
+
+  test-vendor:
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Checkout
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        with:
+          fetch-depth: 0
+
+      - name: setup-using-previous-job
+        uses: ./.github/actions/setup-from-previous
+
+      - name: Install Trivy
+        run: |
+          sudo apt-get install wget apt-transport-https gnupg -y
+          wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
+          echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee /etc/apt/sources.list.d/trivy.list
+          sudo apt-get update
+          sudo apt-get install trivy -y
+
+      - name: Run e2e vendor tests
+        run: |
+          build/uds run test:vendor --no-progress
+
+      - name: Save logs
+        if: always()
+        uses: ./.github/actions/save-logs
+        with:
+          name: test-vendor
+
+  test-ghcr:
+    runs-on: ubuntu-latest
+    needs: build
     permissions:
       packages: write
-    needs: build
     steps:
-      # Checkout the repo and setup the tooling for this job
       - name: Checkout
         uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
@@ -56,15 +173,8 @@ jobs:
           name: build-artifacts
           path: build/
 
-      - name: Setup golang
-        uses: ./.github/actions/golang
-
-      - name: Make UDS-CLI executable
-        run: |
-          chmod +x build/uds
-
-      - name: Setup K3d
-        uses: ./.github/actions/k3d
+      - name: setup-using-previous-job
+        uses: ./.github/actions/setup-from-previous
 
       - name: Login to GHCR
         uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
@@ -73,9 +183,9 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Run e2e tests
+      - name: Run GHCR tests
         run: |
-          build/uds run test:e2e --no-progress
+          build/uds run test:e2e-ghcr --no-progress
         env:
           GITHUB_TOKEN: secrets.GITHUB_TOKEN
 

diff --git a/.github/workflows/test-e2e-pr.yaml b/.github/workflows/test-e2e-pr.yaml
@@ -147,6 +147,14 @@ jobs:
       - name: setup-using-previous-job
         uses: ./.github/actions/setup-from-previous
 
+      - name: Install Trivy
+        run: |
+          sudo apt-get install wget apt-transport-https gnupg -y
+          wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
+          echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee /etc/apt/sources.list.d/trivy.list
+          sudo apt-get update
+          sudo apt-get install trivy -y
+
       - name: Run e2e vendor tests
         run: |
           build/uds run test:vendor --no-progress

diff --git a/src/test/e2e/security_hub_test.go b/src/test/e2e/security_hub_test.go
@@ -15,22 +15,21 @@ import (
 func TestScanCommand(t *testing.T) {
 	t.Log("E2E: Scan Command")
 
-	t.Run("scan packages/uds/gitlab-runner", func(t *testing.T) {
+	t.Run("scan remote Zarf init pkg", func(t *testing.T) {
 		t.Parallel()
 
 		// Create a temporary directory for the test output file
 		tempDir, err := os.MkdirTemp("", "scan-test")
 		require.NoError(t, err)
 		defer os.RemoveAll(tempDir)
-		outputFile := filepath.Join(tempDir, "gitlab-runner.csv")
+		outputFile := filepath.Join(tempDir, "zarf-init.csv")
 
-		stdOut, stdErr, err := e2e.UDS("scan", "--org", "defenseunicorns", "--package-name", "packages/uds/gitlab-runner", "--tag", "16.10.0-uds.0-upstream", "--output-file", outputFile)
-		require.NoError(t, err, stdOut, stdErr)
+		_, stdErr, err := e2e.UDS("scan", "--org", "defenseunicorns", "--package-name", "packages/init", "--tag", "v0.34.0", "--output-file", outputFile)
+		require.NoError(t, err, stdErr)
 		require.FileExists(t, outputFile)
 		fileInfo, err := os.Stat(outputFile)
 		require.NoError(t, err)
 		require.Greater(t, fileInfo.Size(), int64(10), "output file size should be greater than 10 bytes")
-		require.NotEmpty(t, stdOut)
 		require.NotEmpty(t, stdErr)
 	})
 }
diff --git a/tasks/tests.yaml b/tasks/tests.yaml
@@ -49,7 +49,7 @@ tasks:
   - name: vendor
     description: only run tests in zarf_test.go and runner_test.go
     actions:
-      - cmd: cd src/test/e2e && go test -failfast -v -timeout 30m zarf_test.go runner_test.go commands_test.go main_test.go
+      - cmd: cd src/test/e2e && go test -failfast -v -timeout 30m zarf_test.go runner_test.go security_hub_test.go commands_test.go main_test.go
 
   - name: push-test-artifacts
     description: push artifacts that UDS CLI tests rely on to GHCR