From 16ce2ac49955ec2fdde00267e0b5b40dc545a9c6 Mon Sep 17 00:00:00 2001
From: UncleGedd <42304551+UncleGedd@users.noreply.github.com>
Date: Mon, 10 Jun 2024 12:52:02 -0500
Subject: [PATCH] fix: install trivy for security hub and parallelize release (#680)

---
.github/workflows/release.yaml | 138 ++++++++++++++++++++++++++---
.github/workflows/test-e2e-pr.yaml | 8 ++
src/test/e2e/security_hub_test.go | 9 +-
tasks/tests.yaml | 2 +-
4 files changed, 137 insertions(+), 20 deletions(-)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index b70398a5..292fda75 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -38,13 +38,130 @@ jobs:
 path: build/
 retention-days: 1
- validate:
+ test-bundle:
 runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Checkout
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ with:
+ fetch-depth: 0
+
+ - name: setup-using-previous-job
+ uses: ./.github/actions/setup-from-previous
+
+ - name: Run e2e bundle tests
+ run: |
+ build/uds run test:bundle --no-progress
+
+ - name: Save logs
+ if: always()
+ uses: ./.github/actions/save-logs
+ with:
+ name: build
+
+ test-dev:
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Checkout
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ with:
+ fetch-depth: 0
+
+ - name: setup-using-previous-job
+ uses: ./.github/actions/setup-from-previous
+
+ - name: Run e2e dev tests
+ run: |
+ build/uds run test:dev --no-progress
+
+ - name: Save logs
+ if: always()
+ uses: ./.github/actions/save-logs
+ with:
+ name: test-dev
+
+ test-variables:
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Checkout
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ with:
+ fetch-depth: 0
+
+ - name: setup-using-previous-job
+ uses: ./.github/actions/setup-from-previous
+
+ - name: Run e2e variable tests
+ run: |
+ build/uds run test:variable --no-progress
+
+ - name: Save logs
+ if: always()
+ uses: ./.github/actions/save-logs
+ with:
+ name: test-variables
+
+ test-optional-bundle:
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Checkout
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ with:
+ fetch-depth: 0
+
+ - name: setup-using-previous-job
+ uses: ./.github/actions/setup-from-previous
+
+ - name: Run e2e optional bundle tests
+ run: |
+ build/uds run test:optional-bundle --no-progress
+
+ - name: Save logs
+ if: always()
+ uses: ./.github/actions/save-logs
+ with:
+ name: test-optional-bundle
+
+ test-vendor:
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Checkout
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ with:
+ fetch-depth: 0
+
+ - name: setup-using-previous-job
+ uses: ./.github/actions/setup-from-previous
+
+ - name: Install Trivy
+ run: |
+ sudo apt-get install wget apt-transport-https gnupg -y
+ wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
+ echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee /etc/apt/sources.list.d/trivy.list
+ sudo apt-get update
+ sudo apt-get install trivy -y
+
+ - name: Run e2e vendor tests
+ run: |
+ build/uds run test:vendor --no-progress
+
+ - name: Save logs
+ if: always()
+ uses: ./.github/actions/save-logs
+ with:
+ name: test-vendor
+
+ test-ghcr:
+ runs-on: ubuntu-latest
+ needs: build
 permissions:
 packages: write
- needs: build
 steps:
- # Checkout the repo and setup the tooling for this job
 - name: Checkout
 uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 with:
@@ -56,15 +173,8 @@ jobs:
 name: build-artifacts
 path: build/
- - name: Setup golang
- uses: ./.github/actions/golang
-
- - name: Make UDS-CLI executable
- run: |
- chmod +x build/uds
-
- - name: Setup K3d
- uses: ./.github/actions/k3d
+ - name: setup-using-previous-job
+ uses: ./.github/actions/setup-from-previous
 - name: Login to GHCR
 uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
@@ -73,9 +183,9 @@ jobs:
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
- - name: Run e2e tests
+ - name: Run GHCR tests
 run: |
- build/uds run test:e2e --no-progress
+ build/uds run test:e2e-ghcr --no-progress
 env:
 GITHUB_TOKEN: secrets.GITHUB_TOKEN
diff --git a/.github/workflows/test-e2e-pr.yaml b/.github/workflows/test-e2e-pr.yaml
index 47577a92..ac5f23be 100644
--- a/.github/workflows/test-e2e-pr.yaml
+++ b/.github/workflows/test-e2e-pr.yaml
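Review bot: The Install Trivy step in the new test-vendor job installs whatever the apt repository currently serves (`sudo apt-get install trivy -y`), so the release gate runs a different scanner version from one run to the next while every action in this workflow is pinned by commit SHA; pin it the same way, e.g. `sudo apt-get install -y trivy=<TRIVY_VERSION>` (placeholder — use the version the scan command is validated against). The step sets no `shell:`, and the runner's default `bash -e` does not enable pipefail, so a failed key download in the `wget ... | gpg --dearmor | sudo tee` pipeline is reported only by tee's exit status and surfaces later as an apt signature error rather than on the line that caused it; adding `shell: bash` to the step (which runs with `-eo pipefail`) makes the failure land in the right place. The identical block is added in the test-e2e-pr.yaml hunk below; factoring it into a composite action beside `setup-from-previous` keeps the two from drifting. The test-ghcr job this hunk starts continues into the next hunk.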
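Review bot: The renamed "Run GHCR tests" step still exports `GITHUB_TOKEN: secrets.GITHUB_TOKEN` (the context lines closing the hunk), which inside a workflow `env:` block is the literal string, not the secret — only the `${{ }}` form is expanded, as the login step's `password: ${{ secrets.GITHUB_TOKEN }}` above already does. If `test:e2e-ghcr` reads that variable for anything beyond the docker login that ran earlier, it is getting a bogus token; I cannot tell from here whether it does, but the fix is one line, `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}`. The commit renames the step and the task it runs but leaves this value untouched.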
@@ -147,6 +147,14 @@ jobs:
 - name: setup-using-previous-job
 uses: ./.github/actions/setup-from-previous
+ - name: Install Trivy
+ run: |
+ sudo apt-get install wget apt-transport-https gnupg -y
+ wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
+ echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee /etc/apt/sources.list.d/trivy.list
+ sudo apt-get update
+ sudo apt-get install trivy -y
+
 - name: Run e2e vendor tests
 run: |
 build/uds run test:vendor --no-progress
diff --git a/src/test/e2e/security_hub_test.go b/src/test/e2e/security_hub_test.go
index 83e2dcdd..537c34cf 100644
--- a/src/test/e2e/security_hub_test.go
+++ b/src/test/e2e/security_hub_test.go
@@ -15,22 +15,21 @@ import (
 func TestScanCommand(t *testing.T) {
 t.Log("E2E: Scan Command")
- t.Run("scan packages/uds/gitlab-runner", func(t *testing.T) {
+ t.Run("scan remote Zarf init pkg", func(t *testing.T) {
 t.Parallel()
 // Create a temporary directory for the test output file
 tempDir, err := os.MkdirTemp("", "scan-test")
 require.NoError(t, err)
 defer os.RemoveAll(tempDir)
- outputFile := filepath.Join(tempDir, "gitlab-runner.csv")
+ outputFile := filepath.Join(tempDir, "zarf-init.csv")
- stdOut, stdErr, err := e2e.UDS("scan", "--org", "defenseunicorns", "--package-name", "packages/uds/gitlab-runner", "--tag", "16.10.0-uds.0-upstream", "--output-file", outputFile)
- require.NoError(t, err, stdOut, stdErr)
+ _, stdErr, err := e2e.UDS("scan", "--org", "defenseunicorns", "--package-name", "packages/init", "--tag", "v0.34.0", "--output-file", outputFile)
+ require.NoError(t, err, stdErr)
 require.FileExists(t, outputFile)
 fileInfo, err := os.Stat(outputFile)
 require.NoError(t, err)
 require.Greater(t, fileInfo.Size(), int64(10), "output file size should be greater than 10 bytes")
- require.NotEmpty(t, stdOut)
 require.NotEmpty(t, stdErr)
 })
 }
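Review bot: `require.NotEmpty(t, stdErr)` at the end of the subtest ties a passing scan to the CLI having written something to stderr; now that the commit drops the matching stdout assertion and discards stdout entirely, any future change that quiets log output makes this test fail with no regression in `scan`, so either drop the line or assert on a specific message you expect there. The subtest also has two preconditions that nothing in the file states: network access to pull `packages/init` at `v0.34.0` from the `defenseunicorns` org, and — judging by the Trivy install this commit adds to both workflows — a `trivy` binary on PATH; a comment above `t.Run` naming both would save the next person a 30-minute `go test` timeout when running it locally. The `fileInfo.Size() > 10` check only proves the file is not empty; if the `.csv` output is in fact CSV, reading it back and asserting a header row is present would also catch a file that holds only an error line. `TestScanCommand` is shown in full within this hunk.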
diff --git a/tasks/tests.yaml b/tasks/tests.yaml
index 364ab24c..9a8987e3 100644
--- a/tasks/tests.yaml
+++ b/tasks/tests.yaml
@@ -49,7 +49,7 @@ tasks:
 - name: vendor
 description: only run tests in zarf_test.go and runner_test.go
 actions:
- - cmd: cd src/test/e2e && go test -failfast -v -timeout 30m zarf_test.go runner_test.go commands_test.go main_test.go
+ - cmd: cd src/test/e2e && go test -failfast -v -timeout 30m zarf_test.go runner_test.go security_hub_test.go commands_test.go main_test.go
 - name: push-test-artifacts
 description: push artifacts that UDS CLI tests rely on to GHCR
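Review bot: The vendor task's `description: only run tests in zarf_test.go and runner_test.go` is now further out of date — this hunk adds security_hub_test.go to the `go test` file list, and commands_test.go and main_test.go were already missing from it. Either enumerate what the command runs, `description: only run tests in zarf_test.go, runner_test.go, security_hub_test.go, commands_test.go and main_test.go`, or describe the intent (tests that exercise vendored tooling) so the line does not go stale on the next addition. With security_hub_test.go under this task, the existing `-timeout 30m` now also has to cover a remote package pull plus scan; worth confirming that budget still holds on the release runners.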