From 9e8b1d80cbf73d03da15de58cb50019068192a98 Mon Sep 17 00:00:00 2001
From: unclegedd
Date: Wed, 21 Feb 2024 13:16:45 -0600
Subject: [PATCH 1/2] chore: ensure PR workflows can't write to GHCR
---
.github/workflows/nightly-ghcr.yaml | 40 +++++++++++++++++++
.../{test-e2e.yaml => test-e2e-pr.yaml} | 13 +-----
Makefile | 7 +++-
src/test/e2e/bundle_test.go | 4 ++
src/test/e2e/ghcr_test.go | 5 ++-
5 files changed, 53 insertions(+), 16 deletions(-)
create mode 100644 .github/workflows/nightly-ghcr.yaml
rename .github/workflows/{test-e2e.yaml => test-e2e-pr.yaml} (70%)
diff --git a/.github/workflows/nightly-ghcr.yaml b/.github/workflows/nightly-ghcr.yaml
new file mode 100644
index 00000000..7a048db4
--- /dev/null
+++ b/.github/workflows/nightly-ghcr.yaml
@@ -0,0 +1,40 @@
+name: Test GHCR Write
+on:
+ schedule:
+ - cron: '0 7 * * *' ## Every day at 0700 UTC
+
+ workflow_dispatch: ## Give us the ability to run this manually
+
+permissions:
+ contents: read
+
+# Abort prior jobs in the same workflow / PR
+concurrency:
+ group: e2e-ghcr-write-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ permissions:
+ packages: write
+ steps:
+ - name: Checkout
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+ - name: Setup golang
+ uses: ./.github/actions/golang
+
+ - name: Build UDS-CLI binary
+ run: make build-cli-linux-amd ARCH=amd64
+
+ - name: Setup K3d
+ uses: ./.github/actions/k3d
+
+ - name: Run e2e tests
+ run: |
+ make test-e2e-ghcr
+
+ - name: Save logs
+ if: always()
+ uses: ./.github/actions/save-logs
diff --git a/.github/workflows/test-e2e.yaml b/.github/workflows/test-e2e-pr.yaml
similarity index 70%
rename from .github/workflows/test-e2e.yaml
rename to .github/workflows/test-e2e-pr.yaml
index 1a547d77..1f53723a 100644
--- a/.github/workflows/test-e2e.yaml
+++ b/.github/workflows/test-e2e-pr.yaml
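Review bot: In nightly-ghcr.yaml the `workflow_dispatch` trigger lets the `test` job, which holds `packages: write`, be started against any ref chosen at dispatch time, so the code that runs with the write-scoped token is whatever that ref contains. If publishing is meant to happen only from the default branch, a job-level guard such as `if: github.event_name == 'schedule' || github.ref == 'refs/heads/<default-branch>'` (placeholder branch name) would enforce that. The comment `# Abort prior jobs in the same workflow / PR` is carried over from the PR workflow and no longer fits a scheduled job; `# Abort prior runs of this workflow on the same ref` describes what the concurrency group does here.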
@@ -23,8 +23,6 @@ concurrency: jobs: test: runs-on: ubuntu-latest - permissions: - packages: write steps: - name: Checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 @@ -38,18 +36,9 @@ jobs: - name: Setup K3d uses: ./.github/actions/k3d - - name: Login to GHCR - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Run e2e tests run: | - make test-e2e - env: - GITHUB_TOKEN: secrets.GITHUB_TOKEN + make test-e2e-no-ghcr-write - name: Save logs if: always() diff --git a/Makefile b/Makefile index 22cce695..d91a26c4 100644 --- a/Makefile +++ b/Makefile @@ -30,10 +30,13 @@ test-unit: ## Run Unit Tests test-e2e: ## Run End to End (e2e) tests cd src/test/e2e && go test -failfast -v -timeout 30m -test-e2e-no-ghcr: ## Run End to End (e2e) tests without GHCR +test-e2e-ghcr: ## Run End to End (e2e) tests with GHCR (contains writes) + cd src/test/e2e && go test -failfast -v -timeout 30m -run ".*GHCR.*" + +test-e2e-no-ghcr-write: ## Run End to End (e2e) tests without GHCR cd src/test/e2e && go test -failfast -v -timeout 30m -skip ".*GHCR.*" -test-e2e-only-tasks: ## Run End to End (e2e) tests for task runner only +test-e2e-runner: ## Run End to End (e2e) tests for task runner only cd src/test/e2e && go test -failfast -v -timeout 30m -run TestTaskRunner schema: ## Update JSON schema for uds-bundle.yaml diff --git a/src/test/e2e/bundle_test.go b/src/test/e2e/bundle_test.go index d89ed309..766484ca 100644 --- a/src/test/e2e/bundle_test.go +++ b/src/test/e2e/bundle_test.go @@ -121,6 +121,10 @@ func TestBundle(t *testing.T) { //Test create using custom tmpDir runCmd(t, "create "+bundleDir+" --tmpdir ./customtmp --confirm --insecure") + // remove customtmp folder if it exists + err := os.RemoveAll("./customtmp") + require.NoError(t, err) + } func TestPackagesFlag(t *testing.T) { 
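Review bot: The help text on `test-e2e-no-ghcr-write` still reads "without GHCR", and `-skip ".*GHCR.*"` drops every test with GHCR in its name, reads included, so the new target name promises something narrower than the target does. I would change the help comment to `## Run End to End (e2e) tests, skipping every test with GHCR in its name`. It is also worth saying in a comment that this filter is a naming convention rather than a control: what stops PR runs from publishing is the removal of `packages: write` and the login step in test-e2e-pr.yaml, and the unfiltered `test-e2e` target still runs the GHCR tests. Renaming `test-e2e-no-ghcr` and `test-e2e-only-tasks` will break any caller not shown in this patch, so other workflows and docs should be checked for the old names.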
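Review bot: The `os.RemoveAll("./customtmp")` cleanup is placed after `runCmd`, so it only runs when the create command returns normally; if `runCmd` fails the test (its body is not visible here), the directory is left behind for later runs. Registering it before the command, `t.Cleanup(func() { require.NoError(t, os.RemoveAll("./customtmp")) })`, removes the directory on every exit path. The path is relative, so it also assumes `runCmd` executes in the test's working directory, which is worth confirming. TestBundle's body starts outside the hunk.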
diff --git a/src/test/e2e/ghcr_test.go b/src/test/e2e/ghcr_test.go index bfb44932..f4b3f152 100644 --- a/src/test/e2e/ghcr_test.go +++ b/src/test/e2e/ghcr_test.go @@ -15,8 +15,9 @@ import ( // NOTE: These tests need to have the string "GHCR" in their names // to ensure they are not run by the test-e2e-no-ghcr make target +// Also, these tests are run nightly and on releases, not on PRs -func TestBundleDeployFromOCIFromGHCR(t *testing.T) { +func TestBundleCreateAndPublishGHCR(t *testing.T) { deployZarfInit(t) bundleName := "ghcr-test" @@ -51,7 +52,7 @@ func TestBundleDeployFromOCIFromGHCR(t *testing.T) { } // test the create -o path -func TestBundleCreateAndDeployGHCR(t *testing.T) { +func TestBundleCreateRemoteAndDeployGHCR(t *testing.T) { deployZarfInit(t) bundleDir := "src/test/bundles/06-ghcr" From 9459e55a82d2d627fd7d7ac3e7f05a4fc2cd7155 Mon Sep 17 00:00:00 2001 From: unclegedd Date: Wed, 21 Feb 2024 15:00:43 -0600 Subject: [PATCH 2/2] fix: ghcr --- .github/workflows/nightly-ghcr.yaml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.github/workflows/nightly-ghcr.yaml b/.github/workflows/nightly-ghcr.yaml index 7a048db4..c15088ba 100644 --- a/.github/workflows/nightly-ghcr.yaml +++ b/.github/workflows/nightly-ghcr.yaml @@ -31,9 +31,18 @@ jobs: - name: Setup K3d uses: ./.github/actions/k3d + - name: Login to GHCR + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Run e2e tests run: | make test-e2e-ghcr + env: + GITHUB_TOKEN: secrets.GITHUB_TOKEN - name: Save logs if: always()
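Review bot: The NOTE comment above the first test still names the `test-e2e-no-ghcr` make target, which this same commit renames to `test-e2e-no-ghcr-write` in the Makefile, so the comment points at a target that no longer exists. I would reword the second line to `// so that test-e2e-no-ghcr-write skips them and test-e2e-ghcr selects them`, since the new `-run ".*GHCR.*"` target depends on the same naming rule. The added line says the tests also run on releases; no release workflow appears in this patch, so that claim should be checked against the workflow it refers to.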
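Review bot: `GITHUB_TOKEN: secrets.GITHUB_TOKEN` under `env:` on the "Run e2e tests" step is a plain YAML string, so the test process receives the literal text `secrets.GITHUB_TOKEN` rather than the token. The login step added just above uses the expression form correctly; the env entry needs the same, `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}`. Whether the tests read this variable at all is not visible in the patch; if they authenticate only through the docker login credentials, dropping the `env:` entry instead keeps the write-scoped token out of the test process environment.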