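---
# CI validation pipeline: static analysis, unit/integration tests, a snapshot
# build, and acceptance/CLI tests that consume the snapshot artifacts.
name: "Validations"

on:
  workflow_dispatch:
  pull_request:
  push:
    branches:
      - main

# Workflow-wide token scope; every job below inherits read-only `contents`.
permissions:
  contents: read

jobs:
  Static-Analysis:
    # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
    name: "Static analysis"
    # Runner definition: workflows/.github/runs-on.yml
    runs-on: runs-on=${{ github.run_id }}/runner=small
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
        with:
          persist-credentials: false

      - name: Bootstrap environment
        uses: ./.github/actions/bootstrap

      - name: Run static analysis
        run: make static-analysis

  Unit-Test:
    # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
    name: "Unit tests"
    # we need more storage than what's on the default runner
    # NOTE(review): `runner=small` is the same runner the other jobs use, so the
    # comment above looks stale — confirm against the runs-on definition.
    # Runner definition: workflows/.github/runs-on.yml
    runs-on: runs-on=${{ github.run_id }}/runner=small
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
        with:
          persist-credentials: false

      - name: Bootstrap environment
        uses: ./.github/actions/bootstrap
        with:
          download-test-fixture-cache: true

      - name: Run unit tests
        run: make unit

  Integration-Test:
    # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
    name: "Integration tests"
    # Runner definition: workflows/.github/runs-on.yml
    runs-on: runs-on=${{ github.run_id }}/runner=small
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
        with:
          persist-credentials: false

      - name: Bootstrap environment
        uses: ./.github/actions/bootstrap
        with:
          download-test-fixture-cache: true

      - name: Validate syft output against the CycloneDX schema
        run: make validate-cyclonedx-schema

      - name: Run integration tests
        run: make integration

  Build-Snapshot-Artifacts:
    name: "Build snapshot artifacts"
    # Runner definition: workflows/.github/runs-on.yml
    runs-on: runs-on=${{ github.run_id }}/runner=build
    steps:
      # required for magic-cache from runs-on to function with artifact upload/download (see https://runs-on.com/caching/magic-cache/#actionsupload-artifact-compatibility)
      # NOTE(review): this is the only third-party action referenced by a mutable
      # tag; every other action in this file is pinned to a commit SHA. Pinning
      # it the same way (here and in Acceptance-Linux / Cli-Linux) keeps the
      # supply-chain posture consistent.
      - uses: runs-on/action@v2

      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
        with:
          persist-credentials: false

      - name: Bootstrap environment
        uses: ./.github/actions/bootstrap
        with:
          bootstrap-apt-packages: ""

      - name: Build snapshot artifacts
        run: make snapshot

      - name: Smoke test snapshot build
        run: make snapshot-smoke-test

      # The single `snapshot` artifact is what every downstream job downloads.
      - name: Upload snapshot artifacts
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 #v6.0.0
        with:
          name: snapshot
          path: snapshot/
          retention-days: 30

      # # upload each platform artifact individually so downstream jobs can download only what they need
      # - run: npm install @actions/artifact@2.3.2
      #
      # - name: Upload individual platform artifacts
      #   uses: actions/github-script@v8
      #   env:
      #     ACTIONS_ARTIFACT_UPLOAD_CONCURRENCY: 10
      #   with:
      #     script: |
      #       const { readdirSync } = require('fs')
      #       const { DefaultArtifactClient } = require('@actions/artifact')
      #       const artifact = new DefaultArtifactClient()
      #       const ls = d => readdirSync(d, { withFileTypes: true })
      #       const baseDir = "./snapshot"
      #       const dirs = ls(baseDir).filter(f => f.isDirectory()).map(f => f.name)
      #       const uploads = []
      #
      #       // filter to only amd64 and arm64 architectures
      #       const supportedArchs = ['amd64', 'arm64']
      #       const filteredDirs = dirs.filter(dir =>
      #         supportedArchs.some(arch => dir.includes(arch))
      #       )
      #
      #       // upload platform subdirectories
      #       for (const dir of filteredDirs) {
      #         // uploadArtifact returns Promise<{id, size}>
      #         uploads.push(artifact.uploadArtifact(
      #           // name of the archive:
      #           `${dir}`,
      #           // array of all files to include:
      #           ls(`${baseDir}/${dir}`).map(f => `${baseDir}/${dir}/${f.name}`),
      #           // base directory to trim from entries:
      #           `${baseDir}/${dir}`,
      #           { retentionDays: 30 }
      #         ))
      #       }
      #
      #       // upload RPM and DEB packages for supported architectures
      #       const packageFiles = ls(baseDir).filter(f =>
      #         f.isFile() &&
      #         (f.name.endsWith('.deb') || f.name.endsWith('.rpm')) &&
      #         supportedArchs.some(arch => f.name.includes(`_${arch}.`))
      #       )
      #       for (const file of packageFiles) {
      #         uploads.push(artifact.uploadArtifact(
      #           file.name,
      #           [`${baseDir}/${file.name}`],
      #           baseDir,
      #           { retentionDays: 30 }
      #         ))
      #       }
      #
      #       // upload SBOM files for supported architectures
      #       const sbomFiles = ls(baseDir).filter(f =>
      #         f.isFile() &&
      #         f.name.endsWith('.sbom') &&
      #         supportedArchs.some(arch => f.name.includes(`_${arch}.`))
      #       )
      #       for (const file of sbomFiles) {
      #         uploads.push(artifact.uploadArtifact(
      #           file.name,
      #           [`${baseDir}/${file.name}`],
      #           baseDir,
      #           { retentionDays: 30 }
      #         ))
      #       }
      #
      #       // upload checksums file (needed by install tests)
      #       const rootFiles = ls(baseDir).filter(f => f.isFile() && f.name.match(/syft_.*_checksums\.txt$/))
      #       if (rootFiles.length > 0) {
      #         const checksumsFile = rootFiles[0].name
      #         uploads.push(artifact.uploadArtifact(
      #           'syft_checksums.txt',
      #           [`${baseDir}/${checksumsFile}`],
      #           baseDir,
      #           { retentionDays: 30 }
      #         ))
      #       }
      #
      #       // wait for all uploads to finish
      #       try {
      #         const results = await Promise.all(uploads)
      #         console.log(`Successfully uploaded ${results.length} artifacts`)
      #       } catch (error) {
      #         console.error('Upload failed:', error)
      #         throw error
      #       }

  Acceptance-Linux:
    # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
    name: "Acceptance tests (Linux)"
    needs: [Build-Snapshot-Artifacts]
    # Runner definition: workflows/.github/runs-on.yml
    runs-on: runs-on=${{ github.run_id }}/runner=small
    steps:
      # required for magic-cache from runs-on to function with artifact upload/download (see https://runs-on.com/caching/magic-cache/#actionsupload-artifact-compatibility)
      - uses: runs-on/action@v2

      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
        with:
          persist-credentials: false

      - name: Bootstrap environment
        uses: ./.github/actions/bootstrap
        with:
          download-test-fixture-cache: true

      - name: Download snapshot artifacts
        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 #v6.0.0
        with:
          name: snapshot
          path: snapshot

      # - name: Download checksums file
      #   uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 #v6.0.0
      #   with:
      #     name: syft_checksums.txt
      #     path: snapshot
      #
      # - name: Download Linux amd64 snapshot
      #   uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 #v6.0.0
      #   with:
      #     name: linux-build_linux_amd64_v1
      #     path: snapshot/linux-build_linux_amd64_v1
      #
      # - name: Download Linux amd64 deb
      #   uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 #v6.0.0
      #   with:
      #     pattern: syft_*_linux_amd64.deb
      #     path: snapshot
      #
      # - name: Download Linux amd64 rpm
      #   uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 #v6.0.0
      #   with:
      #     pattern: syft_*_linux_amd64.rpm
      #     path: snapshot
      #
      # - name: Download Linux amd64 sbom
      #   uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 #v6.0.0
      #   with:
      #     pattern: syft_*_linux_amd64.sbom
      #     path: snapshot

      - name: Run comparison tests (Linux)
        run: make compare-linux

      # NOTE(review): no step in this job declares `id: install-test-image-cache`,
      # so `steps.install-test-image-cache.outputs.cache-hit` is always empty.
      # As written, "Load test image cache" never runs and "(cache-miss) Create
      # test image cache" runs on every execution. Either restore the cache step
      # that produced this output or drop both conditions.
      - name: Load test image cache
        if: steps.install-test-image-cache.outputs.cache-hit == 'true'
        run: make install-test-cache-load

      - name: Run install.sh tests (Linux)
        run: make install-test

      - name: (cache-miss) Create test image cache
        if: steps.install-test-image-cache.outputs.cache-hit != 'true'
        run: make install-test-cache-save

  Acceptance-Mac:
    # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
    name: "Acceptance tests (Mac)"
    needs: [Build-Snapshot-Artifacts]
    # note: macos runners aren't supported yet for runs-on managed runners.
    runs-on: macos-latest
    steps:
      - name: Install Cosign
        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0

      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
        with:
          persist-credentials: false

      - name: Bootstrap environment
        uses: ./.github/actions/bootstrap
        with:
          bootstrap-apt-packages: ""
          go-dependencies: false
          download-test-fixture-cache: true

      - name: Download snapshot artifacts
        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 #v6.0.0
        with:
          name: snapshot
          path: snapshot

      # - name: Download checksums file
      #   uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 #v6.0.0
      #   with:
      #     name: syft_checksums.txt
      #     path: snapshot
      #
      # - name: Download macOS Intel snapshot
      #   uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 #v6.0.0
      #   with:
      #     name: darwin-build_darwin_amd64_v1
      #     path: snapshot/darwin-build_darwin_amd64_v1
      #
      # - name: Download macOS amd64 sbom
      #   uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 #v6.0.0
      #   with:
      #     pattern: syft_*_darwin_amd64.sbom
      #     path: snapshot

      - name: Run comparison tests (Mac)
        run: make compare-mac

      - name: Run install.sh tests (Mac)
        run: make install-test-ci-mac

  Cli-Linux:
    # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
    name: "CLI tests (Linux)"
    needs: [Build-Snapshot-Artifacts]
    # Runner definition: workflows/.github/runs-on.yml
    runs-on: runs-on=${{ github.run_id }}/runner=small
    steps:
      # required for magic-cache from runs-on to function with artifact upload/download (see https://runs-on.com/caching/magic-cache/#actionsupload-artifact-compatibility)
      - uses: runs-on/action@v2

      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
        with:
          persist-credentials: false

      - name: Bootstrap environment
        uses: ./.github/actions/bootstrap
        with:
          download-test-fixture-cache: true

      - name: Download snapshot artifacts
        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 #v6.0.0
        with:
          name: snapshot
          path: snapshot

      # - name: Download Linux amd64 snapshot
      #   uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 #v6.0.0
      #   with:
      #     name: linux-build_linux_amd64_v1
      #     path: snapshot/linux-build_linux_amd64_v1

      - name: Run CLI Tests (Linux)
        run: make cli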