# CI validation workflow: static analysis, unit/integration tests, a snapshot
# build whose artifacts are fanned out per platform, and acceptance/CLI tests
# that consume those artifacts.
name: "Validations"

# `on` is a YAML 1.1 boolean for generic parsers; GitHub's loader reads it as the key.
on:
  workflow_dispatch:
  pull_request:
  push:
    branches:
      - main

# Workflow-wide least-privilege token. No job below widens this, so every job
# (including the ones that upload/download artifacts) runs with contents: read only.
permissions:
  contents: read

jobs:
  Static-Analysis:
    # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
    name: "Static analysis"
    # Runner definition: workflows/.github/runs-on.yml
    # The per-run_id label suggests an ephemeral runner per workflow run; relevant because
    # pull_request also triggers this workflow — NOTE(review): confirm fork PRs are handled as intended.
    runs-on: runs-on=${{ github.run_id }}/runner=small
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
        with:
          # do not leave the job token in .git/config for later steps to pick up
          persist-credentials: false
      - name: Bootstrap environment
        uses: ./.github/actions/bootstrap
      - name: Run static analysis
        run: make static-analysis

  Unit-Test:
    # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
    name: "Unit tests"
    # we need more storage than what's on the default runner
    # Runner definition: workflows/.github/runs-on.yml
    runs-on: runs-on=${{ github.run_id }}/runner=small
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
        with:
          persist-credentials: false
      - name: Bootstrap environment
        uses: ./.github/actions/bootstrap
        with:
          download-test-fixture-cache: true
      - name: Run unit tests
        run: make unit

  Integration-Test:
    # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
    name: "Integration tests"
    # Runner definition: workflows/.github/runs-on.yml
    runs-on: runs-on=${{ github.run_id }}/runner=small
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
        with:
          persist-credentials: false
      - name: Bootstrap environment
        uses: ./.github/actions/bootstrap
        with:
          download-test-fixture-cache: true
      - name: Validate syft output against the CycloneDX schema
        run: make validate-cyclonedx-schema
      - name: Run integration tests
        run: make integration

  Build-Snapshot-Artifacts:
    name: "Build snapshot artifacts"
    # Runner definition: workflows/.github/runs-on.yml
    runs-on: runs-on=${{ github.run_id }}/runner=build
    steps:
      # required for magic-cache from runs-on to function with artifact upload/download (see https://runs-on.com/caching/magic-cache/#actionsupload-artifact-compatibility)
      # NOTE(review): pinned to a mutable tag, unlike every other third-party action in
      # this file, which is pinned to a full commit SHA. A tag can be moved to different
      # code without any change here; consider pinning to the commit SHA instead.
      - uses: runs-on/action@v2
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
        with:
          persist-credentials: false
      - name: Bootstrap environment
        uses: ./.github/actions/bootstrap
        with:
          bootstrap-apt-packages: ""
      - name: Build snapshot artifacts
        run: make snapshot
      - name: Smoke test snapshot build
        run: make snapshot-smoke-test
      # upload each platform artifact individually so downstream jobs can download only what they need
      # Installed from the npm registry at run time. The package version is exact, but
      # there is no lockfile here, so its transitive dependencies are resolved at run time.
      - run: npm install @actions/artifact@2.3.2
      - name: Upload individual platform artifacts
        # NOTE(review): mutable tag pin (see runs-on/action above); consider a commit SHA.
        uses: actions/github-script@v8
        env:
          ACTIONS_ARTIFACT_UPLOAD_CONCURRENCY: 10
        with:
          # Uploads, from ./snapshot: each amd64/arm64 platform directory as its own
          # artifact, the amd64/arm64 .deb/.rpm and .sbom files, and the first
          # syft_*_checksums.txt as "syft_checksums.txt". All uploads are awaited together
          # and any failure is rethrown so the job fails.
          script: |
            const { readdirSync } = require('fs')
            const { DefaultArtifactClient } = require('@actions/artifact')
            const artifact = new DefaultArtifactClient()
            const ls = d => readdirSync(d, { withFileTypes: true })
            const baseDir = "./snapshot"
            const dirs = ls(baseDir).filter(f => f.isDirectory()).map(f => f.name)
            const uploads = []

            // filter to only amd64 and arm64 architectures
            const supportedArchs = ['amd64', 'arm64']
            const filteredDirs = dirs.filter(dir =>
              supportedArchs.some(arch => dir.includes(arch))
            )

            // upload platform subdirectories
            for (const dir of filteredDirs) {
              // uploadArtifact returns Promise<{id, size}>
              uploads.push(artifact.uploadArtifact(
                // name of the archive:
                `${dir}`,
                // array of all files to include:
                ls(`${baseDir}/${dir}`).map(f => `${baseDir}/${dir}/${f.name}`),
                // base directory to trim from entries:
                `${baseDir}/${dir}`,
                { retentionDays: 30 }
              ))
            }

            // upload RPM and DEB packages for supported architectures
            const packageFiles = ls(baseDir).filter(f =>
              f.isFile() &&
              (f.name.endsWith('.deb') || f.name.endsWith('.rpm')) &&
              supportedArchs.some(arch => f.name.includes(`_${arch}.`))
            )
            for (const file of packageFiles) {
              uploads.push(artifact.uploadArtifact(
                file.name,
                [`${baseDir}/${file.name}`],
                baseDir,
                { retentionDays: 30 }
              ))
            }

            // upload SBOM files for supported architectures
            const sbomFiles = ls(baseDir).filter(f =>
              f.isFile() &&
              f.name.endsWith('.sbom') &&
              supportedArchs.some(arch => f.name.includes(`_${arch}.`))
            )
            for (const file of sbomFiles) {
              uploads.push(artifact.uploadArtifact(
                file.name,
                [`${baseDir}/${file.name}`],
                baseDir,
                { retentionDays: 30 }
              ))
            }

            // upload checksums file (needed by install tests)
            const rootFiles = ls(baseDir).filter(f => f.isFile() && f.name.match(/syft_.*_checksums\.txt$/))
            if (rootFiles.length > 0) {
              const checksumsFile = rootFiles[0].name
              uploads.push(artifact.uploadArtifact(
                'syft_checksums.txt',
                [`${baseDir}/${checksumsFile}`],
                baseDir,
                { retentionDays: 30 }
              ))
            }

            // wait for all uploads to finish
            try {
              const results = await Promise.all(uploads)
              console.log(`Successfully uploaded ${results.length} artifacts`)
            } catch (error) {
              console.error('Upload failed:', error)
              throw error
            }

  Acceptance-Linux:
    # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
    name: "Acceptance tests (Linux)"
    needs: [Build-Snapshot-Artifacts]
    # Runner definition: workflows/.github/runs-on.yml
    runs-on: runs-on=${{ github.run_id }}/runner=small
    steps:
      # required for magic-cache from runs-on to function with artifact upload/download (see https://runs-on.com/caching/magic-cache/#actionsupload-artifact-compatibility)
      # NOTE(review): mutable tag pin (see Build-Snapshot-Artifacts); consider a commit SHA.
      - uses: runs-on/action@v2
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
        with:
          persist-credentials: false
      - name: Bootstrap environment
        uses: ./.github/actions/bootstrap
        with:
          download-test-fixture-cache: true
      - name: Download checksums file
        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 #v6.0.0
        with:
          name: syft_checksums.txt
          path: snapshot
      - name: Download Linux amd64 snapshot
        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 #v6.0.0
        with:
          name: linux-build_linux_amd64_v1
          path: snapshot/linux-build_linux_amd64_v1
      # The pattern-based downloads below do not set merge-multiple, so each matched
      # artifact presumably lands in its own subdirectory under snapshot/ — TODO confirm
      # that is the layout `make compare-linux` / `make install-test` expect.
      - name: Download Linux amd64 deb
        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 #v6.0.0
        with:
          pattern: syft_*_linux_amd64.deb
          path: snapshot
      - name: Download Linux amd64 rpm
        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 #v6.0.0
        with:
          pattern: syft_*_linux_amd64.rpm
          path: snapshot
      - name: Download Linux amd64 sbom
        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 #v6.0.0
        with:
          pattern: syft_*_linux_amd64.sbom
          path: snapshot
      - name: Run comparison tests (Linux)
        run: make compare-linux
      # NOTE(review): no step in this job declares `id: install-test-image-cache`, so
      # `steps.install-test-image-cache.outputs.cache-hit` is always empty here: this
      # load step never runs and the save step below always runs. Either the cache step
      # was removed or it lives elsewhere — confirm and restore/remove the conditions.
      - name: Load test image cache
        if: steps.install-test-image-cache.outputs.cache-hit == 'true'
        run: make install-test-cache-load
      - name: Run install.sh tests (Linux)
        run: make install-test
      - name: (cache-miss) Create test image cache
        if: steps.install-test-image-cache.outputs.cache-hit != 'true'
        run: make install-test-cache-save

  Acceptance-Mac:
    # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
    name: "Acceptance tests (Mac)"
    needs: [Build-Snapshot-Artifacts]
    # note: macos runners aren't supported yet for runs-on managed runners.
    runs-on: macos-latest
    steps:
      # presumably needed by the install.sh tests to verify artifact signatures — confirm
      - name: Install Cosign
        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
        with:
          persist-credentials: false
      - name: Bootstrap environment
        uses: ./.github/actions/bootstrap
        with:
          bootstrap-apt-packages: ""
          go-dependencies: false
          download-test-fixture-cache: true
      - name: Download checksums file
        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 #v6.0.0
        with:
          name: syft_checksums.txt
          path: snapshot
      - name: Download macOS Intel snapshot
        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 #v6.0.0
        with:
          name: darwin-build_darwin_amd64_v1
          path: snapshot/darwin-build_darwin_amd64_v1
      - name: Download macOS amd64 sbom
        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 #v6.0.0
        with:
          pattern: syft_*_darwin_amd64.sbom
          path: snapshot
      - name: Run comparison tests (Mac)
        run: make compare-mac
      - name: Run install.sh tests (Mac)
        run: make install-test-ci-mac

  Cli-Linux:
    # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
    name: "CLI tests (Linux)"
    needs: [Build-Snapshot-Artifacts]
    # Runner definition: workflows/.github/runs-on.yml
    runs-on: runs-on=${{ github.run_id }}/runner=small
    steps:
      # required for magic-cache from runs-on to function with artifact upload/download (see https://runs-on.com/caching/magic-cache/#actionsupload-artifact-compatibility)
      # NOTE(review): mutable tag pin (see Build-Snapshot-Artifacts); consider a commit SHA.
      - uses: runs-on/action@v2
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
        with:
          persist-credentials: false
      - name: Bootstrap environment
        uses: ./.github/actions/bootstrap
        with:
          download-test-fixture-cache: true
      - name: Download Linux amd64 snapshot
        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 #v6.0.0
        with:
          name: linux-build_linux_amd64_v1
          path: snapshot/linux-build_linux_amd64_v1
      - name: Run CLI Tests (Linux)
        run: make cli