name: "Validations" on: workflow_dispatch: pull_request: push: branches: - main permissions: contents: read jobs: Static-Analysis: # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline name: "Static analysis" runs-on: ubuntu-24.04 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - name: Bootstrap environment uses: ./.github/actions/bootstrap - name: Run static analysis run: make static-analysis Unit-Test: # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline name: "Unit tests" runs-on: ubuntu-24.04 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - name: Bootstrap environment uses: ./.github/actions/bootstrap with: download-test-fixture-cache: true - name: Run unit tests run: make unit Integration-Test: # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline name: "Integration tests" runs-on: ubuntu-24.04 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - name: Bootstrap environment uses: ./.github/actions/bootstrap with: download-test-fixture-cache: true - name: Validate syft output against the CycloneDX schema run: make validate-cyclonedx-schema - name: Run integration tests run: make integration Build-Snapshot-Artifacts: name: "Build snapshot artifacts" runs-on: ubuntu-24.04 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - name: Bootstrap environment uses: ./.github/actions/bootstrap with: bootstrap-apt-packages: "" - name: Build snapshot artifacts run: make snapshot # why not use actions/upload-artifact? It is very slow (3 minutes to upload ~600MB of data, vs 10 seconds with this approach). # see https://github.com/actions/upload-artifact/issues/199 for more info - name: Upload snapshot artifacts uses: actions/cache/save@5a3ec84eff668545956fd18022155c47e93e2684 #v4.2.3 with: # we need to preserve the snapshot data itself as well as the task data that confirms if the # snapshot build is stale or not. Otherwise the downstream jobs will attempt to rebuild the snapshot # even though it already exists. path: | snapshot .task key: snapshot-build-${{ github.run_id }} Upload-Snapshot-Artifacts: # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline name: "Upload snapshot artifacts" needs: [Build-Snapshot-Artifacts] runs-on: ubuntu-24.04 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - name: Bootstrap environment uses: ./.github/actions/bootstrap with: download-test-fixture-cache: true - name: Download snapshot build id: snapshot-cache uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 #v4.2.3 with: path: | snapshot .task fail-on-cache-miss: true key: snapshot-build-${{ github.run_id }} # workaround for https://github.com/actions/cache/issues/1265 - name: (cache-miss) Snapshot build missing if: steps.snapshot-cache.outputs.cache-hit != 'true' run: echo "unable to download snapshots from previous job" && false - run: npm install @actions/artifact@2.2.2 - uses: actions/github-script@v7 with: script: | const { readdirSync } = require('fs') const { DefaultArtifactClient } = require('@actions/artifact') const artifact = new DefaultArtifactClient() const ls = d => readdirSync(d, { withFileTypes: true }) const baseDir = "./snapshot" const dirs = ls(baseDir).filter(f => f.isDirectory()).map(f => f.name) const uploads = [] for (const dir of dirs) { // uploadArtifact returns Promise<{id, size}> uploads.push(artifact.uploadArtifact( // name of the archive: `${dir}`, // array of all files to include: ls(`${baseDir}/${dir}`).map(f => `${baseDir}/${dir}/${f.name}`), // base directory to trim from entries: `${baseDir}/${dir}`, { retentionDays: 30 } )) } // wait for all uploads to finish Promise.all(uploads) Acceptance-Linux: # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline name: "Acceptance tests (Linux)" needs: [Build-Snapshot-Artifacts] runs-on: ubuntu-24.04 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - name: Bootstrap environment uses: ./.github/actions/bootstrap with: download-test-fixture-cache: true - name: Download snapshot build id: snapshot-cache uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 #v4.2.3 with: path: | snapshot .task fail-on-cache-miss: true key: snapshot-build-${{ github.run_id }} # workaround for https://github.com/actions/cache/issues/1265 - name: (cache-miss) Snapshot build missing if: steps.snapshot-cache.outputs.cache-hit != 'true' run: echo "unable to download snapshots from previous job" && false - name: Run comparison tests (Linux) run: make compare-linux - name: Load test image cache if: steps.install-test-image-cache.outputs.cache-hit == 'true' run: make install-test-cache-load - name: Run install.sh tests (Linux) run: make install-test - name: (cache-miss) Create test image cache if: steps.install-test-image-cache.outputs.cache-hit != 'true' run: make install-test-cache-save Acceptance-Mac: # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline name: "Acceptance tests (Mac)" needs: [Build-Snapshot-Artifacts] runs-on: macos-latest steps: - name: Install Cosign uses: sigstore/cosign-installer@v3.8.1 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - name: Bootstrap environment uses: ./.github/actions/bootstrap with: bootstrap-apt-packages: "" go-dependencies: false download-test-fixture-cache: true - name: Download snapshot build id: snapshot-cache uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 #v4.2.3 with: path: | snapshot .task fail-on-cache-miss: true key: snapshot-build-${{ github.run_id }} # workaround for https://github.com/actions/cache/issues/1265 - name: (cache-miss) Snapshot build missing if: steps.snapshot-cache.outputs.cache-hit != 'true' run: echo "unable to download snapshots from previous job" && false - name: Run comparison tests (Mac) run: make compare-mac - name: Run install.sh tests (Mac) run: make install-test-ci-mac Cli-Linux: # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline name: "CLI tests (Linux)" needs: [Build-Snapshot-Artifacts] runs-on: ubuntu-24.04 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - name: Bootstrap environment uses: ./.github/actions/bootstrap with: download-test-fixture-cache: true - name: Download snapshot build id: snapshot-cache uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 #v4.2.3 with: path: | snapshot .task fail-on-cache-miss: true key: snapshot-build-${{ github.run_id }} # workaround for https://github.com/actions/cache/issues/1265 - name: (cache-miss) Snapshot build missing if: steps.snapshot-cache.outputs.cache-hit != 'true' run: echo "unable to download snapshots from previous job" && false - name: Run CLI Tests (Linux) run: make cli Cleanup-Cache: name: "Cleanup snapshot cache" if: github.event.pull_request.head.repo.full_name == github.repository runs-on: ubuntu-24.04 permissions: actions: write needs: - Acceptance-Linux - Acceptance-Mac - Cli-Linux - Upload-Snapshot-Artifacts steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - name: Delete snapshot cache run: gh cache delete "snapshot-build-${{ github.run_id }}" env: GH_TOKEN: ${{ github.token }}