Bumps the actions-minor-patch group with 5 updates in the / directory: | Package | From | To | | --- | --- | --- | | [anchore/workflows/.github/workflows/codeql.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` | | [anchore/workflows/.github/workflows/check-version-available.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` | | [anchore/workflows/.github/workflows/check-gate.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` | | [actions/checkout](https://github.com/actions/checkout) | `6.0.2` | `6.0.3` | | [anchore/workflows/.github/workflows/release-install-script.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` | Bumps the actions-minor-patch group with 1 update in the /.github/actions/bootstrap directory: [anchore/go-make](https://github.com/anchore/go-make). Updates `anchore/workflows/.github/workflows/codeql.yaml` from 0.7.0 to 0.7.2 - [Release notes](https://github.com/anchore/workflows/releases) - [Commits](b3e328b5ae...b0c30a8040) Updates `anchore/workflows/.github/workflows/check-version-available.yaml` from 0.7.0 to 0.7.2 - [Release notes](https://github.com/anchore/workflows/releases) - [Commits](b3e328b5ae...b0c30a8040) Updates `anchore/workflows/.github/workflows/check-gate.yaml` from 0.7.0 to 0.7.2 - [Release notes](https://github.com/anchore/workflows/releases) - [Commits](b3e328b5ae...b0c30a8040) Updates `actions/checkout` from 6.0.2 to 6.0.3 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](de0fac2e45...df4cb1c069) Updates `anchore/workflows/.github/workflows/release-install-script.yaml` from 0.7.0 to 0.7.2 - [Release notes](https://github.com/anchore/workflows/releases) - [Commits](b3e328b5ae...b0c30a8040) Updates `anchore/go-make` from 0.5.0 to 0.6.0 - [Release notes](https://github.com/anchore/go-make/releases) - [Commits](9de27be11e...39fe5f7111) --- updated-dependencies: - dependency-name: 
anchore/workflows/.github/workflows/codeql.yaml dependency-version: 0.7.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: anchore/workflows/.github/workflows/check-version-available.yaml dependency-version: 0.7.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: anchore/workflows/.github/workflows/check-gate.yaml dependency-version: 0.7.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: actions/checkout dependency-version: 6.0.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: anchore/workflows/.github/workflows/release-install-script.yaml dependency-version: 0.7.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: anchore/go-make dependency-version: 0.6.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-minor-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
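---
# CI validation pipeline: static analysis, unit/integration tests, a snapshot build, and the
# acceptance/CLI jobs that consume that snapshot. It is triggered by pull requests (untrusted
# input), pushes to main and manual dispatch, so every job runs with read-only token scopes
# and the checkout never persists the job token.
name: "Validations"

# we should cancel any in-progress runs for the same workflow + PR/ref
# so that we can avoid redundant work / save on CI minutes
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

on:
  workflow_dispatch:
  pull_request:
  push:
    branches:
      - main

# no default GITHUB_TOKEN scopes at the workflow level; each job opts in to exactly what it needs
permissions: {}

jobs:
  Static-Analysis:
    # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
    name: "Static analysis"
    # runs-on.com: memory & general purpose instances for testing
    # spot enabled: ok to interrupt non-production workloads
    # tmpfs: faster io-intensive workflows
    # note: s3-cache intentionally omitted -- PR runs are untrusted and must not write to the
    # shared cache backend that the trusted release workflow reads from (cache poisoning).
    # &test-runner is reused by the other test jobs below via *test-runner (same YAML document).
    runs-on: &test-runner "runs-on=${{ github.run_id }}/cpu=4+8/ram=32+128/family=r5+r6+r7+r8+m4+m5+m6+m7+m8/spot=price-capacity-optimized/extras=tmpfs"
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          # keep the job token out of the checked-out .git/config so later steps cannot read it
          persist-credentials: false

      - name: Bootstrap environment
        uses: ./.github/actions/bootstrap
        with:
          # the self-consistency tests for the output of the capabilities code generation depends on unit test
          # output from ./syft/pkg/... packages. Therefore we need to download the test fixture cache here
          # so that running the few unit tests as part of static analysis works correctly.
          download-test-fixture-cache: true

      - name: Run static analysis
        run: make static-analysis

  Unit-Test:
    # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
    name: "Unit tests"
    runs-on: *test-runner
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false

      - name: Bootstrap environment
        uses: ./.github/actions/bootstrap
        with:
          download-test-fixture-cache: true

      - name: Run unit tests
        run: make unit

      - name: Check for capability drift
        run: make check-capability-drift

  Integration-Test:
    # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
    name: "Integration tests"
    runs-on: *test-runner
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false

      - name: Bootstrap environment
        uses: ./.github/actions/bootstrap
        with:
          download-test-fixture-cache: true

      - name: Validate syft output against the CycloneDX schema
        run: make validate-cyclonedx-schema

      - name: Run integration tests
        run: make integration

  Build-Snapshot-Artifacts:
    name: "Build snapshot artifacts"
    # runs-on.com: compute instances for parallel builds
    # spot disabled: reliability for build workflows (used for releases too)
    # goreleaser uses parallelism of 12, so we need more CPUs
    # tmpfs: faster io-intensive workflows
    # note: s3-cache intentionally omitted -- PR runs are untrusted and must not write to the
    # shared cache backend that the trusted release workflow reads from (cache poisoning).
    runs-on: "runs-on=${{ github.run_id }}/cpu=16+32/ram=32+128/family=c5+c6+c7+c8/spot=false/extras=tmpfs"
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false

      - name: Bootstrap environment
        uses: ./.github/actions/bootstrap
        with:
          bootstrap-apt-packages: ""

      - name: Build snapshot artifacts
        run: make snapshot

      - name: Smoke test snapshot build
        run: make snapshot-smoke-test

      # the snapshot is built from the (possibly untrusted) PR tree and is consumed by the
      # dependent acceptance/CLI jobs of this same run via `needs` + download-artifact
      - name: Upload snapshot artifacts
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: snapshot
          path: snapshot/
          retention-days: 30

  Acceptance-Linux:
    # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
    name: "Acceptance tests (Linux)"
    needs: [Build-Snapshot-Artifacts]
    runs-on: *test-runner
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false

      - name: Bootstrap environment
        uses: ./.github/actions/bootstrap
        with:
          download-test-fixture-cache: true

      - name: Download snapshot artifacts
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: snapshot
          path: snapshot

      # the artifact round-trip may not preserve the executable bit; this is deliberately
      # best-effort (errors and a failed glob are ignored) and later steps fail if the binary is unusable
      - name: Restore binary permissions
        run: chmod +x snapshot/*/syft snapshot/*/*.exe 2>/dev/null || true

      - name: Run comparison tests (Linux)
        run: make compare-linux

      # NOTE(review): no step in this job declares `id: install-test-image-cache`, so
      # `steps.install-test-image-cache.outputs.cache-hit` is always empty: the load step below
      # never runs and the "(cache-miss)" save step at the end always runs. Either restore a
      # cache step with that id (keeping the PR cache-poisoning note above in mind) or drop both
      # conditions -- TODO confirm intent.
      - name: Load test image cache
        if: steps.install-test-image-cache.outputs.cache-hit == 'true'
        run: make install-test-cache-load

      - name: Run install.sh tests (Linux)
        run: make install-test

      - name: (cache-miss) Create test image cache
        if: steps.install-test-image-cache.outputs.cache-hit != 'true'
        run: make install-test-cache-save

  Acceptance-Mac:
    # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
    name: "Acceptance tests (Mac)"
    needs: [Build-Snapshot-Artifacts]
    # note: macos runners aren't supported yet for runs-on managed runners.
    runs-on: macos-latest
    permissions:
      contents: read
    steps:
      # NOTE(review): installed before checkout; presumably needed by the install.sh tests below -- confirm
      - name: Install Cosign
        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2

      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false

      - name: Bootstrap environment
        uses: ./.github/actions/bootstrap
        with:
          # no apt on macOS; Go dependencies are skipped here (presumably not needed for these tests -- confirm)
          bootstrap-apt-packages: ""
          go-dependencies: false
          download-test-fixture-cache: true

      - name: Download snapshot artifacts
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: snapshot
          path: snapshot

      # best-effort, same rationale as the Linux job (no .exe on this platform)
      - name: Restore binary permissions
        run: chmod +x snapshot/*/syft 2>/dev/null || true

      - name: Run comparison tests (Mac)
        run: make compare-mac

      - name: Run install.sh tests (Mac)
        run: make install-test-ci-mac

  Cli-Linux:
    # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
    name: "CLI tests (Linux)"
    needs: [Build-Snapshot-Artifacts]
    runs-on: *test-runner
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false

      - name: Bootstrap environment
        uses: ./.github/actions/bootstrap
        with:
          download-test-fixture-cache: true

      - name: Download snapshot artifacts
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: snapshot
          path: snapshot

      # best-effort, same rationale as in Acceptance-Linux
      - name: Restore binary permissions
        run: chmod +x snapshot/*/syft snapshot/*/*.exe 2>/dev/null || true

      - name: Run CLI Tests (Linux)
        run: make cli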