Skip to content
This repository has been archived by the owner on Jun 26, 2024. It is now read-only.

Bump github/codeql-action from 2 to 3 #2421

Bump github/codeql-action from 2 to 3

Bump github/codeql-action from 2 to 3 #2421

Workflow file for this run

name: PR checks
on:
pull_request:
branches:
- master
- 'release-v**.x'
env:
GO111MODULE: on
SDK_VERSION: "1.17.0"
MINIKUBE_WANTUPDATENOTIFICATION: false
MINIKUBE_WANTREPORTERRORPROMPT: false
K8S_VERSION: "1.21.3"
MINIKUBE_VERSION: "1.26.0"
OLM_VERSION: "0.22.0"
TEST_ACCEPTANCE_CLI: "kubectl"
TEST_RESULTS: "out/acceptance-tests"
jobs:
lint:
name: Code Quality
runs-on: ubuntu-20.04
steps:
- name: Set up Go
uses: actions/setup-go@v4
with:
go-version: "^1.18"
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.11"
architecture: "x64"
- name: Checkout repo
uses: actions/checkout@v4
- name: Run linters
run: make lint
unit:
name: Unit Tests with Code coverage
runs-on: ubuntu-20.04
steps:
- name: Set up Go
uses: actions/setup-go@v4
with:
go-version: "^1.18"
- name: Checkout Git Repository
uses: actions/checkout@v4
- name: Unit Tests with Code Coverage
run: |
make test
- name: Upload Code Coverage Report
uses: codecov/codecov-action@v3
with:
file: cover.out
verbose: true
fail_ci_if_error: true
acceptance:
name: Acceptance Tests with Kubernetes and using OLM
runs-on: ubuntu-20.04
timeout-minutes: 90
env:
EXTRA_BEHAVE_ARGS: "--tags=~@knative --tags=~@openshift --tags=~@examples --tags=~@supported-operator --tags=~@optional-annotations --tags=~@workload-resource-mapping --tags=~@upgrade-with-olm --tags=~@disable-github-actions"
TEST_RUN: Acceptance_tests_Kubernetes_with_OLM
steps:
- name: Checkout Git Repository
uses: actions/checkout@v4
- name: Check if acceptance tests can be skipped
id: check-skip-acceptance
uses: ./.github/actions/check-skip-acceptance-tests
- name: Set up Python
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
uses: actions/setup-python@v5
with:
python-version: "3.11"
architecture: "x64"
- name: Setup-cli
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
uses: ./.github/actions/setup-cli
with:
start-minikube: true
- name: Wait for push
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
uses: lewagon/wait-on-check-action@e106e5c43e8ca1edea6383a39a01c5ca495fd812
with:
ref: ${{ github.event.pull_request.head.sha }}
check-name: "Push operator images (PR)"
repo-token: ${{ secrets.GITHUB_TOKEN }}
wait-interval: 60
- name: Extract image references
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
uses: pmacik/action-download-multiple-artifacts@node16
with:
names: operator-refs-${{github.event.pull_request.number}}-${{github.event.pull_request.head.sha}}
- name: Acceptance tests
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
timeout-minutes: 60
run: |
source ./operator.refs
export CATSRC_NAME=sbo-pr-checks
make SKIP_REGISTRY_LOGIN=true -o registry-login test-acceptance-with-bundle
- name: Collect Kube resources
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' && always() }}
continue-on-error: true
uses: ./.github/actions/collect-kube-resources
with:
operator-namespace: operators
olm-namespace: olm
test-namespace-file: out/test-namespace
output-path: ${{env.TEST_RESULTS}}
- name: Setup Testspace
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
uses: testspace-com/setup-testspace@v1
with:
domain: ${{ github.repository_owner }}
- name: Publish tests results to Testspace
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
run: |
testspace [${{ env.TEST_RUN }}]${{ env.TEST_RESULTS }}/TEST*.xml
- uses: actions/upload-artifact@v3
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' && always() }}
with:
name: kubernetes-with-olm-test-results
path: ${{ env.TEST_RESULTS }}
acceptance-optional-annotations:
name: Optional Annotations Acceptance Tests with Kubernetes and using OLM
runs-on: ubuntu-20.04
env:
EXTRA_BEHAVE_ARGS: "--tags=@optional-annotations --tags=~@disable-github-actions"
TEST_RUN: Optional_Annotations_Acceptance_tests_Kubernetes_with_OLM
steps:
- name: Checkout Git Repository
uses: actions/checkout@v4
- name: Check if acceptance tests can be skipped
id: check-skip-acceptance
uses: ./.github/actions/check-skip-acceptance-tests
- name: Set up Python
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
uses: actions/setup-python@v5
with:
python-version: "3.11"
architecture: "x64"
- name: Setup-cli
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
uses: ./.github/actions/setup-cli
with:
start-minikube: true
- name: Wait for push
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
uses: lewagon/wait-on-check-action@e106e5c43e8ca1edea6383a39a01c5ca495fd812
with:
ref: ${{ github.event.pull_request.head.sha }}
check-name: "Push operator images (PR)"
repo-token: ${{ secrets.GITHUB_TOKEN }}
wait-interval: 60
- name: Extract image references
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
uses: pmacik/action-download-multiple-artifacts@node16
with:
names: operator-refs-${{github.event.pull_request.number}}-${{github.event.pull_request.head.sha}}
- name: Acceptance tests
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
timeout-minutes: 60
run: |
source ./operator.refs
export CATSRC_NAME=sbo-pr-checks
make SKIP_REGISTRY_LOGIN=true -o registry-login test-acceptance-with-bundle
- name: Collect Kube resources
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' && always() }}
continue-on-error: true
uses: ./.github/actions/collect-kube-resources
with:
operator-namespace: operators
olm-namespace: olm
test-namespace-file: out/test-namespace
output-path: ${{env.TEST_RESULTS}}
- name: Setup Testspace
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
uses: testspace-com/setup-testspace@v1
with:
domain: ${{ github.repository_owner }}
- name: Publish tests results to Testspace
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
run: |
testspace [${{ env.TEST_RUN }}]${{ env.TEST_RESULTS }}/TEST*.xml
- uses: actions/upload-artifact@v3
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' && always() }}
with:
name: optional-annotations
path: ${{ env.TEST_RESULTS }}
acceptance-supported-operators:
name: Supported Operators Acceptance Tests with Kubernetes and using OLM
runs-on: ubuntu-20.04
env:
EXTRA_BEHAVE_ARGS: "--tags=@supported-operator --tags=~@disable-github-actions"
TEST_RUN: Supported_Operators_Acceptance_tests_Kubernetes_with_OLM
DELETE_NAMESPACE: never
steps:
- name: Checkout Git Repository
uses: actions/checkout@v4
- name: Check if acceptance tests can be skipped
id: check-skip-acceptance
uses: ./.github/actions/check-skip-acceptance-tests
- name: Set up Python
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
uses: actions/setup-python@v5
with:
python-version: "3.11"
architecture: "x64"
- name: Setup-cli
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
uses: ./.github/actions/setup-cli
with:
start-minikube: true
- name: Wait for push
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
uses: lewagon/wait-on-check-action@e106e5c43e8ca1edea6383a39a01c5ca495fd812
with:
ref: ${{ github.event.pull_request.head.sha }}
check-name: "Push operator images (PR)"
repo-token: ${{ secrets.GITHUB_TOKEN }}
wait-interval: 60
- name: Extract image references
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
uses: pmacik/action-download-multiple-artifacts@node16
with:
names: operator-refs-${{github.event.pull_request.number}}-${{github.event.pull_request.head.sha}}
- name: Acceptance tests
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
timeout-minutes: 60
run: |
source ./operator.refs
export CATSRC_NAME=sbo-pr-checks
make SKIP_REGISTRY_LOGIN=true -o registry-login test-acceptance-with-bundle
- name: Collect Kube resources
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' && always() }}
continue-on-error: true
uses: ./.github/actions/collect-kube-resources
with:
operator-namespace: operators
olm-namespace: olm
test-namespace-file: out/test-namespace
output-path: ${{env.TEST_RESULTS}}
- name: Setup Testspace
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
uses: testspace-com/setup-testspace@v1
with:
domain: ${{ github.repository_owner }}
- name: Publish tests results to Testspace
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
run: |
testspace [${{ env.TEST_RUN }}]${{ env.TEST_RESULTS }}/TEST*.xml
- uses: actions/upload-artifact@v3
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' && always() }}
with:
name: supported-operators-kubernetes
path: ${{ env.TEST_RESULTS }}
acceptance-workload-resource-mapping:
name: Workload Resource Mapping Acceptance Tests with Kubernetes and using OLM
runs-on: ubuntu-20.04
env:
EXTRA_BEHAVE_ARGS: "--tags=@workload-resource-mapping --tags=~@disable-github-actions"
TEST_RUN: Workload_Resource_Mapping_Acceptance_tests_Kubernetes_with_OLM
steps:
- name: Checkout Git Repository
uses: actions/checkout@v4
- name: Check if acceptance tests can be skipped
id: check-skip-acceptance
uses: ./.github/actions/check-skip-acceptance-tests
- name: Set up Python
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
uses: actions/setup-python@v5
with:
python-version: "3.11"
architecture: "x64"
- name: Setup-cli
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
uses: ./.github/actions/setup-cli
with:
start-minikube: true
- name: Wait for push
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
uses: lewagon/wait-on-check-action@e106e5c43e8ca1edea6383a39a01c5ca495fd812
with:
ref: ${{ github.event.pull_request.head.sha }}
check-name: "Push operator images (PR)"
repo-token: ${{ secrets.GITHUB_TOKEN }}
wait-interval: 60
- name: Extract image references
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
uses: pmacik/action-download-multiple-artifacts@node16
with:
names: operator-refs-${{github.event.pull_request.number}}-${{github.event.pull_request.head.sha}}
- name: Acceptance tests
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
timeout-minutes: 60
run: |
source ./operator.refs
export CATSRC_NAME=sbo-pr-checks
make SKIP_REGISTRY_LOGIN=true -o registry-login test-acceptance-with-bundle
- name: Collect Kube resources
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' && always() }}
continue-on-error: true
uses: ./.github/actions/collect-kube-resources
with:
operator-namespace: operators
olm-namespace: olm
test-namespace-file: out/test-namespace
output-path: ${{env.TEST_RESULTS}}
- name: Setup Testspace
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
uses: testspace-com/setup-testspace@v1
with:
domain: ${{ github.repository_owner }}
- name: Publish tests results to Testspace
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
run: |
testspace [${{ env.TEST_RUN }}]${{ env.TEST_RESULTS }}/TEST*.xml
- uses: actions/upload-artifact@v3
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' && always() }}
with:
name: workload-resource-mapping
path: ${{ env.TEST_RESULTS }}
acceptance-upgrade-with-olm:
name: Acceptance Tests for upgrading SBO with OLM on Kubernetes
runs-on: ubuntu-20.04
env:
EXTRA_BEHAVE_ARGS: "--tags=@upgrade-with-olm --tags=~@disable-github-actions"
TEST_RUN: Acceptance_tests_Upgrade_with_OLM
steps:
- name: Checkout Git Repository
uses: actions/checkout@v4
- name: Check if acceptance tests can be skipped
id: check-skip-acceptance
uses: ./.github/actions/check-skip-acceptance-tests
- name: Set up Python
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
uses: actions/setup-python@v5
with:
python-version: "3.11"
architecture: "x64"
- name: Setup-cli
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
uses: ./.github/actions/setup-cli
with:
start-minikube: true
- name: Install OLM
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
timeout-minutes: 10
run: |
kubectl get crd clusterserviceversions.operators.coreos.com || curl -sL https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v${OLM_VERSION}/install.sh | bash -s v${OLM_VERSION}
- name: Wait for push
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
uses: lewagon/wait-on-check-action@e106e5c43e8ca1edea6383a39a01c5ca495fd812
with:
ref: ${{ github.event.pull_request.head.sha }}
check-name: "Push operator images (PR)"
repo-token: ${{ secrets.GITHUB_TOKEN }}
wait-interval: 60
- name: Extract image references
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
uses: pmacik/action-download-multiple-artifacts@node16
with:
names: operator-refs-${{github.event.pull_request.number}}-${{github.event.pull_request.head.sha}}
- name: Acceptance tests
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
timeout-minutes: 60
run: |
source ./operator.refs
export PATH=$PATH:$(pwd)/bin
make opm yq
source ./hack/upgrade-sbo-env.sh
make SKIP_REGISTRY_LOGIN=true -o registry-login test-acceptance
- name: Collect Kube resources
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' && always() }}
continue-on-error: true
uses: ./.github/actions/collect-kube-resources
with:
operator-namespace: operators
olm-namespace: olm
test-namespace-file: out/test-namespace
output-path: ${{env.TEST_RESULTS}}
- name: Setup Testspace
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' && always() }}
uses: testspace-com/setup-testspace@v1
with:
domain: ${{ github.repository_owner }}
- name: Publish tests results to Testspace
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' && always() }}
run: |
testspace [${{ env.TEST_RUN }}]${{ env.TEST_RESULTS }}/TEST*.xml
- uses: actions/upload-artifact@v3
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' && always() }}
with:
name: upgrade-with-olm
path: ${{ env.TEST_RESULTS }}
acceptance_without_olm:
name: Acceptance tests running on Kubernetes without using OLM
runs-on: ubuntu-20.04
timeout-minutes: 90
env:
EXTRA_BEHAVE_ARGS: "--tags=~@knative --tags=~@openshift --tags=~@olm --tags=~@disable-github-actions"
TEST_RUN: Acceptance_tests_Kubernetes_without_OLM
UMOCI_VERSION: "0.4.5"
steps:
- name: Checkout Git Repository
uses: actions/checkout@v4
- name: Check if acceptance tests can be skipped
id: check-skip-acceptance
uses: ./.github/actions/check-skip-acceptance-tests
- name: Set up Python
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
uses: actions/setup-python@v5
with:
python-version: "3.11"
architecture: "x64"
- name: Set up CLI
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
uses: ./.github/actions/setup-cli
with:
start-minikube: true
- name: Set up Go
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
uses: actions/setup-go@v4
with:
go-version: "^1.16"
- name: Setup umoci cli
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
run: |
curl -Lo umoci https://github.com/opencontainers/umoci/releases/download/v${UMOCI_VERSION}/umoci.amd64
chmod +x umoci
mv -v umoci $GITHUB_WORKSPACE/bin/
- name: Wait for push
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
uses: lewagon/wait-on-check-action@e106e5c43e8ca1edea6383a39a01c5ca495fd812
with:
ref: ${{ github.event.pull_request.head.sha }}
check-name: "Push operator images (PR)"
repo-token: ${{ secrets.GITHUB_TOKEN }}
wait-interval: 60
- name: Extract image references
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
uses: pmacik/action-download-multiple-artifacts@node16
with:
names: operator-refs-${{github.event.pull_request.number}}-${{github.event.pull_request.head.sha}}
- name: Acceptance tests against vanilla k8s without OLM
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
timeout-minutes: 60
run: |
source ./operator.refs
eval $(minikube docker-env)
make release-manifests deploy-cert-manager
kubectl apply -f out/release.yaml
kubectl rollout status -n service-binding-operator deploy/service-binding-operator -w --timeout=120s
make TEST_ACCEPTANCE_START_SBO=remote test-acceptance
- name: Collect Kube resources
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' && always() }}
continue-on-error: true
uses: ./.github/actions/collect-kube-resources
with:
operator-namespace: service-binding-operator
test-namespace-file: out/test-namespace
output-path: ${{env.TEST_RESULTS}}
- name: Setup Testspace
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
uses: testspace-com/setup-testspace@v1
with:
domain: ${{ github.repository_owner }}
- name: Publish tests results to Testspace
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' }}
run: |
testspace [${{ env.TEST_RUN }}]${{ env.TEST_RESULTS }}/TEST*.xml
- uses: actions/upload-artifact@v3
if: ${{ steps.check-skip-acceptance.outputs.can_skip != 'true' && always() }}
with:
name: kubernetes-without-olm-test-results
path: ${{ env.TEST_RESULTS }}
single-commit:
name: Single commit PR
runs-on: ubuntu-20.04
steps:
- name: Checkout Git Repository
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Verify number of commits in the PR is 1
run: |
COMMIT_COUNT="$(git log --oneline ${{github.event.pull_request.base.sha}}..${{github.event.pull_request.head.sha}} | wc -l)"
if ! [ $COMMIT_COUNT -eq 1 ]; then
echo "Number of commits in the PR ($COMMIT_COUNT) must not be greater than one."
echo "Please squash all PR commits into a single one (https://git-scm.com/book/en/v2/Git-Tools-Rewriting-History#_squashing)"
exit 1
fi
security-scan:
name: Security vulnerability scan
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Wait for push
uses: lewagon/wait-on-check-action@e106e5c43e8ca1edea6383a39a01c5ca495fd812
with:
ref: ${{ github.event.pull_request.head.sha }}
check-name: "Push operator images (PR)"
repo-token: ${{ secrets.GITHUB_TOKEN }}
wait-interval: 60
- name: Download image references
uses: pmacik/action-download-multiple-artifacts@node16
with:
names: operator-refs-${{github.event.pull_request.number}}-${{github.event.pull_request.head.sha}}
- name: Extract operator image ref
id: operator-image-ref
run: |
source ./operator.refs
echo "operator-image-ref=${OPERATOR_IMAGE_REF}" >> $GITHUB_OUTPUT
- name: Run Trivy vulnerability scanner in IaC mode
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ steps.operator-image-ref.outputs.operator-image-ref }}
format: 'sarif'
ignore-unfixed: true
output: 'trivy-results.sarif'
severity: CRITICAL,HIGH,UNKNOWN
- name: Upload Trivy scan results to GitHub Security tab
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
source-scan:
name: Gosec code scanning
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run gosec
uses: securego/[email protected]
with:
args: '-no-fail -fmt sarif -out gosec.sarif ./...'
- name: Upload gosec scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'gosec.sarif'