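# GitHub Actions workflow: builds kube-linter, runs lint/unit/e2e/bats tests,
# validates the SARIF output against the 2.1.0 schema and uploads it to Code
# Scanning, then sanity-checks the Windows binary.
#
# NOTE: third-party actions below are referenced by mutable tags (@v4, @v1, ...).
# For supply-chain hardening, pin each `uses:` to a full-length commit SHA with
# the tag kept in a trailing comment, and let Dependabot move the pins.
name: Test kube-linter

# Least-privilege default for GITHUB_TOKEN. Jobs that need more (the SARIF
# upload) request it explicitly at job level; everything else only reads code.
permissions:
  contents: read

on:
  pull_request:
  # Workflows triggered by Dependabot on the "push" event run with read-only access.
  # Uploading Code Scanning results requires write access. Ignore dependabot branches for auto-merge.
  push:
    branches-ignore: "dependabot/**"
    tags:
      - "*"

env:
  # Use docker.io for Docker Hub if empty
  REGISTRY: ghcr.io
  # github.repository as <account>/<repo>
  IMAGE_NAME: ${{ github.repository }}

jobs:
  build-and-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Checkout all repo history to make tags available for figuring out kube-linter version during build.
          fetch-depth: 0
      - name: Setup Go environment
        uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - name: Go Build Cache
        uses: actions/cache@v4
        with:
          path: ~/.cache
          key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.sum') }}
      - name: Go Mod Cache
        uses: actions/cache@v4
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
      - name: Build binaries
        run: make build
      - name: Upload binary
        uses: actions/upload-artifact@v4
        with:
          name: bin
          path: bin
      - name: Run lint checks
        run: make lint
      - name: Ensure generated files are up-to-date
        run: make generated-srcs && git diff --exit-code HEAD
      - name: Run unit tests
        run: make test
      - name: Upload coverage reports to Codecov
        # REF_PLACEHOLDER: the pinned codecov-action ref was garbled in the
        # rendered page this was reviewed from; restore it from the original
        # file (ideally as a full commit SHA).
        uses: codecov/codecov-action@REF_PLACEHOLDER
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          slug: stackrox/kube-linter
          flags: unit
      - name: Run E2E tests
        run: make e2e-test
      - name: Setup BATS
        uses: mig4/setup-bats@v1
        with:
          # Quoted so no YAML loader ever retypes the version string.
          bats-version: "1.5.0"
      - name: Run bats tests
        run: make e2e-bats
      - name: Upload coverage reports to Codecov
        # REF_PLACEHOLDER: see the first codecov step above.
        uses: codecov/codecov-action@REF_PLACEHOLDER
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          slug: stackrox/kube-linter
          flags: bats
      - name: Upload Linux binary
        uses: actions/upload-artifact@v4
        with:
          name: kube-linter
          path: dist/kube-linter_linux_amd64_v1/kube-linter
      - name: Upload Windows binary
        uses: actions/upload-artifact@v4
        with:
          name: kube-linter.exe
          path: dist/kube-linter_windows_amd64_v1/kube-linter.exe

  test-sarif:
    needs: build-and-test
    runs-on: ubuntu-latest
    # Job-level grant replaces the workflow default, so contents: read must be
    # restated. security-events: write is what upload-sarif needs to publish
    # Code Scanning results; actions: read is only consulted on private repos.
    permissions:
      contents: read
      security-events: write
      actions: read
    steps:
      - uses: actions/checkout@v4
      - name: Download executable
        uses: actions/download-artifact@v4
        with:
          name: kube-linter
      - name: Set permissions to file
        run: chmod +x kube-linter
      - name: Print kube-linter version
        run: ./kube-linter version
      - name: Run kube-linter on a sample file with SARIF output
        # The sample deliberately contains findings, so the lint exit code is
        # non-zero; the SARIF file is what the following steps check.
        run: ./kube-linter lint --format=sarif tests/testdata/splunk.yaml > results.sarif
        continue-on-error: true
      - name: Dump output file and check it is not empty
        # The if part will generate no-zero exit code if the file is empty. See https://github.com/stedolan/jq/issues/1142#issuecomment-432003984
        run: jq -es 'if . == [] then null else .[] | . end' results.sarif
      - name: Upload output file as GitHub artifact for manual investigation
        uses: actions/upload-artifact@v4
        with:
          name: results.sarif
          path: results.sarif
      - name: Install yajsv
        # TODO(security): the release binary is fetched over TLS but not
        # integrity-checked. Record its digest once and verify it here, e.g.
        #   echo "<SHA256_PLACEHOLDER>  yajsv" | sha256sum -c
        # so a tampered or replaced release asset fails the job instead of
        # silently validating (or not validating) the SARIF output.
        run: curl https://github.com/neilpa/yajsv/releases/download/v1.4.0/yajsv.linux.amd64 -LsSfo yajsv && chmod +x yajsv
      - name: Check if output file is valid according to SARIF schema
        run: |
          set -ex
          schema=$(jq -r '.["$schema"]' results.sarif)
          [ "$schema" = https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json ]
          ./yajsv -s ./scripts/sarif/sarif-schema-2.1.0.json results.sarif
      - name: Upload SARIF output file to GitHub
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

  windows-sanity-test:
    name: Windows sanity test
    needs: build-and-test
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Checkout all repo history to make tags available for figuring out kube-linter version during build.
          fetch-depth: 0
      - name: Download windows executable
        uses: actions/download-artifact@v4
        with:
          name: kube-linter.exe
          path: tmp/
      - name: Run version and a single lint check
        shell: bash
        run: |
          tmp/kube-linter.exe version
          # Make sure the lint command can run without errors.
          # TODO: run the full suite of E2E tests on Windows.
          tmp/kube-linter.exe lint "tests/checks/access-to-create-pods.yml"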