Bump securego/gosec from 2.21.4 to 2.22.0 in the github-actions group #885
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI-Tests | |
on: | |
push: | |
branches: | |
- main | |
- release-[0-9]+.[0-9]+ | |
pull_request: | |
branches: | |
- main | |
- release-[0-9]+.[0-9]+ | |
defaults: | |
run: | |
shell: bash | |
jobs: | |
verify-and-unit-tests: | |
name: Run verify and unit tests | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-go@v5 | |
with: | |
go-version-file: go.mod | |
- name: Verify modules | |
run: | | |
go mod tidy | |
go mod verify | |
git diff --exit-code | |
- name: Verify format | |
run: | | |
make fmt | |
git diff --exit-code | |
make lint | |
- name: Verify manifests | |
run: | | |
# The 'release' target calls the 'manifests' target | |
make release | |
git diff --exit-code | |
- name: Verify imported manifests | |
run: | | |
make import-manifests | |
git diff --exit-code | |
- name: Verify bindata | |
run: | | |
make update-bindata | |
git diff --exit-code | |
- name: Unit and Integration Tests | |
run: | | |
make test | |
echo "::group::Test coverage" | |
make test-coverage | |
echo "::endgroup::" | |
- name: Run Gosec Security Scanner | |
uses: securego/[email protected] | |
with: | |
args: -no-fail -fmt sonarqube -out gosec.json -stdout -exclude-dir=.go -exclude-dir=test ./... | |
- name: Store the GitHub triggering event for the sonarcloud workflow | |
if: | | |
github.repository_owner == 'stolostron' | |
run: | | |
cat <<'EOF' > event.json | |
${{ toJSON(github.event) }} | |
EOF | |
- name: Upload artifacts | |
if: | | |
github.repository_owner == 'stolostron' | |
uses: actions/upload-artifact@v4 | |
with: | |
name: artifacts | |
path: | | |
event.json | |
gosec.json | |
coverage_unit.out | |
e2e-tests: | |
name: Run e2e tests | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-go@v5 | |
with: | |
go-version-file: go.mod | |
- name: Download binaries | |
run: | | |
make download-binaries | |
- name: Create K8s KinD Cluster | |
run: | | |
make test-cluster | |
- name: Build and Push Test Container Image to KIND node | |
run: | | |
make docker-build IMG=localhost:5000/gatekeeper-operator:$GITHUB_SHA | |
kind load docker-image localhost:5000/gatekeeper-operator:$GITHUB_SHA | |
- name: E2E Tests | |
run: | | |
make deploy-ci NAMESPACE=gatekeeper-system IMG=localhost:5000/gatekeeper-operator:$GITHUB_SHA | |
kubectl -n gatekeeper-system wait deployment/gatekeeper-operator-controller --for condition=Available --timeout=90s | |
kubectl -n gatekeeper-system logs deployment/gatekeeper-operator-controller -c manager -f 2>&1 | tee operator.log & | |
make test-e2e NAMESPACE=gatekeeper-system | |
- name: Debug | |
if: ${{ failure() }} | |
run: | | |
echo "::group:Deployments" | |
kubectl -n gatekeeper-system get all | |
echo "---" | |
kubectl -n gatekeeper-system get deployment/gatekeeper-operator-controller -o yaml | |
echo "::endgroup::" | |
echo "::group::Operator Logs" | |
cat operator.log | |
echo "::endgroup::" | |
e2e-openshift-tests: | |
name: Run e2e Openshift tests | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-go@v5 | |
with: | |
go-version-file: go.mod | |
- name: Download binaries | |
run: | | |
make download-binaries | |
- name: Create K8s KinD Cluster | |
run: | | |
make test-cluster | |
make test-openshift-setup | |
- name: Build and Push Test Container Image to KIND node | |
run: | | |
make docker-build IMG=localhost:5000/gatekeeper-operator:$GITHUB_SHA | |
kind load docker-image localhost:5000/gatekeeper-operator:$GITHUB_SHA | |
- name: E2E Openshift Tests | |
run: | | |
make deploy-ci NAMESPACE=openshift-gatekeeper-system IMG=localhost:5000/gatekeeper-operator:$GITHUB_SHA | |
kubectl -n openshift-gatekeeper-system wait deployment/gatekeeper-operator-controller --for condition=Available --timeout=90s | |
kubectl -n openshift-gatekeeper-system logs deployment/gatekeeper-operator-controller -c manager -f 2>&1 | tee operator.log & | |
make test-e2e-openshift | |
- name: Debug | |
if: ${{ failure() }} | |
run: | | |
echo "::group:Deployments" | |
kubectl -n openshift-gatekeeper-system get all | |
echo "---" | |
kubectl -n openshift-gatekeeper-system get deployment/gatekeeper-operator-controller -o yaml | |
echo "::endgroup::" | |
echo "::group::Operator Logs" | |
cat operator.log | |
echo "::endgroup::" | |
gatekeeper-e2e-tests: | |
name: Run gatekeeper e2e tests | |
runs-on: ubuntu-latest | |
defaults: | |
run: | |
working-directory: gatekeeper-operator | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
path: gatekeeper-operator | |
- uses: actions/setup-go@v5 | |
with: | |
go-version-file: gatekeeper-operator/go.mod | |
cache-dependency-path: gatekeeper-operator/go.sum | |
- name: Download binaries | |
run: | | |
make download-binaries | |
- name: Create K8s KinD Cluster | |
run: | | |
make test-cluster | |
- name: Build and Push Test Container Image to KIND node | |
run: | | |
make docker-build IMG=localhost:5000/gatekeeper-operator:$GITHUB_SHA | |
kind load docker-image localhost:5000/gatekeeper-operator:$GITHUB_SHA | |
- name: Set Up Environment Variables | |
run: | | |
GATEKEEPER_VERSION=v$(cat GATEKEEPER_VERSION 2>/dev/null || cat VERSION) | |
echo "GATEKEEPER_VERSION=${GATEKEEPER_VERSION}" >> ${GITHUB_ENV} | |
- name: Deploy operator | |
env: | |
NAMESPACE: gatekeeper-system | |
run: | | |
make deploy-ci IMG=localhost:5000/gatekeeper-operator:$GITHUB_SHA | |
kubectl -n ${NAMESPACE} wait deployment/gatekeeper-operator-controller --for condition=Available --timeout=90s | |
echo "BATS_PATH=$PWD/ci-tools/bin" >> ${GITHUB_ENV} | |
make test-gatekeeper-e2e | |
# Checkout a local copy of Gatekeeper to use its bats e2e tests. | |
- name: Checkout Gatekeeper to verify imported manifests | |
uses: actions/checkout@v4 | |
with: | |
repository: open-policy-agent/gatekeeper | |
ref: ${{ env.GATEKEEPER_VERSION }} | |
path: gatekeeper | |
- name: Gatekeeper E2E Tests | |
working-directory: gatekeeper | |
run: | | |
echo "::group::Patch Gatekeeper tests / Build and push test image" | |
export PATH=${{ env.BATS_PATH }}:$PATH | |
echo "* Patching test command for exempt namespaces:" | |
replace='num_namespaces=$(($(kubectl get ns -o json | jq '\''.items | length'\'')-$(kubectl get ns | grep excluded | wc -l)))' | |
sed -i "s/num_namespaces=.*/$replace/" test/bats/test.bats | |
echo "* Patching svc manifest NodePort (See https://github.com/open-policy-agent/gatekeeper/pull/3267):" | |
yq '.spec.type = "NodePort"' -i test/bats/tests/mutations/mutate_svc.yaml | |
test/externaldata/dummy-provider/scripts/generate-tls-certificate.sh | |
docker build -t dummy-provider:test -f test/externaldata/dummy-provider/Dockerfile test/externaldata/dummy-provider | |
kind load docker-image --name kind dummy-provider:test | |
echo "::endgroup::" | |
make test-e2e GATEKEEPER_NAMESPACE=${NAMESPACE} ENABLE_MUTATION_TESTS=1 |