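# Reusable workflow: runs tests, a Snyk image scan, Rubocop lint and
# pull-request lookup for one image tag, and reports each result as
# evidence to Kosli. The calling workflow supplies IMAGE_TAG and the two
# secrets; Kosli connection details come from repository variables.
name: Sub - test image

on:
  workflow_call:
    secrets:
      KOSLI_API_TOKEN:
        required: true
      SNYK_TOKEN:
        required: true
    inputs:
      KOSLI_HOST:
        default: https://app.kosli.com
        required: false
        type: string
      IMAGE_TAG:
        required: true
        type: string

env:
  KOSLI_DRY_RUN: ${{ vars.KOSLI_DRY_RUN }}
  KOSLI_HOST: ${{ inputs.KOSLI_HOST }}
  KOSLI_ORG: ${{ vars.KOSLI_ORG }}
  KOSLI_FLOW: ${{ vars.KOSLI_FLOW }}
  KOSLI_API_TOKEN: ${{ secrets.KOSLI_API_TOKEN }}
  SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
  # The caller-supplied tag reaches the `run:` scripts through the
  # environment rather than by `${{ }}` expansion into the script text, so
  # its value is never interpreted as shell syntax.
  IMAGE_TAG: ${{ inputs.IMAGE_TAG }}

jobs:
  branch-coverage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup Kosli CLI
        uses: kosli-dev/setup-cli-action@v2
        with:
          version: ${{ vars.KOSLI_CLI_VERSION }}
      - name: Run tests, save results to evidence.json file, report to Kosli flow
        run: |
          source ./sh/run_tests_with_coverage.sh
          # The test outcome only decides the compliance flag; the evidence
          # is reported to Kosli either way.
          if run_tests_with_coverage; then KOSLI_COMPLIANT=true; else KOSLI_COMPLIANT=false; fi
          kosli report evidence artifact generic "cyberdojo/${KOSLI_FLOW}:${IMAGE_TAG}" \
            --artifact-type=docker \
            --compliant="${KOSLI_COMPLIANT}" \
            --description="server & client branch-coverage reports" \
            --name=branch-coverage \
            --user-data=./test/reports/evidence.json

  snyk-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup Kosli CLI
        uses: kosli-dev/setup-cli-action@v2
        with:
          version: ${{ vars.KOSLI_CLI_VERSION }}
      - name: Setup Snyk
        # NOTE(review): `@master` is a mutable ref, so the scanner code can
        # change underneath this workflow; consider pinning to a release tag
        # or commit SHA.
        uses: snyk/actions/setup@master
      - name: Run Snyk to check Docker image for vulnerabilities
        # A non-zero exit here means findings, not a broken scan; the job
        # carries on so the results are still reported in the next step.
        continue-on-error: true
        run: >-
          snyk container test "cyberdojo/${KOSLI_FLOW}:${IMAGE_TAG}"
          --file=Dockerfile
          --json-file-output=snyk.json
          --policy-path=.snyk
      - name: Report Snyk results to Kosli flow
        run: |
          IMAGE_NAME="cyberdojo/${KOSLI_FLOW}:${IMAGE_TAG}"
          docker pull "${IMAGE_NAME}"
          kosli report evidence artifact snyk "${IMAGE_NAME}" \
            --artifact-type=docker \
            --name=snyk-scan \
            --scan-results=snyk.json

  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup Kosli CLI
        uses: kosli-dev/setup-cli-action@v2
        with:
          version: ${{ vars.KOSLI_CLI_VERSION }}
      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: "3.2.0"
          bundler-cache: true
      - name: Run Rubocop linter on source, report results to Kosli flow
        run: |
          repo_root() { git rev-parse --show-toplevel; }
          export LINT_EVIDENCE_DIR=/tmp/evidence/lint
          mkdir -p "${LINT_EVIDENCE_DIR}"
          cp "$(repo_root)/.rubocop.yml" "${LINT_EVIDENCE_DIR}"/.rubocop.yml
          gem install rubocop
          # The compliance flag must follow rubocop's exit status, not tee's.
          # The default `run:` shell does not set pipefail, so without this
          # line the `if` would always take the true branch.
          set -o pipefail
          if rubocop "$(repo_root)" | tee "${LINT_EVIDENCE_DIR}"/rubocop.log; then
            export KOSLI_LINT_COMPLIANT=true
          else
            export KOSLI_LINT_COMPLIANT=false
          fi
          kosli report evidence commit generic \
            --compliant="${KOSLI_LINT_COMPLIANT}" \
            --evidence-paths="${LINT_EVIDENCE_DIR}" \
            --name=lint

  pull-request:
    if: ${{ github.ref == 'refs/heads/main' }}
    runs-on: ubuntu-latest
    # NOTE(review): nothing in the steps below visibly uses `id-token: write`
    # or `contents: write`; confirm they are required before keeping them.
    permissions:
      id-token: write
      contents: write
      pull-requests: read
    steps:
      - uses: actions/checkout@v4
      - name: Setup Kosli CLI
        uses: kosli-dev/setup-cli-action@v2
        with:
          version: ${{ vars.KOSLI_CLI_VERSION }}
      - name: Report pull-request evidence to Kosli
        env:
          # Passed via the environment so the token is never expanded into
          # the script text itself.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          IMAGE_NAME="cyberdojo/${KOSLI_FLOW}:${IMAGE_TAG}"
          docker pull "${IMAGE_NAME}"
          kosli report evidence artifact pullrequest github "${IMAGE_NAME}" \
            --artifact-type=docker \
            --github-token "${GITHUB_TOKEN}" \
            --name=pull-request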