200 lines (197 loc) · 7.24 KB
/
tests.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
name: Tests
on:
push:
paths-ignore:
- .github/workflows/release.yml
pull_request:
paths-ignore:
- .github/workflows/release.yml
jobs:
build:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
python-version:
- "3.10"
steps:
- uses: actions/checkout@v2
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
cache: 'pip'
- name: Get pip cache
id: pip-cache
run: |
python -c "from pip._internal.locations import USER_CACHE_DIR; print('::set-output name=dir::' + USER_CACHE_DIR)"
- name: pip cache
uses: actions/cache@v1
with:
path: ${{ steps.pip-cache.outputs.dir }}
key: ${{ runner.os }}-pip-${{ hashFiles('**/setup.cfg') }}
restore-keys: |
${{ runner.os }}-pip-
- name: Install dev dependencies
run: |
pip install -U pip setuptools wheel
pip install -U https://github.com/scitt-community/scitt-api-emulator/archive/e89a60584fa717382f279ae24b8a1a93d458bb4d.zip
pip install -e .[dev]
python -m pip freeze
- name: Build
run: |
python -m build .
- name: Generate SBOM
id: generate-sbom
uses: pdxjohnny/sbom4python@github-action
with:
python-version: ${{ matrix.python-version }}
module-name: httptest
output-directory: sbom
- name: in-toto attestation for cyclonedx SBOM
id: in-toto-cyclonedx
env:
MODULE_NAME: httptest
run: |
echo "attestation<<GITHUB_OUTPUT_EOF" >> $GITHUB_OUTPUT
(python -m json.tool --sort-keys | tee -a $GITHUB_OUTPUT) <<EOF
{
"_type": "https://in-toto.io/Statement/v0.1",
"subject": [
{
"name": "$(cd dist/ && echo *.tar.gz)",
"digest": {"sha256": "$(cd dist/ && sha256sum $(echo *.tar.gz) | awk '{print $1}')"}
},
{
"name": "$(cd dist/ && echo *.whl)",
"digest": {"sha256": "$(cd dist/ && sha256sum $(echo *.whl) | awk '{print $1}')"}
}
],
"predicateType": "https://cyclonedx.org/bom/v1.4",
"predicate": $(cat "${MODULE_NAME}-py${{ matrix.python-version }}.json")
}
EOF
echo "GITHUB_OUTPUT_EOF" >> $GITHUB_OUTPUT
- name: Checkout public-keys branch
uses: actions/checkout@v4
with:
ref: public-keys
path: public-keys
- name: Generate keypair to sign SCITT statement
id: scitt-gen-keypair
run: |
ssh-keygen -q -f ssh-private -t ecdsa -b 384 -N '' -C "$(head -n 100 /dev/urandom | sha384sum | awk '{print $1}')" -I "$(date -Iseconds)" <<<y
cat ssh-private | python -c 'import sys; from cryptography.hazmat.primitives import serialization; print(serialization.load_ssh_private_key(sys.stdin.buffer.read(), password=None).private_bytes(encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.PKCS8, encryption_algorithm=serialization.NoEncryption()).decode().rstrip())' > private-key.pem
cat ssh-private.pub | tee -a public-keys/authorized_keys
rm -v ssh-private
- name: Push new public key
env:
GH_TOKEN: ${{ github.token }}
run: |
set -xe
cd public-keys
gh auth setup-git
git config --global --add safe.directory "${PWD}"
git config --global user.email "actions@github.com"
git config --global user.name "GitHub Actions"
git add -A
# If no delta clean exit
git commit -sm "Snapshot" || exit 0
git push -uf origin "HEAD:public-keys"
# Wait for propagation
set +e
found=1
while [ ${found} -eq 1 ]; do
curl -vfL https://raw.githubusercontent.com/pdxjohnny/httptest/public-keys/authorized_keys | tee authorized_keys
grep "$(cat ../ssh-private.pub | awk '{print $NF}')" authorized_keys
found=$?
done
- name: Submit SBOM to SCITT
id: scitt-submit-sbom
uses: pdxjohnny/scitt-api-emulator@github-action
with:
issuer: did:web:raw.githubusercontent.com:pdxjohnny:httptest:public-keys:authorized_keys
subject: pkg:github/${{ github.repository }}@${{ github.sha }}
payload: ${{ steps.in-toto-cyclonedx.outputs.attestation }}
private-key-pem: private-key.pem
scitt-url: https://scitt.unstable.chadig.com
- name: Create Pull Request
if: ${{ steps.generate-sbom.outputs.changed }}
uses: peter-evans/create-pull-request@v5.0.2
with:
commit-message: "chore: update SBOM for Python ${{ matrix.python-version }}"
title: "chore: update SBOM for Python ${{ matrix.python-version }}"
branch: chore-sbom-py${{ matrix.python-version }}
delete-branch: true
author: GitHub Actions <actions@github.com>
add-paths: sbom
- name: Install vexctl
uses: openvex/setup-vexctl@main
- uses: pdxjohnny/generate-vex@patch-1
name: Run vexctl
id: vexctl
with:
product: pkg:github/${{ github.repository }}@${{ github.sha }}
- name: Submit OpenVEX to SCITT
id: scitt-submit-openvex
uses: pdxjohnny/scitt-api-emulator@github-action
with:
issuer: did:web:raw.githubusercontent.com:pdxjohnny:httptest:public-keys:authorized_keys
subject: pkg:github/${{ github.repository }}@${{ github.sha }}
payload: ${{ steps.vexctl.outputs.openvex }}
private-key-pem: private-key.pem
scitt-url: https://scitt.unstable.chadig.com
- name: Remove private key used in keypair to sign SCITT statement
run: |
rm -v private-key.pem
unittest:
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os:
- ubuntu-latest
- macos-latest
- windows-latest
python-version:
- "3.10"
- "3.11"
- "3.12"
steps:
- uses: actions/checkout@v2
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v2
with:
python-version: ${{ matrix.python-version }}
- name: Get pip cache
id: pip-cache
run: |
python -c "from pip._internal.locations import USER_CACHE_DIR; print('::set-output name=dir::' + USER_CACHE_DIR)"
- name: pip cache
uses: actions/cache@v1
with:
path: ${{ steps.pip-cache.outputs.dir }}
key: ${{ runner.os }}-pip-${{ hashFiles('**/setup.cfg') }}
restore-keys: |
${{ runner.os }}-pip-
- name: Install dev dependencies
run: |
pip install -U pip setuptools wheel
pip install -e .[dev]
python -m pip freeze
- name: Test without coverage
if: ${{ matrix.python-version != '3.10' }}
run: |
python -m unittest discover -v
- name: Coverage Test
if: ${{ matrix.python-version == '3.10' && matrix.os == 'ubuntu-latest' }}
run: |
python -m coverage run -m unittest discover -v
python -m coverage report -m
- name: Upload coverage to codecov
if: ${{ matrix.python-version == '3.10' && matrix.os == 'ubuntu-latest' }}
env:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
run: |
pip install -U codecov
codecov