Skip to content

Sync registry.k8s.io/pause and ghcr.io/canonical/k8s-snap/pause #930

Sync registry.k8s.io/pause and ghcr.io/canonical/k8s-snap/pause

Sync registry.k8s.io/pause and ghcr.io/canonical/k8s-snap/pause #930

Workflow file for this run

name: Integration Tests
on:
push:
branches:
- main
- autoupdate/strict
- 'release-[0-9]+.[0-9]+'
- 'release-[0-9]+.[0-9]+-strict'
pull_request:
branches:
- main
- 'release-[0-9].[0-9]+'
jobs:
build:
name: Build
runs-on: ubuntu-20.04
steps:
- name: Checking out repo
uses: actions/checkout@v4
- name: Install lxd
run: |
sudo lxd init --auto
sudo usermod --append --groups lxd $USER
sg lxd -c 'lxc version'
- name: Install snapcraft
run: |
sudo snap install snapcraft --classic
- name: Build snap
run: |
sg lxd -c 'snapcraft --use-lxd'
mv k8s_*.snap k8s.snap
- name: Uploading snap
uses: actions/upload-artifact@v4
with:
name: k8s.snap
path: k8s.snap
test-integration:
name: Test ${{ matrix.os }}
strategy:
matrix:
os: ["ubuntu:20.04", "ubuntu:22.04"]
runs-on: ubuntu-20.04
needs: build
steps:
- name: Check out code
uses: actions/checkout@v4
- name: Setup Python
uses: actions/setup-python@v5
with:
python-version: '3.8'
- name: Install tox
run: pip install tox
- name: Install lxd
run: |
sudo snap refresh lxd --channel 5.19/stable
sudo lxd init --auto
sudo usermod --append --groups lxd $USER
sg lxd -c 'lxc version'
- name: Download snap
uses: actions/download-artifact@v4
with:
name: k8s.snap
path: build
- name: Run end to end tests
run: |
export TEST_SNAP="$PWD/build/k8s.snap"
export TEST_SUBSTRATE=lxd
export TEST_LXD_IMAGE=${{ matrix.os }}
cd tests/integration && sg lxd -c 'tox -e integration'
security-scan:
name: Security scan
runs-on: ubuntu-20.04
needs: build
steps:
- name: Checking out repo
uses: actions/checkout@v4
- name: Fetch snap
uses: actions/download-artifact@v4
with:
name: k8s.snap
path: build
- name: Setup Trivy vulnerability scanner
run: |
mkdir -p sarifs
VER=$(curl --silent -qI https://github.com/aquasecurity/trivy/releases/latest | awk -F '/' '/^location/ {print substr($NF, 1, length($NF)-1)}');
wget https://github.com/aquasecurity/trivy/releases/download/${VER}/trivy_${VER#v}_Linux-64bit.tar.gz
tar -zxvf ./trivy_${VER#v}_Linux-64bit.tar.gz
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master
with:
scan-type: "fs"
ignore-unfixed: true
format: "sarif"
output: "trivy-k8s-repo-scan--results.sarif"
severity: "MEDIUM,HIGH,CRITICAL"
- name: Gather Trivy repo scan results
run: |
cp trivy-k8s-repo-scan--results.sarif ./sarifs/
- name: Run Trivy vulnerability scanner on the snap
run: |
cp build/k8s.snap .
unsquashfs k8s.snap
./trivy rootfs ./squashfs-root/ --format sarif > sarifs/snap.sarif
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: "sarifs"