Test #1480
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Tests | |
| on: | |
| pull_request_target: | |
| branches: | |
| - main | |
| - "[0-9]+.[0-9]+" | |
| types: [opened, synchronize, reopened] | |
| push: | |
| branches: | |
| - main | |
| - "[0-9]+.[0-9]+" | |
| workflow_dispatch: | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
| cancel-in-progress: true | |
| jobs: | |
| init-hermit: | |
| name: Init Hermit Tools | |
| runs-on: ubuntu-22.04 | |
| timeout-minutes: 60 | |
| steps: | |
| - name: Check out the repo | |
| uses: actions/checkout@v4 | |
| - name: Hermit Environment | |
| uses: ./.github/actions/hermit | |
| with: | |
| init-tools: 'true' | |
| lint: | |
| name: Lint | |
| runs-on: ubuntu-22.04 | |
| timeout-minutes: 60 | |
| steps: | |
| - name: Check out the repo | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event_name == 'push' && github.ref || format('refs/pull/{0}/merge', github.event.number) }} | |
| # If the event is push to branch use the default ref. | |
| # If the event is pull request (`pull_request_target` in our case) use merge commit as ref to run lint over the PR's code. | |
| - name: Initialize hermit | |
| shell: bash | |
| run: | | |
| ./bin/hermit env --raw >> "$GITHUB_ENV" | |
| - name: Initialize poetry | |
| shell: bash | |
| run: | | |
| pip3 install poetry | |
| (cd security-policies && poetry install --no-root) | |
| - name: Pre-commit Hooks | |
| env: | |
| # Skipping golangci-lint as it's tested by golangci-lint | |
| SKIP: golangci-lint | |
| shell: bash | |
| run: | | |
| pre-commit run --all-files | |
| - name: golangci-lint | |
| shell: bash | |
| run: golangci-lint run --out-format github-actions | |
| - name: Mage Check | |
| shell: bash | |
| run: mage check | |
| - name: Mage checkLicenseHeaders | |
| shell: bash | |
| run: mage checkLicenseHeaders | |
| - name: Validate mocks | |
| shell: bash | |
| run: just validate-mocks | |
| - name: Terraform fmt | |
| shell: bash | |
| run: terraform fmt -check -recursive | |
| unit-test: | |
| name: Unit Test | |
| runs-on: ubuntu-22.04 | |
| timeout-minutes: 60 | |
| steps: | |
| - name: Check out the repo | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event_name == 'push' && github.ref || format('refs/pull/{0}/merge', github.event.number) }} | |
| # If the event is push to branch use the default ref. | |
| # If the event is pull request (`pull_request_target` in our case) use merge commit as ref to run unit tests over the PR's code. | |
| - name: Initialize hermit | |
| shell: bash | |
| run: | | |
| ./bin/hermit env --raw >> "$GITHUB_ENV" | |
| - name: Build opa bundle | |
| shell: bash | |
| run: mage buildOpaBundle | |
| - name: Unit-Test | |
| shell: bash | |
| run: | | |
| go install gotest.tools/gotestsum | |
| GOOS=linux TEST_DIRECTORY=./... gotestsum --format pkgname -- -race -coverpkg=./... -coverprofile=cover.out.tmp | |
| cat cover.out.tmp | grep -v "mock_.*.go" > cover.out # remove mock files from coverage report | |
| - name: Upload coverage artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: coverage-file | |
| path: cover.out | |
| overwrite: true | |
| - name: Send coverage | |
| env: | |
| COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| shell: bash | |
| run: | | |
| go install github.com/mattn/goveralls@latest | |
| goveralls -coverprofile=cover.out -service=github | |
| ci-azure: | |
| needs: [ init-hermit ] | |
| name: CIS Azure CI | |
| runs-on: ubuntu-22.04 | |
| timeout-minutes: 60 | |
| permissions: | |
| contents: "read" | |
| id-token: "write" | |
| steps: | |
| - name: Check out the repo | |
| uses: actions/checkout@v4 | |
| - name: Hermit Environment | |
| uses: ./.github/actions/hermit | |
| - name: Run Azure integration tests | |
| uses: ./.github/actions/azure-ci | |
| with: | |
| elk-version: ${{ env.ELK_VERSION }} | |
| azure-client-id: ${{ fromJSON(secrets.AZURE_CREDENTIALS).clientId }} | |
| azure-tenant-id: ${{ fromJSON(secrets.AZURE_CREDENTIALS).tenantId }} | |
| azure-client-secret: ${{ fromJSON(secrets.AZURE_CREDENTIALS).clientSecret }} | |
| ci-aws: | |
| needs: [ init-hermit ] | |
| name: CIS AWS CI | |
| runs-on: ubuntu-22.04 | |
| timeout-minutes: 60 | |
| permissions: | |
| contents: "read" | |
| id-token: "write" | |
| steps: | |
| - name: Check out the repo | |
| uses: actions/checkout@v4 | |
| - name: Hermit Environment | |
| uses: ./.github/actions/hermit | |
| - name: Run AWS integration tests | |
| uses: ./.github/actions/aws-ci | |
| with: | |
| elk-version: ${{ env.ELK_VERSION }} | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_TEST_ACC }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_TEST_ACC }} | |
| aws-account-type: single-account | |
| ci-gcp: | |
| needs: [ init-hermit ] | |
| name: CIS GCP CI | |
| runs-on: ubuntu-22.04 | |
| timeout-minutes: 60 | |
| permissions: | |
| contents: 'read' | |
| id-token: 'write' | |
| steps: | |
| - name: Check out the repo | |
| uses: actions/checkout@v4 | |
| - name: Hermit Environment | |
| uses: ./.github/actions/hermit | |
| - name: Run GCP integration tests | |
| uses: ./.github/actions/gcp-ci | |
| with: | |
| elk-version: ${{ env.ELK_VERSION }} | |
| workload-identity-provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }} | |
| service-account: ${{ secrets.GCP_SERVICE_ACCOUNT }} | |
| gcp-project-id: 'elastic-security-test' | |
| gcp-account-type: 'single-account' | |
| ci-cnvm: | |
| needs: [ init-hermit ] | |
| name: CNVM CI | |
| runs-on: ubuntu-22.04 | |
| timeout-minutes: 30 | |
| steps: | |
| - name: Check out the repo | |
| uses: actions/checkout@v4 | |
| - name: Hermit Environment | |
| uses: ./.github/actions/hermit | |
| - name: Run CNVM integration tests | |
| uses: ./.github/actions/cnvm-ci | |
| with: | |
| elk-version: ${{ env.ELK_VERSION }} | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: 'us-east-2' | |
| docker-images: | |
| needs: [ init-hermit ] | |
| name: Build docker images | |
| # Since we build the cloudbeat in the worker's OS and as non static, | |
| # we need to keep the OS version same as elastic-agent docker image base. | |
| # docker run --interactive --tty --rm --entrypoint bash docker.elastic.co/elastic-agent/elastic-agent-complete:8.14.0-SNAPSHOT -c 'cat /etc/os-release' | |
| runs-on: ubuntu-20.04 | |
| timeout-minutes: 40 | |
| steps: | |
| - name: Free Disk Space (Ubuntu) | |
| uses: jlumbroso/free-disk-space@main | |
| with: | |
| tool-cache: false | |
| android: true | |
| dotnet: true | |
| haskell: true | |
| large-packages: false | |
| docker-images: true | |
| swap-storage: true | |
| - name: Check out the repo | |
| uses: actions/checkout@v4 | |
| - name: Hermit Environment | |
| uses: ./.github/actions/hermit | |
| - name: Build docker images | |
| uses: ./.github/actions/docker-images | |
| with: | |
| build-docker-images: 'true' | |
| ci-k8s: | |
| needs: [ init-hermit, docker-images ] | |
| name: ${{ matrix.test-target }}-${{ matrix.kind-config }} | |
| runs-on: ubuntu-22.04 | |
| timeout-minutes: 120 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - test-target: pre_merge | |
| kind-config: kind-multi | |
| values-file: tests/test_environments/values/ci.yml | |
| - test-target: pre_merge_agent | |
| kind-config: kind-multi | |
| values-file: tests/test_environments/values/ci-sa-agent.yml | |
| - test-target: k8s_file_system_rules | |
| kind-config: kind-test-files | |
| values-file: tests/test_environments/values/ci-test-k8s-files.yml | |
| - test-target: k8s_object_psp_rules | |
| kind-config: kind-multi | |
| values-file: tests/test_environments/values/ci-test-k8s-objects.yml | |
| - test-target: k8s_process_rules | |
| kind-config: kind-test-proc-conf1 | |
| values-file: tests/test_environments/values/ci-test-k8s-proc-conf1.yml | |
| - test-target: k8s_process_rules | |
| kind-config: kind-test-proc-conf2 | |
| values-file: tests/test_environments/values/ci-test-k8s-proc-conf2.yml | |
| steps: | |
| - name: Free Disk Space (Ubuntu) | |
| uses: jlumbroso/free-disk-space@main | |
| with: | |
| tool-cache: false | |
| android: true | |
| dotnet: true | |
| haskell: true | |
| large-packages: false | |
| docker-images: true | |
| swap-storage: true | |
| - name: Check out the repo | |
| uses: actions/checkout@v4 | |
| - name: Hermit Environment | |
| uses: ./.github/actions/hermit | |
| - name: Get docker images | |
| uses: ./.github/actions/docker-images | |
| with: | |
| build-docker-images: 'false' | |
| docker-images-folder: '/tmp/.docker-images' | |
| - name: Run k8s integration tests | |
| uses: ./.github/actions/k8s-ci | |
| with: | |
| kind-config: ${{ matrix.kind-config }} | |
| test-target: ${{ matrix.test-target }} | |
| values-file: ${{ matrix.values-file }} | |
| docker-images-folder: '/tmp/.docker-images' | |
| upload-allure-results: | |
| needs: | |
| - ci-azure | |
| - ci-aws | |
| - ci-gcp | |
| - ci-cnvm | |
| - ci-k8s | |
| name: Upload integration tests results | |
| runs-on: ubuntu-22.04 | |
| timeout-minutes: 60 | |
| permissions: | |
| pull-requests: write | |
| if: ${{ always() }} | |
| env: | |
| AWS_REGION: "eu-west-1" | |
| ALLURE_S3_BUCKET: "s3://csp-allure-reports/allure_reports/cloudbeat/ci" | |
| S3_BUCKET_ALLURE_REPORT_AP: "http://csp-allure-reports.s3.amazonaws.com/allure_reports/cloudbeat/ci" | |
| steps: | |
| - name: Check out the repo | |
| uses: actions/checkout@v4 | |
| - uses: actions/download-artifact@v4 | |
| if: ${{ always() }} | |
| with: | |
| pattern: allure-results-ci-* | |
| path: tests/allure/results/ | |
| merge-multiple: true | |
| - name: log | |
| if: ${{ always() }} | |
| shell: bash | |
| run: | | |
| ls -lahR tests/allure/results/ || true | |
| - name: Publish allure report | |
| if: ${{ always() }} | |
| uses: andrcuns/[email protected] | |
| env: | |
| GITHUB_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| AWS_REGION: ${{ env.AWS_REGION }} | |
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| with: | |
| storageType: s3 | |
| resultsGlob: "tests/allure/results" | |
| updatePr: actions | |
| collapseSummary: false | |
| summary: suites | |
| summaryTableType: markdown | |
| copyLatest: true | |
| bucket: csp-allure-reports | |
| prefix: allure_reports/cloudbeat/ci/${{ github.event.number }} | |
| ignoreMissingResults: true | |
| debug: false | |
| - name: Allure Summary | |
| if: ${{ success() && github.event_name != 'push' }} | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| curl --fail --show-error --location '${{ env.S3_BUCKET_ALLURE_REPORT_AP }}/${{ github.event.number }}/history/history-trend.json' --output ./history-trend.json | |
| allure_result=./history-trend.json | |
| allure_url=${{ env.S3_BUCKET_ALLURE_REPORT_AP }}/${{ github.event.number }}/index.html | |
| ./.ci/scripts/allure-report-summary.sh "$allure_result" "$allure_url" | |
| allure_summary=$(./.ci/scripts/allure-report-summary.sh "$allure_result" "$allure_url") | |
| # saving result into env variable (with multiline handling) | |
| echo "ALLURE_SUMMARY<<EOF" >> $GITHUB_ENV | |
| echo "$allure_summary" >> $GITHUB_ENV | |
| echo "EOF" >> $GITHUB_ENV | |
| - name: Comment test success result | |
| uses: marocchino/sticky-pull-request-comment@v2 | |
| if: ${{ success() && github.event_name != 'push' }} | |
| with: | |
| header: CI Test Results | |
| number: ${{ github.event.number }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| message: | | |
| ${{ env.ALLURE_SUMMARY }} | |
| - if: ${{ success() }} | |
| name: Cleanup docker image artifacts | |
| uses: geekyeggo/delete-artifact@v5 | |
| with: | |
| name: docker-images | |
| failOnError: false |