Disable runc static PIE builds on arm64 (#143) #6
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: End to End Tests | |
| on: | |
| push: | |
| branches: [main, autoupdate/strict] | |
| pull_request: | |
| branches: [main] | |
| jobs: | |
| build: | |
| name: Build | |
| runs-on: ubuntu-20.04 | |
| steps: | |
| - name: Checking out repo | |
| uses: actions/checkout@v4 | |
| - name: Install lxd | |
| run: | | |
| sudo lxd init --auto | |
| sudo usermod --append --groups lxd $USER | |
| sg lxd -c 'lxc version' | |
| - name: Install snapcraft | |
| run: | | |
| sudo snap install snapcraft --classic | |
| - name: Build snap | |
| run: | | |
| sg lxd -c 'snapcraft --use-lxd' | |
| mv k8s_*.snap k8s.snap | |
| - name: Uploading snap | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: k8s.snap | |
| path: k8s.snap | |
| test-e2e: | |
| name: Test ${{ matrix.os }} | |
| strategy: | |
| matrix: | |
| os: ["ubuntu:20.04", "ubuntu:22.04"] | |
| runs-on: ubuntu-20.04 | |
| needs: build | |
| steps: | |
| - name: Check out code | |
| uses: actions/checkout@v4 | |
| - name: Setup Python | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: '3.8' | |
| - name: Install tox | |
| run: pip install tox | |
| - name: Install lxd | |
| run: | | |
| sudo snap refresh lxd --channel 5.19/stable | |
| sudo lxd init --auto | |
| sudo usermod --append --groups lxd $USER | |
| sg lxd -c 'lxc version' | |
| - name: Download snap | |
| uses: actions/[email protected] | |
| with: | |
| name: k8s.snap | |
| path: build | |
| - name: Run end to end tests | |
| run: | | |
| export TEST_SNAP="$PWD/build/k8s.snap" | |
| export TEST_SUBSTRATE=lxd | |
| export TEST_LXD_IMAGE=${{ matrix.os }} | |
| cd tests/e2e && sg lxd -c 'tox -e e2e' | |
| - name: Setup tmate session | |
| uses: mxschmitt/action-tmate@v3 | |
| with: | |
| # Print connection details and continue with the job. | |
| # Waits at the end of the job for the tmate session to exit. | |
| # If no user connects within 10min the connection exits gracefully. | |
| detached: true | |
| # Only the user who started the workflow can access the tmate session. | |
| limit-access-to-actor: true | |
| if: ${{ failure() }} | |
| security-scan: | |
| name: Security scan | |
| runs-on: ubuntu-20.04 | |
| needs: build | |
| steps: | |
| - name: Checking out repo | |
| uses: actions/checkout@v4 | |
| - name: Fetch snap | |
| uses: actions/[email protected] | |
| with: | |
| name: k8s.snap | |
| path: build | |
| - name: Setup Trivy vulnerability scanner | |
| run: | | |
| mkdir -p sarifs | |
| VER=$(curl --silent -qI https://github.com/aquasecurity/trivy/releases/latest | awk -F '/' '/^location/ {print substr($NF, 1, length($NF)-1)}'); | |
| wget https://github.com/aquasecurity/trivy/releases/download/${VER}/trivy_${VER#v}_Linux-64bit.tar.gz | |
| tar -zxvf ./trivy_${VER#v}_Linux-64bit.tar.gz | |
| - name: Run Trivy vulnerability scanner in repo mode | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| scan-type: "fs" | |
| ignore-unfixed: true | |
| format: "sarif" | |
| output: "trivy-k8s-repo-scan--results.sarif" | |
| severity: "MEDIUM,HIGH,CRITICAL" | |
| - name: Gather Trivy repo scan results | |
| run: | | |
| cp trivy-k8s-repo-scan--results.sarif ./sarifs/ | |
| - name: Run Trivy vulnerability scanner on the snap | |
| run: | | |
| cp build/k8s.snap . | |
| unsquashfs k8s.snap | |
| ./trivy rootfs ./squashfs-root/ --format sarif > sarifs/snap.sarif | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: "sarifs" |