Scan images using trivy #1736
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: CI | |
on: | |
schedule: | |
- cron: '44 4 */2 * *' | |
pull_request: | |
repository_dispatch: | |
concurrency: | |
group: integration-tests-${{ github.ref_name }} | |
cancel-in-progress: true | |
jobs: | |
format: | |
name: Ensure code is black formatted | |
runs-on: ubuntu-latest | |
steps: | |
- name: checkout source code | |
uses: actions/checkout@v4 | |
- name: Install necessary software | |
run: | | |
set -e | |
sudo apt update | |
sudo apt -y install jo tox | |
- name: Test formatting with black | |
run: tox -e format -- --check | |
gentestmatrix: | |
name: Generate test matrix | |
runs-on: ubuntu-latest | |
outputs: | |
matrix: ${{ steps.setmatrix.outputs.matrix }} | |
steps: | |
- name: checkout source code | |
uses: actions/checkout@v4 | |
# jo is used only to generate matrix using json easily | |
- name: Install necessary software | |
run: sudo apt update && sudo apt install jo tox | |
- id: setmatrix | |
run: | | |
stringified_matrix=$(tox -l | sed -e '/unit/d' -e '/get_urls/d' -e '/doc/d' -e '/lint/d' -e '/fips/d' | jo -a) | |
echo "matrix=$stringified_matrix" >> $GITHUB_OUTPUT | |
unit-tests: | |
name: Unit tests | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
python_version: ["3.6", "3.9", "3.10", "3.11"] | |
container: | |
image: registry.suse.com/bci/python:${{ matrix.python_version }} | |
steps: | |
- name: checkout source code | |
uses: actions/checkout@v4 | |
- name: Install tox | |
run: | | |
python3 --version | |
python3 -m ensurepip | |
python3 -m pip install tox | |
- run: 'tox -e py$(echo $PY_VER | tr -d . )-unit -- -n auto' | |
env: | |
SETUPTOOLS_SCM_PRETEND_VERSION: 1.2.3 | |
PY_VER: ${{ matrix.python_version }} | |
documentation: | |
name: Build documentation | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-python@v5 | |
with: | |
python-version: '3.x' | |
- name: Install tox | |
run: sudo apt update && sudo apt install tox | |
- run: tox -e doc | |
lint: | |
name: Lint source code | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-python@v5 | |
with: | |
python-version: '3.x' | |
- name: Install tox | |
run: sudo apt update && sudo apt install tox | |
- run: tox -e lint | |
test-containers: | |
name: tox | |
runs-on: ubuntu-latest | |
needs: gentestmatrix | |
strategy: | |
fail-fast: false | |
matrix: | |
toxenv: ${{fromJson(needs.gentestmatrix.outputs.matrix)}} | |
container_runtime: | |
- DOCKER | |
- PODMAN | |
os_version: | |
- 15.5 | |
- "tumbleweed" | |
include: | |
- toxenv: repository | |
container_runtime: PODMAN | |
testing_target: ibs-released | |
os_version: 15.5 | |
- toxenv: base | |
container_runtime: PODMAN | |
testing_target: ibs-released | |
os_version: 15.3 | |
- toxenv: all | |
container_runtime: PODMAN | |
testing_target: ibs-released | |
os_version: 15.3 | |
- toxenv: base | |
container_runtime: PODMAN | |
testing_target: ibs-released | |
os_version: 15.4 | |
- toxenv: all | |
container_runtime: PODMAN | |
testing_target: ibs-released | |
os_version: 15.4 | |
- toxenv: metadata | |
container_runtime: PODMAN | |
testing_target: ibs-released | |
os_version: 15.4 | |
- toxenv: base | |
container_runtime: DOCKER | |
os_version: basalt | |
- toxenv: base | |
container_runtime: PODMAN | |
os_version: basalt | |
- toxenv: all | |
container_runtime: DOCKER | |
os_version: basalt | |
- toxenv: all | |
container_runtime: PODMAN | |
os_version: basalt | |
- toxenv: build | |
container_runtime: DOCKER | |
os_version: 15.3 | |
- toxenv: build | |
container_runtime: PODMAN | |
os_version: 15.3 | |
- toxenv: base | |
container_runtime: DOCKER | |
os_version: 15.3 | |
- toxenv: base | |
container_runtime: PODMAN | |
os_version: 15.3 | |
- toxenv: metadata | |
container_runtime: DOCKER | |
os_version: 15.3 | |
- toxenv: metadata | |
container_runtime: PODMAN | |
os_version: 15.3 | |
- toxenv: all | |
container_runtime: DOCKER | |
os_version: 15.3 | |
- toxenv: all | |
container_runtime: PODMAN | |
os_version: 15.3 | |
- toxenv: build | |
container_runtime: DOCKER | |
os_version: 15.4 | |
- toxenv: build | |
container_runtime: PODMAN | |
os_version: 15.4 | |
- toxenv: base | |
container_runtime: DOCKER | |
os_version: 15.4 | |
- toxenv: base | |
container_runtime: PODMAN | |
os_version: 15.4 | |
- toxenv: metadata | |
container_runtime: DOCKER | |
os_version: 15.4 | |
- toxenv: metadata | |
container_runtime: PODMAN | |
os_version: 15.4 | |
- toxenv: all | |
container_runtime: DOCKER | |
os_version: 15.4 | |
- toxenv: all | |
container_runtime: PODMAN | |
os_version: 15.4 | |
- toxenv: base | |
container_runtime: PODMAN | |
os_version: 15.6 | |
steps: | |
- name: Clean up disk space to maximize available space | |
run: sudo rm -rf /usr/local/lib/android /usr/share/dotnet /opt/ghc /opt/hostedtoolcache/CodeQL && sudo docker image prune --all --force | |
- name: checkout source code | |
uses: actions/checkout@v4 | |
- name: Install tox | |
run: sudo apt update && sudo apt install tox | |
- name: Set up Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: '3.x' | |
- name: Install necessary dependencies | |
if: ${{ matrix.container_runtime == 'PODMAN' }} | |
run: | | |
sudo mkdir -p /etc/apt/keyrings | |
curl -fsSL https://download-repositories.opensuse.org/repositories/devel:/kubic:/libcontainers:/unstable/xUbuntu_$(lsb_release -rs)/Release.key \ | |
| gpg --dearmor \ | |
| sudo tee /etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg > /dev/null | |
echo \ | |
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg]\ | |
https://download-repositories.opensuse.org/repositories/devel:/kubic:/libcontainers:/unstable/xUbuntu_$(lsb_release -rs)/ /" \ | |
| sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:unstable.list > /dev/null | |
sudo apt-get update -qq | |
sudo apt-get -qq -y install podman buildah | |
sudo mkdir -p /etc/containers/registries.d/ | |
- name: configure podman to validate sigstore signatures | |
if: ${{ matrix.container_runtime == 'PODMAN' }} | |
run: | | |
cat << EOF | sudo tee /etc/containers/registries.d/opensuse.yaml | |
docker: | |
registry.opensuse.org: | |
sigstore: https://registry.opensuse.org/sigstore | |
EOF | |
policy_json=$(cat /etc/containers/policy.json) | |
echo $policy_json | jq '.transports += { "docker": {"registry.opensuse.org": [{ "type": "signedBy", "keyType": "GPGKeys", "keyPaths": ["/etc/containers/devel_bci.key", "/etc/containers/opensuse_container-2023.key", "/etc/containers/opensuse_container.key"]}]}}' | sudo tee /etc/containers/policy.json | |
cat << EOF | sudo tee /etc/containers/devel_bci.key | |
-----BEGIN PGP PUBLIC KEY BLOCK----- | |
mQINBGQa2Y4BEAC+VBw/6hJCCd+JlrngmHvAS2dbzz0dk0dh6rK7mhuuQTmTbJex | |
eY2tmFfcg3wp78P586H7WwE+0fLf7KEuIsWK8/YCpe7Ld/WycQkkJiW7EhbW4+uu | |
6EKBw1B7ZFDaJJ71UDaXbMECepV/YEnsZgu38vGWZPUfOHbIDS5M0j9Xo7COG7/I | |
jzs0Ml+G8hAk1cJ5AxjLycyINKHnglrx855/AW1xjO04Da6/NZ5grvCQBNcpLaH5 | |
Y8eUvNVQ6SdBwo9xR8hCTsUe5TpB5Gf4CXNPMdG6f1wDbmRw6hYw4Tbvjjlg8yhO | |
XS76OURH3AiYTrP7SDVrgOy8tsVtSk1+1zvJ5VFjKbS8N3//XOkSJYSD/MxjN+bb | |
jwsqK6FEYBS1MiIX/6bYo5j/bVDzp/jZ9ocPB623E9CGwgH0NDrs+5M3la/j+vIq | |
wjwXpWuwdefVjhvIDYgSZQQRx880RLo31Zr6Vfpas1JXIzDq6uSWAyx23rKmQr9N | |
ctU1qHNB5CdKDR/zAMjuFvy1o13zTmfo1CrRn9J//Kiy2EnfsKOFssfYs9TgL22k | |
qdsCXNa0xvXbeLDehQwQvxeWTLyGMJGwPqoTXVv3EhEhrLClB5FOJurwfArd24ze | |
qvVsKJrADEWvO3a1KHkX4h82qBDGJdQDK5iMajLJeQciYVhT5pHHMdMbmQARAQAB | |
tDRkZXZlbDpCQ0kgT0JTIFByb2plY3QgPGRldmVsOkJDSUBidWlsZC5vcGVuc3Vz | |
ZS5vcmc+iQJUBBMBCAA+FiEE4t9p2tF8+S+4jG5wMG+YHbRrR8MFAmQa2Y4CGwMF | |
CQQesAAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQMG+YHbRrR8NWlRAAmPQ6 | |
0Ac1LDrAD+NJ/Z/7TzLg6dpkC5JNDkwNSoSyfKiN3ow8265mF8XM7502ZCDeOr0p | |
GDisbOTSdOWI981TQ0MRtRWsBzjHkkl4CuxoGHC0X0Q1wjbKy8BfnfAlmNF/l8PL | |
Ykm15xndHzE1oIxJ0V5KKA0v4vKJkSNsZ9Ye0IyzICpkWoUfqeg3rnSpwV/MvQTf | |
2as9mXj8TSAuR47rsWtivljhGnFpTyvvWw30bDItpB5EYlCVjPlj1t2wX/fHkNX6 | |
0Gdkrwhml67pk7v03+ngbKDAPGrcq5EKLaNfL5T5cOx5GzUrjOH7OpqdnR9Lg5Ix | |
IpcfAfkeY+E+ALMvfyhVmhMRhGMgiv0wTL/H11/K1rvXaVYznoKG0G/7cCuorDBf | |
ind5PkGJTu+3Fs7N6eQZntVwXoBxkGWb8b6voFv22u55svToTX28pkDVm5EJNZnv | |
xfFUhX6m+CFdh138aX2LFYQCsF/T8jM4j+ukHTQ+m8F+eRrhqoBjWkvHZ3EionpL | |
F+1LGdEn25qMej++OkAm6D5dV/yQaP1rjpdHwQEZ6GntVl2ngagoF8zQIJ6rXe15 | |
FvZ9AvL+gta8vxluDTPUK3DIg4jdwFb8WT2R0rOPUaItheOaCXxxcr6wPbHHLHC1 | |
LKPO+oy9938+sUaaC/DEO+vwPOkSwrBw/0htilmJAjMEEwEIAB0WIQTMNcw9NeWj | |
ZD5UWkPPC5KM3tZPOwUCZBrZkQAKCRDPC5KM3tZPO3QbD/4kEsEW2tBxus+AfT/P | |
r9B1iiHgOu9e6ixvmEcqF4bU3ykAmo7DH/E+oqW6vx97DnYgKleJJ9IVD6gTyhYJ | |
7Z+uPoJOWNND94Afiq+R1lobPs9rOpSVT34NmNzNgxdmmz6+z1GLrrVGUihdYSDc | |
1DmdIu90IFtuaSW8+UaCg41awVtVOOYnPaCoDncbuZD0MDaVDsaN0G9Xj81NFZJu | |
DG7ljqxg24LC9+iw3LRqaOkWX7SbS0s+PdLTPgnUBfivpOi0rKbB06WsCsigV24B | |
lyj11nkuOdYAUa48Q3U1yfxIiecYto0O+VPq/M0ICAzTqUg2Bh4Du98EmS+zBhbM | |
vjAcqC2TRBjyVAtsvWJ0O51d0iWUWsOBVwSoMRWq2iPxh4qRBNFQGLUWtrkNSKh/ | |
ex2LgWbLGZY8XHWUwK2GoHN/uNywqYd/4PgDewDJYWnGB33EaucKkMuBJkoYK2mG | |
fGkSHjKUHfUp+FWM8QlgxlavNob7ltvTEV8kp88w9MfSfdy6Z9MQ63Z/DvU1KLhO | |
llCkXgpMXn2dPPjcsE/OWVIVk833q0gWzf3touFhQSHMKtcdXl3bBj/vvzAkE0QV | |
9vVS3rgOtcGCbAdfdEf+/mpukHkhZGVKMlipnDM/Rd2GZYckP/5UZ/9/CKIS69B5 | |
hLNKnq/uYWnF2uUesgKloRegdg== | |
=L0Kw | |
-----END PGP PUBLIC KEY BLOCK----- | |
EOF | |
cat << EOF | sudo tee /etc/containers/opensuse_container-2023.key | |
-----BEGIN PGP PUBLIC KEY BLOCK----- | |
mQINBGQ5DP8BEADAlEiR9CAOaEjUlwrSlVmdqeqbMOXSDMq5+u/fIFdP4iAc9r5H | |
6hz/f4Yv/2rBByo6JCZC7xCxPBHNiaNd1DK0WdVbpWGB9n4vH9zzT8Dxf45WK7QN | |
9l5f+KfSRDnv7e/n32ru2AVlqa9Io7/Ch9IXVeGStjl/6o+Y/7ZinQUnQkGHWK6j | |
+sjgIxTYesIBcYSXxpdjdw0XHHyyKQiqtDy8oXALWGPJYRwCsTiEECVYzM+a5+6e | |
d/zRxOKpfF2V+Q1K2mG5LQ+rxGrL3VWNcg3jZjPMQbC4QM8cr2b3mrE2eBEhStF0 | |
iRS5quMLMGzNxocMBJlOz6snSLGvi8Xr3UzMkenufuxotHA/7lcNmo2E2HArR4iP | |
zLkZe14vLvsMXgM29PkXNgEh+L0QSFapTRUb7ZewBpN1b7P+G4gcYUymMvwaY9XH | |
AI3jhWKzlyq9uIJINdTTTBB1R6e6CQpeiya371AUCNGCZDqhL63gHVvVgZVMQpf8 | |
NjYuN2m3SOK6SSq1nnMkWE3k2RWc5qHlg38HOoWq4G+SCMSWyC4iff+Ob8rVWuUt | |
miExYtLOk/hdNH7lRtUdjwKCSIOlYeAK/e7/9GB/fKlu0ZNFBrwpyGVMgfPmCDbX | |
ZiQhkhE8Bti3btL5HBxYmNljz1nMbECgtEQv6Pgs1bxgDaNaGVslYv723wARAQAB | |
tERvcGVuU1VTRSBDb250YWluZXIgU2lnbmluZyBLZXkgPGJ1aWxkLWNvbnRhaW5l | |
ci0yMDIzMDRAb3BlbnN1c2Uub3JnPokCVAQTAQgAPhYhBPmGHzlqIRNKhVSYBPxr | |
ygbWhK/sBQJkOQz/AhsDBQkSzAMABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJ | |
EPxrygbWhK/sAwUP/A803yOTrsE5ppcEAp3yGSeXR3HQo0fIqh+QFJO76W7vF/Ar | |
eZnxPWL3AOOB+wNccdklZXhQKL4eQ29Ggekp2/RWTyx4BBM//SID+td7KZjZH/KC | |
Z6kBBy+IzSBQCCIrdDm83agob/Kcp9RJX5A06dgGyGhMxXYpld3mcCjFETHXIb5U | |
JvsSC+06eEsbwNqH0se2T/5zJ8v9xjcMDC+otLmh3+SjyC/7t8YaKxyqobf2f5nl | |
GM3ts7UDBQdqxBb0ZRxXsLCdiRrOt6l5imczczi1GA/Dce3KE/V9A2LNifns4eQI | |
GLVrZ36litKC1+b5AXblLU5ZmJN24IEQj699GCYiPGaZS64IE1eVD8WX+N6vgI+c | |
BqthN/Z4B3iJ9dBviXvK098/bXjzUVjQubvfT827tO2xnbNE5gzUA5bAZjQLVJm/ | |
b9mZJuKLOJePoqGYvmMVBtLz5xZYH68dncZAf+OQNZ5T7F+M1gfsq8W+FYvm6ILN | |
Xyh29fY+29H25A7v8WITT/SzpxYJrNRHck8Ua9M0foj2GLIf6FEROJHEZ4+xvu11 | |
XaABkqvjdNluflDP0PXP5fcY9QkMvtlW6cQNzMYZnn7MTb7dxow5ysEGcE0rrKrC | |
F9zTwOvctMqlu0dndhntKRhdNgm8lKrg1xTJg7EOWQFKeQiWQKdY0Qk9vi3/ | |
=sRjv | |
-----END PGP PUBLIC KEY BLOCK----- | |
EOF | |
cat << EOF | sudo tee /etc/containers/opensuse_container.key | |
-----BEGIN PGP PUBLIC KEY BLOCK----- | |
Version: GnuPG v2.0.15 (GNU/Linux) | |
mQENBFrjEWoBCADEJttox1LVpcP2YIsLIO5qKmwfMhyjSQ+L4ETztnFRLKFIlin4 | |
19Tic/llF9ymQr2MxlKlRgdzFZ9ScH1rg52bmWdxy+2TZ8JIsSV4XyfSTZJvM+nX | |
YGxEQBJrYlcRfC5he0tBGTEwG+hp6kXH563F+XU4uzGUmh1rBhavDsWjeMo9sjaf | |
sqn66JAJnxJrQOcqjNvazYjppEjFzye/Haqu2r5cnD/bPnMvQEZtpN1jznWkIha2 | |
DdapVZq2b/SmdTMV7zHRqQvhERU2uS4SFLNopyt/cwujj3XTWqCArvQgRTaiHAiL | |
4HY3lUpDWH9pmxT+yu5f7FINc+prRmvnQ1YpABEBAAG0PW9wZW5TVVNFIENvbnRh | |
aW5lciBTaWduaW5nIEtleSA8YnVpbGQtY29udGFpbmVyQG9wZW5zdXNlLm9yZz6J | |
AT4EEwECACgFAlrjEWoCGwMFCRLMAwAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheA | |
AAoJENdUaU+atIzpdt0H/A5j9B7feqTRK49TWIsgKTELG+6ac4WL+uvZs4HmUPgO | |
Me9fkQvmJtPMGQT3awCSejEHuvq7sMsOOAXJ3loVDNkJWOtkohRyJf6++lvzL24v | |
ApbzSLfxa1intscyoJ0g8A2V+NzG428cMAzL5Rnf1ckimDkwOgjFBTDqwq1nPFDQ | |
+01wAenDPLduLAS65+urmMEOIhoBB3Opc5fqPKWU+w8qav8YfYUjaQcAfGeswt+6 | |
m54VXYk8prmCuSfFHq9Yi8T2+VMcIEdHQYOn4nVhzNY9mTzJ4CCGYdLhap4/P8/x | |
HuiUuVrARHeCoTiQSc1FwjT1QXaU+yYk1SLFi0LaPgQ= | |
=Klfs | |
-----END PGP PUBLIC KEY BLOCK----- | |
EOF | |
- name: Login to registry.suse.com as CI user | |
run: | | |
if [ "$CONTAINER_RUNTIME" = "DOCKER" ]; then | |
echo $REGISTRY_LOGIN_PASSWORD | docker login -u $REGISTRY_LOGIN_USERNAME --password-stdin registry.suse.com | |
fi | |
if [ "$CONTAINER_RUNTIME" = "PODMAN" ]; then | |
echo $REGISTRY_LOGIN_PASSWORD | podman login -u $REGISTRY_LOGIN_USERNAME --password-stdin registry.suse.com | |
fi | |
env: | |
REGISTRY_LOGIN_USERNAME: ${{ secrets.REGISTRY_LOGIN_USERNAME }} | |
REGISTRY_LOGIN_PASSWORD: ${{ secrets.REGISTRY_LOGIN_PASSWORD }} | |
CONTAINER_RUNTIME: ${{ matrix.container_runtime }} | |
- name: Add /etc/host entries | |
run: | | |
# precache dns entries to avoid timeouts in the runs later | |
for host in index.crates.io updates.suse.com registry.suse.com registry.opensuse.org download.opensuse.org cdn.opensuse.org; do | |
echo -e "$(getent ahostsv4 $host | grep STREAM | cut -d' ' -f1 | head -n 1)\t$host" | sudo tee -a /etc/hosts | |
done | |
- name: Run tox job | |
run: sudo --preserve-env tox -e ${{ matrix.toxenv }} -- -n auto --reruns 3 | |
env: | |
CONTAINER_RUNTIME: ${{ matrix.container_runtime }} | |
OS_VERSION: ${{ matrix.os_version }} | |
TARGET: ${{ matrix.testing_target != '' && matrix.testing_target || 'obs' }} |