Scan images using trivy #1736

Workflow file for this run

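---
name: CI
# Triggers: a cron run at 04:44 UTC on every second day of the month, every
# pull request (default activity types), and external repository_dispatch events.
on:  # yamllint disable-line rule:truthy
  schedule:
    - cron: '44 4 */2 * *'
  pull_request:
  repository_dispatch:
# Least privilege for GITHUB_TOKEN: no job in this file writes to the
# repository or the GitHub API through the token (registry access below uses
# dedicated secrets). Widen per job if a tox environment turns out to need it.
permissions:
  contents: read
# Only one run per branch/ref at a time; a newer push cancels the older run.
concurrency:
  group: integration-tests-${{ github.ref_name }}
  cancel-in-progress: true
# NOTE(review): the `uses:` references below are major-version tags
# (actions/checkout@v4, actions/setup-python@v5); pinning them to a full
# commit SHA would make the action code immutable for this workflow.
jobs: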
format:
name: Ensure code is black formatted
runs-on: ubuntu-latest
steps:
- name: checkout source code
uses: actions/checkout@v4
- name: Install necessary software
run: |
set -e
sudo apt update
sudo apt -y install jo tox
- name: Test formatting with black
run: tox -e format -- --check
gentestmatrix:
name: Generate test matrix
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.setmatrix.outputs.matrix }}
steps:
- name: checkout source code
uses: actions/checkout@v4
# jo is used only to generate matrix using json easily
- name: Install necessary software
run: sudo apt update && sudo apt install jo tox
- id: setmatrix
run: |
stringified_matrix=$(tox -l | sed -e '/unit/d' -e '/get_urls/d' -e '/doc/d' -e '/lint/d' -e '/fips/d' | jo -a)
echo "matrix=$stringified_matrix" >> $GITHUB_OUTPUT
unit-tests:
name: Unit tests
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
python_version: ["3.6", "3.9", "3.10", "3.11"]
container:
image: registry.suse.com/bci/python:${{ matrix.python_version }}
steps:
- name: checkout source code
uses: actions/checkout@v4
- name: Install tox
run: |
python3 --version
python3 -m ensurepip
python3 -m pip install tox
- run: 'tox -e py$(echo $PY_VER | tr -d . )-unit -- -n auto'
env:
SETUPTOOLS_SCM_PRETEND_VERSION: 1.2.3
PY_VER: ${{ matrix.python_version }}
documentation:
name: Build documentation
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: '3.x'
- name: Install tox
run: sudo apt update && sudo apt install tox
- run: tox -e doc
lint:
name: Lint source code
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: '3.x'
- name: Install tox
run: sudo apt update && sudo apt install tox
- run: tox -e lint
test-containers:
name: tox
runs-on: ubuntu-latest
needs: gentestmatrix
strategy:
fail-fast: false
matrix:
toxenv: ${{fromJson(needs.gentestmatrix.outputs.matrix)}}
container_runtime:
- DOCKER
- PODMAN
os_version:
- 15.5
- "tumbleweed"
include:
- toxenv: repository
container_runtime: PODMAN
testing_target: ibs-released
os_version: 15.5
- toxenv: base
container_runtime: PODMAN
testing_target: ibs-released
os_version: 15.3
- toxenv: all
container_runtime: PODMAN
testing_target: ibs-released
os_version: 15.3
- toxenv: base
container_runtime: PODMAN
testing_target: ibs-released
os_version: 15.4
- toxenv: all
container_runtime: PODMAN
testing_target: ibs-released
os_version: 15.4
- toxenv: metadata
container_runtime: PODMAN
testing_target: ibs-released
os_version: 15.4
- toxenv: base
container_runtime: DOCKER
os_version: basalt
- toxenv: base
container_runtime: PODMAN
os_version: basalt
- toxenv: all
container_runtime: DOCKER
os_version: basalt
- toxenv: all
container_runtime: PODMAN
os_version: basalt
- toxenv: build
container_runtime: DOCKER
os_version: 15.3
- toxenv: build
container_runtime: PODMAN
os_version: 15.3
- toxenv: base
container_runtime: DOCKER
os_version: 15.3
- toxenv: base
container_runtime: PODMAN
os_version: 15.3
- toxenv: metadata
container_runtime: DOCKER
os_version: 15.3
- toxenv: metadata
container_runtime: PODMAN
os_version: 15.3
- toxenv: all
container_runtime: DOCKER
os_version: 15.3
- toxenv: all
container_runtime: PODMAN
os_version: 15.3
- toxenv: build
container_runtime: DOCKER
os_version: 15.4
- toxenv: build
container_runtime: PODMAN
os_version: 15.4
- toxenv: base
container_runtime: DOCKER
os_version: 15.4
- toxenv: base
container_runtime: PODMAN
os_version: 15.4
- toxenv: metadata
container_runtime: DOCKER
os_version: 15.4
- toxenv: metadata
container_runtime: PODMAN
os_version: 15.4
- toxenv: all
container_runtime: DOCKER
os_version: 15.4
- toxenv: all
container_runtime: PODMAN
os_version: 15.4
- toxenv: base
container_runtime: PODMAN
os_version: 15.6
steps:
- name: Clean up disk space to maximize available space
run: sudo rm -rf /usr/local/lib/android /usr/share/dotnet /opt/ghc /opt/hostedtoolcache/CodeQL && sudo docker image prune --all --force
- name: checkout source code
uses: actions/checkout@v4
- name: Install tox
run: sudo apt update && sudo apt install tox
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.x'
      # PODMAN leg only: install podman and buildah from the openSUSE OBS
      # repository devel:kubic:libcontainers:unstable. The apt source is bound
      # to that repository's key via `signed-by`, so the packages themselves are
      # signature-checked by apt. The key is fetched over HTTPS and trusted as
      # downloaded (no fingerprint is pinned here), and the channel is an
      # "unstable" one with unpinned package versions - a supply-chain trust
      # decision worth knowing about when this step changes.
      - name: Install necessary dependencies
        if: ${{ matrix.container_runtime == 'PODMAN' }}
        run: |
          sudo mkdir -p /etc/apt/keyrings
          curl -fsSL https://download-repositories.opensuse.org/repositories/devel:/kubic:/libcontainers:/unstable/xUbuntu_$(lsb_release -rs)/Release.key \
            | gpg --dearmor \
            | sudo tee /etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg > /dev/null
          echo \
            "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg]\
            https://download-repositories.opensuse.org/repositories/devel:/kubic:/libcontainers:/unstable/xUbuntu_$(lsb_release -rs)/ /" \
            | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:unstable.list > /dev/null
          sudo apt-get update -qq
          sudo apt-get -qq -y install podman buildah
          sudo mkdir -p /etc/containers/registries.d/
      # PODMAN leg only: enforce signature verification for images pulled from
      # registry.opensuse.org.
      #  * registries.d/opensuse.yaml points podman at the signature store for
      #    that registry (the `sigstore` key is containers' lookup URL for
      #    simple-signing signatures, per containers-registries.d(5)).
      #  * policy.json gets a `signedBy` requirement for registry.opensuse.org
      #    that accepts any of the three GPG keys written below (devel_bci.key,
      #    opensuse_container-2023.key, opensuse_container.key). The existing
      #    policy is read into a variable first, so rewriting the same file via
      #    tee is safe.
      # Scope caveat: only registry.opensuse.org is covered; whatever the
      # default rule in /etc/containers/policy.json already says applies to
      # every other registry (not visible here - check the runner's file).
      # NOTE(review): the keys are pasted inline without their fingerprints;
      # confirm them against the keys openSUSE publishes before accepting a
      # change to this step.
      # NOTE(review): `echo $policy_json` is unquoted (word-splitting applies)
      # and the heredocs are unquoted (`<< EOF`, so `$` expansion applies).
      # Both are harmless for the current content; `printf '%s' "$policy_json"`
      # and `<< 'EOF'` would be the robust forms.
      - name: configure podman to validate sigstore signatures
        if: ${{ matrix.container_runtime == 'PODMAN' }}
        run: |
          cat << EOF | sudo tee /etc/containers/registries.d/opensuse.yaml
          docker:
            registry.opensuse.org:
              sigstore: https://registry.opensuse.org/sigstore
          EOF
          policy_json=$(cat /etc/containers/policy.json)
          echo $policy_json | jq '.transports += { "docker": {"registry.opensuse.org": [{ "type": "signedBy", "keyType": "GPGKeys", "keyPaths": ["/etc/containers/devel_bci.key", "/etc/containers/opensuse_container-2023.key", "/etc/containers/opensuse_container.key"]}]}}' | sudo tee /etc/containers/policy.json
          cat << EOF | sudo tee /etc/containers/devel_bci.key
          -----BEGIN PGP PUBLIC KEY BLOCK-----
          mQINBGQa2Y4BEAC+VBw/6hJCCd+JlrngmHvAS2dbzz0dk0dh6rK7mhuuQTmTbJex
          eY2tmFfcg3wp78P586H7WwE+0fLf7KEuIsWK8/YCpe7Ld/WycQkkJiW7EhbW4+uu
          6EKBw1B7ZFDaJJ71UDaXbMECepV/YEnsZgu38vGWZPUfOHbIDS5M0j9Xo7COG7/I
          jzs0Ml+G8hAk1cJ5AxjLycyINKHnglrx855/AW1xjO04Da6/NZ5grvCQBNcpLaH5
          Y8eUvNVQ6SdBwo9xR8hCTsUe5TpB5Gf4CXNPMdG6f1wDbmRw6hYw4Tbvjjlg8yhO
          XS76OURH3AiYTrP7SDVrgOy8tsVtSk1+1zvJ5VFjKbS8N3//XOkSJYSD/MxjN+bb
          jwsqK6FEYBS1MiIX/6bYo5j/bVDzp/jZ9ocPB623E9CGwgH0NDrs+5M3la/j+vIq
          wjwXpWuwdefVjhvIDYgSZQQRx880RLo31Zr6Vfpas1JXIzDq6uSWAyx23rKmQr9N
          ctU1qHNB5CdKDR/zAMjuFvy1o13zTmfo1CrRn9J//Kiy2EnfsKOFssfYs9TgL22k
          qdsCXNa0xvXbeLDehQwQvxeWTLyGMJGwPqoTXVv3EhEhrLClB5FOJurwfArd24ze
          qvVsKJrADEWvO3a1KHkX4h82qBDGJdQDK5iMajLJeQciYVhT5pHHMdMbmQARAQAB
          tDRkZXZlbDpCQ0kgT0JTIFByb2plY3QgPGRldmVsOkJDSUBidWlsZC5vcGVuc3Vz
          ZS5vcmc+iQJUBBMBCAA+FiEE4t9p2tF8+S+4jG5wMG+YHbRrR8MFAmQa2Y4CGwMF
          CQQesAAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQMG+YHbRrR8NWlRAAmPQ6
          0Ac1LDrAD+NJ/Z/7TzLg6dpkC5JNDkwNSoSyfKiN3ow8265mF8XM7502ZCDeOr0p
          GDisbOTSdOWI981TQ0MRtRWsBzjHkkl4CuxoGHC0X0Q1wjbKy8BfnfAlmNF/l8PL
          Ykm15xndHzE1oIxJ0V5KKA0v4vKJkSNsZ9Ye0IyzICpkWoUfqeg3rnSpwV/MvQTf
          2as9mXj8TSAuR47rsWtivljhGnFpTyvvWw30bDItpB5EYlCVjPlj1t2wX/fHkNX6
          0Gdkrwhml67pk7v03+ngbKDAPGrcq5EKLaNfL5T5cOx5GzUrjOH7OpqdnR9Lg5Ix
          IpcfAfkeY+E+ALMvfyhVmhMRhGMgiv0wTL/H11/K1rvXaVYznoKG0G/7cCuorDBf
          ind5PkGJTu+3Fs7N6eQZntVwXoBxkGWb8b6voFv22u55svToTX28pkDVm5EJNZnv
          xfFUhX6m+CFdh138aX2LFYQCsF/T8jM4j+ukHTQ+m8F+eRrhqoBjWkvHZ3EionpL
          F+1LGdEn25qMej++OkAm6D5dV/yQaP1rjpdHwQEZ6GntVl2ngagoF8zQIJ6rXe15
          FvZ9AvL+gta8vxluDTPUK3DIg4jdwFb8WT2R0rOPUaItheOaCXxxcr6wPbHHLHC1
          LKPO+oy9938+sUaaC/DEO+vwPOkSwrBw/0htilmJAjMEEwEIAB0WIQTMNcw9NeWj
          ZD5UWkPPC5KM3tZPOwUCZBrZkQAKCRDPC5KM3tZPO3QbD/4kEsEW2tBxus+AfT/P
          r9B1iiHgOu9e6ixvmEcqF4bU3ykAmo7DH/E+oqW6vx97DnYgKleJJ9IVD6gTyhYJ
          7Z+uPoJOWNND94Afiq+R1lobPs9rOpSVT34NmNzNgxdmmz6+z1GLrrVGUihdYSDc
          1DmdIu90IFtuaSW8+UaCg41awVtVOOYnPaCoDncbuZD0MDaVDsaN0G9Xj81NFZJu
          DG7ljqxg24LC9+iw3LRqaOkWX7SbS0s+PdLTPgnUBfivpOi0rKbB06WsCsigV24B
          lyj11nkuOdYAUa48Q3U1yfxIiecYto0O+VPq/M0ICAzTqUg2Bh4Du98EmS+zBhbM
          vjAcqC2TRBjyVAtsvWJ0O51d0iWUWsOBVwSoMRWq2iPxh4qRBNFQGLUWtrkNSKh/
          ex2LgWbLGZY8XHWUwK2GoHN/uNywqYd/4PgDewDJYWnGB33EaucKkMuBJkoYK2mG
          fGkSHjKUHfUp+FWM8QlgxlavNob7ltvTEV8kp88w9MfSfdy6Z9MQ63Z/DvU1KLhO
          llCkXgpMXn2dPPjcsE/OWVIVk833q0gWzf3touFhQSHMKtcdXl3bBj/vvzAkE0QV
          9vVS3rgOtcGCbAdfdEf+/mpukHkhZGVKMlipnDM/Rd2GZYckP/5UZ/9/CKIS69B5
          hLNKnq/uYWnF2uUesgKloRegdg==
          =L0Kw
          -----END PGP PUBLIC KEY BLOCK-----
          EOF
          cat << EOF | sudo tee /etc/containers/opensuse_container-2023.key
          -----BEGIN PGP PUBLIC KEY BLOCK-----
          mQINBGQ5DP8BEADAlEiR9CAOaEjUlwrSlVmdqeqbMOXSDMq5+u/fIFdP4iAc9r5H
          6hz/f4Yv/2rBByo6JCZC7xCxPBHNiaNd1DK0WdVbpWGB9n4vH9zzT8Dxf45WK7QN
          9l5f+KfSRDnv7e/n32ru2AVlqa9Io7/Ch9IXVeGStjl/6o+Y/7ZinQUnQkGHWK6j
          +sjgIxTYesIBcYSXxpdjdw0XHHyyKQiqtDy8oXALWGPJYRwCsTiEECVYzM+a5+6e
          d/zRxOKpfF2V+Q1K2mG5LQ+rxGrL3VWNcg3jZjPMQbC4QM8cr2b3mrE2eBEhStF0
          iRS5quMLMGzNxocMBJlOz6snSLGvi8Xr3UzMkenufuxotHA/7lcNmo2E2HArR4iP
          zLkZe14vLvsMXgM29PkXNgEh+L0QSFapTRUb7ZewBpN1b7P+G4gcYUymMvwaY9XH
          AI3jhWKzlyq9uIJINdTTTBB1R6e6CQpeiya371AUCNGCZDqhL63gHVvVgZVMQpf8
          NjYuN2m3SOK6SSq1nnMkWE3k2RWc5qHlg38HOoWq4G+SCMSWyC4iff+Ob8rVWuUt
          miExYtLOk/hdNH7lRtUdjwKCSIOlYeAK/e7/9GB/fKlu0ZNFBrwpyGVMgfPmCDbX
          ZiQhkhE8Bti3btL5HBxYmNljz1nMbECgtEQv6Pgs1bxgDaNaGVslYv723wARAQAB
          tERvcGVuU1VTRSBDb250YWluZXIgU2lnbmluZyBLZXkgPGJ1aWxkLWNvbnRhaW5l
          ci0yMDIzMDRAb3BlbnN1c2Uub3JnPokCVAQTAQgAPhYhBPmGHzlqIRNKhVSYBPxr
          ygbWhK/sBQJkOQz/AhsDBQkSzAMABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJ
          EPxrygbWhK/sAwUP/A803yOTrsE5ppcEAp3yGSeXR3HQo0fIqh+QFJO76W7vF/Ar
          eZnxPWL3AOOB+wNccdklZXhQKL4eQ29Ggekp2/RWTyx4BBM//SID+td7KZjZH/KC
          Z6kBBy+IzSBQCCIrdDm83agob/Kcp9RJX5A06dgGyGhMxXYpld3mcCjFETHXIb5U
          JvsSC+06eEsbwNqH0se2T/5zJ8v9xjcMDC+otLmh3+SjyC/7t8YaKxyqobf2f5nl
          GM3ts7UDBQdqxBb0ZRxXsLCdiRrOt6l5imczczi1GA/Dce3KE/V9A2LNifns4eQI
          GLVrZ36litKC1+b5AXblLU5ZmJN24IEQj699GCYiPGaZS64IE1eVD8WX+N6vgI+c
          BqthN/Z4B3iJ9dBviXvK098/bXjzUVjQubvfT827tO2xnbNE5gzUA5bAZjQLVJm/
          b9mZJuKLOJePoqGYvmMVBtLz5xZYH68dncZAf+OQNZ5T7F+M1gfsq8W+FYvm6ILN
          Xyh29fY+29H25A7v8WITT/SzpxYJrNRHck8Ua9M0foj2GLIf6FEROJHEZ4+xvu11
          XaABkqvjdNluflDP0PXP5fcY9QkMvtlW6cQNzMYZnn7MTb7dxow5ysEGcE0rrKrC
          F9zTwOvctMqlu0dndhntKRhdNgm8lKrg1xTJg7EOWQFKeQiWQKdY0Qk9vi3/
          =sRjv
          -----END PGP PUBLIC KEY BLOCK-----
          EOF
          cat << EOF | sudo tee /etc/containers/opensuse_container.key
          -----BEGIN PGP PUBLIC KEY BLOCK-----
          Version: GnuPG v2.0.15 (GNU/Linux)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=Klfs
          -----END PGP PUBLIC KEY BLOCK-----
          EOF
- name: Login to registry.suse.com as CI user
run: |
if [ "$CONTAINER_RUNTIME" = "DOCKER" ]; then
echo $REGISTRY_LOGIN_PASSWORD | docker login -u $REGISTRY_LOGIN_USERNAME --password-stdin registry.suse.com
fi
if [ "$CONTAINER_RUNTIME" = "PODMAN" ]; then
echo $REGISTRY_LOGIN_PASSWORD | podman login -u $REGISTRY_LOGIN_USERNAME --password-stdin registry.suse.com
fi
env:
REGISTRY_LOGIN_USERNAME: ${{ secrets.REGISTRY_LOGIN_USERNAME }}
REGISTRY_LOGIN_PASSWORD: ${{ secrets.REGISTRY_LOGIN_PASSWORD }}
CONTAINER_RUNTIME: ${{ matrix.container_runtime }}
- name: Add /etc/host entries
run: |
# precache dns entries to avoid timeouts in the runs later
for host in index.crates.io updates.suse.com registry.suse.com registry.opensuse.org download.opensuse.org cdn.opensuse.org; do
echo -e "$(getent ahostsv4 $host | grep STREAM | cut -d' ' -f1 | head -n 1)\t$host" | sudo tee -a /etc/hosts
done
- name: Run tox job
run: sudo --preserve-env tox -e ${{ matrix.toxenv }} -- -n auto --reruns 3
env:
CONTAINER_RUNTIME: ${{ matrix.container_runtime }}
OS_VERSION: ${{ matrix.os_version }}
TARGET: ${{ matrix.testing_target != '' && matrix.testing_target || 'obs' }}