Migrate CI to runs-on #11325
| name: "Validations" | |
| on: | |
| workflow_dispatch: | |
| pull_request: | |
| push: | |
| branches: | |
| - main | |
| permissions: | |
| contents: read | |
| jobs: | |
| Static-Analysis: | |
| # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline | |
| name: "Static analysis" | |
| # Runner definition: workflows/.github/runs-on.yml | |
| runs-on: runs-on=${{ github.run_id }}/runner=small | |
| steps: | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 | |
| with: | |
| persist-credentials: false | |
| - name: Bootstrap environment | |
| uses: ./.github/actions/bootstrap | |
| - name: Run static analysis | |
| run: make static-analysis | |
| Unit-Test: | |
| # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline | |
| name: "Unit tests" | |
| # we need more storage than what's on the default runner | |
| # Runner definition: workflows/.github/runs-on.yml | |
| runs-on: runs-on=${{ github.run_id }}/runner=small | |
| steps: | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 | |
| with: | |
| persist-credentials: false | |
| - name: Bootstrap environment | |
| uses: ./.github/actions/bootstrap | |
| with: | |
| download-test-fixture-cache: true | |
| - name: Run unit tests | |
| run: make unit | |
| Integration-Test: | |
| # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline | |
| name: "Integration tests" | |
| # Runner definition: workflows/.github/runs-on.yml | |
| runs-on: runs-on=${{ github.run_id }}/runner=small | |
| steps: | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 | |
| with: | |
| persist-credentials: false | |
| - name: Bootstrap environment | |
| uses: ./.github/actions/bootstrap | |
| with: | |
| download-test-fixture-cache: true | |
| - name: Validate syft output against the CycloneDX schema | |
| run: make validate-cyclonedx-schema | |
| - name: Run integration tests | |
| run: make integration | |
| Build-Snapshot-Artifacts: | |
| name: "Build snapshot artifacts" | |
| # Runner definition: workflows/.github/runs-on.yml | |
| runs-on: runs-on=${{ github.run_id }}/runner=build | |
| steps: | |
| # required for magic-cache from runs-on to function with artifact upload/download (see https://runs-on.com/caching/magic-cache/#actionsupload-artifact-compatibility) | |
| - uses: runs-on/action@v2 | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 | |
| with: | |
| persist-credentials: false | |
| - name: Bootstrap environment | |
| uses: ./.github/actions/bootstrap | |
| with: | |
| bootstrap-apt-packages: "" | |
| - name: Build snapshot artifacts | |
| run: make snapshot | |
| - name: Smoke test snapshot build | |
| run: make snapshot-smoke-test | |
| # upload each platform artifact individually so downstream jobs can download only what they need | |
| - run: npm install @actions/[email protected] | |
| - name: Upload individual platform artifacts | |
| uses: actions/github-script@v8 | |
| env: | |
| ACTIONS_ARTIFACT_UPLOAD_CONCURRENCY: 10 | |
| with: | |
| script: | | |
| const { readdirSync } = require('fs') | |
| const { DefaultArtifactClient } = require('@actions/artifact') | |
| const artifact = new DefaultArtifactClient() | |
| const ls = d => readdirSync(d, { withFileTypes: true }) | |
| const baseDir = "./snapshot" | |
| const dirs = ls(baseDir).filter(f => f.isDirectory()).map(f => f.name) | |
| const uploads = [] | |
| // filter to only amd64 and arm64 architectures | |
| const supportedArchs = ['amd64', 'arm64'] | |
| const filteredDirs = dirs.filter(dir => | |
| supportedArchs.some(arch => dir.includes(arch)) | |
| ) | |
| // upload platform subdirectories | |
| for (const dir of filteredDirs) { | |
| // uploadArtifact returns Promise<{id, size}> | |
| uploads.push(artifact.uploadArtifact( | |
| // name of the archive: | |
| `${dir}`, | |
| // array of all files to include: | |
| ls(`${baseDir}/${dir}`).map(f => `${baseDir}/${dir}/${f.name}`), | |
| // base directory to trim from entries: | |
| `${baseDir}/${dir}`, | |
| { retentionDays: 30 } | |
| )) | |
| } | |
| // upload RPM and DEB packages for supported architectures | |
| const packageFiles = ls(baseDir).filter(f => | |
| f.isFile() && | |
| (f.name.endsWith('.deb') || f.name.endsWith('.rpm')) && | |
| supportedArchs.some(arch => f.name.includes(`_${arch}.`)) | |
| ) | |
| for (const file of packageFiles) { | |
| uploads.push(artifact.uploadArtifact( | |
| file.name, | |
| [`${baseDir}/${file.name}`], | |
| baseDir, | |
| { retentionDays: 30 } | |
| )) | |
| } | |
| // upload checksums file (needed by install tests) | |
| const rootFiles = ls(baseDir).filter(f => f.isFile() && f.name.match(/syft_.*_checksums\.txt$/)) | |
| if (rootFiles.length > 0) { | |
| const checksumsFile = rootFiles[0].name | |
| uploads.push(artifact.uploadArtifact( | |
| 'syft_checksums.txt', | |
| [`${baseDir}/${checksumsFile}`], | |
| baseDir, | |
| { retentionDays: 30 } | |
| )) | |
| } | |
| // wait for all uploads to finish | |
| try { | |
| const results = await Promise.all(uploads) | |
| console.log(`Successfully uploaded ${results.length} artifacts`) | |
| } catch (error) { | |
| console.error('Upload failed:', error) | |
| throw error | |
| } | |
| Acceptance-Linux: | |
| # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline | |
| name: "Acceptance tests (Linux)" | |
| needs: [Build-Snapshot-Artifacts] | |
| # Runner definition: workflows/.github/runs-on.yml | |
| runs-on: runs-on=${{ github.run_id }}/runner=small | |
| steps: | |
| # required for magic-cache from runs-on to function with artifact upload/download (see https://runs-on.com/caching/magic-cache/#actionsupload-artifact-compatibility) | |
| - uses: runs-on/action@v2 | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 | |
| with: | |
| persist-credentials: false | |
| - name: Bootstrap environment | |
| uses: ./.github/actions/bootstrap | |
| with: | |
| download-test-fixture-cache: true | |
| - name: Download checksums file | |
| uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 #v6.0.0 | |
| with: | |
| name: syft_checksums.txt | |
| path: snapshot | |
| - name: Download Linux amd64 snapshot | |
| uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 #v6.0.0 | |
| with: | |
| name: linux-build_linux_amd64_v1 | |
| path: snapshot/linux-build_linux_amd64_v1 | |
| - name: Run comparison tests (Linux) | |
| run: make compare-linux | |
| - name: Load test image cache | |
| if: steps.install-test-image-cache.outputs.cache-hit == 'true' | |
| run: make install-test-cache-load | |
| - name: Run install.sh tests (Linux) | |
| run: make install-test | |
| - name: (cache-miss) Create test image cache | |
| if: steps.install-test-image-cache.outputs.cache-hit != 'true' | |
| run: make install-test-cache-save | |
| Acceptance-Mac: | |
| # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline | |
| name: "Acceptance tests (Mac)" | |
| needs: [Build-Snapshot-Artifacts] | |
| # note: macos runners aren't supported yet for runs-on managed runners. | |
| runs-on: macos-latest | |
| steps: | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 | |
| with: | |
| persist-credentials: false | |
| - name: Bootstrap environment | |
| uses: ./.github/actions/bootstrap | |
| with: | |
| bootstrap-apt-packages: "" | |
| go-dependencies: false | |
| download-test-fixture-cache: true | |
| - name: Download checksums file | |
| uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 #v6.0.0 | |
| with: | |
| name: syft_checksums.txt | |
| path: snapshot | |
| - name: Download macOS Intel snapshot | |
| uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 #v6.0.0 | |
| with: | |
| name: darwin-build_darwin_amd64_v1 | |
| path: snapshot/darwin-build_darwin_amd64_v1 | |
| - name: Run comparison tests (Mac) | |
| run: make compare-mac | |
| - name: Run install.sh tests (Mac) | |
| run: make install-test-ci-mac | |
| Cli-Linux: | |
| # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline | |
| name: "CLI tests (Linux)" | |
| needs: [Build-Snapshot-Artifacts] | |
| # Runner definition: workflows/.github/runs-on.yml | |
| runs-on: runs-on=${{ github.run_id }}/runner=small | |
| steps: | |
| # required for magic-cache from runs-on to function with artifact upload/download (see https://runs-on.com/caching/magic-cache/#actionsupload-artifact-compatibility) | |
| - uses: runs-on/action@v2 | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 | |
| with: | |
| persist-credentials: false | |
| - name: Bootstrap environment | |
| uses: ./.github/actions/bootstrap | |
| with: | |
| download-test-fixture-cache: true | |
| - name: Download Linux amd64 snapshot | |
| uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 #v6.0.0 | |
| with: | |
| name: linux-build_linux_amd64_v1 | |
| path: snapshot/linux-build_linux_amd64_v1 | |
| - name: Run CLI Tests (Linux) | |
| run: make cli |
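Review bot: `runs-on/action@v2` (in Build-Snapshot-Artifacts, Acceptance-Linux and Cli-Linux) and `actions/github-script@v8` are referenced by mutable tag, while every other third-party action in this workflow is pinned to a full commit SHA with the version in a trailing comment. A tag can be repointed by whoever controls the action's repository, and these steps run on `pull_request` and in the job that produces the snapshot artifacts, so they should follow the same convention, e.g. `- uses: runs-on/action@<full-commit-sha> # v2` (placeholder; resolve the SHA from the tag you reviewed). The `npm install @actions/artifact` step in the build job fetches the package and its transitive dependencies with no lockfile; adding `--ignore-scripts` would stop install hooks from executing on the build runner. Separately, Acceptance-Linux gates two steps on `steps.install-test-image-cache.outputs.cache-hit`, but no step with that id is visible in the job, so as shown the load step would never run and the cache-save step would always run.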