github/zot
1
0
Fork 0
mirror of https://github.com/project-zot/zot.git synced 2026-06-17 21:09:23 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
8a6674f1985e3b1cfec5bd3c4cfd1fee4e5a867f
zot/.github/workflows/test.yaml
T
Benoit Tigeot d97953f101 Pin actions and tighten workflow permissions (#3954) 
* ci: Reduce chance of installing corrupt packages

See: https://dev.to/hsbt/should-rubygemsbundler-have-a-cooldown-feature-40cp
Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr>

* ci: prevent credential leakage from checkout steps

Add `persist-credentials: false` to all `actions/checkout` calls across
22 workflow files. Without this, the GitHub token used for checkout is
written into `.git/config` and remains accessible to all subsequent steps
and any uploaded artifacts (artipacked finding).

Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr>

* ci: prevent template injection from github context in run steps

`${{ github.* }}` expressions used directly inside `run:` blocks are
expanded before the shell sees them. A crafted value (e.g. a tag name
containing shell metacharacters) would execute arbitrary code.

Move the values into `env:` variables (e.g. GITHUB_EVENT_RELEASE_TAG_NAME,
GITHUB_ACTOR) and reference them as `${VAR}` in the shell, so the runtime
never interprets them as code (template-injection finding).

Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr>

* ci: prevent injection in yq commands via release tag name

`${{ github.event.release.tag_name }}` was interpolated directly into
yq `cmd:` inputs. A crafted tag name could inject shell commands since
the expression is expanded before the action runs. Use yq's `strenv()`
with an `env:` variable instead so the value is always treated as data.

Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr>

* ci: pin all GitHub Actions to full commit SHAs

Actions pinned to mutable tags (e.g. @v6, @main) can change under us if
the upstream repo is compromised or tags are moved, enabling supply-chain
attacks. Pinning to the full 40-char commit SHA locks the exact code that
runs. Version tags are preserved as inline comments (e.g. # v6.0.2) for
readability and Dependabot compatibility.

Used `pinact` for standard tagged versions; remaining branch-based
references (mikefarah/yq, jlumbroso/free-disk-space,
project-stacker/stacker-build-push-action, aquasecurity/trivy-action)
resolved manually via the GitHub API.

Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr>

* ci: slow down GitHub Actions dependency updates to biweekly

Dependabot has no native biweekly interval. Combining weekly checks with
a 14-day cooldown achieves the same effect: Dependabot scans every Monday
but won't open a PR for a new action version until 14 days after release,
giving the ecosystem time to stabilize before we adopt it.

Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr>

* ci: group all Dependabot updates into single PRs per ecosystem

Without groups, Dependabot opens one PR per dependency. With `patterns: "*"`,
all Go module bumps land in one PR and all GitHub Actions pin updates in
another, reducing review noise.

Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr>

* ci: restore credential persistence for helm-charts push

`persist-credentials: false` was too broad — the helm-charts checkout
uses HELM_PUSH_TOKEN specifically so the subsequent `git push` can
authenticate. Only the main repo checkout should have credentials disabled.

Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr>

* ci: use --password-stdin for oras login

Passing the token via `-p` exposes it in process listings and debug
logs. Piping via stdin is the standard secure pattern for CLI auth.

Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr>

* ci: pin actions to versioned release SHAs

jmgilman/actions-generate-checksum: v1 branch HEAD -> v1.0.1 release
mikefarah/yq: arbitrary master HEAD -> v4.52.5 release

Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr>

---------

Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr>
2026-04-10 15:35:22 -07:00

212 lines
7.3 KiB
YAML
Raw Blame History

name: "Running tests"
on:
push:
branches:
- main
pull_request:
branches: [main]
release:
types:
- published
permissions: read-all
jobs:
test-run-minimal:
name: Running zot without extensions tests
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Install go
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
cache: false
check-latest: true
go-version: 1.25.x
- name: Cache go dependencies
id: cache-go-dependencies
uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with:
path: |
~/go/pkg/mod
key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-mod-
- name: Install go dependencies
if: steps.cache-go-dependencies.outputs.cache-hit != 'true'
run: |
cd $GITHUB_WORKSPACE
go mod download
- uses: ./.github/actions/setup-localstack
- name: run zot minimal tests
run: |
cd $GITHUB_WORKSPACE
make test-minimal
env:
S3MOCK_ENDPOINT: localhost:4566
DYNAMODBMOCK_ENDPOINT: http://localhost:4566
AWS_ACCESS_KEY_ID: fake
AWS_SECRET_ACCESS_KEY: fake
- name: upload coverage
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: coverage-minimal
path: coverage-minimal.txt
- uses: ./.github/actions/teardown-localstack
test-run-extensions:
name: Run zot with extensions tests
runs-on: oracle-vm-16cpu-64gb-x86-64
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
cache: false
check-latest: true
go-version: 1.25.x
- name: Cache go dependencies
id: cache-go-dependencies
uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with:
path: |
~/go/pkg/mod
key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-mod-
- name: Install go dependencies
if: steps.cache-go-dependencies.outputs.cache-hit != 'true'
run: |
cd $GITHUB_WORKSPACE
go mod download
- uses: ./.github/actions/setup-localstack
- name: run zot extended tests
run: |
cd $GITHUB_WORKSPACE
make test-extended
env:
S3MOCK_ENDPOINT: localhost:4566
DYNAMODBMOCK_ENDPOINT: http://localhost:4566
AWS_ACCESS_KEY_ID: fake
AWS_SECRET_ACCESS_KEY: fake
- name: upload coverage
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: coverage-extended
path: coverage-extended.txt
- uses: ./.github/actions/teardown-localstack
test-run-devmode:
name: Running development-mode tests on Linux
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
cache: false
check-latest: true
go-version: 1.25.x
- name: Cache go dependencies
id: cache-go-dependencies
uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with:
path: |
~/go/pkg/mod
key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-mod-
- name: Install go dependencies
if: steps.cache-go-dependencies.outputs.cache-hit != 'true'
run: |
cd $GITHUB_WORKSPACE
go mod download
- name: run zot development-mode unit tests (possibly using failure injection)
run: make test-devmode
- name: upload coverage
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: coverage-devmode
path: coverage-dev-*.txt
test-run-privileged:
name: Running privileged tests on Linux
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
cache: false
check-latest: true
go-version: 1.25.x
- name: Cache go dependencies
id: cache-go-dependencies
uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with:
path: |
~/go/pkg/mod
key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-mod-
- name: Install go dependencies
if: steps.cache-go-dependencies.outputs.cache-hit != 'true'
run: |
cd $GITHUB_WORKSPACE
go mod download
- uses: ./.github/actions/setup-gcs-storage-testbench
- name: run zot privileged tests
run: >
sudo env
"PATH=$PATH"
"GCSMOCK_ENDPOINT=$GCSMOCK_ENDPOINT"
"STORAGE_EMULATOR_HOST=$STORAGE_EMULATOR_HOST"
make privileged-test
env:
GCSMOCK_ENDPOINT: http://localhost:9000/
STORAGE_EMULATOR_HOST: localhost:9000
- name: upload coverage
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: coverage-needprivileges
path: coverage-needprivileges-*.txt
- uses: ./.github/actions/teardown-gcs-storage-testbench
test-coverage:
name: Collect all test coverage
runs-on: ubuntu-latest
if: always()
needs: [test-run-minimal,test-run-extensions,test-run-devmode,test-run-privileged]
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
cache: false
check-latest: true
go-version: 1.25.x
- name: download all workflow coverage files
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
- name: merge code coverage
run: |
cd $GITHUB_WORKSPACE
cp coverage-minimal/* .
cp coverage-extended/* .
cp coverage-devmode/* .
cp coverage-needprivileges/* .
make covhtml
mkdir unified-coverage
cp coverage.txt coverage.html unified-coverage/
- name: upload unified-coverage as build artifact
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: unified-coverage
path: unified-coverage/*
- name: upload code coverage
uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
with:
token: ${{ secrets.CODECOV_TOKEN }}
Reference in New Issue View Git Blame Copy Permalink