Skip to content

Hack commit sha for testing v2 #8

Hack commit sha for testing v2

Hack commit sha for testing v2 #8

Workflow file for this run

name: Snyk Scan Tests
on:
push:
branches:
- "main"
- "release-*"
- "add-snyk-actions"
permissions:
contents: read
actions: read
security-events: write
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
test-snyk-maven-scan:
name: Test Snyk Maven Scan
runs-on: ubuntu-latest
timeout-minutes: 60
steps:
- name: Checkout github-actions
uses: actions/checkout@v6
with:
ref: ${{ github.sha }}
- name: Checkout strimzi/drain-cleaner
uses: actions/checkout@v6
with:
repository: strimzi/drain-cleaner
ref: main
path: drain-cleaner
- name: Copy drain-cleaner project to workspace root
run: rsync -a --exclude='.git' --exclude='.github' drain-cleaner/ ./
- name: Setup Java and Maven
uses: ./.github/actions/dependencies/setup-java
- name: Install yq
uses: ./.github/actions/dependencies/install-yq
- name: Restore Maven cache
uses: actions/cache/restore@v5
with:
path: ~/.m2/repository
key: maven-${{ hashFiles('**/pom.xml') }}
restore-keys: |
maven-
- name: Build Maven project
shell: bash
run: mvn -B -DskipTests -Dmaven.javadoc.skip=true clean install
- name: Run Snyk Maven scan
uses: ./.github/actions/security/snyk-maven-scan
with:
cvssThreshold: "99.0"
monitor: "false"
projectName: test-drain-cleaner
uploadToCodeScanning: "true"
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- name: Download SARIF artifact
uses: actions/download-artifact@v7
with:
name: snyk-maven-test-drain-cleaner.sarif
path: sarif-output
- name: Verify SARIF artifact
shell: bash
run: |
SARIF_FILE="sarif-output/snyk-maven-test-drain-cleaner.sarif"
if [ ! -f "$SARIF_FILE" ]; then
echo "SARIF file not found: $SARIF_FILE"
exit 1
fi
if [ ! -s "$SARIF_FILE" ]; then
echo "SARIF file is empty: $SARIF_FILE"
exit 1
fi
jq empty "$SARIF_FILE"
echo "SARIF file is valid JSON with $(jq '.runs | length' "$SARIF_FILE") run(s)"
wait-for-container-artifact:
name: Wait for Container Artifact
runs-on: ubuntu-latest
timeout-minutes: 90
outputs:
run-id: ${{ steps.find-build.outputs.run_id }}
steps:
- name: Wait for container artifact
id: find-build
uses: actions/github-script@v9
env:
INPUT_SHA: ${{ github.sha }}
ARTIFACT_NAME: "containers-drain-cleaner-amd64.tar"
MAX_WAIT_MINUTES: "80"
with:
script: |
const {owner, repo} = context.repo;
const workflowName = 'test-integrations.yml';
const sha = process.env.INPUT_SHA;
const artifactName = process.env.ARTIFACT_NAME;
const maxWaitMinutes = parseInt(process.env.MAX_WAIT_MINUTES);
const maxWaitSeconds = maxWaitMinutes * 60;
const startTime = Date.now();
core.info(`Waiting for artifact '${artifactName}' from commit ${sha}`);
async function findArtifact() {
const runs = await github.rest.actions.listWorkflowRuns({
owner,
repo,
workflow_id: workflowName,
head_sha: sha,
per_page: 1
});
const run = runs.data.workflow_runs[0];
if (!run) return null;
const artifacts = await github.rest.actions.listWorkflowRunArtifacts({
owner,
repo,
run_id: run.id
});
const artifact = artifacts.data.artifacts.find(a => a.name === artifactName);
if (artifact) {
return { runId: run.id, artifactId: artifact.id };
}
if (run.status === 'completed') {
core.setFailed(`Integration tests completed (${run.conclusion}) but artifact '${artifactName}' not found`);
core.setFailed(`Run: ${context.serverUrl}/${owner}/${repo}/actions/runs/${run.id}`);
return 'failed';
}
return null;
}
while (true) {
const elapsed = Math.floor((Date.now() - startTime) / 1000);
if (elapsed >= maxWaitSeconds) {
core.setFailed(`Timeout: Artifact '${artifactName}' not found after ${maxWaitMinutes} minutes`);
return;
}
const result = await findArtifact();
if (result === 'failed') return;
if (result) {
core.setOutput('run_id', result.runId.toString());
core.info(`Artifact '${artifactName}' found in run #${result.runId}`);
return;
}
core.info(`Artifact not available yet... (${elapsed}s elapsed, max: ${maxWaitSeconds}s)`);
await new Promise(resolve => setTimeout(resolve, 30000));
}
test-snyk-container-scan:
name: Test Snyk Container Scan
needs: wait-for-container-artifact
runs-on: ubuntu-latest
timeout-minutes: 30
steps:
- name: Checkout github-actions
uses: actions/checkout@v6
with:
repository: strimzi/github-actions
ref: ${{ github.sha }}
path: github-actions
- name: Setup actions for testing
run: |
mkdir -p .github/actions
cp -r github-actions/.github/actions/* .github/actions/
- name: Install Docker
uses: ./.github/actions/dependencies/install-docker
- name: Run Snyk container scan
uses: ./.github/actions/security/snyk-container-scan
with:
containerArtifact: containers-drain-cleaner-amd64.tar
runId: ${{ needs.wait-for-container-artifact.outputs.run-id }}
cvssThreshold: "99.0"
monitor: "false"
projectName: test-drain-cleaner
uploadToCodeScanning: "true"
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- name: Download SARIF artifacts
uses: actions/download-artifact@v7
with:
name: snyk-container-sarif-test-drain-cleaner
path: sarif-output
- name: Verify SARIF artifacts
shell: bash
run: |
SARIF_COUNT=$(find sarif-output -name "*.sarif" -type f | wc -l)
if [ "$SARIF_COUNT" -eq 0 ]; then
echo "No SARIF files found in artifacts"
exit 1
fi
echo "Found $SARIF_COUNT SARIF file(s)"
for sarif in sarif-output/*.sarif; do
if [ ! -s "$sarif" ]; then
echo "SARIF file is empty: $sarif"
exit 1
fi
jq empty "$sarif"
echo "$(basename "$sarif"): valid JSON with $(jq '.runs | length' "$sarif") run(s)"
done