Upload with action #15
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Snyk Scan Tests | |
| on: | |
| push: | |
| branches: | |
| - "main" | |
| - "release-*" | |
| - "add-snyk-actions" | |
| permissions: | |
| contents: read | |
| actions: read | |
| security-events: write | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| test-snyk-maven-scan: | |
| name: Test Snyk Maven Scan | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 60 | |
| steps: | |
| - name: Checkout github-actions | |
| uses: actions/checkout@v6 | |
| with: | |
| ref: ${{ github.sha }} | |
| - name: Checkout strimzi/drain-cleaner | |
| uses: actions/checkout@v6 | |
| with: | |
| repository: strimzi/drain-cleaner | |
| ref: main | |
| path: drain-cleaner | |
| - name: Copy drain-cleaner project to workspace root | |
| run: rsync -a --exclude='.git' --exclude='.github' drain-cleaner/ ./ | |
| - name: Setup Java and Maven | |
| uses: ./.github/actions/dependencies/setup-java | |
| - name: Install yq | |
| uses: ./.github/actions/dependencies/install-yq | |
| - name: Restore Maven cache | |
| uses: actions/cache/restore@v5 | |
| with: | |
| path: ~/.m2/repository | |
| key: maven-${{ hashFiles('**/pom.xml') }} | |
| restore-keys: | | |
| maven- | |
| - name: Build Maven project | |
| shell: bash | |
| run: mvn -B -DskipTests -Dmaven.javadoc.skip=true clean install | |
| - name: Run Snyk Maven scan | |
| uses: ./.github/actions/security/snyk-maven-scan | |
| with: | |
| cvssThreshold: "99.0" | |
| monitor: "false" | |
| projectPrefix: test-drain-cleaner | |
| uploadToCodeScanning: "true" | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| - name: Download SARIF artifact | |
| uses: actions/download-artifact@v7 | |
| with: | |
| name: snyk-maven-test-drain-cleaner.sarif | |
| path: sarif-output | |
| - name: Verify SARIF artifact | |
| shell: bash | |
| run: | | |
| SARIF_FILE="sarif-output/snyk-maven-test-drain-cleaner.sarif" | |
| if [ ! -f "$SARIF_FILE" ]; then | |
| echo "SARIF file not found: $SARIF_FILE" | |
| exit 1 | |
| fi | |
| if [ ! -s "$SARIF_FILE" ]; then | |
| echo "SARIF file is empty: $SARIF_FILE" | |
| exit 1 | |
| fi | |
| jq empty "$SARIF_FILE" | |
| echo "SARIF file is valid JSON with $(jq '.runs | length' "$SARIF_FILE") run(s)" | |
| wait-for-container-artifact: | |
| name: Wait for Container Artifact | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 90 | |
| outputs: | |
| run-id: ${{ steps.find-build.outputs.run_id }} | |
| steps: | |
| - name: Wait for container artifact | |
| id: find-build | |
| uses: actions/github-script@v9 | |
| env: | |
| INPUT_SHA: ${{ github.sha }} | |
| ARTIFACT_NAME: "containers-operators-amd64.tar" | |
| MAX_WAIT_MINUTES: "80" | |
| with: | |
| script: | | |
| const {owner, repo} = context.repo; | |
| const workflowName = 'test-integrations.yml'; | |
| const sha = process.env.INPUT_SHA; | |
| const artifactName = process.env.ARTIFACT_NAME; | |
| const maxWaitMinutes = parseInt(process.env.MAX_WAIT_MINUTES); | |
| const maxWaitSeconds = maxWaitMinutes * 60; | |
| const startTime = Date.now(); | |
| core.info(`Waiting for artifact '${artifactName}' from commit ${sha}`); | |
| async function findArtifact() { | |
| const runs = await github.rest.actions.listWorkflowRuns({ | |
| owner, | |
| repo, | |
| workflow_id: workflowName, | |
| head_sha: sha, | |
| per_page: 1 | |
| }); | |
| const run = runs.data.workflow_runs[0]; | |
| if (!run) return null; | |
| const artifacts = await github.rest.actions.listWorkflowRunArtifacts({ | |
| owner, | |
| repo, | |
| run_id: run.id | |
| }); | |
| const artifact = artifacts.data.artifacts.find(a => a.name === artifactName); | |
| if (artifact) { | |
| return { runId: run.id, artifactId: artifact.id }; | |
| } | |
| if (run.status === 'completed') { | |
| core.setFailed(`Integration tests completed (${run.conclusion}) but artifact '${artifactName}' not found`); | |
| core.setFailed(`Run: ${context.serverUrl}/${owner}/${repo}/actions/runs/${run.id}`); | |
| return 'failed'; | |
| } | |
| return null; | |
| } | |
| while (true) { | |
| const elapsed = Math.floor((Date.now() - startTime) / 1000); | |
| if (elapsed >= maxWaitSeconds) { | |
| core.setFailed(`Timeout: Artifact '${artifactName}' not found after ${maxWaitMinutes} minutes`); | |
| return; | |
| } | |
| const result = await findArtifact(); | |
| if (result === 'failed') return; | |
| if (result) { | |
| core.setOutput('run_id', result.runId.toString()); | |
| core.info(`Artifact '${artifactName}' found in run #${result.runId}`); | |
| return; | |
| } | |
| core.info(`Artifact not available yet... (${elapsed}s elapsed, max: ${maxWaitSeconds}s)`); | |
| await new Promise(resolve => setTimeout(resolve, 30000)); | |
| } | |
| test-snyk-container-scan: | |
| name: Test Snyk Container Scan | |
| needs: wait-for-container-artifact | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 30 | |
| steps: | |
| - name: Checkout github-actions | |
| uses: actions/checkout@v6 | |
| with: | |
| repository: strimzi/github-actions | |
| ref: ${{ github.sha }} | |
| path: github-actions | |
| - name: Setup actions for testing | |
| run: | | |
| mkdir -p .github/actions | |
| cp -r github-actions/.github/actions/* .github/actions/ | |
| - name: Install Docker | |
| uses: ./.github/actions/dependencies/install-docker | |
| - name: Run Snyk container scan | |
| uses: ./.github/actions/security/snyk-container-scan | |
| with: | |
| containerArtifact: containers-operators-amd64.tar | |
| runId: ${{ needs.wait-for-container-artifact.outputs.run-id }} | |
| cvssThreshold: "99.0" | |
| monitor: "false" | |
| projectPrefix: test-operators | |
| uploadToCodeScanning: "true" | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| - name: Download SARIF artifacts | |
| uses: actions/download-artifact@v7 | |
| with: | |
| name: snyk-container-sarif-test-operators | |
| path: sarif-output | |
| - name: Verify SARIF artifacts | |
| shell: bash | |
| run: | | |
| SARIF_COUNT=$(find sarif-output -name "*.sarif" -type f | wc -l) | |
| if [ "$SARIF_COUNT" -eq 0 ]; then | |
| echo "No SARIF files found in artifacts" | |
| exit 1 | |
| fi | |
| echo "Found $SARIF_COUNT SARIF file(s)" | |
| for sarif in sarif-output/*.sarif; do | |
| if [ ! -s "$sarif" ]; then | |
| echo "SARIF file is empty: $sarif" | |
| exit 1 | |
| fi | |
| jq empty "$sarif" | |
| echo "$(basename "$sarif"): valid JSON with $(jq '.runs | length' "$sarif") run(s)" | |
| done |