|
| 1 | +package ci |
| 2 | + |
| 3 | +import ( |
| 4 | + "os" |
| 5 | + "strings" |
| 6 | + "testing" |
| 7 | +) |
| 8 | + |
| 9 | +const sharedPublisherSHA = "a86300fb8020d0f7141bb9f833d89b5dbd7aa4d7" |
| 10 | + |
| 11 | +func TestImagePublicationWorkflowContract(t *testing.T) { |
| 12 | + workflow, err := os.ReadFile("../.github/workflows/build-push.yml") |
| 13 | + if err != nil { |
| 14 | + t.Fatal(err) |
| 15 | + } |
| 16 | + contents := string(workflow) |
| 17 | + |
| 18 | + required := []string{ |
| 19 | + "pull_request:", |
| 20 | + "if: github.event_name == 'pull_request'", |
| 21 | + "if: github.ref == 'refs/heads/main' || (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/'))", |
| 22 | + "Build native image without credentials", |
| 23 | + "libops/.github/.github/workflows/build-push.yaml@" + sharedPublisherSHA, |
| 24 | + "ref: ${{ github.sha }}", |
| 25 | + "expected-main-sha: ${{ github.ref == 'refs/heads/main' && github.sha || '' }}", |
| 26 | + "scan: true", |
| 27 | + "sign: true", |
| 28 | + "certificate-identity: https://github.com/libops/.github/.github/workflows/build-push.yaml@" + sharedPublisherSHA, |
| 29 | + "packages: write", |
| 30 | + "id-token: write", |
| 31 | + } |
| 32 | + for _, value := range required { |
| 33 | + if !strings.Contains(contents, value) { |
| 34 | + t.Errorf("image workflow must contain %q", value) |
| 35 | + } |
| 36 | + } |
| 37 | + |
| 38 | + forbidden := []string{ |
| 39 | + "build-push.yaml@main", |
| 40 | + "build-push-ghcr.yaml", |
| 41 | + "secrets: inherit", |
| 42 | + "docker-registry:", |
| 43 | + "additional-gar-registry:", |
| 44 | + } |
| 45 | + for _, value := range forbidden { |
| 46 | + if strings.Contains(contents, value) { |
| 47 | + t.Errorf("image workflow must not contain %q", value) |
| 48 | + } |
| 49 | + } |
| 50 | +} |
| 51 | + |
| 52 | +func TestTrivyExceptionIsNarrowAndExpiring(t *testing.T) { |
| 53 | + ignore, err := os.ReadFile("../.trivyignore") |
| 54 | + if err != nil { |
| 55 | + t.Fatal(err) |
| 56 | + } |
| 57 | + |
| 58 | + lines := strings.Split(strings.TrimSpace(string(ignore)), "\n") |
| 59 | + var rules []string |
| 60 | + for _, line := range lines { |
| 61 | + line = strings.TrimSpace(line) |
| 62 | + if line != "" && !strings.HasPrefix(line, "#") { |
| 63 | + rules = append(rules, line) |
| 64 | + } |
| 65 | + } |
| 66 | + if len(rules) != 1 || rules[0] != "CVE-2026-42154 exp:2026-10-01" { |
| 67 | + t.Fatalf("unexpected Trivy exception rules: %q", rules) |
| 68 | + } |
| 69 | +} |
0 commit comments