fact/.github/workflows/integration-tests.yml at main · stackrox/fact · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
name: Run integration tests
on:
  workflow_call:
    inputs:
      version:
        description: The version of fact to be tested (commit SHA or tag)
        default: ${{ github.head_ref || github.ref_name }}
        type: string
      registry:
        description: Container registry holding the image to test
        default: quay.io/stackrox-io/fact
        type: string
      tag:
        description: The container image tag to test
        type: string
      job-tag:
        description: Additional tag to prevent collision on GCP VM naming
        type: string
        default: ''

jobs:
  integration-tests:
    runs-on: ubuntu-24.04
    strategy:
      fail-fast: false
      matrix:
        vm:
          - fedora-coreos
          - fcarm
          - rhel
          - rhel-arm64
          - rhcos
          - rhcos-arm64

    steps:
    - uses: actions/checkout@v4
      with:
        path: fact
    - uses: actions/checkout@v4
      with:
        repository: stackrox/collector
        path: collector
        ref: master
    - uses: actions/setup-python@v5
      with:
        python-version: "3.10"

    - name: Authenticate with GCP
      uses: 'google-github-actions/auth@v2'
      with:
        credentials_json: '${{ secrets.GOOGLE_CREDENTIALS_COLLECTOR_CI_VM_SVC_ACCT }}'

    - name: Setup GCP
      uses: 'google-github-actions/setup-gcloud@v2'

    - uses: ./collector/.github/actions/setup-vm-creds
      with:
        gcp-ssh-key: ${{ secrets.GCP_SSH_KEY }}
        gcp-ssh-key-pub: ${{ secrets.GCP_SSH_KEY_PUB }}
        s390x-ssh-key: ${{ secrets.IBM_CLOUD_S390X_SSH_PRIVATE_KEY }}
        ppc64le-ssh-key: ${{ secrets.IBM_CLOUD_POWER_SSH_PRIVATE_KEY }}
        ppc64le-ssh-key-pub: ${{ secrets.IBM_CLOUD_POWER_SSH_PUBLIC_KEY }}
        s390x-key: ${{ secrets.IBM_CLOUD_S390x_API_KEY }}
        ppc64le-key: ${{ secrets.IBM_CLOUD_POWER_API_KEY }}
        redhat-username: ${{ secrets.REDHAT_USERNAME }}
        redhat-password: ${{ secrets.REDHAT_PASSWORD }}
        vm-type: ${{ matrix.vm }}
        job-tag: ${{ inputs.job-tag }}
        workspace: ${{ github.workspace }}/collector

    - name: Create vars.yml
      env:
        FACT_VERSION: ${{ inputs.version }}
        FACT_REGISTRY: ${{ inputs.registry }}
        FACT_TAG: ${{ inputs.tag }}
      run: |
        FACT_IMAGE_NAME="$(make -sC "${GITHUB_WORKSPACE}/fact" image-name)"
        cat << EOF > vars.yml
        ---
        job_id: ${JOB_ID}
        fact:
          image: ${FACT_IMAGE_NAME}
          version: ${FACT_VERSION}
        quay:
          username: ${{ secrets.QUAY_RHACS_ENG_RO_USERNAME }}
          password: ${{ secrets.QUAY_RHACS_ENG_RO_PASSWORD }}
        excluded_vms:
        # RHEL 8 doesn't handle file creation properly,
        # need more investigation
        - rhel-8
        - rhcos-412-86-202402272018-0-gcp-x86-64
        - rhcos-414-92-202407091253-0-gcp-x86-64
        # BPF trampolines are only implemented starting with RHEL 10
        - rhel-9-arm64
        - rhcos-9-8-20260520-0-gcp-aarch64
        - rhcos-9-6-20260512-0-gcp-aarch64
        - rhcos-418-94-202602022246-0-gcp-aarch64
        - rhcos-416-94-202510081640-0-gcp-aarch64
        EOF

    - name: Create Test VMs
      env:
        ANSIBLE_CONFIG: "${{ github.workspace }}/collector/ansible/ansible.cfg"
      run: |
        ansible-playbook \
          -i "${GITHUB_WORKSPACE}/collector/ansible/ci" \
          -e @vars.yml \
          --tags setup,provision \
          "${GITHUB_WORKSPACE}/collector/ansible/integration-tests.yml"

    - name: Run the tests
      env:
        ANSIBLE_CONFIG: ${{ github.workspace }}/fact/ansible/ansible.cfg
      run: |
        ansible-playbook \
          -i "${GITHUB_WORKSPACE}/collector/ansible/ci" \
          -e @vars.yml \
          "${GITHUB_WORKSPACE}/fact/ansible/run-tests.yml"

    - name: Teardown VMs
      if: always()
      run: |
        make -C "./collector/ansible" destroy-vms

    - name: Unarchive logs
      if: always()
      run: |
        cd "/tmp/fact/tests"
        for file in logs/*.tar.gz; do
          tar xzf "$file"
          rm -f "$file"
        done

    - name: Test summary
      uses: test-summary/action@v2
      if: always()
      with:
        paths: /tmp/fact/tests/*-results.xml

    - name: Store artifacts
      if: always()
      # Don't fail the job on upload errors (e.g. ECONNRESET) —
      # these are debug logs, not consumed by downstream jobs.
      # Test failures still fail the job via the Run Tests step.
      continue-on-error: true
      uses: actions/upload-artifact@v4
      with:
        name: ${{ matrix.vm }}-test-logs
        path: |
          /tmp/fact/tests/logs
          /tmp/fact/tests/*-results.xml
        if-no-files-found: ignore