Try to mount qcow2, then scan the fs #10
name: Build, publish and test images | |
on: | |
workflow_call: | |
jobs: | |
read_builds: | |
runs-on: ubuntu-latest | |
outputs: | |
builds: ${{ steps.builds-as-json.outputs.builds }} | |
steps: | |
- name: Check out the repository | |
uses: actions/checkout@v3 | |
- name: Install script dependencies | |
run: pip install -r ./requirements.txt | |
- name: Get builds as JSON | |
id: builds-as-json | |
run: ./bin/builds-as-json | |
build_images: | |
needs: [read_builds] | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
include: ${{ fromJson(needs.read_builds.outputs.builds) }} | |
name: ${{ matrix.name }} | |
steps: | |
- name: Check out the repository | |
uses: actions/checkout@v3 | |
with: | |
submodules: recursive | |
- name: Write OpenStack credentials | |
run: echo "$OS_CLOUDS" > ./clouds.yaml | |
env: | |
OS_CLOUDS: ${{ secrets.OS_CLOUDS }} | |
- name: Set up Packer environment | |
run: ./bin/setup | |
env: | |
PACKER_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Build image | |
id: build-image | |
run: ./bin/build-image | |
env: | |
OS_CLOUD: openstack | |
PACKER_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
ENVIRONMENT: arcus | |
PACKER_TEMPLATE: ${{ matrix.template }} | |
ENV_VAR_FILES: ${{ matrix.var-files }} | |
- name: Publish image | |
id: publish-image | |
run: ./bin/publish-image | |
env: | |
OS_CLOUD: openstack | |
ENVIRONMENT: arcus | |
ENV_VAR_FILES: ${{ matrix.var-files }} | |
IMAGE_ID: ${{ steps.build-image.outputs.image-id }} | |
S3_ACCESS_KEY: ${{ secrets.S3_ACCESS_KEY }} | |
S3_SECRET_KEY: ${{ secrets.S3_SECRET_KEY }} | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v3 | |
- name: mount qcow2 file | |
shell: | | |
sudo apt-get -y install libguestfs-tools | |
sudo mkdir -p /mnt/${{ steps.publish-image.outputs.image-name }} | |
sudo guestmount -a ${{ steps.publish-image.outputs.image-name }}.qcow2 -i /mnt/${{ steps.publish-image.outputs.image-name }} | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/[email protected] | |
with: | |
scan-type: fs | |
scan-ref: "/mnt/${{ steps.publish-image.outputs.image-name }}" | |
format: sarif | |
output: trivy-results.sarif | |
ignore-unfixed: true | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: trivy-results.sarif | |
- name: Write matrix outputs | |
uses: cloudposse/[email protected] | |
with: | |
matrix-step-name: ${{ github.job }} | |
matrix-key: ${{ matrix.name }} | |
outputs: |- | |
name: ${{ steps.publish-image.outputs.image-name }} | |
url: ${{ steps.publish-image.outputs.image-url }} | |
checksum: ${{ steps.publish-image.outputs.image-checksum }} | |
manifest-extra: ${{ steps.build-image.outputs.manifest-extra }} | |
publish_manifest: | |
# this job should always run, but needs to run after the build matrix | |
needs: [build_images] | |
if: ${{ always() }} | |
runs-on: ubuntu-latest | |
outputs: | |
manifest-url-encoded: ${{ steps.encode-manifest-url.outputs.encoded }} | |
steps: | |
- name: Check out the repository | |
uses: actions/checkout@v3 | |
- name: Read matrix outputs | |
id: matrix-outputs | |
uses: cloudposse/[email protected] | |
with: | |
matrix-step-name: build_images | |
- name: Write outputs | |
uses: DamianReeves/write-file-action@0a7fcbe1960c53fc08fe789fa4850d24885f4d84 | |
with: | |
path: build-outputs.json | |
write-mode: overwrite | |
contents: ${{ steps.matrix-outputs.outputs.result }} | |
- name: Generate manifest | |
run: ./bin/generate-manifest | |
env: | |
BUILD_OUTPUTS_FILE: ./build-outputs.json | |
MANIFEST_FILE: ./manifest.json | |
- name: Install s3cmd | |
run: | | |
sudo apt-get update -y | |
sudo apt-get install -y s3cmd | |
- name: Publish manifest to S3 | |
id: publish-manifest | |
run: ./bin/publish-manifest | |
env: | |
MANIFEST_FILE: ./manifest.json | |
ENVIRONMENT: arcus | |
ENV_VAR_FILES: common | |
S3_ACCESS_KEY: ${{ secrets.S3_ACCESS_KEY }} | |
S3_SECRET_KEY: ${{ secrets.S3_SECRET_KEY }} | |
# The manifest URL that publish-manifest outputs is a signed URL | |
# This means that it contains the S3 access key which, although it does not necessarily need | |
# to be kept secret, is provided using a GitHub secret | |
# GitHub does not allow outputs that include secrets to be transferred between jobs | |
# To get around this, we encrypt the manifest URL using GPG and use that as the output of this workflow | |
- name: Encode manifest URL using GPG | |
id: encode-manifest-url | |
run: | | |
result=$(gpg --symmetric --batch --passphrase "${PASSPHRASE}" --output - <(echo "${INPUT}") | base64 -w0) | |
echo "encoded=${result}" >> $GITHUB_OUTPUT | |
env: | |
PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} | |
INPUT: ${{ steps.publish-manifest.outputs.manifest-url }} | |
run_azimuth_tests: | |
needs: [publish_manifest] | |
runs-on: ubuntu-latest | |
steps: | |
# The manifest URL that publish-manifest outputs is a signed URL | |
# This means that it contains the S3 access key which, although it does not necessarily need | |
# to be kept secret, is provided using a GitHub secret | |
# GitHub does not allow outputs that include secrets to be transferred between jobs | |
# To get around this, the manifest URL is encrypted using GPG that we must now decrypt to use | |
- name: Decode manifest URL using GPG | |
id: decode-manifest-url | |
run: | | |
result=$(gpg --decrypt --quiet --batch --passphrase "${PASSPHRASE}" --output - <(echo "${INPUT}" | base64 -d)) | |
echo "decoded=${result}" >> $GITHUB_OUTPUT | |
env: | |
PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} | |
INPUT: ${{ needs.publish_manifest.outputs.manifest-url-encoded }} | |
# Check out the configuration repository | |
- name: Set up Azimuth environment | |
uses: stackhpc/azimuth-config/.github/actions/setup@devel | |
with: | |
os-clouds: ${{ secrets.OS_CLOUDS }} | |
environment-prefix: images-ci | |
# Use the manifest that we just built | |
# We want to run all the CaaS tests except Slurm | |
# We want to run the Kubernetes tests _for all Kubernetes versions_ | |
# We don't need to run the apps tests | |
extra-vars: | | |
community_images_azimuth_images_manifest_url: ${{ steps.decode-manifest-url.outputs.decoded }} | |
generate_tests_caas_test_case_slurm_enabled: false | |
generate_tests_kubernetes_test_cases_latest_only: false | |
generate_tests_kubernetes_apps_suite_enabled: false | |
- name: Provision Azimuth | |
uses: stackhpc/azimuth-config/.github/actions/provision@devel | |
- name: Run Azimuth tests | |
uses: stackhpc/azimuth-config/.github/actions/test@devel | |
- name: Destroy Azimuth | |
uses: stackhpc/azimuth-config/.github/actions/destroy@devel | |
if: ${{ always() }} | |
# Purge the images that we just tested from OpenStack | |
purge_images: | |
needs: [run_azimuth_tests] | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Install s3cmd | |
run: | | |
sudo apt-get update -y | |
sudo apt-get install -y s3cmd | |
- name: Install script dependencies | |
run: pip install -r ./requirements.txt | |
- name: Write OpenStack credentials | |
run: echo "$OS_CLOUDS" > ./clouds.yaml | |
env: | |
OS_CLOUDS: ${{ secrets.OS_CLOUDS }} | |
- name: Purge images for manifest | |
run: | | |
source ./bin/env-vars | |
./bin/purge-images "${GITHUB_SHA}.manifest" | |
env: | |
REPO_ROOT: ${{ github.workspace }} | |
OS_CLOUD: openstack | |
ENVIRONMENT: arcus | |
ENV_VAR_FILES: common | |
S3_ACCESS_KEY: ${{ secrets.S3_ACCESS_KEY }} | |
S3_SECRET_KEY: ${{ secrets.S3_SECRET_KEY }} |
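Review bot: The new `mount qcow2 file` step places its commands under `shell: |` rather than `run: |`, so the step has neither `run` nor `uses` and the workflow will be rejected at parse time; `shell:` only names the interpreter. Once that is fixed, pass `steps.publish-image.outputs.image-name` through `env:` instead of interpolating `${{ }}` directly into the script, as the other `run` steps in this file already do, run `apt-get update` before the install like the `Install s3cmd` steps do, and mount read-only. The mount is created as root via `sudo`, and the Trivy action runs in its own container, so a FUSE mount at `/mnt/...` may be unreadable to it without `-o allow_other` and may not be visible inside that container at all; this is inferred from the action type and should be confirmed on a real run. Note also that the scan sits after `Publish image`, so findings are reported but do not gate publication, and the `<image-name>.qcow2` path in the workspace is assumed to match what `./bin/build-image` writes.
```yaml
      - name: Mount qcow2 file
        run: |
          sudo apt-get update -y
          sudo apt-get install -y libguestfs-tools
          sudo mkdir -p "/mnt/${IMAGE_NAME}"
          sudo guestmount -a "${IMAGE_NAME}.qcow2" -i --ro -o allow_other "/mnt/${IMAGE_NAME}"
        env:
          IMAGE_NAME: ${{ steps.publish-image.outputs.image-name }}
      # … unchanged: Run Trivy vulnerability scanner step …
```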