chore: run tests as if externally executed #16
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | ||
| name: ci | ||
| concurrency: | ||
| cancel-in-progress: ${{ ! startsWith(github.ref, 'refs/tags/v') }} | ||
| group: ci-${{ github.ref_name }}-${{ github.event_name }} | ||
| on: | ||
| push: | ||
| branches: | ||
| - main | ||
| tags: | ||
| - v* | ||
| pull_request: | ||
| branches: | ||
| - main | ||
| env: | ||
| ANSIBLE_FORCE_COLOR: "1" | ||
| PY_COLORS: "1" | ||
| TIMEOUT: 10m | ||
| jobs: | ||
| trivy: | ||
| if: github.event_name == 'push' || github.event_name == 'pull_request' | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| security-events: write | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| scan-type: | ||
| - fs | ||
| - config | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| - name: Cache trivy db | ||
| uses: actions/cache@v4 | ||
| with: | ||
| path: | | ||
| ~/.cache/trivy | ||
| ~/work/temp | ||
| key: ${{ runner.os }}-trivy-db-${{ hashFiles('**/trivy.yaml') }} | ||
| - name: Run Trivy vulnerability scanner in fs mode | ||
| uses: aquasecurity/trivy-action@master | ||
| with: | ||
| format: sarif | ||
| ignore-unfixed: true | ||
| output: trivy-results.sarif | ||
| scan-ref: . | ||
| scan-type: ${{ matrix.scan-type }} | ||
| severity: CRITICAL,HIGH | ||
| trivy-config: trivy.yaml | ||
| - name: Upload Trivy scan results to GitHub Security tab | ||
| uses: github/codeql-action/upload-sarif@v3 | ||
| with: | ||
| sarif_file: trivy-results.sarif | ||
| test: | ||
| if: github.event_name == 'push' || github.event_name == 'pull_request' | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| env: | ||
| K3S_VERSION: v1.31.1-k3s1 | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| include: | ||
| - kustomization: oathkeeper/test/vm | ||
| namespace: auth | ||
| extras: >- | ||
| kubectl apply --server-side --timeout=${{ env.TIMEOUT }} -f \ | ||
| https://github.com/VictoriaMetrics/operator/raw/refs/tags/v0.48.3/config/crd/overlay/crd.yaml | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| - name: Setup k3s cluster | ||
| uses: debianmaster/actions-k3s@master | ||
| with: | ||
| version: ${{ env.K3S_VERSION }} | ||
| - name: Verify k8s cluster | ||
| run: kubectl get nodes | ||
| - name: Ensure namespace exists ${{ matrix.namespace }} | ||
| run: kubectl create namespace ${{ matrix.namespace }} --dry-run=client -o yaml | kubectl apply -f - | ||
| - name: Create extras | ||
| if: matrix.extras | ||
| run: ${{ matrix.extras }} | ||
| - name: Verify kustomization ${{ matrix.kustomization }} | ||
| run: kubectl apply -k ${{ matrix.kustomization }} --wait --timeout=${{ env.TIMEOUT }} | ||
| - name: Wait for pods to get into ready state | ||
| run: | | ||
| kubectl get pod -n ${{ matrix.namespace }} | ||
| kubectl wait --for=condition=ready --timeout=${{ env.TIMEOUT }} pod --all -n ${{ matrix.namespace }} | ||
| kubectl get pod -n ${{ matrix.namespace }} | ||
| ansible-lint: | ||
| if: github.event_name == 'push' || github.event_name == 'pull_request' | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| - name: Run ansible-lint | ||
| uses: ansible/ansible-lint@main | ||
| release-please: | ||
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: write | ||
| pull-requests: write | ||
| steps: | ||
| - name: Release please | ||
| uses: googleapis/release-please-action@v4 | ||
| with: | ||
| release-type: simple | ||
