[8.14] Fix 8.14 ci - separate lints/unit tests from integration tests (#2623)

* fix ci

* Skip Azure PostgreSQL tests (#2600)

---------

Co-authored-by: Dmitry Gurevich <99176494+gurevichdmitry@users.noreply.github.com>
moukoublen and gurevichdmitry authored Oct 17, 2024
1 parent 6e7b852 commit 2ccf284
Showing 5 changed files with 187 additions and 165 deletions.
3 changes: 2 additions & 1 deletion .github/actions/docker-images/action.yml
@@ -123,7 +123,8 @@ runs:
- if: ${{ inputs.build-docker-images == 'true' }}
name: Upload docker images
uses: actions/upload-artifact@v4
# Pin action version to 4.3.4 See https://github.com/actions/upload-artifact/issues/589
uses: actions/upload-artifact@v4.3.4
with:
name: docker-images
path: ${{ inputs.docker-images-folder }}
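Review bot: pinning `actions/upload-artifact` to the release tag `v4.3.4` instead of the floating `v4` major tag is an improvement for reproducibility, but a tag can still be moved by the action's maintainers; for a pin that cannot drift, reference the full commit SHA of that release and keep `# v4.3.4` as a trailing comment so the version stays readable.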
105 changes: 105 additions & 0 deletions .github/workflows/ci-pull_request.yml
@@ -0,0 +1,105 @@
name: Unit Tests and Lints

on:
pull_request:
branches:
- main
- "[0-9]+.[0-9]+"
types: [opened, synchronize, reopened]
push:
branches:
- main
- "[0-9]+.[0-9]+"
workflow_dispatch:

concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true

jobs:

lint:
name: Lint
runs-on: ubuntu-22.04
timeout-minutes: 60
steps:
- name: Check out the repo
uses: actions/checkout@v4

- name: Initialize hermit
shell: bash
run: |
./bin/hermit env --raw >> "$GITHUB_ENV"
- name: Initialize poetry
shell: bash
run: |
pip3 install poetry
(cd security-policies && poetry install --no-root)
- name: Pre-commit Hooks
env:
# Skipping golangci-lint as it's tested by golangci-lint
SKIP: golangci-lint
shell: bash
run: |
pre-commit run --all-files
- name: golangci-lint
shell: bash
run: golangci-lint run --out-format github-actions

- name: Mage Check
shell: bash
run: mage check

- name: Mage checkLicenseHeaders
shell: bash
run: mage checkLicenseHeaders

- name: Validate mocks
shell: bash
run: just validate-mocks

- name: Terraform fmt
shell: bash
run: terraform fmt -check -recursive

unit-test:
name: Unit Test
runs-on: ubuntu-22.04
timeout-minutes: 60
steps:
- name: Check out the repo
uses: actions/checkout@v4

- name: Initialize hermit
shell: bash
run: |
./bin/hermit env --raw >> "$GITHUB_ENV"
- name: Build opa bundle
shell: bash
run: mage buildOpaBundle

- name: Unit-Test
shell: bash
run: |
go install gotest.tools/gotestsum
GOOS=linux TEST_DIRECTORY=./... gotestsum --format pkgname -- -race -coverpkg=./... -coverprofile=cover.out.tmp
cat cover.out.tmp | grep -v "mock_.*.go" > cover.out # remove mock files from coverage report
- name: Upload coverage artifact
uses: actions/upload-artifact@v4
with:
name: coverage-file
path: cover.out
overwrite: true

- name: Send coverage
env:
COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
shell: bash
run: |
go install github.com/mattn/goveralls@latest
goveralls -coverprofile=cover.out -service=github
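Review bot: moving lint and unit tests into a workflow triggered by `pull_request` (rather than `pull_request_target`) is the right call, since PR code from forks then runs with a read-only `GITHUB_TOKEN` and without repository secrets; two follow-ups for this file: the Unit-Test and Send coverage steps install `gotest.tools/gotestsum` with no version and `github.com/mattn/goveralls@latest`, so every run fetches whatever is current (pin both, e.g. `go install gotest.tools/gotestsum@vX.Y.Z` with a real version in place of the placeholder), and a top-level `permissions:` block (`contents: read`, plus only what goveralls actually needs) would make the least-privilege intent explicit instead of relying on the repository default.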
110 changes: 8 additions & 102 deletions .github/workflows/ci.yml
@@ -1,11 +1,11 @@
name: Tests

on:
pull_request_target:
branches:
- main
- "[0-9]+.[0-9]+"
types: [opened, synchronize, reopened]
# pull_request_target:
# branches:
# - main
# - "[0-9]+.[0-9]+"
# types: [opened, synchronize, reopened]
push:
branches:
- main
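Review bot: the `pull_request_target` trigger is commented out rather than deleted, which leaves a block that is easy to re-enable by accident; since the lint and unit-test jobs that needed the PR's code have moved to ci-pull_request.yml, delete the dead lines, and verify that no remaining job in this file still selects `ref: ${{ github.event_name == 'push' && github.ref || format('refs/pull/{0}/merge', github.event.number) }}`, an expression that only had a purpose under the trigger being removed.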
@@ -29,100 +29,6 @@ jobs:
with:
init-tools: 'true'

lint:
name: Lint
runs-on: ubuntu-22.04
timeout-minutes: 60
steps:
- name: Check out the repo
uses: actions/checkout@v4
with:
ref: ${{ github.event_name == 'push' && github.ref || format('refs/pull/{0}/merge', github.event.number) }}
# If the event is push to branch use the default ref.
# If the event is pull request (`pull_request_target` in our case) use merge commit as ref to run lint over the PR's code.

- name: Initialize hermit
shell: bash
run: |
./bin/hermit env --raw >> "$GITHUB_ENV"
- name: Initialize poetry
shell: bash
run: |
pip3 install poetry
(cd security-policies && poetry install --no-root)
- name: Pre-commit Hooks
env:
# Skipping golangci-lint as it's tested by golangci-lint
SKIP: golangci-lint
shell: bash
run: |
pre-commit run --all-files
- name: golangci-lint
shell: bash
run: golangci-lint run --out-format github-actions

- name: Mage Check
shell: bash
run: mage check

- name: Mage checkLicenseHeaders
shell: bash
run: mage checkLicenseHeaders

- name: Validate mocks
shell: bash
run: just validate-mocks

- name: Terraform fmt
shell: bash
run: terraform fmt -check -recursive

unit-test:
name: Unit Test
runs-on: ubuntu-22.04
timeout-minutes: 60
steps:
- name: Check out the repo
uses: actions/checkout@v4
with:
ref: ${{ github.event_name == 'push' && github.ref || format('refs/pull/{0}/merge', github.event.number) }}
# If the event is push to branch use the default ref.
# If the event is pull request (`pull_request_target` in our case) use merge commit as ref to run unit tests over the PR's code.

- name: Initialize hermit
shell: bash
run: |
./bin/hermit env --raw >> "$GITHUB_ENV"
- name: Build opa bundle
shell: bash
run: mage buildOpaBundle

- name: Unit-Test
shell: bash
run: |
go install gotest.tools/gotestsum
GOOS=linux TEST_DIRECTORY=./... gotestsum --format pkgname -- -race -coverpkg=./... -coverprofile=cover.out.tmp
cat cover.out.tmp | grep -v "mock_.*.go" > cover.out # remove mock files from coverage report
- name: Upload coverage artifact
uses: actions/upload-artifact@v4
with:
name: coverage-file
path: cover.out
overwrite: true

- name: Send coverage
env:
COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
shell: bash
run: |
go install github.com/mattn/goveralls@latest
goveralls -coverprofile=cover.out -service=github
ci-azure:
needs: [ init-hermit ]
name: CIS Azure CI
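Review bot: deleting these two jobs removes the riskiest pattern in this file: a `pull_request_target` run, which carries a write-capable token and access to secrets, checked out `refs/pull/{0}/merge` and then ran `pre-commit`, `mage`, `just` and `go` against the PR's own code, so an untrusted contribution could have executed with those privileges; with the jobs gone, the remaining `init-hermit` (`init-tools: 'true'`) and `ci-azure` jobs should be checked to confirm they no longer depend on that PR ref either.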
@@ -262,9 +168,9 @@ jobs:
- test-target: k8s_file_system_rules
kind-config: kind-test-files
values-file: tests/test_environments/values/ci-test-k8s-files.yml
- test-target: k8s_object_psp_rules
kind-config: kind-multi
values-file: tests/test_environments/values/ci-test-k8s-objects.yml
# - test-target: k8s_object_psp_rules
# kind-config: kind-multi
# values-file: tests/test_environments/values/ci-test-k8s-objects.yml
- test-target: k8s_process_rules
kind-config: kind-test-proc-conf1
values-file: tests/test_environments/values/ci-test-k8s-proc-conf1.yml
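Review bot: the `k8s_object_psp_rules` matrix entry is commented out with no reason given, and the commit message only mentions skipping the Azure PostgreSQL tests (#2600); add a one-line comment with the reason and a tracking issue next to the disabled entry, or delete it outright, so the lost integration coverage for the PSP rules is not forgotten.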
12 changes: 6 additions & 6 deletions security-policies/RULES.md
@@ -404,7 +404,7 @@

#### Manual rules: 0/74 (0%)

#### Integration Tests Coverage: 100/302 (33%)
#### Integration Tests Coverage: 94/302 (31%)

<details><summary><h3>Full Table 📋</h3></summary>
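Review bot: the drop from 100/302 to 94/302 is consistent with the six Passed/Failed marks cleared in the PostgreSQL rows of the next hunk (4.3.3, 4.3.4, 4.3.7 and 4.3.8 each lose their Failed case, 4.3.6 loses both), so the count looks correct; if this summary is script-generated from the table, regenerate it rather than hand-editing so the two cannot diverge.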

@@ -495,12 +495,12 @@
| 4.2.5 | SQL Server - Microsoft Defender for SQL | Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server | :x: | Passed :x: / Failed :x: | Automated |
| [4.3.1](bundle/compliance/cis_azure/rules/cis_4_3_1) | PostgreSQL Database Server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | :white_check_mark: | Passed :x: / Failed :x: | Automated |
| [4.3.2](bundle/compliance/cis_azure/rules/cis_4_3_2) | PostgreSQL Database Server | Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated |
| [4.3.3](bundle/compliance/cis_azure/rules/cis_4_3_3) | PostgreSQL Database Server | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated |
| [4.3.4](bundle/compliance/cis_azure/rules/cis_4_3_4) | PostgreSQL Database Server | Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated |
| [4.3.3](bundle/compliance/cis_azure/rules/cis_4_3_3) | PostgreSQL Database Server | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | :white_check_mark: | Passed :white_check_mark: / Failed :x: | Automated |
| [4.3.4](bundle/compliance/cis_azure/rules/cis_4_3_4) | PostgreSQL Database Server | Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server | :white_check_mark: | Passed :white_check_mark: / Failed :x: | Automated |
| [4.3.5](bundle/compliance/cis_azure/rules/cis_4_3_5) | PostgreSQL Database Server | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated |
| [4.3.6](bundle/compliance/cis_azure/rules/cis_4_3_6) | PostgreSQL Database Server | Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated |
| [4.3.7](bundle/compliance/cis_azure/rules/cis_4_3_7) | PostgreSQL Database Server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated |
| [4.3.8](bundle/compliance/cis_azure/rules/cis_4_3_8) | PostgreSQL Database Server | Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' | :white_check_mark: | Passed :x: / Failed :white_check_mark: | Automated |
| [4.3.6](bundle/compliance/cis_azure/rules/cis_4_3_6) | PostgreSQL Database Server | Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server | :white_check_mark: | Passed :x: / Failed :x: | Automated |
| [4.3.7](bundle/compliance/cis_azure/rules/cis_4_3_7) | PostgreSQL Database Server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | :white_check_mark: | Passed :white_check_mark: / Failed :x: | Automated |
| [4.3.8](bundle/compliance/cis_azure/rules/cis_4_3_8) | PostgreSQL Database Server | Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' | :white_check_mark: | Passed :x: / Failed :x: | Automated |
| [4.4.1](bundle/compliance/cis_azure/rules/cis_4_4_1) | MySQL Database | Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server | :white_check_mark: | Passed :x: / Failed :x: | Automated |
| [4.4.2](bundle/compliance/cis_azure/rules/cis_4_4_2) | MySQL Database | Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server | :white_check_mark: | Passed :white_check_mark: / Failed :x: | Automated |
| 4.4.3 | MySQL Database | Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server | :x: | Passed :x: / Failed :x: | Manual |
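Review bot: for 4.3.3, 4.3.4, 4.3.7 and 4.3.8 only the Failed case is dropped, leaving `Passed :white_check_mark: / Failed :x:`; a rule that is exercised only against compliant input will not be caught if it starts passing everything, so record the reason and #2600 as the tracking reference here, and restore the negative cases as soon as the Azure PostgreSQL environment is available again. 4.3.6 loses both cases and is now entirely untested end to end.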