remove secrets: inherit #14
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: pr-tests | |
| on: | |
| push: | |
| branches: [ master, main ] | |
| pull_request: | |
| # run for every chnage in the PR | |
| types: [ opened, synchronize, reopened, ready_for_review ] | |
| # Do not run the pipeline if only Markdown files changed | |
| paths-ignore: ['**.md'] | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| env: | |
| REGO_ARTIFACT_KEY_NAME: rego_artifact | |
| REGO_ARTIFACT_PATH: releaseDev | |
| jobs: | |
| # testing link checks | |
| markdown-link-check: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c | |
| - name: Check links | |
| uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368 | |
| with: | |
| use-verbose-mode: 'yes' | |
| # main job of testing and building the env. | |
| test_pr_checks: | |
| needs: [markdown-link-check] | |
| permissions: | |
| pull-requests: write | |
| uses: kubescape/workflows/.github/workflows/go-basic-tests.yaml@main | |
| with: | |
| GO_VERSION: 1.19 | |
| BUILD_PATH: github.com/kubescape/regolibrary/gitregostore/... | |
| secrets: inherit | |
| build-and-rego-test: | |
| name: Build and test rego artifacts | |
| runs-on: ubuntu-latest | |
| needs: [test_pr_checks] | |
| outputs: | |
| REGO_ARTIFACT_KEY_NAME: ${{ steps.set_outputs.outputs.REGO_ARTIFACT_KEY_NAME }} | |
| REGO_ARTIFACT_PATH: ${{ steps.set_outputs.outputs.REGO_ARTIFACT_PATH }} | |
| steps: | |
| - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f | |
| name: checkout repo content | |
| with: | |
| submodules: recursive | |
| token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }} | |
| # Test using Golang OPA hot rule compilation | |
| - name: Set up Go | |
| uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 | |
| with: | |
| go-version: 1.19 | |
| # testing rego library | |
| - name: Test Regoes | |
| working-directory: testrunner | |
| run: | | |
| apt update && apt install -y cmake | |
| GOPATH=$(go env GOPATH) make | |
| - name: setup python | |
| uses: actions/setup-python@75f3110429a8c05be0e1bf360334e4cced2b63fa | |
| with: | |
| python-version: 3.10.6 | |
| # validate control-ID duplications | |
| - run: python ./scripts/validations.py | |
| # generating subsections ids | |
| - name: Update frameworks subsections | |
| run: bash ./scripts/generate_subsections_ids.sh | |
| # run export script to generate regolibrary artifacts | |
| - name: Run export script | |
| run: | | |
| OUTPUT=pre-release python ./scripts/export.py | |
| rm -r releaseDev | |
| cp -R pre-release releaseDev | |
| - name: Set outputs | |
| id: set_outputs | |
| run: | | |
| echo "REGO_ARTIFACT_KEY_NAME=${{ env.REGO_ARTIFACT_KEY_NAME }}" >> $GITHUB_OUTPUT | |
| echo "REGO_ARTIFACT_PATH=${{ env.REGO_ARTIFACT_PATH }}" >> $GITHUB_OUTPUT | |
| - uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3.1.1 | |
| name: Upload artifact | |
| with: | |
| name: ${{ env.REGO_ARTIFACT_KEY_NAME }} | |
| path: ${{ env.REGO_ARTIFACT_PATH }}/ | |
| if-no-files-found: error | |
| # test kubescape with regolibrary artifacts | |
| ks-and-rego-test: | |
| name: test rego artifatcs with kubescape | |
| runs-on: ubuntu-latest | |
| needs: [build-and-rego-test] | |
| # secrets: inherit | |
| steps: | |
| - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f | |
| name: checkout repo content | |
| with: | |
| submodules: recursive | |
| token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }} | |
| - uses: ./workflows/.github/workflows/kubescape-cli-e2e-tests.yaml | |
| with: | |
| DOWNLOAD_ARTIFACT_KEY_NAME: ${{ needs.build-and-rego-test.outputs.REGO_ARTIFACT_KEY_NAME }} | |
| BINARY_TESTS: '[ "scan_nsa", | |
| "scan_mitre", | |
| "scan_with_exceptions", | |
| "scan_repository", | |
| "scan_local_file", | |
| "scan_local_glob_files", | |
| "scan_nsa_and_submit_to_backend", | |
| "scan_mitre_and_submit_to_backend", | |
| "scan_local_repository_and_submit_to_backend", | |
| "scan_repository_from_url_and_submit_to_backend", | |
| "host_scanner", | |
| "scan_local_list_of_files" | |
| ]' | |
| DOWNLOAD_ARTIFACT_PATH: ${{ needs.build-and-rego-test.outputs.REGO_ARTIFACT_PATH }} |