Skip to content

feat: Add config for inferring fixes from NVD #1037

feat: Add config for inferring fixes from NVD

feat: Add config for inferring fixes from NVD #1037

Workflow file for this run

name: "Validations"
on:
workflow_dispatch:
pull_request:
# needed for running release pre-checks on merges to the main branch
push:
branches:
- main
env:
CGO_ENABLED: "0"
jobs:
# Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
Static-Analysis:
name: "Static analysis"
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
- name: Bootstrap environment
uses: ./.github/actions/bootstrap
- name: Run static analysis
run: make static-analysis
# Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
Unit-Test-Go:
name: "Unit tests (Go)"
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
- name: Bootstrap environment
uses: ./.github/actions/bootstrap
with:
python: false
- name: Run go unit tests
run: make unit
# Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
Unit-Test-Python:
name: "Unit tests (Python)"
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
- name: Bootstrap environment
uses: ./.github/actions/bootstrap
with:
go: false
- name: Run python unit tests
run: make unit-python
# Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
Build-Snapshot-Artifacts:
name: "Build snapshot artifacts"
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
- name: Bootstrap environment
uses: ./.github/actions/bootstrap
with:
# why have another build cache key? We don't want unit/integration/etc test build caches to replace
# the snapshot build cache, which includes builds for all OSs and architectures. As long as this key is
# unique from the build-cache-key-prefix in other CI jobs, we should be fine.
#
# note: ideally this value should match what is used in release (just to help with build times).
build-cache-key-prefix: "snapshot"
bootstrap-apt-packages: ""
python: false
- name: Build snapshot artifacts
run: make snapshot
# why not use actions/upload-artifact? It is very slow (3 minutes to upload ~600MB of data, vs 10 seconds with this approach).
# see https://github.com/actions/upload-artifact/issues/199 for more info
- name: Upload snapshot artifacts
uses: actions/cache/save@3624ceb22c1c5a301c8db4169662070a689d9ea8 #v4.1.1
with:
path: snapshot
key: snapshot-build-${{ github.run_id }}
Discover-Schema-Versions:
name: "Discover supported schema versions"
runs-on: ubuntu-20.04
outputs:
schema-versions: ${{ steps.read-schema-versions.outputs.schema-versions }}
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
- name: Read supported schema versions
id: read-schema-versions
run: |
content=`cat manager/src/grype_db_manager/data/schema-info.json | jq -c '[.available[] | select(.supported == true) | .schema]'`
echo "schema-versions=$content" >> $GITHUB_OUTPUT
# Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
Acceptance-Test:
name: "Acceptance tests"
needs: Discover-Schema-Versions
runs-on: ubuntu-22.04-4core-16gb
strategy:
matrix:
schema-version: ${{fromJson(needs.Discover-Schema-Versions.outputs.schema-versions)}}
# set the permissions granted to the github token to read the pull cache from ghcr.io
permissions:
contents: read
packages: read
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
with:
submodules: true
- name: Bootstrap environment
uses: ./.github/actions/bootstrap
- name: Login to ghcr.io
run: |
echo ${{ secrets.GITHUB_TOKEN }} | oras login ghcr.io --username ${{ github.actor }} --password-stdin
- name: Pull vulnerability data
run: make download-all-provider-cache
- name: Build and validate the DB
run: make db-acceptance schema=${{ matrix.schema-version }}
env:
FORCE_COLOR: true
Cli-Go-Linux:
# Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
name: "CLI tests (Go-Linux)"
needs: [Build-Snapshot-Artifacts]
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
- name: Bootstrap environment
uses: ./.github/actions/bootstrap
with:
python: false
- name: Restore CLI test-fixture cache
uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 #v4.1.1
with:
path: ${{ github.workspace }}/test/cli/test-fixtures/cache
key: ${{ runner.os }}-cli-test-cache-${{ hashFiles('test/cli/test-fixtures/cache.fingerprint') }}
- name: Download snapshot build
uses: actions/cache/restore@3624ceb22c1c5a301c8db4169662070a689d9ea8 #v4.1.1
with:
path: snapshot
key: snapshot-build-${{ github.run_id }}
- name: Run Go CLI Tests (Linux)
run: make cli-go
Cli-Python:
# Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
name: "CLI tests (Python)"
runs-on: ubuntu-22.04-4core-16gb
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
with:
submodules: true
- name: Bootstrap environment
uses: ./.github/actions/bootstrap
- name: Run Python CLI Tests
run: make cli-python