forked from anchore/sbom-action
-
Notifications
You must be signed in to change notification settings - Fork 0
129 lines (112 loc) · 3.21 KB
/
test.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
name: "build-test"
on: # rebuild any PRs and main branch changes
pull_request:
branches: [main]
push:
branches:
- main
release:
types:
- created
- edited
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
jobs:
build: # make sure build/ci work properly and there is no faked build ncc built scripts
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- run: npm ci
- run: npm audit --production
- run: npm run package
- run: git status --porcelain
- run: git diff
- run: git diff --exit-code
test-on-fixture-dirs:
strategy:
matrix:
os: [ubuntu-latest, windows-latest]
runs-on: ${{ matrix.os }}
steps:
- uses: Vampire/setup-wsl@v2
if: ${{ matrix.os == 'windows-latest' }}
with:
distribution: Alpine
- uses: actions/checkout@v3
with:
path: ./
- uses: ./
with:
path: ./tests/fixtures/npm-project
- uses: ./
with:
path: ./tests/fixtures/yarn-project
- uses: ./
id: yarn-scan
with:
path: ./tests/fixtures/yarn-project
- uses: ./
with:
path: ./tests/fixtures/yarn-project
artifact-name: SBOM.txt
test:
runs-on: ubuntu-latest
services:
registry:
image: registry:2
ports:
- 5000:5000
steps:
- uses: actions/checkout@v3
- name: Build images
run: |
for distro in alpine centos debian; do
docker build -t localhost:5000/match-coverage/$distro ./tests/fixtures/image-$distro-match-coverage
docker push localhost:5000/match-coverage/${distro}:latest
done
- run: npm ci
- run: npm test
test-as-action: # make sure the action works on a clean machine without building
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
path: ./
- uses: ./download-syft # anchore/sbom-action/download-syft
id: syft
- run: |
echo "${{ steps.syft.outputs.cmd }}"
"${{ steps.syft.outputs.cmd }}" dir:.
- uses: ./ # anchore/sbom-action
id: dirscan
with:
artifact-name: sbom.spdx
output-file: dirscan-sbom.spdx
format: spdx
- run: |
echo DIR SCAN SBOM:
cat dirscan-sbom.spdx
- uses: ./ # anchore/sbom-action
id: imagescan
with:
image: alpine:latest
artifact-name: sbom.spdx
output-file: my.sbom
- run: |
echo IMAGE SCAN SBOM:
cat my.sbom
- uses: ./publish-sbom # anchore/sbom-action/publish-sbom
with:
sbom-artifact-match: sbom.spdx
- uses: ./publish-sbom # anchore/sbom-action/publish-sbom
with:
sbom-artifact-match: "^dont-match-anything$"
- uses: ./ # anchore/sbom-action with artifact retention
name: "One day artifact retention test"
id: one-day
with:
image: alpine:latest
upload-artifact-retention: 1
artifact-name: one-day.sbom.spdx
output-file: one-day-sbom.spdx
format: spdx