Skip to content
Build and test MicroK8s snap

wip1 #5090

Sign in to view logs

wip1

wip1 #5090

Workflow file for this run

.github/workflows/build-snap.yml at 8f588d0
name: Build and test MicroK8s snap
on:
pull_request:
branches:
- master
jobs:
# build:
# name: Create snap package
# runs-on: ubuntu-20.04
#
# steps:
# - name: Checking out repo
# uses: actions/checkout@v4
# - name: Install lxd
# run: |
# sudo lxd init --auto
# sudo usermod --append --groups lxd $USER
# sg lxd -c 'lxc version'
# - name: Install snapcraft
# run: |
# sudo snap install snapcraft --classic
# - name: Install snapd from candidate
# run: |
# # TODO(neoaggelos): revert this after latest/beta is working again
# sudo snap refresh snapd --channel=latest/stable
# - name: Build snap
# run: |
# sg lxd -c 'snapcraft --use-lxd'
# sudo mv microk8s*.snap microk8s.snap
# - name: Uploading snap
# uses: actions/upload-artifact@v3
# with:
# name: microk8s.snap
# path: microk8s.snap
# test-upgrade:
# name: Upgrade path test
# runs-on: ubuntu-20.04
# needs: build
#
# steps:
# - name: Checking out repo
# uses: actions/checkout@v4
# - name: Install test dependencies
# run: |
# set -x
# sudo apt-get install python3-setuptools
# sudo pip3 install --upgrade pip
# sudo pip3 install -U pytest sh
# sudo apt-get -y install open-iscsi
# sudo systemctl enable iscsid
# - name: Fetch snap
# uses: actions/[email protected]
# with:
# name: microk8s.snap
# path: build
# - name: Running upgrade path test
# run: |
# sudo -E UPGRADE_MICROK8S_FROM=latest/edge UPGRADE_MICROK8S_TO=$PWD/build/microk8s.snap pytest -s ./tests/test-upgrade-path.py
# test-addons-core:
# name: Test core addons
# runs-on: ubuntu-20.04
# needs: build
#
# steps:
# - name: Checking out repo
# uses: actions/checkout@v4
# - name: Install test dependencies
# run: |
# set -x
# sudo apt-get install python3-setuptools
# sudo pip3 install --upgrade pip
# sudo pip3 install -U pytest sh
# sudo apt-get -y install open-iscsi
# sudo systemctl enable iscsid
# - name: Fetch snap
# uses: actions/[email protected]
# with:
# name: microk8s.snap
# path: build
# - name: Running addons tests
# run: |
# set -x
# sudo snap install build/microk8s.snap --classic --dangerous
# ./tests/smoke-test.sh
# export UNDER_TIME_PRESSURE="True"
# export SKIP_PROMETHEUS="False"
# sudo -E bash -c "cd /var/snap/microk8s/common/addons/core/tests; pytest -s -ra test-addons.py"
# test-addons-community:
# name: Test community addons
# runs-on: ubuntu-20.04
# needs: build
#
# steps:
# - name: Checking out repo
# uses: actions/checkout@v4
# - name: Install test dependencies
# run: |
# set -x
# sudo apt-get install python3-setuptools
# sudo pip3 install --upgrade pip
# sudo pip3 install -U pytest sh
# sudo apt-get -y install open-iscsi
# sudo systemctl enable iscsid
# - name: Fetch snap
# uses: actions/[email protected]
# with:
# name: microk8s.snap
# path: build
# # - name: Setup tmate session
# # uses: mxschmitt/action-tmate@v3
# - name: Running addons tests
# run: |
# set -x
# sudo snap install build/microk8s.snap --classic --dangerous
# sudo microk8s enable community
# export UNDER_TIME_PRESSURE="True"
# sudo -E bash -c "cd /var/snap/microk8s/common/addons/community/; pytest -s -ra ./tests/"
# test-addons-core-upgrade:
# name: Test core addons upgrade
# runs-on: ubuntu-20.04
# needs: build
#
# steps:
# - name: Checking out repo
# uses: actions/checkout@v4
# # - name: Setup tmate session
# # uses: mxschmitt/action-tmate@v3
# - name: Install test dependencies
# run: |
# set -x
# sudo apt-get install python3-setuptools
# sudo pip3 install --upgrade pip
# sudo pip3 install -U pytest sh
# sudo apt-get -y install open-iscsi
# sudo systemctl enable iscsid
# - name: Fetch snap
# uses: actions/[email protected]
# with:
# name: microk8s.snap
# path: build
# - name: Running upgrade tests
# run: |
# set -x
# export UNDER_TIME_PRESSURE="True"
## sudo -E bash -c "UPGRADE_MICROK8S_FROM=latest/edge UPGRADE_MICROK8S_TO=$PWD/build/microk8s.snap pytest -s ./tests/test-upgrade.py"
#
# test-cluster-agent:
# name: Cluster agent health check
# runs-on: ubuntu-20.04
# needs: build
#
# steps:
# - name: Checking out repo
# uses: actions/checkout@v4
# - name: Install test dependencies
# run: |
# set -x
# sudo apt-get install python3-setuptools
# sudo pip3 install --upgrade pip
# sudo pip3 install -U pytest sh requests
# - name: Fetch snap
# uses: actions/[email protected]
# with:
# name: microk8s.snap
# path: build
# - name: Running cluster agent health check
# run: |
# set -x
# sudo snap install build/microk8s.snap --classic --dangerous
# sudo -E bash -c "pytest -s ./tests/test-cluster-agent.py"
# test-airgap:
# name: Test airgap installation
# runs-on: ubuntu-20.04
# needs: build
#
# steps:
# - name: Checking out repo
# uses: actions/checkout@v4
# - name: Fetch snap
# uses: actions/[email protected]
# with:
# name: microk8s.snap
# path: build
# - name: Initialize LXD
# run: |
# sudo lxd init --auto
# sudo lxc network set lxdbr0 ipv6.address=none
# sudo usermod --append --groups lxd $USER
# sg lxd -c 'lxc version'
# - name: Run airgap tests
# run: |
# sudo -E bash -x -c "./tests/libs/airgap.sh --distro ubuntu:20.04 --channel $PWD/build/microk8s.snap"
security-scan:
name: Security scan
runs-on: ubuntu-20.04
# needs: build
steps:
- name: Checking out repo
uses: actions/checkout@v4
# - name: Fetch snap
# uses: actions/[email protected]
# with:
# name: microk8s.snap
# path: build
- name: create sarifs directory
run: |
mkdir -p sarifs
mkdir build
snap download microk8s --basename microk8s
mv microk8s.snap ./build
- name: Install Trivy
uses: aquasecurity/[email protected]
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/[email protected]
with:
scan-type: "fs"
ignore-unfixed: true
format: "sarif"
output: "trivy-microk8s-repo-scan--results.sarif"
severity: "CRITICAL"
skip-setup-trivy: true
- name: cat trivy-microk8s-repo-scan--results.sarif
run: |
jq empty trivy-microk8s-repo-scan--results.sarif
- name: Gather Trivy repo scan results
run: |
cp trivy-microk8s-repo-scan--results.sarif ./sarifs/
- name: Run Trivy vulnerability scanner on images
run: |
RETRY_TIMES=5
for i in $(cat ./build-scripts/images.txt) ; do
name=$(echo $i | awk -F ':|/' '{print $(NF-1)}')
for (( j=1; j<=${RETRY_TIMES}; j+=1 )); do
trivy image $i --format sarif > sarifs/$name.sarif
if [ -s sarifs/$name.sarif ]; then
#The file is not-empty.
break
else
echo The sarifs/$name.sarif is empty. retrying for $j times
fi
echo failed to create non-empty report of sarifs/$name.sarif after $RETRY_TIMES times
done
done
cat ./build-scripts/images.txt
ls -la sarifs
- name: Run Trivy vulnerability scanner on the snap
run: |
RETRY_TIMES=5
cp build/microk8s.snap .
unsquashfs microk8s.snap
for (( j=1; j<=${RETRY_TIMES}; j+=1 )); do
trivy rootfs ./squashfs-root/ --format sarif > sarifs/snap.sarif
if [ -s sarifs/snap.sarif ]; then
#The file is not-empty.
break
else
echo The sarifs/snap.sarif is empty. retrying for $j times
fi
echo failed to create non-empty report of sarifs/snap.sarif after $RETRY_TIMES times
done
- uses: actions/upload-artifact@v4
with:
name: "sarifs"
path: "sarifs"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: "sarifs"