fix(actions): testing separate job for evaluation

.github/workflows/compliance.yaml

@@ -0,0 +1,52 @@
+name: Compliance Evaluation
+
+on:
+  # Manual trigger
+  workflow_dispatch:
+    inputs:
+      flavor:
+        type: string
+        description: "Flavor of the source package to test"
+        required: true
+    # Triggered by pull-request-conditionals.yaml
+  workflow_call:
+    inputs:
+      flavor:
+        type: string
+        description: "Flavor of the source package to test"
+        required: true
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  evaluate:
+    runs-on: ubuntu-latest
+    name: Evaluate
+    # env:
+    #   UDS_PKG: ${{ inputs.package }}
+    steps:
+      # Used to execute the uds run command
+      - name: Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Download assessment
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ inputs.flavor }}-assessment-results
+
+      - name: Evaluate Compliance
+        id: compliance-evaluation
+        if: ${{ inputs.package == 'all' && inputs.test_type == 'install' }}
+        run: uds run test-compliance-evaluate --no-progress
+
+      # steps in this action only run when there has been a previous failure - will indicate success thereafter
+      # need to think about how much noise this could create - noise currently = good
+      - name: Notify Lula Team of Compliance Assessment Results
+        if: ${{ always() }}
+        uses: ./.github/actions/notify-lula
+        with:
+          state: ${{ steps.compliance-evaluation.outcome }}
+          flavor: ${{ inputs.flavor }}
+          ghToken: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/pull-request-conditionals.yaml

@@ -81,3 +81,16 @@ jobs:
       flavor: ${{ matrix.flavor }}
       test_type: ${{ matrix.test_type }}
     secrets: inherit # Inherits all secrets from the parent workflow.
+
+  evaluate-package-compliance:
+    needs: run-package-test
+    name: Compliance Evaluation
+    # Allow this job to fail
+    continue-on-error: true
+    strategy:
+      matrix:
+        flavor: [upstream, registry1]
+    uses: ./.github/workflows/compliance.yaml
+    with:
+      flavor: ${{ matrix.flavor }}
+    secrets: inherit # Inherits all secrets from the parent workflow.

.github/workflows/test.yaml

@@ -34,7 +34,6 @@ on:
 
 permissions:
   contents: read
-  pull-requests: write
 
 jobs:
   test:
@@ -66,26 +65,13 @@ jobs:
       - name: Validate UDS Core Compliance
         if: ${{ inputs.package == 'all' && inputs.test_type == 'install' }}
         run: uds run test-compliance-validate --no-progress
-
-      - name: Evaluate UDS Core Compliance
-        id: compliance-evaluation
-        if: ${{ inputs.package == 'all' && inputs.test_type == 'install' }}
-        run: uds run test-compliance-evaluate --no-progress
-        continue-on-error: true
-
-      # steps in this action only run when there has been a previous failure - will indicate success thereafter
-      # need to think about how much noise this could create - noise currently = good
-      - name: Notify Lula Team of Compliance Assessment Results
-        if: ${{ always() }}
-        uses: ./.github/actions/notify-lula
+
+      - name: Upload Assessment
+        if: ${{ inputs.package != 'all' && inputs.test_type == 'install' }}
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
         with:
-          state: ${{ steps.compliance-evaluation.outcome }}
-          flavor: ${{ inputs.flavor }}
-          ghToken: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Store UDS Core Compliance Assessment Results
-        if: ${{ inputs.package == 'all' && inputs.test_type == 'install' }}
-        run: cp ./compliance/oscal-assessment-results.yaml /tmp/oscal-assessment-results.yaml
+          name: ${{ inputs.flavor }}-assessment-results
+          path: ./compliance/oscal-assessment-results.yaml
 
       - name: Test UDS Core Upgrade
         if: ${{ inputs.package == 'all' && inputs.test_type == 'upgrade' }}