.github/workflows/ci.yaml

---
name: CI

on:
  schedule:
    - cron: '44 4 */2 * *'
  pull_request:

concurrency:
  group: integration-tests-${{ github.ref_name }}
  cancel-in-progress: true

jobs:
  format:
    name: Ensure code is formatted
    runs-on: ubuntu-latest
    steps:
      - name: checkout source code
        uses: actions/checkout@v4
      - name: Install necessary software
        run: |
          set -e
          sudo apt update
          sudo apt -y install jo tox
      - name: Test formatting with ruff
        run: tox -e format -- --check

  gentestmatrix:
    name: Generate test matrix
    runs-on: ubuntu-latest
    outputs:
      matrix: ${{ steps.setmatrix.outputs.matrix }}
    steps:
      - name: checkout source code
        uses: actions/checkout@v4
      - name: get the current PR
        uses: 8BitJonny/gh-get-current-pr@3.0.0
        id: pr
        with:
          github-token: ${{ github.token }}
          # Verbose setting SHA when using Pull_Request event trigger to fix #16
          sha: ${{ github.event.pull_request.head.sha }}
          filterOutClosed: true

      # jo is used only to generate matrix using json easily
      - name: Install necessary software
        run: sudo apt update && sudo apt install jo tox fish

      - id: setmatrix
        run: |
          set stringified_matrix (tox -l | sed -e '/unit/d' -e '/get_urls/d' -e '/doc/d' -e '/lint/d' -e '/fips/d'  | jo -a)

          set users_envs (echo $PR_BODY | awk -F' ' '/^\[CI:TOXENVS\]/ { print $2 }')
          if [ -n "$users_envs" ]
              set stringified_matrix (echo "$users_envs,build,all,repository,metadata,multistage" | tr ',' '\n' | sort | uniq | jo -a)
          end
          echo "matrix=$stringified_matrix" >> $GITHUB_OUTPUT
        shell: fish {0}
        env:
          PR_BODY: ${{ steps.pr.outputs.pr_body || '' }}

  unit-tests:
    name: Unit tests
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        python_version: ["3.6", "3.9", "3.10", "3.11"]
    container:
      image: registry.suse.com/bci/python:${{ matrix.python_version }}
    steps:
      - name: checkout source code
        uses: actions/checkout@v4
      - name: Install tox
        run: |
          python3 --version
          python3 -m ensurepip
          python3 -m pip install tox
      - run: 'tox -e py$(echo $PY_VER | tr -d . )-unit -- -n auto --durations=25 --durations-min=600.0'
        env:
          SETUPTOOLS_SCM_PRETEND_VERSION: 1.2.3
          PY_VER: ${{ matrix.python_version }}

  documentation:
    name: Build documentation
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.x'
      - name: Install tox
        run: sudo apt update && sudo apt install tox
      - run: tox -e doc

  lint:
    name: Lint source code
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.x'
      - name: Install tox
        run: sudo apt update && sudo apt install tox
      - run: tox -e lint

  test-containers:
    name: tox
    runs-on: ubuntu-latest
    needs: gentestmatrix
    strategy:
      fail-fast: false
      matrix:
        toxenv: ${{fromJson(needs.gentestmatrix.outputs.matrix)}}
        os_version:
          - 15.5
          - 15.6
          - "tumbleweed"
        include:
          - toxenv: fips
            testing_target: ibs-released
            os_version: 15.3
          - toxenv: repository
            testing_target: ibs-released
            os_version: 15.5
          - toxenv: all
            testing_target: ibs-released
            os_version: 15.3
          - toxenv: base
            testing_target: ibs-released
            os_version: 15.3
          - toxenv: all
            testing_target: ibs-released
            os_version: 15.4
          - toxenv: base
            testing_target: ibs-released
            os_version: 15.4
          - toxenv: metadata
            testing_target: ibs-released
            os_version: 15.4
          - toxenv: all
            os_version: 15.3
          - toxenv: base
            os_version: 15.3
          - toxenv: build
            os_version: 15.3
          - toxenv: metadata
            os_version: 15.3
          - toxenv: all
            os_version: 15.4
          - toxenv: base
            os_version: 15.4
          - toxenv: build
            os_version: 15.4
          - toxenv: metadata
            os_version: 15.4

    steps:
      - name: Clean up disk space to maximize available space
        run: sudo rm -rf /usr/local/lib/android /usr/share/dotnet /opt/ghc /opt/hostedtoolcache/CodeQL && sudo docker image prune --all --force
      - name: checkout source code
        uses: actions/checkout@v4
      - name: Install tox
        run: sudo apt update && sudo apt install tox
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.x'

      - name: Install ldap-utils to have ldapwhoami for the 389ds tests
        run: |
          sudo apt-get update
          sudo apt-get install ldap-utils
          command -v ldapwhoami
        if: ${{ matrix.toxenv == '389ds' }}

      - name: Install new podman from OBS
        if: false
        run: |
          sudo mkdir -p /etc/apt/keyrings
          curl -fsSL https://download-repositories.opensuse.org/repositories/devel:/kubic:/libcontainers:/unstable/xUbuntu_$(lsb_release -rs)/Release.key \
            | gpg --dearmor \
            | sudo tee /etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg > /dev/null
          echo \
            "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg]\
              https://download-repositories.opensuse.org/repositories/devel:/kubic:/libcontainers:/unstable/xUbuntu_$(lsb_release -rs)/ /" \
            | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:unstable.list > /dev/null
          sudo apt-get update -qq
          sudo apt-get -qq -y install podman buildah
          sudo mkdir -p /etc/containers/registries.d/

      - name: configure podman to use sigstore attachments
        run: |
          sudo install -d -m 755 /etc/containers/registries.d/
          cat << EOF | sudo tee /etc/containers/registries.d/opensuse.yaml
          docker:
            registry.suse.de:
              use-sigstore-attachments: true
            registry.suse.com:
              use-sigstore-attachments: true
            registry.opensuse.org:
              sigstore: https://registry.opensuse.org/sigstore
          EOF

      - name: configure podman to enforce signature checks
        if: false
        run: |
          policy_json=$(cat /etc/containers/policy.json)
          echo $policy_json | jq '.transports += { "docker": {"registry.opensuse.org": [{ "type": "signedBy", "keyType": "GPGKeys", "keyPaths": ["/etc/containers/devel_bci.key", "/etc/containers/opensuse_container-2023.key", "/etc/containers/opensuse_container.key"]}]}}' | sudo tee /etc/containers/policy.json

          cat << EOF | sudo tee /etc/containers/devel_bci.key
          -----BEGIN PGP PUBLIC KEY BLOCK-----

          mQINBGQa2Y4BEAC+VBw/6hJCCd+JlrngmHvAS2dbzz0dk0dh6rK7mhuuQTmTbJex
          eY2tmFfcg3wp78P586H7WwE+0fLf7KEuIsWK8/YCpe7Ld/WycQkkJiW7EhbW4+uu
          6EKBw1B7ZFDaJJ71UDaXbMECepV/YEnsZgu38vGWZPUfOHbIDS5M0j9Xo7COG7/I
          jzs0Ml+G8hAk1cJ5AxjLycyINKHnglrx855/AW1xjO04Da6/NZ5grvCQBNcpLaH5
          Y8eUvNVQ6SdBwo9xR8hCTsUe5TpB5Gf4CXNPMdG6f1wDbmRw6hYw4Tbvjjlg8yhO
          XS76OURH3AiYTrP7SDVrgOy8tsVtSk1+1zvJ5VFjKbS8N3//XOkSJYSD/MxjN+bb
          jwsqK6FEYBS1MiIX/6bYo5j/bVDzp/jZ9ocPB623E9CGwgH0NDrs+5M3la/j+vIq
          wjwXpWuwdefVjhvIDYgSZQQRx880RLo31Zr6Vfpas1JXIzDq6uSWAyx23rKmQr9N
          ctU1qHNB5CdKDR/zAMjuFvy1o13zTmfo1CrRn9J//Kiy2EnfsKOFssfYs9TgL22k
          qdsCXNa0xvXbeLDehQwQvxeWTLyGMJGwPqoTXVv3EhEhrLClB5FOJurwfArd24ze
          qvVsKJrADEWvO3a1KHkX4h82qBDGJdQDK5iMajLJeQciYVhT5pHHMdMbmQARAQAB
          tDRkZXZlbDpCQ0kgT0JTIFByb2plY3QgPGRldmVsOkJDSUBidWlsZC5vcGVuc3Vz
          ZS5vcmc+iQJUBBMBCAA+FiEE4t9p2tF8+S+4jG5wMG+YHbRrR8MFAmQa2Y4CGwMF
          CQQesAAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQMG+YHbRrR8NWlRAAmPQ6
          0Ac1LDrAD+NJ/Z/7TzLg6dpkC5JNDkwNSoSyfKiN3ow8265mF8XM7502ZCDeOr0p
          GDisbOTSdOWI981TQ0MRtRWsBzjHkkl4CuxoGHC0X0Q1wjbKy8BfnfAlmNF/l8PL
          Ykm15xndHzE1oIxJ0V5KKA0v4vKJkSNsZ9Ye0IyzICpkWoUfqeg3rnSpwV/MvQTf
          2as9mXj8TSAuR47rsWtivljhGnFpTyvvWw30bDItpB5EYlCVjPlj1t2wX/fHkNX6
          0Gdkrwhml67pk7v03+ngbKDAPGrcq5EKLaNfL5T5cOx5GzUrjOH7OpqdnR9Lg5Ix
          IpcfAfkeY+E+ALMvfyhVmhMRhGMgiv0wTL/H11/K1rvXaVYznoKG0G/7cCuorDBf
          ind5PkGJTu+3Fs7N6eQZntVwXoBxkGWb8b6voFv22u55svToTX28pkDVm5EJNZnv
          xfFUhX6m+CFdh138aX2LFYQCsF/T8jM4j+ukHTQ+m8F+eRrhqoBjWkvHZ3EionpL
          F+1LGdEn25qMej++OkAm6D5dV/yQaP1rjpdHwQEZ6GntVl2ngagoF8zQIJ6rXe15
          FvZ9AvL+gta8vxluDTPUK3DIg4jdwFb8WT2R0rOPUaItheOaCXxxcr6wPbHHLHC1
          LKPO+oy9938+sUaaC/DEO+vwPOkSwrBw/0htilmJAjMEEwEIAB0WIQTMNcw9NeWj
          ZD5UWkPPC5KM3tZPOwUCZBrZkQAKCRDPC5KM3tZPO3QbD/4kEsEW2tBxus+AfT/P
          r9B1iiHgOu9e6ixvmEcqF4bU3ykAmo7DH/E+oqW6vx97DnYgKleJJ9IVD6gTyhYJ
          7Z+uPoJOWNND94Afiq+R1lobPs9rOpSVT34NmNzNgxdmmz6+z1GLrrVGUihdYSDc
          1DmdIu90IFtuaSW8+UaCg41awVtVOOYnPaCoDncbuZD0MDaVDsaN0G9Xj81NFZJu
          DG7ljqxg24LC9+iw3LRqaOkWX7SbS0s+PdLTPgnUBfivpOi0rKbB06WsCsigV24B
          lyj11nkuOdYAUa48Q3U1yfxIiecYto0O+VPq/M0ICAzTqUg2Bh4Du98EmS+zBhbM
          vjAcqC2TRBjyVAtsvWJ0O51d0iWUWsOBVwSoMRWq2iPxh4qRBNFQGLUWtrkNSKh/
          ex2LgWbLGZY8XHWUwK2GoHN/uNywqYd/4PgDewDJYWnGB33EaucKkMuBJkoYK2mG
          fGkSHjKUHfUp+FWM8QlgxlavNob7ltvTEV8kp88w9MfSfdy6Z9MQ63Z/DvU1KLhO
          llCkXgpMXn2dPPjcsE/OWVIVk833q0gWzf3touFhQSHMKtcdXl3bBj/vvzAkE0QV
          9vVS3rgOtcGCbAdfdEf+/mpukHkhZGVKMlipnDM/Rd2GZYckP/5UZ/9/CKIS69B5
          hLNKnq/uYWnF2uUesgKloRegdg==
          =L0Kw
          -----END PGP PUBLIC KEY BLOCK-----
          EOF

          cat << EOF | sudo tee /etc/containers/opensuse_container-2023.key
          -----BEGIN PGP PUBLIC KEY BLOCK-----

          mQINBGQ5DP8BEADAlEiR9CAOaEjUlwrSlVmdqeqbMOXSDMq5+u/fIFdP4iAc9r5H
          6hz/f4Yv/2rBByo6JCZC7xCxPBHNiaNd1DK0WdVbpWGB9n4vH9zzT8Dxf45WK7QN
          9l5f+KfSRDnv7e/n32ru2AVlqa9Io7/Ch9IXVeGStjl/6o+Y/7ZinQUnQkGHWK6j
          +sjgIxTYesIBcYSXxpdjdw0XHHyyKQiqtDy8oXALWGPJYRwCsTiEECVYzM+a5+6e
          d/zRxOKpfF2V+Q1K2mG5LQ+rxGrL3VWNcg3jZjPMQbC4QM8cr2b3mrE2eBEhStF0
          iRS5quMLMGzNxocMBJlOz6snSLGvi8Xr3UzMkenufuxotHA/7lcNmo2E2HArR4iP
          zLkZe14vLvsMXgM29PkXNgEh+L0QSFapTRUb7ZewBpN1b7P+G4gcYUymMvwaY9XH
          AI3jhWKzlyq9uIJINdTTTBB1R6e6CQpeiya371AUCNGCZDqhL63gHVvVgZVMQpf8
          NjYuN2m3SOK6SSq1nnMkWE3k2RWc5qHlg38HOoWq4G+SCMSWyC4iff+Ob8rVWuUt
          miExYtLOk/hdNH7lRtUdjwKCSIOlYeAK/e7/9GB/fKlu0ZNFBrwpyGVMgfPmCDbX
          ZiQhkhE8Bti3btL5HBxYmNljz1nMbECgtEQv6Pgs1bxgDaNaGVslYv723wARAQAB
          tERvcGVuU1VTRSBDb250YWluZXIgU2lnbmluZyBLZXkgPGJ1aWxkLWNvbnRhaW5l
          ci0yMDIzMDRAb3BlbnN1c2Uub3JnPokCVAQTAQgAPhYhBPmGHzlqIRNKhVSYBPxr
          ygbWhK/sBQJkOQz/AhsDBQkSzAMABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJ
          EPxrygbWhK/sAwUP/A803yOTrsE5ppcEAp3yGSeXR3HQo0fIqh+QFJO76W7vF/Ar
          eZnxPWL3AOOB+wNccdklZXhQKL4eQ29Ggekp2/RWTyx4BBM//SID+td7KZjZH/KC
          Z6kBBy+IzSBQCCIrdDm83agob/Kcp9RJX5A06dgGyGhMxXYpld3mcCjFETHXIb5U
          JvsSC+06eEsbwNqH0se2T/5zJ8v9xjcMDC+otLmh3+SjyC/7t8YaKxyqobf2f5nl
          GM3ts7UDBQdqxBb0ZRxXsLCdiRrOt6l5imczczi1GA/Dce3KE/V9A2LNifns4eQI
          GLVrZ36litKC1+b5AXblLU5ZmJN24IEQj699GCYiPGaZS64IE1eVD8WX+N6vgI+c
          BqthN/Z4B3iJ9dBviXvK098/bXjzUVjQubvfT827tO2xnbNE5gzUA5bAZjQLVJm/
          b9mZJuKLOJePoqGYvmMVBtLz5xZYH68dncZAf+OQNZ5T7F+M1gfsq8W+FYvm6ILN
          Xyh29fY+29H25A7v8WITT/SzpxYJrNRHck8Ua9M0foj2GLIf6FEROJHEZ4+xvu11
          XaABkqvjdNluflDP0PXP5fcY9QkMvtlW6cQNzMYZnn7MTb7dxow5ysEGcE0rrKrC
          F9zTwOvctMqlu0dndhntKRhdNgm8lKrg1xTJg7EOWQFKeQiWQKdY0Qk9vi3/
          =sRjv
          -----END PGP PUBLIC KEY BLOCK-----
          EOF

          cat << EOF | sudo tee /etc/containers/opensuse_container.key
          -----BEGIN PGP PUBLIC KEY BLOCK-----
          Version: GnuPG v2.0.15 (GNU/Linux)

          mQENBFrjEWoBCADEJttox1LVpcP2YIsLIO5qKmwfMhyjSQ+L4ETztnFRLKFIlin4
          19Tic/llF9ymQr2MxlKlRgdzFZ9ScH1rg52bmWdxy+2TZ8JIsSV4XyfSTZJvM+nX
          YGxEQBJrYlcRfC5he0tBGTEwG+hp6kXH563F+XU4uzGUmh1rBhavDsWjeMo9sjaf
          sqn66JAJnxJrQOcqjNvazYjppEjFzye/Haqu2r5cnD/bPnMvQEZtpN1jznWkIha2
          DdapVZq2b/SmdTMV7zHRqQvhERU2uS4SFLNopyt/cwujj3XTWqCArvQgRTaiHAiL
          4HY3lUpDWH9pmxT+yu5f7FINc+prRmvnQ1YpABEBAAG0PW9wZW5TVVNFIENvbnRh
          aW5lciBTaWduaW5nIEtleSA8YnVpbGQtY29udGFpbmVyQG9wZW5zdXNlLm9yZz6J
          AT4EEwECACgFAlrjEWoCGwMFCRLMAwAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheA
          AAoJENdUaU+atIzpdt0H/A5j9B7feqTRK49TWIsgKTELG+6ac4WL+uvZs4HmUPgO
          Me9fkQvmJtPMGQT3awCSejEHuvq7sMsOOAXJ3loVDNkJWOtkohRyJf6++lvzL24v
          ApbzSLfxa1intscyoJ0g8A2V+NzG428cMAzL5Rnf1ckimDkwOgjFBTDqwq1nPFDQ
          +01wAenDPLduLAS65+urmMEOIhoBB3Opc5fqPKWU+w8qav8YfYUjaQcAfGeswt+6
          m54VXYk8prmCuSfFHq9Yi8T2+VMcIEdHQYOn4nVhzNY9mTzJ4CCGYdLhap4/P8/x
          HuiUuVrARHeCoTiQSc1FwjT1QXaU+yYk1SLFi0LaPgQ=
          =Klfs
          -----END PGP PUBLIC KEY BLOCK-----
          EOF

          policy_json=$(cat /etc/containers/policy.json)
          echo $policy_json | jq '.transports.docker += {"registry.suse.com": [{ "type": "sigstoreSigned", "signedIdentity": {"type": "matchRepository"}, "keyPath": "/etc/containers/suse_container.pem"}]}' | sudo tee /etc/containers/policy.json

          cat << EOF | sudo tee /etc/containers/suse_container.pem
          -----BEGIN PUBLIC KEY-----
          MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxfZssLE2jeY1swPb5WGe
          8C/FWKmIxlGLm9amCNdgheAn8RzuM8slA+TJefAQnrUnC4Qn9ykjQZjH6o2e2ueA
          KFdgOdHnlS2d6lETB8dd4O8HYDJx0CEk2SCbAKVuzLbcbP4ug/QDc+Bm8ldxfc+D
          GnLVRAt85brSTnfgOHY1PbQ1JAV+ByibbjCZuFmw4gIkMzeiy3M4wJZwblFM4a3s
          X2bW/6GWaGz6AMOjCyAPI6shyG5wHZM7OvJJ8lfhXRTZo4Cc5qC0Nyq9Xu3O6DmV
          opIajhHc36kdcetmd7TB5OSbQZCLyReAF75LV74y8960+44NptR62hdw1ovCJMfV
          mU6m+k/MsN8AIyRFR6dNF9wTOKi67OpPtybiRufCfMvD4VEeoINzEJytToq2XGSc
          +hIxtmPOhqDKHH0As113sjTqqo20Ik233x9FFeTFD8Or7ahpqjiv5YCufk9AoQbC
          xMIjrK9RkQYgW4RycgvXGASobwN8EE+OsMcyMUER/pdCtQhTQCc1jYLt85VhfEkC
          4k9szMB8eZrdV9re/Ku6vnCeXRR5yn2NWKO88U4HfxEpJv5s2uFJi37+x/v9w7Uh
          +864W/9NexXg/JFNsvh0Kmxsbi3ZegaouLyrMCHwSA3ByBZ2yCf2VuFPyUCNEZOH
          Owi0oc9TgY1yopjsTneyGaMCAwEAAQ==
          -----END PUBLIC KEY-----
          EOF

      - name: Login to registry.suse.com as CI user
        run: |
          if [ -n "${REGISTRY_LOGIN_PASSWORD}" ]; then
            echo $REGISTRY_LOGIN_PASSWORD | docker login -u $REGISTRY_LOGIN_USERNAME --password-stdin registry.suse.com
            echo $REGISTRY_LOGIN_PASSWORD | podman login -u $REGISTRY_LOGIN_USERNAME --password-stdin registry.suse.com
          fi
        env:
          REGISTRY_LOGIN_USERNAME: ${{ secrets.REGISTRY_LOGIN_USERNAME }}
          REGISTRY_LOGIN_PASSWORD: ${{ secrets.REGISTRY_LOGIN_PASSWORD }}

      - name: Add /etc/host entries
        run: |
          # precache dns entries to avoid timeouts in the runs later
          for host in index.crates.io proxy.golang.org updates.suse.com registry.suse.com registry.opensuse.org download.opensuse.org cdn.opensuse.org packages.microsoft.com; do
            echo -e "$(getent ahostsv4 $host | grep STREAM | cut -d' ' -f1 | head -n 1)\t$host"  | sudo tee -a /etc/hosts
          done

      - name: Run the tests for docker
        run: tox -e ${{ matrix.toxenv }} -- -n 3 --reruns 3 --durations=25 --durations-min=600.0 --pytest-container-log-level=debug
        env:
          CONTAINER_RUNTIME: docker
          OS_VERSION: ${{ matrix.os_version }}
          TARGET: ${{ matrix.testing_target != '' && matrix.testing_target || 'obs' }}
          PULL_ALWAYS: 0

      - name: Run tests as root for podman
        run: sudo --preserve-env=CONTAINER_RUNTIME,OS_VERSION,TARGET,PULL_ALWAYS -H tox -e ${{ matrix.toxenv }} -- -n 3 --reruns 3 --durations=25 --durations-min=600.0 --pytest-container-log-level=debug
        env:
          CONTAINER_RUNTIME: podman
          OS_VERSION: ${{ matrix.os_version }}
          TARGET: ${{ matrix.testing_target != '' && matrix.testing_target || 'obs' }}
          PULL_ALWAYS: 0