changes so far

Signed-off-by: ashnamehrotra <[email protected]>
project-copacetic · Feb 14, 2024 · 74dbb7d · 74dbb7d
1 parent eae67bb
commit 74dbb7d
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 56 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -9,6 +9,9 @@ jobs:
   build:
     name: build
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        test-type: ["custom-socket"]
     steps:
       - name: Setup BATS
         uses: mig4/setup-bats@af9a00deb21b5d795cabfeaa8d9060410377686d # v1.2.0
@@ -18,34 +21,15 @@ jobs:
       - name: Check out code
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
-      - name: Set up Docker
-        uses: crazy-max/ghaction-setup-docker@v3
-        with:
-          daemon-config: |
-              {
-              "debug": true,
-              "experimental": true,
-                  "features": {
-                  "containerd-snapshotter": true
-                  }
-              }
-
-      - name: Get socket path
-        run: |
-            url=$(docker context inspect | jq -r .[0].Endpoints.docker.Host)
-            socket_path=$(echo "$url" | awk -F// '{print $2}')
-            echo "$socket_path"
-            echo "SOCKET=$socket_path" >> $GITHUB_ENV
-
       - name: Install Trivy
         run: |
-            curl -fsSL -o trivy.tar.gz https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
-            tar -zxvf trivy.tar.gz
-            cp trivy /usr/local/bin/
+          curl -fsSL -o trivy.tar.gz https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
+          tar -zxvf trivy.tar.gz
+          cp trivy /usr/local/bin/
 
-      - name: Generate trivy vuln report for nginx image
+      - name: Generate trivy vuln report for opa image
         run: |
-          trivy image --vuln-type os --ignore-unfixed -f json -o /tmp/nginx.1.21.6.json docker.io/library/nginx:1.21.6
+          trivy image --vuln-type os --ignore-unfixed -f json -o /tmp/opa.0.46.0.json docker.io/openpolicyagent/opa:0.46.0
 
       - name: Get latest copa version
         run: |
@@ -56,41 +40,46 @@ jobs:
 
       - name: Install Copa
         run: |
-            curl --retry 5 -fsSL -o copa.tar.gz https://github.com/project-copacetic/copacetic/releases/download/v${COPA_VERSION}/copa_${COPA_VERSION}_linux_amd64.tar.gz
-            tar -zxvf copa.tar.gz
-            cp copa /usr/local/bin/
+          curl --retry 5 -fsSL -o copa.tar.gz https://github.com/project-copacetic/copacetic/releases/download/v${COPA_VERSION}/copa_${COPA_VERSION}_linux_amd64.tar.gz
+          tar -zxvf copa.tar.gz
+          cp copa /usr/local/bin/
 
-      - name: Build Copa Action Image
-        run: |
-          docker build --build-arg copa_version=${COPA_VERSION} -t copa-action .
+      - name: Run Buildkit container
+        if: matrix.test-type == 'buildkit-container'
+        run : |
+          docker run --net=host --detach --rm --privileged -p 127.0.0.1:8888:8888 --name buildkitd --entrypoint buildkitd moby/buildkit:v${{ env.BUILDKIT_VERSION }} --addr tcp://0.0.0.0:8888
 
-      - name: Bats Test - Buildx
-        run: |
-          docker run --net=host \
-            --mount=type=bind,source=/tmp,target=/data \
-            --mount=type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \
-            --mount=type=bind,source=$GITHUB_OUTPUT,target=$GITHUB_OUTPUT -e GITHUB_OUTPUT \
-            --name=copa-action-buildx \
-            copa-action 'docker.io/library/nginx:1.21.6' 'nginx.1.21.6.json' '1.21.6-patched' '10m' 'buildx' 'openvex' 'output.json' 
-          bats --print-output-on-failure ./test/test.bats
+      - name: Set up Docker
+        if: matrix.test-type == 'custom-socket'
+        uses: crazy-max/ghaction-setup-docker@v3
+        with:
+          daemon-config: |
+            {
+            "debug": true,
+            "experimental": true,
+                "features": {
+                "containerd-snapshotter": true
+                }
+            }
 
-      - name: Bats Test - Buildkit Container
+      - name: Bats Test
         run: |
-          docker run --net=host --detach --rm --privileged -p 127.0.0.1:8888:8888 --name buildkitd --entrypoint buildkitd moby/buildkit:v${{ env.BUILDKIT_VERSION }} --addr tcp://0.0.0.0:8888
-          docker run --net=host \
-            --mount=type=bind,source=/tmp,target=/data \
-            --mount=type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \
-            --mount=type=bind,source=$GITHUB_OUTPUT,target=$GITHUB_OUTPUT -e GITHUB_OUTPUT \
-            --name=copa-action-buildkit \
-            copa-action 'docker.io/library/nginx:1.21.6' 'nginx.1.21.6.json' '1.21.6-patched' '10m' 'buildkit-container' 'openvex' 'output.json' 
-          bats --print-output-on-failure ./test/test.bats
+          set -ex
+          export SOCKET="/var/run/docker.sock"
 
-      - name: Bats Test - Custom Socket
-        run: |
+          if [ "${{ matrix.test-type }}" = "custom-socket" ]; then
+            url=$(docker context inspect | jq -r .[0].Endpoints.docker.Host)
+            SOCKET=$(echo "$url" | awk -F// '{print $2}')
+          fi
+
+          docker build --build-arg copa_version=${COPA_VERSION} -t copa-action .
           docker run --net=host \
             --mount=type=bind,source=/tmp,target=/data \
             --mount=type=bind,source="$SOCKET",target=/var/run/docker.sock \
             --mount=type=bind,source=$GITHUB_OUTPUT,target=$GITHUB_OUTPUT -e GITHUB_OUTPUT \
-            --name=copa-action-custom-socket \
-            copa-action 'docker.io/library/nginx:1.21.6' 'nginx.1.21.6.json' '1.21.6-patched' '10m' 'custom-socket' 'openvex' 'output.json' 
+            --name=copa-action \
+            copa-action 'docker.io/openpolicyagent/opa:0.46.0' 'opa.0.46.0.json' '0.46.0-patched' '10m' "${{ matrix.test-type }}" 'openvex' 'output.json'
+          
+          docker images
+
           bats --print-output-on-failure ./test/test.bats
diff --git a/test/test.bats b/test/test.bats
@@ -4,7 +4,8 @@ load helpers
 
 @test "Check patched image exists" {
     docker images
-    id=$(docker images --quiet 'nginx:1.21.6-patched')
+    id=$(docker images --quiet 'openpolicyagent/opa:0.46.0-patched')
+    docker pull openpolicyagent/opa:0.46.0-patched
     assert_not_equal "$id" ""
 }
 
@@ -14,8 +15,9 @@ load helpers
 }
 
 @test "Run trivy on patched image" {
-    run trivy image --exit-code 1 --vuln-type os --ignore-unfixed -f json -o nginx.1.21.6-patched.json 'docker.io/library/nginx:1.21.6-patched'
+    docker context use "setup-docker-action"
+    run trivy image --exit-code 1 --vuln-type os --ignore-unfixed -f json -o opa.0.46.0-patched.json 'docker.io/openpolicyagent/opa:0.46.0-patched'
     [ "$status" -eq 0 ]
-    vulns=$(jq 'if .Results then [.Results[] | select(.Class=="os-pkgs" and .Vulnerabilities!=null) | .Vulnerabilities[]] | length else 0 end' nginx.1.21.6-patched.json)
+    vulns=$(jq 'if .Results then [.Results[] | select(.Class=="os-pkgs" and .Vulnerabilities!=null) | .Vulnerabilities[]] | length else 0 end' opa.0.46.0-patched.json)
     assert_equal "$vulns" "0"
-}
+}