trigger_workflow #155
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Clair in CI DB - test | |
# This workflow tests latest database version of clair-in-ci and | |
# pushes it to app-studio registry in case all tests passed | |
on: | |
repository_dispatch: | |
types: trigger_workflow | |
env: | |
REGISTRY: quay.io/redhat-appstudio | |
IMAGE_NAME: clair-in-ci | |
LATEST_TAG: latest | |
MAJOR_VERSION_TAG: v1 | |
TO_TEST: ${{ github.event.client_payload.image_tag }} # required, fail if not specified | |
PR_EVENT: ${{ github.event.client_payload.pr_event }} # required, fail if not specified | |
jobs: | |
test-and-push: | |
name: Test and push image | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Check required parameters | |
run: | | |
if [ -z "${{ env.TO_TEST }}" ] || [ -z "${{ env.PR_EVENT }}" ]; then | |
echo "Recieved: image-tag: ${{ env.TO_TEST }}, event: ${{ env.PR_EVENT }}. Did not recieve required parameters, cancelling the workflow." | |
exit 1 | |
fi | |
- name: Log into registry ${{ env.REGISTRY }} | |
uses: redhat-actions/podman-login@v1 | |
if: ${{ github.event.client_payload.pr_event != 'pull_request' }} # don't login from PR; secrets are not passed to PRs from fork | |
with: | |
registry: ${{ env.REGISTRY }} | |
username: ${{ secrets.HACBS_TEST_QUAY_USER }} | |
password: ${{ secrets.HACBS_TEST_QUAY_TOKEN }} | |
- name: Get Clair version | |
run: | | |
podman run --rm -t ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TO_TEST }} clair-action --version | |
- name: Check Clair output format | |
run: | | |
# test real life usage of clair | |
mkdir results | |
podman run --rm -v $(pwd)/results:/results:rw -t ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TO_TEST }} bash -c 'clair-action report --image-ref=registry.access.redhat.com/ubi9-minimal --db-path=/tmp/matcher.db --format=quay > /results/clairdata.json' | |
# check if required metadata and path to values are the same as expected | |
jq -e '.data[].Features[0] | select(has("Name") and has("Vulnerabilities")) or error("Required keys do not exist")' results/clairdata.json | |
- name: Retag-and-push-to-${{ env.REGISTRY }} | |
if: ${{ github.event.client_payload.pr_event != 'pull_request' }} # don't push image from PR | |
id: push-image | |
run: | | |
skopeo copy --all docker://${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TO_TEST }} docker://${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.LATEST_TAG }} | |
skopeo copy --all docker://${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TO_TEST }} docker://${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.MAJOR_VERSION_TAG }} |