security requirements of the container-native operators #1368
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: QE Testing (Ubuntu-hosted) | |
on: | |
pull_request: | |
branches: [ main ] | |
workflow_dispatch: | |
# Schedule a daily cron at midnight UTC | |
schedule: | |
- cron: '0 0 * * *' | |
permissions: | |
contents: read | |
env: | |
QE_REPO: test-network-function/cnfcert-tests-verification | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
jobs: | |
# Build the image used for testing first, then pass the reference to the QE tests. | |
# This saves time and resources by not building the image in each QE suite. | |
build-image-for-qe: | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Check out code | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
ref: ${{ github.sha }} | |
- name: Setup docker buildx | |
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 | |
- name: Build temporary image tag for this PR | |
uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0 | |
with: | |
context: . | |
file: ./Dockerfile | |
tags: quay.io/testnetworkfunction/cnf-certification-test:localtest | |
outputs: type=docker,dest=/tmp/testimage.tar | |
- name: Store image as artifact | |
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 | |
with: | |
name: testimage | |
path: /tmp/testimage.tar | |
qe-testing: | |
runs-on: ubuntu-22.04 | |
needs: build-image-for-qe | |
if: needs.build-image-for-qe.result == 'success' | |
strategy: | |
fail-fast: false | |
matrix: | |
suite: [accesscontrol, affiliatedcertification, manageability, networking, lifecycle, performance, platformalteration, observability, operator] | |
env: | |
SHELL: /bin/bash | |
KUBECONFIG: '/home/runner/.kube/config' | |
PFLT_DOCKERCONFIG: '/home/runner/.docker/config' | |
TEST_TNF_IMAGE_NAME: quay.io/testnetworkfunction/cnf-certification-test | |
TEST_TNF_IMAGE_TAG: localtest | |
DOCKER_CONFIG_DIR: '/home/runner/.docker/' | |
SKIP_PRELOAD_IMAGES: true | |
steps: | |
- name: Check out code | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
ref: ${{ github.sha }} | |
- name: Run initial setup | |
uses: ./.github/actions/setup | |
# Download the image from the artifact and load it into the docker daemon. | |
- name: Setup docker buildx | |
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 | |
- name: Setup partner cluster | |
uses: ./.github/actions/setup-partner-cluster | |
with: | |
make-command: 'install-for-qe' | |
- name: Download image from artifact | |
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 | |
with: | |
name: testimage | |
path: /tmp | |
- name: Load image into docker | |
run: docker load --input /tmp/testimage.tar | |
- name: Wait for all pods to be ready | |
run: ./scripts/wait-for-all-pods-running.sh | |
working-directory: cnf-certification-test-partner | |
timeout-minutes: 10 | |
- name: Clone the QE repository | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
repository: ${{ env.QE_REPO }} | |
path: cnfcert-tests-verification | |
ref: main | |
- name: Extract dependent Pull Requests | |
uses: depends-on/depends-on-action@9e8a61fce18b15281e831f1bba0e14c71d1e1f46 # main | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Run the tests (against image) | |
uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0 | |
with: | |
timeout_minutes: 60 | |
max_attempts: 3 | |
command: cd ${GITHUB_WORKSPACE}/cnfcert-tests-verification; FEATURES=${{matrix.suite}} TNF_REPO_PATH=${GITHUB_WORKSPACE} TNF_IMAGE=${{env.TEST_TNF_IMAGE_NAME}} TNF_IMAGE_TAG=${{env.TEST_TNF_IMAGE_TAG}} JOB_ID=${{github.run_id}} DISABLE_INTRUSIVE_TESTS=true ENABLE_PARALLEL=true ENABLE_FLAKY_RETRY=true make test-features | |
# Only run against the binary during a scheduled run | |
- name: Build the binary | |
if: github.event_name == 'schedule' | |
run: make build-certsuite-tool | |
- name: Run the tests (against binary) | |
if: github.event_name == 'schedule' | |
uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0 | |
with: | |
timeout_minutes: 60 | |
max_attempts: 3 | |
command: cd ${GITHUB_WORKSPACE}/cnfcert-tests-verification; FEATURES=${{matrix.suite}} TNF_REPO_PATH=${GITHUB_WORKSPACE} USE_BINARY=true JOB_ID=${{github.run_id}} DISABLE_INTRUSIVE_TESTS=true ENABLE_PARALLEL=true ENABLE_FLAKY_RETRY=true make test-features | |
- name: (if on main and upstream) Send chat msg to dev team if failed to run QE tests | |
if: ${{ failure() && github.ref == 'refs/heads/main' && github.repository_owner == 'test-network-function' }} | |
env: | |
COMMIT_SHA: ${{ github.sha }} | |
JOB_RUN_ID: ${{ github.run_id }} | |
JOB_RUN_ATTEMPT: ${{ github.run_attempt }} | |
GITHUB_REPO: https://github.com/test-network-function/cnf-certification-test | |
run: | | |
curl -X POST --data "{ | |
\"text\": \"🚨⚠️ Failed to run Github hosted QE tests from commit \<$GITHUB_REPO/commit/$COMMIT_SHA|$COMMIT_SHA\>, job ID \<$GITHUB_REPO/actions/runs/$JOB_RUN_ID/attempts/$JOB_RUN_ATTEMPT|$JOB_RUN_ID\> \" | |
}" -H 'Content-type: application/json; charset=UTF-8' '${{ secrets.QE_NIGHTLY_WEBHOOK }}' |