@ggbecker ggbecker commented Dec 3, 2025

Description:

  • Atex workflow PR coming from a ComplianceAsCode branch, which should be able to use the secrets accordingly as we are not leaking them.

Related to: #14203

Comment on lines +16 to +74
    name: Build content for CentOS Stream ${{ matrix.centos_stream_major }}
    runs-on: ubuntu-latest
    strategy:
      matrix:
        centos_stream_major: [8, 9, 10]
    container:
      image: fedora:latest

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Install system dependencies
        run: |
          dnf install -y \
            cmake make openscap-utils python3-pyyaml \
            bats ansible python3-pip ShellCheck git \
            gcc gcc-c++ python3-devel libxml2-devel \
            libxslt-devel python3-setuptools gawk

      - name: Install Python dependencies
        run: pip install pcre2==0.4.0 -r requirements.txt -r test-requirements.txt

      - name: Build content
        env:
          CENTOS_STREAM_MAJOR: ${{ matrix.centos_stream_major }}
        run: |
          rm -rf build
          mkdir build
          cd build

          # Build configuration matching Contest and scap-security-guide.spec defaults
          # Includes options required by tests to avoid rebuilds
          cmake ../ \
            -DCMAKE_BUILD_TYPE:STRING=Release \
            -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON \
            -DSSG_PRODUCT_DEFAULT:BOOL=OFF \
            "-DSSG_PRODUCT_RHEL${CENTOS_STREAM_MAJOR}:BOOL=ON" \
            -DSSG_SCE_ENABLED:BOOL=ON \
            -DSSG_BASH_SCRIPTS_ENABLED:BOOL=OFF \
            -DSSG_BUILD_DISA_DELTA_FILES:BOOL=OFF \
            -DSSG_SEPARATE_SCAP_FILES_ENABLED:BOOL=OFF \
            -DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON

          # Build using all available cores
          cores=$(nproc) || cores=4
          make "-j$cores"

          # Clean up temporary metadata
          rm -rf jinja2_cache

      - name: Upload build artifacts
        uses: actions/upload-artifact@v4
        with:
          name: content-centos-stream${{ matrix.centos_stream_major }}
          path: .
          retention-days: ${{ env.ARTIFACT_RETENTION_DAYS }}

  test:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI about 18 hours ago

To fix the issue, we should explicitly set a permissions block at the workflow root level (before jobs:), so all jobs inherit restrictive permissions unless they require more privileges. Since the workflow only needs to read the repository contents and upload/download artifacts (which do not require write access to the repository, but use privileged workflow access), the minimal required permission is usually contents: read. Adding permissions: contents: read to the root of the workflow file (.github/workflows/atex.yaml), above the jobs: block (e.g., on line 13), will correctly limit the permissions of the GITHUB_TOKEN as recommended.

Suggested changeset 1
.github/workflows/atex.yaml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/atex.yaml b/.github/workflows/atex.yaml
--- a/.github/workflows/atex.yaml
+++ b/.github/workflows/atex.yaml
@@ -11,6 +11,9 @@
   ARTIFACT_RETENTION_DAYS: 1
   TEST_TIMEOUT: 1440 # 24 hours
 
+permissions:
+  contents: read
+
 jobs:
   build_content:
     name: Build content for CentOS Stream ${{ matrix.centos_stream_major }}
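Review bot: a root-level `contents: read` is inherited by every job that has no `permissions:` block of its own, and the `upload` job of this workflow calls `peter-evans/create-or-update-comment` without a `token:` input, so that step authenticates with GITHUB_TOKEN and needs `pull-requests: write`; with this hunk applied on its own the comment step is rejected by the API (the usual "Resource not accessible by integration" error). Merge it together with a job-level override on `upload`, e.g. `permissions: {contents: read, pull-requests: write}`, which also clears all three CodeQL alerts in one go. The `git push` to the results repository is unaffected, because that checkout uses `ATEX_RESULTS_TF_REPO_TOKEN` rather than GITHUB_TOKEN.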
EOF
Comment on lines +75 to +133
    name: Test on CentOS Stream ${{ matrix.centos_stream_major }}
    runs-on: ubuntu-latest
    needs: build_content
    strategy:
      matrix:
        centos_stream_major: [8, 9, 10]
    container:
      image: fedora:latest

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Download build artifacts
        uses: actions/download-artifact@v4
        with:
          name: content-centos-stream${{ matrix.centos_stream_major }}
          path: content-centos-stream${{ matrix.centos_stream_major }}/

      - name: Checkout Contest framework
        uses: actions/checkout@v4
        with:
          repository: ${{ env.CONTEST_REPO }}
          ref: main
          path: contest
          fetch-depth: 1

      - name: Install test dependencies
        run: |
          dnf -y install python3-pip git rsync
          pip install fmf git+https://github.com/RHSecurityCompliance/atex.git

      - name: Run tests on Testing Farm
        env:
          TESTING_FARM_API_TOKEN: ${{ secrets.TESTING_FARM_API_TOKEN }}
          CS_MAJOR: ${{ matrix.centos_stream_major }}
        run: |
          python3 tests/run_tests_testingfarm.py \
            --contest-dir contest \
            --content-dir content-centos-stream${CS_MAJOR} \
            --plan "/plans/daily" \
            --tests "/hardening/host-os/oscap/stig" \
            --compose "CentOS-Stream-${CS_MAJOR}" \
            --arch x86_64 \
            --os-major-version "${CS_MAJOR}" \
            --timeout ${{ env.TEST_TIMEOUT }}

      - name: Upload test results
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: test-results-centos-stream${{ matrix.centos_stream_major }}
          path: |
            results-centos-stream-${{ matrix.centos_stream_major }}-x86_64.json.gz
            files-centos-stream-${{ matrix.centos_stream_major }}-x86_64/
            atex_debug.log.gz
          retention-days: ${{ env.ARTIFACT_RETENTION_DAYS }}

  upload:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI about 18 hours ago

The best way to fix the problem is to explicitly set the lowest necessary permissions for the GITHUB_TOKEN in the affected workflow. Since CodeQL highlights the absence of a permissions block, and the "test" job appears only to check out code, download artifacts, and run tests, the minimal required permission is likely contents: read. This block should be added directly under the test job definition (line 75) as a sibling of name, alongside the other job configuration keys. This ensures the "test" job's GITHUB_TOKEN is limited to only read permissions, without impacting other jobs in the workflow unless similarly configured. No new methods, imports, or definitions are needed; just a YAML declarative change as shown.


Suggested changeset 1
.github/workflows/atex.yaml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/atex.yaml b/.github/workflows/atex.yaml
--- a/.github/workflows/atex.yaml
+++ b/.github/workflows/atex.yaml
@@ -73,6 +73,8 @@
 
   test:
     name: Test on CentOS Stream ${{ matrix.centos_stream_major }}
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     needs: build_content
     strategy:
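Review bot: `contents: read` is the correct scope for this job: its steps are two checkouts, an artifact download and a test run that authenticates to Testing Farm with `secrets.TESTING_FARM_API_TOKEN`, and secrets are not governed by `permissions:` at all. Two things to keep in mind: the checkout of `${{ env.CONTEST_REPO }}` passes no `token:`, which is fine only if that repository is public (GITHUB_TOKEN cannot read other private repositories regardless of this block), and a job-level block on `test` alone still leaves `build_content` and `upload` on the repository default, so the other two alerts remain. A single root-level `permissions: contents: read` with a job-level override on `upload` for the PR-comment steps covers all three jobs in one place.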
EOF
Comment on lines +134 to +308
    name: Upload and publish test results
    runs-on: ubuntu-latest
    needs: test
    if: always() # Run even if tests fail
    container:
      image: fedora:latest

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Install dependencies
        if: always()
        run: |
          dnf -y install python3-pip git rsync
          pip install fmf git+https://github.com/RHSecurityCompliance/atex.git

      - name: Checkout ATEX results repository
        if: always()
        uses: actions/checkout@v4
        with:
          repository: ${{ env.ATEX_REPO }}
          ref: main
          path: atex-results-testing-farm
          token: ${{ secrets.ATEX_RESULTS_TF_REPO_TOKEN }}

      - name: Initialize FMF metadata
        if: always()
        working-directory: atex-results-testing-farm
        run: fmf init

      - name: Create TMT dummy plan for artifact transport
        if: always()
        working-directory: atex-results-testing-farm
        run: |
          cat > main.fmf <<'EOF'
          /dummy_plan:
            discover:
              how: shell
              tests:
                - name: /dummy_test
                  test: mv * "$TMT_TEST_DATA/."
            execute:
              how: tmt
          EOF

      # Download test results for all CentOS Stream versions
      - name: Download test results - CentOS Stream 8
        if: always()
        uses: actions/download-artifact@v4
        with:
          name: test-results-centos-stream8
          path: test-results/cs8/
        continue-on-error: true

      - name: Download test results - CentOS Stream 9
        if: always()
        uses: actions/download-artifact@v4
        with:
          name: test-results-centos-stream9
          path: test-results/cs9/
        continue-on-error: true

      - name: Download test results - CentOS Stream 10
        if: always()
        uses: actions/download-artifact@v4
        with:
          name: test-results-centos-stream10
          path: test-results/cs10/
        continue-on-error: true

      - name: Checkout ATEX HTML viewer
        if: always()
        uses: actions/checkout@v4
        with:
          repository: ${{ env.ATEX_HTML_REPO }}
          ref: main
          path: atex-html

      - name: Update HTML title with PR number
        if: always()
        run: |
          sed "/<title>/s/>.*</>Test outputs from PR #${{ github.event.pull_request.number }} HTML</" \
            -i atex-html/index.html

      - name: Merge test results from all versions
        if: always()
        run: |
          mkdir -p atex-results-testing-farm/files_dir/

          # Process and merge results for all CentOS Stream versions
          for version in 8 9 10; do
            results_file="test-results/cs${version}/results-centos-stream-${version}-x86_64.json.gz"
            files_dir="test-results/cs${version}/files-centos-stream-${version}-x86_64"

            if [ -f "${results_file}" ]; then
              cat "${results_file}"
              rm -f "${results_file}"
              [ -d "${files_dir}" ] && cp -r "${files_dir}"/* atex-results-testing-farm/files_dir/
            fi
          done > results.json.gz

      - name: Convert results to SQLite database
        if: always()
        run: |
          python atex-html/json2db.py results.json.gz atex-results-testing-farm/results.sqlite.gz

      - name: Prepare HTML results viewer
        if: always()
        run: |
          cp -rf atex-html/index.html atex-html/sqljs/ atex-results-testing-farm/

      - name: Commit and tag results in ATEX repository
        if: always()
        working-directory: atex-results-testing-farm
        env:
          GH_TOKEN: ${{ secrets.ATEX_RESULTS_TF_REPO_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          git config user.name "openscap-ci[bot]"
          git config user.email "[email protected]"

          git add .
          git commit -m "Test outputs from PR #${PR_NUMBER}"
          git tag PR${PR_NUMBER}
          git push origin PR${PR_NUMBER}

      - name: Submit results to Testing Farm
        if: always()
        id: testing_farm_request
        env:
          TESTING_FARM_API_TOKEN: ${{ secrets.TESTING_FARM_API_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          python3 tests/submit_results_to_testing_farm.py \
            --repo-url "https://github.com/${{ env.ATEX_REPO }}" \
            --pr-number "${PR_NUMBER}" 2>&1 | tee tf_output.log

          # Extract HTML link from output
          html_link=$(grep -oP 'HTML: \K.*' tf_output.log || echo 'No HTML link found')
          echo "HTML_LINK=${html_link}" >> "$GITHUB_OUTPUT"

      - name: Find existing PR comment
        if: always()
        uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3
        id: fc
        with:
          issue-number: ${{ github.event.pull_request.number }}
          comment-author: 'github-actions[bot]'
          body-includes: Testing Farm Results

      - name: Create or update PR comment with results
        if: always()
        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v4
        with:
          comment-id: ${{ steps.fc.outputs.comment-id }}
          issue-number: ${{ github.event.pull_request.number }}
          body: |
            ### Testing Farm Results

            Test artifacts have been submitted to Testing Farm.

            **Results:** [View Test Results](${{ steps.testing_farm_request.outputs.HTML_LINK }})

            _This comment was automatically generated by the ATEX workflow._
          edit-mode: replace

      - name: Cleanup temporary tag
        if: always()
        working-directory: atex-results-testing-farm
        env:
          GH_TOKEN: ${{ secrets.ATEX_RESULTS_TF_REPO_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          git push --delete origin PR${PR_NUMBER}

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI about 18 hours ago

To fix this issue, we should add a permissions block to the upload job to restrict the GITHUB_TOKEN permissions to the minimum required. As a starting point, the minimal necessary is usually contents: read, but this job also posts or updates pull request comments (steps use peter-evans/create-or-update-comment), which requires the pull-requests: write and possibly issues: write permissions (to handle comments on PRs). Thus, the recommended permissions block is:

permissions:
  contents: read
  pull-requests: write
  issues: write

We should insert this block directly under the name: field of the upload job (after line 134, before runs-on). No other files or imports are impacted.

Suggested changeset 1
.github/workflows/atex.yaml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/atex.yaml b/.github/workflows/atex.yaml
--- a/.github/workflows/atex.yaml
+++ b/.github/workflows/atex.yaml
@@ -132,6 +132,10 @@
 
   upload:
     name: Upload and publish test results
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
     runs-on: ubuntu-latest
     needs: test
     if: always() # Run even if tests fail
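Review bot: `issues: write` looks unnecessary in this block; both `peter-evans/find-comment` and `peter-evans/create-or-update-comment` are only ever given `${{ github.event.pull_request.number }}`, and comments on a pull request are authorised by `pull-requests: write` (`issues: write` is the scope for comments on plain issues). Start with `contents: read` plus `pull-requests: write` and add `issues: write` only if the comment step is actually rejected. `contents: read` is enough for the rest of the job, since the steps that push and later delete the `PR<n>` tag authenticate with `ATEX_RESULTS_TF_REPO_TOKEN` and need nothing from GITHUB_TOKEN.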
EOF
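All three CodeQL alerts above are about the same property: which GITHUB_TOKEN scopes each job ends up with once GitHub's inheritance rules (a job-level `permissions:` replaces the workflow-level one; any block sets every unlisted scope to `none`; no block at all means the repository default) are applied. The audit below, added here as an example and not code from the ComplianceAsCode project, CodeQL or Copilot Autofix, computes those effective scopes per job and reports both the missing-block finding and the regression the first autofix would introduce, namely that a root-level `contents: read` leaves the `upload` job's comment step without `pull-requests: write`. The embedded workflow is a constructed skeleton of the three jobs shown in the review comments, in the shape `yaml.safe_load` would return; the `uses:` strings are taken from the page, everything else about it is an assumption.

```python
"""Audit the effective GITHUB_TOKEN scopes of every job in a GitHub Actions workflow.

Example added for this page; not code from the ComplianceAsCode project, CodeQL or
Copilot Autofix.  WORKFLOW is a constructed skeleton of the jobs visible in the review
comments, not the real .github/workflows/atex.yaml.
"""
import copy

# Permission scopes accepted in a `permissions:` block (subset; enough for this workflow).
SCOPES = (
    "actions", "checks", "contents", "deployments", "id-token", "issues",
    "packages", "pages", "pull-requests", "repository-projects",
    "security-events", "statuses",
)

# Marker for "no permissions block anywhere": the repository setting decides whether
# GITHUB_TOKEN is permissive or restricted, which is exactly what CodeQL flags.
DEFAULT = "repository-default"


def normalise(block):
    """Expand one `permissions:` value into a complete {scope: level} map.

    GitHub semantics: `read-all` / `write-all` set every scope; a mapping sets the
    listed scopes and every scope that is NOT listed becomes `none`, so a bare
    `{contents: read}` silently removes pull-request access.
    """
    if block == "read-all":
        return {s: "read" for s in SCOPES}
    if block == "write-all":
        return {s: "write" for s in SCOPES}
    if isinstance(block, dict):
        unknown = set(block) - set(SCOPES)
        if unknown:
            raise ValueError(f"unknown permission scope(s): {sorted(unknown)}")
        return {s: block.get(s, "none") for s in SCOPES}
    raise ValueError(f"unsupported permissions value: {block!r}")


def effective_permissions(workflow):
    """Return {job_id: {scope: level}}, or {job_id: DEFAULT} when no block applies.

    A job-level `permissions:` replaces the workflow-level one outright; they never merge.
    """
    top = workflow.get("permissions")
    result = {}
    for job_id, job in workflow["jobs"].items():
        block = job.get("permissions", top)
        result[job_id] = DEFAULT if block is None else normalise(block)
    return result


def audit(workflow):
    """Findings a reviewer wants for the alerts on this page:
    * a job with no effective permissions block (the CodeQL alert itself), and
    * a job that comments on the PR through GITHUB_TOKEN whose effective scopes lack
      `pull-requests: write` (what a blanket root-level `contents: read` breaks).
    """
    findings = []
    perms = effective_permissions(workflow)
    for job_id, job in workflow["jobs"].items():
        eff = perms[job_id]
        if eff == DEFAULT:
            findings.append(f"{job_id}: no permissions block, GITHUB_TOKEN uses the repository default")
            continue
        for step in job.get("steps", []):
            uses = step.get("uses", "")
            # The comment action authenticates with GITHUB_TOKEN unless `token:` is supplied.
            comments_on_pr = uses.startswith("peter-evans/create-or-update-comment")
            if comments_on_pr and "token" not in step.get("with", {}) and eff["pull-requests"] != "write":
                findings.append(f"{job_id}: {uses.split('@')[0]} needs pull-requests: write, "
                                f"effective level is {eff['pull-requests']}")
    return findings


# Constructed skeleton: the jobs and the GITHUB_TOKEN-relevant steps shown on this page.
WORKFLOW = {
    "name": "atex",
    "jobs": {
        "build_content": {
            "steps": [{"uses": "actions/checkout@v4"}, {"uses": "actions/upload-artifact@v4"}],
        },
        "test": {
            "needs": "build_content",
            "steps": [{"uses": "actions/checkout@v4"}, {"uses": "actions/download-artifact@v4"}],
        },
        "upload": {
            "needs": "test",
            "steps": [
                # Pushes with a separate PAT, so GITHUB_TOKEN needs no write scope for it.
                {"uses": "actions/checkout@v4",
                 "with": {"repository": "${{ env.ATEX_REPO }}",
                          "token": "${{ secrets.ATEX_RESULTS_TF_REPO_TOKEN }}"}},
                {"uses": "peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e",
                 "with": {"issue-number": "${{ github.event.pull_request.number }}"}},
                {"uses": "peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9",
                 "with": {"issue-number": "${{ github.event.pull_request.number }}",
                          "body": "### Testing Farm Results"}},
            ],
        },
    },
}


def apply_root_read_only(workflow):
    """Autofix suggestion 1: `permissions: {contents: read}` at the workflow root."""
    fixed = copy.deepcopy(workflow)
    fixed["permissions"] = {"contents": "read"}
    return fixed


def apply_least_privilege(workflow):
    """Root read-only plus a job-level override on `upload` granting only what the
    comment steps need (suggestion 3 without `issues: write`, which this example
    treats as not required for comments on a pull request)."""
    fixed = apply_root_read_only(workflow)
    fixed["jobs"]["upload"]["permissions"] = {"contents": "read", "pull-requests": "write"}
    return fixed


if __name__ == "__main__":
    for label, wf in (("as submitted", WORKFLOW),
                      ("root contents: read only", apply_root_read_only(WORKFLOW)),
                      ("root read + upload override", apply_least_privilege(WORKFLOW))):
        print(f"[{label}]")
        for finding in audit(wf) or ["no findings"]:
            print("  " + finding)
```

Run as a script it prints three findings for the workflow as submitted, one finding (the `upload` comment step) once only the root-level block is added, and none with the override in place; `effective_permissions` is the part worth keeping, because it makes the "unlisted scopes become none" rule visible before a workflow is merged rather than when a step fails with "Resource not accessible by integration".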
@openshift-ci

openshift-ci bot commented Dec 3, 2025

@ggbecker: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                                  Commit   Details  Required  Rerun command
ci/prow/e2e-aws-openshift-node-compliance  301dab3  link     true      /test e2e-aws-openshift-node-compliance

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@Mab879 Mab879 self-assigned this Dec 3, 2025
@github-actions

github-actions bot commented Dec 3, 2025

Testing Farm Results

Test artifacts have been submitted to Testing Farm.

Results: View Test Results

This comment was automatically generated by the ATEX workflow.
