308 changes: 308 additions & 0 deletions .github/workflows/atex.yaml
@@ -0,0 +1,308 @@
name: ATEX Testing Farm Integration

on:
pull_request:
types: [opened, synchronize, reopened]

env:
ATEX_REPO: RHSecurityCompliance/atex-results-testing-farm
ATEX_HTML_REPO: RHSecurityCompliance/atex-html
CONTEST_REPO: RHSecurityCompliance/contest
ARTIFACT_RETENTION_DAYS: 1
TEST_TIMEOUT: 1440 # 24 hours

jobs:
build_content:
name: Build content for CentOS Stream ${{ matrix.centos_stream_major }}
runs-on: ubuntu-latest
strategy:
matrix:
centos_stream_major: [8, 9, 10]
container:
image: fedora:latest

steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Install system dependencies
run: |
dnf install -y \
cmake make openscap-utils python3-pyyaml \
bats ansible python3-pip ShellCheck git \
gcc gcc-c++ python3-devel libxml2-devel \
libxslt-devel python3-setuptools gawk

- name: Install Python dependencies
run: pip install pcre2==0.4.0 -r requirements.txt -r test-requirements.txt

- name: Build content
env:
CENTOS_STREAM_MAJOR: ${{ matrix.centos_stream_major }}
run: |
rm -rf build
mkdir build
cd build

# Build configuration matching Contest and scap-security-guide.spec defaults
# Includes options required by tests to avoid rebuilds
cmake ../ \
-DCMAKE_BUILD_TYPE:STRING=Release \
-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON \
-DSSG_PRODUCT_DEFAULT:BOOL=OFF \
"-DSSG_PRODUCT_RHEL${CENTOS_STREAM_MAJOR}:BOOL=ON" \
-DSSG_SCE_ENABLED:BOOL=ON \
-DSSG_BASH_SCRIPTS_ENABLED:BOOL=OFF \
-DSSG_BUILD_DISA_DELTA_FILES:BOOL=OFF \
-DSSG_SEPARATE_SCAP_FILES_ENABLED:BOOL=OFF \
-DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON

# Build using all available cores
cores=$(nproc) || cores=4
make "-j$cores"

# Clean up temporary metadata
rm -rf jinja2_cache

- name: Upload build artifacts
uses: actions/upload-artifact@v4
with:
name: content-centos-stream${{ matrix.centos_stream_major }}
path: .
retention-days: ${{ env.ARTIFACT_RETENTION_DAYS }}

test:
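Review bot: the workflow declares no `permissions:` block at the root (the CodeQL alert on these lines), so every job runs with the default `GITHUB_TOKEN` scope; add `permissions: contents: read` at the top level and grant `pull-requests: write` only on the `upload` job, which is the only one that comments on the PR. Two supply-chain points in the same region: `actions/checkout@v4` and `actions/upload-artifact@v4` are pinned to a mutable tag while the `peter-evans/*` actions later in the file are pinned to a commit SHA, so pin all actions the same way; and `Upload build artifacts` uses `path: .`, which uploads the whole checkout rather than only `build/`, so narrow the path if the `test` job needs just the build outputs, or document why the full tree is needed.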
Comment on lines +16 to +74

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI about 22 hours ago

To fix the issue, we should explicitly set a permissions block at the workflow root level (before jobs:), so all jobs inherit restrictive permissions unless they require more privileges. Since the workflow only needs to read the repository contents and upload/download artifacts (which do not require write access to the repository, but use privileged workflow access), the minimal required permission is usually contents: read. Adding permissions: contents: read to the root of the workflow file (.github/workflows/atex.yaml), above the jobs: block (e.g., on line 13), will correctly limit the permissions of the GITHUB_TOKEN as recommended.

Suggested changeset 1
.github/workflows/atex.yaml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/atex.yaml b/.github/workflows/atex.yaml
--- a/.github/workflows/atex.yaml
+++ b/.github/workflows/atex.yaml
@@ -11,6 +11,9 @@
   ARTIFACT_RETENTION_DAYS: 1
   TEST_TIMEOUT: 1440 # 24 hours
 
+permissions:
+  contents: read
+
 jobs:
   build_content:
     name: Build content for CentOS Stream ${{ matrix.centos_stream_major }}
EOF
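Review bot: a root-level `permissions: contents: read` is the right default, but once it is applied the `upload` job's `peter-evans/find-comment` and `peter-evans/create-or-update-comment` steps will be denied unless that job overrides it with `pull-requests: write`; apply this hunk together with a job-level block on `upload`, not on its own.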
name: Test on CentOS Stream ${{ matrix.centos_stream_major }}
runs-on: ubuntu-latest
needs: build_content
strategy:
matrix:
centos_stream_major: [8, 9, 10]
container:
image: fedora:latest

steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Download build artifacts
uses: actions/download-artifact@v4
with:
name: content-centos-stream${{ matrix.centos_stream_major }}
path: content-centos-stream${{ matrix.centos_stream_major }}/

- name: Checkout Contest framework
uses: actions/checkout@v4
with:
repository: ${{ env.CONTEST_REPO }}
ref: main
path: contest
fetch-depth: 1

- name: Install test dependencies
run: |
dnf -y install python3-pip git rsync
pip install fmf git+https://github.com/RHSecurityCompliance/atex.git

- name: Run tests on Testing Farm
env:
TESTING_FARM_API_TOKEN: ${{ secrets.TESTING_FARM_API_TOKEN }}
CS_MAJOR: ${{ matrix.centos_stream_major }}
run: |
python3 tests/run_tests_testingfarm.py \
--contest-dir contest \
--content-dir content-centos-stream${CS_MAJOR} \
--plan "/plans/daily" \
--tests "/hardening/host-os/oscap/stig" \
--compose "CentOS-Stream-${CS_MAJOR}" \
--arch x86_64 \
--os-major-version "${CS_MAJOR}" \
--timeout ${{ env.TEST_TIMEOUT }}

- name: Upload test results
if: always()
uses: actions/upload-artifact@v4
with:
name: test-results-centos-stream${{ matrix.centos_stream_major }}
path: |
results-centos-stream-${{ matrix.centos_stream_major }}-x86_64.json.gz
files-centos-stream-${{ matrix.centos_stream_major }}-x86_64/
atex_debug.log.gz
retention-days: ${{ env.ARTIFACT_RETENTION_DAYS }}

upload:
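Review bot: `Run tests on Testing Farm` reads `secrets.TESTING_FARM_API_TOKEN`, but the workflow triggers on `pull_request`, where secrets are not exposed to runs from forked repositories, so the step will run with an empty token and fail for external contributors; either gate the job with `if: github.event.pull_request.head.repo.full_name == github.repository` or document that the integration covers same-repo PRs only. `pip install fmf git+https://github.com/RHSecurityCompliance/atex.git` installs whatever is on that repository's default branch at run time and `Checkout Contest framework` uses `ref: main`, so the test environment is not reproducible; pin both to a tag or commit. `--timeout ${{ env.TEST_TIMEOUT }}` can be written `--timeout "$TEST_TIMEOUT"`, since workflow `env:` values are already exported to the shell, keeping expressions out of `run:` blocks. Finally, `tests/run_tests_testingfarm.py` is invoked here but is not part of this change; confirm it already exists in the repository.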
Comment on lines +75 to +133

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI about 22 hours ago

The best way to fix the problem is to explicitly set the lowest necessary permissions for the GITHUB_TOKEN in the affected workflow. Since CodeQL highlights the absence of a permissions block, and the "test" job appears only to check out code, download artifacts, and run tests, the minimal required permission is likely contents: read. This block should be added directly under the test job definition (line 75) as a sibling of name, alongside the other job configuration keys. This ensures the "test" job's GITHUB_TOKEN is limited to only read permissions, without impacting other jobs in the workflow unless similarly configured. No new methods, imports, or definitions are needed; just a YAML declarative change as shown.


Suggested changeset 1
.github/workflows/atex.yaml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/atex.yaml b/.github/workflows/atex.yaml
--- a/.github/workflows/atex.yaml
+++ b/.github/workflows/atex.yaml
@@ -73,6 +73,8 @@
 
   test:
     name: Test on CentOS Stream ${{ matrix.centos_stream_major }}
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     needs: build_content
     strategy:
EOF
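Review bot: `contents: read` is sufficient for the `test` job, which only checks out repositories and downloads artifacts from the same run; the Testing Farm call uses its own secret, not the `GITHUB_TOKEN`. If the root-level block suggested in the first alert is adopted, this job-level block becomes redundant, so pick one place for the policy to keep it readable.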
name: Upload and publish test results
runs-on: ubuntu-latest
needs: test
if: always() # Run even if tests fail
container:
image: fedora:latest

steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Install dependencies
if: always()
run: |
dnf -y install python3-pip git rsync
pip install fmf git+https://github.com/RHSecurityCompliance/atex.git

- name: Checkout ATEX results repository
if: always()
uses: actions/checkout@v4
with:
repository: ${{ env.ATEX_REPO }}
ref: main
path: atex-results-testing-farm
token: ${{ secrets.ATEX_RESULTS_TF_REPO_TOKEN }}

- name: Initialize FMF metadata
if: always()
working-directory: atex-results-testing-farm
run: fmf init

- name: Create TMT dummy plan for artifact transport
if: always()
working-directory: atex-results-testing-farm
run: |
cat > main.fmf <<'EOF'
/dummy_plan:
discover:
how: shell
tests:
- name: /dummy_test
test: mv * "$TMT_TEST_DATA/."
execute:
how: tmt
EOF

# Download test results for all CentOS Stream versions
- name: Download test results - CentOS Stream 8
if: always()
uses: actions/download-artifact@v4
with:
name: test-results-centos-stream8
path: test-results/cs8/
continue-on-error: true

- name: Download test results - CentOS Stream 9
if: always()
uses: actions/download-artifact@v4
with:
name: test-results-centos-stream9
path: test-results/cs9/
continue-on-error: true

- name: Download test results - CentOS Stream 10
if: always()
uses: actions/download-artifact@v4
with:
name: test-results-centos-stream10
path: test-results/cs10/
continue-on-error: true

- name: Checkout ATEX HTML viewer
if: always()
uses: actions/checkout@v4
with:
repository: ${{ env.ATEX_HTML_REPO }}
ref: main
path: atex-html

- name: Update HTML title with PR number
if: always()
run: |
sed "/<title>/s/>.*</>Test outputs from PR #${{ github.event.pull_request.number }} HTML</" \
-i atex-html/index.html

- name: Merge test results from all versions
if: always()
run: |
mkdir -p atex-results-testing-farm/files_dir/

# Process and merge results for all CentOS Stream versions
for version in 8 9 10; do
results_file="test-results/cs${version}/results-centos-stream-${version}-x86_64.json.gz"
files_dir="test-results/cs${version}/files-centos-stream-${version}-x86_64"

if [ -f "${results_file}" ]; then
cat "${results_file}"
rm -f "${results_file}"
[ -d "${files_dir}" ] && cp -r "${files_dir}"/* atex-results-testing-farm/files_dir/
fi
done > results.json.gz

- name: Convert results to SQLite database
if: always()
run: |
python atex-html/json2db.py results.json.gz atex-results-testing-farm/results.sqlite.gz

- name: Prepare HTML results viewer
if: always()
run: |
cp -rf atex-html/index.html atex-html/sqljs/ atex-results-testing-farm/

- name: Commit and tag results in ATEX repository
if: always()
working-directory: atex-results-testing-farm
env:
GH_TOKEN: ${{ secrets.ATEX_RESULTS_TF_REPO_TOKEN }}
PR_NUMBER: ${{ github.event.pull_request.number }}
run: |
git config user.name "openscap-ci[bot]"
git config user.email "[email protected]"

git add .
git commit -m "Test outputs from PR #${PR_NUMBER}"
git tag PR${PR_NUMBER}
git push origin PR${PR_NUMBER}

- name: Submit results to Testing Farm
if: always()
id: testing_farm_request
env:
TESTING_FARM_API_TOKEN: ${{ secrets.TESTING_FARM_API_TOKEN }}
PR_NUMBER: ${{ github.event.pull_request.number }}
run: |
python3 tests/submit_results_to_testing_farm.py \
--repo-url "https://github.com/${{ env.ATEX_REPO }}" \
--pr-number "${PR_NUMBER}" 2>&1 | tee tf_output.log

# Extract HTML link from output
html_link=$(grep -oP 'HTML: \K.*' tf_output.log || echo 'No HTML link found')
echo "HTML_LINK=${html_link}" >> "$GITHUB_OUTPUT"

- name: Find existing PR comment
if: always()
uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3
id: fc
with:
issue-number: ${{ github.event.pull_request.number }}
comment-author: 'github-actions[bot]'
body-includes: Testing Farm Results

- name: Create or update PR comment with results
if: always()
uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v4
with:
comment-id: ${{ steps.fc.outputs.comment-id }}
issue-number: ${{ github.event.pull_request.number }}
body: |
### Testing Farm Results

Test artifacts have been submitted to Testing Farm.

**Results:** [View Test Results](${{ steps.testing_farm_request.outputs.HTML_LINK }})

_This comment was automatically generated by the ATEX workflow._
edit-mode: replace

- name: Cleanup temporary tag
if: always()
working-directory: atex-results-testing-farm
env:
GH_TOKEN: ${{ secrets.ATEX_RESULTS_TF_REPO_TOKEN }}
PR_NUMBER: ${{ github.event.pull_request.number }}
run: |
git push --delete origin PR${PR_NUMBER}
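Review bot: in `Commit and tag results in ATEX repository`, `GH_TOKEN` is set but `git push` does not read it; the push only succeeds because `Checkout ATEX results repository` passed `token:` to `actions/checkout`, which persists that PAT in the checkout's git config for the rest of the job. Either drop the unused env or set `persist-credentials: false` and pass the token explicitly, and note that `git commit` fails the step when there is nothing to commit, for example when all three artifact downloads were skipped. `ATEX_RESULTS_TF_REPO_TOKEN` is a write-capable secret used under a `pull_request` trigger, so the same fork limitation as in `test` applies, and because almost every step here is `if: always()` the tag push and PR comment run even when earlier steps failed. In `Merge test results from all versions` the loop concatenates several gzip members into `results.json.gz`; that is valid gzip, but `atex-html/json2db.py` must accept multiple concatenated JSON documents, so confirm it does. `Update HTML title with PR number` interpolates `${{ github.event.pull_request.number }}` directly into the shell script while the later steps pass it through `PR_NUMBER`; use the env variable here too. `tests/submit_results_to_testing_farm.py` is not part of this change; confirm it exists.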
Comment on lines +134 to +308

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI about 22 hours ago

To fix this issue, we should add a permissions block to the upload job to restrict the GITHUB_TOKEN permissions to the minimum required. As a starting point, the minimal necessary is usually contents: read, but this job also posts or updates pull request comments (steps use peter-evans/create-or-update-comment), which requires the pull-requests: write and possibly issues: write permissions (to handle comments on PRs). Thus, the recommended permissions block is:

permissions:
  contents: read
  pull-requests: write
  issues: write

We should insert this block directly under the name: field of the upload job (after line 134, before runs-on). No other files or imports are impacted.

Suggested changeset 1
.github/workflows/atex.yaml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/atex.yaml b/.github/workflows/atex.yaml
--- a/.github/workflows/atex.yaml
+++ b/.github/workflows/atex.yaml
@@ -132,6 +132,10 @@
 
   upload:
     name: Upload and publish test results
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
     runs-on: ubuntu-latest
     needs: test
     if: always() # Run even if tests fail
EOF
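Review bot: `issues: write` is not needed here; `pull-requests: write` is what the `peter-evans/create-or-update-comment` action documents for commenting on a pull request, and `issues: write` only matters for comments on plain issues, so drop it. `contents: read` is enough for the `GITHUB_TOKEN` because the push to the results repository uses the separate `ATEX_RESULTS_TF_REPO_TOKEN` secret rather than the workflow token.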