Setup github ci for pytest tests including static analysis

jakub-vavra-cz · jakub-vavra-cz · commit e57c6127dffe · 2025-11-10T11:45:32.000+01:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,293 @@
+name: CI
+on:
+  push:
+    #branches: [master]
+  pull_request:
+    #branches: [master]
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+jobs:
+  tox:
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: ["3.11", "3.x"]
+        upstream: ["pypi"]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+    - name: Detect skipped environments
+      id: skipenv
+      env:
+        UPSTREAM: ${{ matrix.upstream }}
+      run: |
+        set -ex
+        case $UPSTREAM in
+          upstream)
+            echo 'skipenv=.*(?<!upstream)$' >> $GITHUB_OUTPUT
+            ;;
+          *)
+            echo 'skipenv=.*-upstream$' >> $GITHUB_OUTPUT
+            ;;
+        esac
+    - uses: actions/checkout@v3
+    - uses: actions/setup-python@v4
+      with:
+        python-version: ${{ matrix.python-version }}
+    - name: Install dependencies
+      run: |
+        sudo apt-get update
+
+        # Install dependencies for python-ldap
+        sudo apt-get install -y libsasl2-dev python3-dev libldap2-dev libssl-dev libssh-dev
+
+        python -m pip install --upgrade pip
+        pip install tox tox-gh
+    - name: Prepare tox environment and install packages
+      run: |
+        tox --skip-env '${{ steps.skipenv.outputs.skipenv }}' --colored=yes --notest
+    - name: Run tests
+      run: |
+        tox --skip-env '${{ steps.skipenv.outputs.skipenv }}' --colored=yes --skip-pkg-install
+
+  system:
+    strategy:
+      fail-fast: false
+      matrix:
+        tag:
+        - fedora-latest
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+    - uses: actions/setup-python@v5
+      with:
+        python-version: 3.x
+
+    - name: Checkout sssd-test-framework repository
+      uses: actions/checkout@v5
+      with:
+        # Fetch the entire history of the repository and tags to determine
+        # correct framework version, as it is constructed from git describe
+        repository: sssd/sssd-test-framework
+        fetch-depth: 0
+        fetch-tags: true
+        path: sssd-test-framework
+
+    - name: Checkout sudo-tests repository
+      uses: actions/checkout@v5
+      with:
+        repository: RedHat-SP-Security/sudo-tests
+        path: sudo-tests
+
+    - name: Setup containers
+      uses: SSSD/sssd-ci-containers/actions/setup@master
+      with:
+        path: sssd-ci-containers
+        tag: ${{ matrix.tag }}
+        override: |
+          services:
+            dns:
+              restart: always
+              image: ${REGISTRY}/ci-dns:latest
+              container_name: dns
+              env_file: ./env.containers
+              volumes:
+              - ./data/configs/dnsmasq.conf:/etc/dnsmasq.conf
+              cap_add:
+              - NET_RAW
+              - NET_ADMIN
+              - SYS_CHROOT
+              security_opt:
+              - apparmor=unconfined
+              - label=disable
+              - seccomp=unconfined
+              networks:
+                sssd:
+                  ipv4_address: 172.16.100.2
+            ipa:
+              image: ${REGISTRY}/ci-ipa:${TAG}
+              container_name: ipa
+              hostname: master.ipa.test
+              dns: 172.16.100.2
+              env_file: ./env.containers
+              volumes:
+              - ./shared:/shared:rw
+              cap_add:
+              - SYS_ADMIN
+              - SYS_PTRACE
+              - AUDIT_WRITE
+              - AUDIT_CONTROL
+              - SYS_CHROOT
+              - NET_ADMIN
+              - CAP_CHOWN
+              - CAP_DAC_OVERRIDE
+              - CAP_SETGID
+              - CAP_SETUID
+              - CAP_DAC_READ_SEARCH
+              security_opt:
+              - apparmor=unconfined
+              - label=disable
+              - seccomp=unconfined
+              networks:
+                sssd:
+                  ipv4_address: 172.16.100.10
+            ldap:
+              image: ${REGISTRY}/ci-ldap:${TAG}
+              container_name: ldap
+              hostname: master.ldap.test
+              dns: 172.16.100.2
+              env_file: ./env.containers
+              volumes:
+              - ./shared:/shared:rw
+              cap_add:
+              - SYS_ADMIN
+              - SYS_PTRACE
+              - AUDIT_WRITE
+              - AUDIT_CONTROL
+              - SYS_CHROOT
+              - NET_ADMIN
+              security_opt:
+              - apparmor=unconfined
+              - label=disable
+              - seccomp=unconfined
+              networks:
+                sssd:
+                  ipv4_address: 172.16.100.20
+            client:
+              image: ${REGISTRY}/ci-client:${TAG}
+              container_name: client
+              hostname: client.test
+              dns: 172.16.100.2
+              env_file: ./env.containers
+              volumes:
+              - ./shared:/shared:rw
+              cap_add:
+              - SYS_ADMIN
+              - SYS_PTRACE
+              - NET_RAW
+              - NET_ADMIN
+              - AUDIT_WRITE
+              - AUDIT_CONTROL
+              - SYS_CHROOT
+              - CAP_CHOWN
+              - CAP_DAC_OVERRIDE
+              - CAP_SETGID
+              - CAP_SETUID
+              - CAP_DAC_READ_SEARCH
+              security_opt:
+              - apparmor=unconfined
+              - label=disable
+              - seccomp=unconfined
+              networks:
+                sssd:
+                  ipv4_address: 172.16.100.40
+          networks:
+            sssd:
+              name: sssd-ci
+              driver: bridge
+              ipam:
+              config:
+                - subnet: 172.16.100.0/24
+                  gateway: 172.16.100.1
+              options:
+                  driver: host-local
+
+    - name: Patch the SSH configuration
+      uses: SSSD/sssd-ci-containers/actions/exec@master
+      with:
+        user: root
+        script: |
+          #!/bin/bash
+          test -x /usr/bin/sss_ssh_knownhosts && \
+              sed -e 's/GlobalKnownHostsFile/#GlobalKnownHostsFile/' \
+                  -e 's/ProxyCommand \/usr\/bin\/sss_ssh_knownhostsproxy -p %p %h/KnownHostsCommand \/usr\/bin\/sss_ssh_knownhosts %H/' \
+                  -i /etc/ssh/ssh_config.d/04-ipa.conf
+
+    - name: Install system tests dependencies
+      shell: bash
+      working-directory: ./sudo-tests/pytest
+      run: |
+        set -ex
+
+        sudo apt-get update
+
+        # Install dependencies for python-ldap
+        sudo apt-get install -y libsasl2-dev python3-dev libldap2-dev libssl-dev libssh-dev
+
+        # Virtualenv
+        pip3 install virtualenv
+        python3 -m venv .venv
+        source .venv/bin/activate
+
+        # Install system tests requirements
+        pip3 install -r ./requirements.txt
+
+        # Install yq to parse yaml files
+        sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64
+        sudo chmod a+x /usr/local/bin/yq
+
+    - name: Install test framework
+      shell: bash
+      run: |
+        set -ex
+
+        source ./sudo-tests/pytest/.venv/bin/activate
+        pip3 install ./sssd-test-framework
+
+    - name: Remove ad from mhc.yaml
+      shell: bash
+      working-directory: ./sudo-tests/pytest
+      run: |
+        yq -i 'del(.domains[0].hosts.[] | select(.role == "ad"))' mhc.yaml
+
+    - name: Check polarion metadata
+      shell: bash
+      working-directory: ./sudo-tests/pytest
+      run: |
+        # Run pytest in collect only mode to quickly catch issues in Polarion metadata.
+        set -ex -o pipefail
+
+        mkdir -p $GITHUB_WORKSPACE/artifacts
+        source .venv/bin/activate
+        pytest \
+          --color=yes \
+          --mh-config=./mhc.yaml \
+          --mh-artifacts-dir=$GITHUB_WORKSPACE/artifacts \
+          --polarion-config=../polarion.yaml \
+          --output-polarion-testcase=$GITHUB_WORKSPACE/artifacts/testcase.xml \
+          --collect-only . |& tee $GITHUB_WORKSPACE/pytest-collect.log
+
+    - name: Run tests
+      shell: bash
+      working-directory: ./sudo-tests/pytest/
+      run: |
+        set -ex -o pipefail
+
+        mkdir -p $GITHUB_WORKSPACE/artifacts
+        source .venv/bin/activate
+        pytest \
+          --durations=0 \
+          --color=yes \
+          --show-capture=no \
+          --mh-config=./mhc.yaml \
+          --mh-artifacts-dir=$GITHUB_WORKSPACE/artifacts \
+          --polarion-config=../polarion.yaml \
+          --output-polarion-testcase=$GITHUB_WORKSPACE/artifacts/testcase.xml \
+          --output-polarion-testrun=$GITHUB_WORKSPACE/artifacts/testrun.xml \
+          -vvv . |& tee $GITHUB_WORKSPACE/pytest.log
+
+    - name: Upload artifacts
+      if: always()
+      uses: actions/upload-artifact@v4
+      with:
+        if-no-files-found: ignore
+        name: ${{ matrix.tag }}-system
+        path: |
+          artifacts
+          build.log
+          install.log
+          pytest.log
+          pytest-collect.log
diff --git a/.github/workflows/static-code-analysis.yml b/.github/workflows/static-code-analysis.yml
@@ -0,0 +1,77 @@
+name: "Static code analysis"
+on:
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master]
+  schedule:
+    # Everyday at midnight
+    - cron: '0 0 * * *'
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+jobs:
+  static-code-analysis-tests:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+    - uses: actions/setup-python@v6
+      with:
+        python-version: '3.x'
+
+    - name: Checkout repository
+      uses: actions/checkout@v5
+      with:
+        repository: RedHat-SP-Security/sudo-tests
+        path: sudo-tests
+
+    - name: Setup virtual environment
+      working-directory: ./sudo-tests/pytest
+      run: |
+        sudo apt-get update
+
+        # Install dependencies for python-ldap
+        sudo apt-get install -y libsasl2-dev python3-dev libldap2-dev libssl-dev libssh-dev
+
+        pip3 install virtualenv
+        python3 -m venv .venv
+        source .venv/bin/activate
+        pip3 install -r ./requirements.txt
+        pip3 install flake8 pycodestyle isort mypy black
+
+    - name: flake8
+      if: always()
+      working-directory: ./sudo-tests/pytest
+      run: source .venv/bin/activate && flake8 .
+
+    - name: pycodestyle
+      if: always()
+      working-directory: ./sudo-tests/pytest
+      run: source .venv/bin/activate && pycodestyle .
+
+    - name: isort
+      if: always()
+      working-directory: ./sudo-tests/pytest
+      run: source .venv/bin/activate && isort --check-only .
+
+    - name: black
+      if: always()
+      working-directory: ./sudo-tests/pytest
+      run: source .venv/bin/activate && black --check --diff .
+
+    - name: mypy
+      if: always()
+      working-directory: ./sudo-tests/pytest
+      run: source .venv/bin/activate && mypy --install-types --non-interactive tests
+
+  result:
+    name: All tests are successful
+    if: ${{ always() }}
+    runs-on: ubuntu-latest
+    needs: [pytest-tests]
+    steps:
+      - name: Fail on failure
+        if: |
+          needs.static-code-analysis-tests.result != 'success'
+        run: exit 1
