build and scan e2e-test-runner image

Author: xinredhat

.github/workflows/build-push-images.yaml

@@ -34,13 +34,6 @@ jobs:
               - '.github/workflows/build-push-images.yaml'
               - 'operator/images/cluster-setup/**'
               - 'shared/**'
-            quay-upload:
-              - '.github/workflows/build-push-images.yaml'
-              - 'ci/images/quay-upload/**'
-            update-pipeline-service:
-              - '.github/workflows/build-push-images.yaml'
-              - 'operator/images/update-pipeline-service/**'
-              - 'shared/**'
             dependencies-update:
               - '.github/workflows/build-push-images.yaml'
               - 'developer/images/dependencies/**'
@@ -49,10 +42,21 @@ jobs:
               - '.github/workflows/build-push-images.yaml'
               - 'developer/images/devenv/**'
               - 'shared/**'
+            e2e-test-runner:
+              - '.github/workflows/build-push-images.yaml'
+              - 'ci/images/e2e-test-runner/**'
+              - 'shared/**'
+            quay-upload:
+              - '.github/workflows/build-push-images.yaml'
+              - 'ci/images/quay-upload/**'
             static-checks:
               - '.github/workflows/build-push-images.yaml'
               - 'ci/images/static-checks/**'
               - 'shared/**'
+            update-pipeline-service:
+              - '.github/workflows/build-push-images.yaml'
+              - 'operator/images/update-pipeline-service/**'
+              - 'shared/**'
             vulnerability:
               - '.github/workflows/build-push-images.yaml'
               - 'ci/images/vulnerability-scan/**'
@@ -309,6 +313,42 @@ jobs:
         run: |
           ./ci/images/quay-upload/image-upload.sh --debug
 
+      # Build and push e2e-test-runner image, tagged with latest and the commit SHA.
+      - name: Build e2e-test-runner Image
+        id: build-image-e2e-test-runner
+        if: steps.filter.outputs.e2e-test-runner == 'true'
+        uses: redhat-actions/buildah-build@v2
+        with:
+          image: e2e-test-runner
+          context: .
+          tags: latest ${{ steps.vars.outputs.sha_short }} ${{ github.ref_name }}
+          containerfiles: |
+            ./ci/images/e2e-test-runner/Dockerfile
+      - name: Push to quay.io
+        id: push-to-quay-e2e-test-runner
+        if: steps.filter.outputs.e2e-test-runner == 'true'
+        uses: redhat-actions/push-to-registry@v2
+        with:
+          image: ${{ steps.build-image-e2e-test-runner.outputs.image }}
+          tags: ${{ steps.build-image-e2e-test-runner.outputs.tags }} ${{ github.ref_name }}
+          registry: quay.io/redhat-pipeline-service
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_TOKEN }}
+      - name: Print image url
+        if: steps.filter.outputs.e2e-test-runner == 'true'
+        run: |
+          echo "Image pushed to ${{ steps.push-to-quay-e2e-test-runner.outputs.registry-paths }}"
+      - name: Tag latest commit ID to quay.io
+        id: tag-commit-quay-e2e-test-runner
+        if: steps.filter.outputs.e2e-test-runner != 'true'
+        env:
+          image: e2e-test-runner
+          registry: quay.io/redhat-pipeline-service
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_TOKEN }}
+        run: |
+          ./ci/images/quay-upload/image-upload.sh --debug
+
       # Build and push static-checks image, tagged with latest and the commit SHA.
       - name: Build static-checks Image
         id: build-image-static-checks

.github/workflows/individual-image-scanner-quay.yaml

@@ -26,6 +26,7 @@ jobs:
       ci-runner-output: ${{ steps.ci-runner-scan.outputs.VULNERABILITIES_EXIST }}
       cluster-setup-output: ${{ steps.cluster-setup-scan.outputs.VULNERABILITIES_EXIST }}
       dependencies-update-output: ${{ steps.dependencies-update-scan.outputs.VULNERABILITIES_EXIST }}
+      e2e-test-runner-output: ${{ steps.e2e-test-runner-scan.outputs.VULNERABILITIES_EXIST }}
       devenv-output: ${{ steps.devenv-scan.outputs.VULNERABILITIES_EXIST }}
       quay-upload-output: ${{ steps.quay-upload-scan.outputs.VULNERABILITIES_EXIST }}
       static-checks-output: ${{ steps.static-checks-scan.outputs.VULNERABILITIES_EXIST }}
@@ -54,6 +55,9 @@ jobs:
             devenv:
               - 'developer/images/devenv/**'
               - 'shared/**'
+            e2e-test-runner:
+              - 'ci/images/e2e-test-runner/**'
+              - 'shared/**'
             quay-upload:
               - 'ci/quay-upload/**'
             static-checks:
@@ -153,6 +157,16 @@ jobs:
         env:
           IMAGE_NAME: vulnerability-scan
 
+      - name: e2e-test-runner scan
+        continue-on-error: true
+        id: e2e-test-runner-scan
+        if: steps.filter.outputs.e2e-test-runner == 'true'
+        run: |
+          ./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log
+          echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT
+        env:
+          IMAGE_NAME: e2e-test-runner
+
   check-results:
     runs-on: ubuntu-latest
     needs: scans
@@ -274,3 +288,16 @@ jobs:
           else
             echo "No vulnerabilities found"
           fi
+
+      - name: Check e2e-test-runner results
+        id: check-e2e-test-runner-results
+        if: always()
+        run: |
+          res=${{ needs.scans.outputs.e2e-test-runner-output }}
+          res=${res:=0}
+          if [[ $res != 0 ]]; then
+            echo "Vulnerabilities found with e2e-test-runner image. Please check scans job for more details."
+            exit 1
+          else
+            echo "No vulnerabilities found"
+          fi

.github/workflows/periodic-scanner-quay.yaml

@@ -28,6 +28,7 @@ jobs:
             "cluster-setup"
             "dependencies-update"
             "devenv"
+            "e2e-test-runner"
             "quay-upload"
             "static-checks"
             "update-pipeline-service"