chore: start with fixing integration tests

Author: rjaegers

.github/workflows/continuous-integration.yml

@@ -28,3 +28,11 @@ jobs:
       id-token: write
       packages: write
       pull-requests: write
+
+  dependency-review:
+    uses: ./.github/workflows/wc-dependency-review.yml
+    with:
+      runner-labels: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write

.github/workflows/wc-build-push-test.yml

@@ -34,26 +34,6 @@ jobs:
       dockerfile: .devcontainer/${{ matrix.flavor }}/Dockerfile
       image-name: ${{ github.repository }}-${{ matrix.flavor }}
 
-  dependency-review:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      pull-requests: write
-    needs: build-push
-    if: github.event_name == 'pull_request'
-    steps:
-      - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
-        with:
-          disable-sudo-and-containers: true
-          egress-policy: audit
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          persist-credentials: false
-      - uses: actions/dependency-review-action@56339e523c0409420f6c2c9a2f4292bbb3c07dd3 # v4.8.0
-        with:
-          comment-summary-in-pr: on-failure
-          fail-on-severity: critical
-
   integration-test:
     strategy:
       matrix:
@@ -62,8 +42,10 @@ jobs:
     needs: build-push
     uses: ./.github/workflows/wc-integration-test.yml
     with:
-      flavor: ${{ matrix.flavor }}
-      runner: ${{ matrix.runner }}
+      fully-qualified-image-name: ${{ needs.build-push.outputs.fully-qualified-image-name }}
+      image-basename: ${{ needs.build-push.outputs.image-basename }}
+      test-file: test/${{ matrix.flavor }}/integration.bats
+      runner-labels: ${{ matrix.runner }}
 
   acceptance-test:
     strategy:

.github/workflows/wc-build-push.yml

@@ -34,6 +34,16 @@ on:
         required: false
         type: string
         default: ubuntu-latest
+    outputs:
+      image-basename:
+        description: "The sanitized base name of the image (without registry or tag)"
+        value: ${{ jobs.sanitize-inputs.outputs.image-basename }}
+      image-name:
+        description: "The sanitized name of the image (without registry or tag)"
+        value: ${{ jobs.sanitize-inputs.outputs.image-name }}
+      fully-qualified-image-name:
+        description: "The fully qualified name of the image including registry (but without tag)"
+        value: ${{ jobs.sanitize-inputs.outputs.fully-qualified-image-name }}
     secrets:
       DOCKER_USERNAME:
         description: "User name for Docker login, if not provided the GitHub actor will be used"
@@ -48,9 +58,9 @@ jobs:
   sanitize-inputs:
     runs-on: ${{ inputs.default-runner }}
     outputs:
+      image-basename: ${{ steps.sanitize-image-name.outputs.sanitized-basename }}
       image-name: ${{ steps.sanitize-image-name.outputs.sanitized-image-name }}
       fully-qualified-image-name: ${{ inputs.registry }}/${{ steps.sanitize-image-name.outputs.sanitized-image-name }}
-      image-basename: ${{ steps.sanitize-image-name.outputs.sanitized-basename }}
     steps:
       - name: Sanitize image name
         id: sanitize-image-name

.github/workflows/wc-dependency-review.yml

@@ -0,0 +1,32 @@
+---
+name: Dependency Review
+
+on:
+  workflow_call:
+    inputs:
+      runner-labels:
+        description: "Runner to use for the job, will be passed to `runs-on`"
+        required: false
+        type: string
+        default: ubuntu-latest
+
+permissions: {}
+
+jobs:
+  dependency-review:
+    runs-on: ${{ inputs.runner-labels }}
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          disable-sudo-and-containers: true
+          egress-policy: audit
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+      - uses: actions/dependency-review-action@56339e523c0409420f6c2c9a2f4292bbb3c07dd3 # v4.8.0
+        with:
+          comment-summary-in-pr: on-failure
+          fail-on-severity: critical

.github/workflows/wc-integration-test.yml

@@ -4,25 +4,28 @@ name: Integration Test
 on:
   workflow_call:
     inputs:
-      flavor:
+      fully-qualified-image-name:
+        required: false
+        type: string
+      image-basename:
         required: true
         type: string
-      runner:
+      test-file:
+        required: true
+        type: string
+      runner-labels:
+        description: "Runner to use for the job, will be passed to `runs-on`"
         required: true
         type: string
 
-permissions:
-  contents: read
-
-env:
-  CONTAINER_FLAVOR: ${{ inputs.flavor }}
-  RUNNER: ${{ inputs.runner }}
+permissions: {}
 
 jobs:
   determine-container:
-    runs-on: ${{ inputs.runner }}
+    runs-on: ${{ inputs.runner-labels }}
     outputs:
       container: ${{ steps.set-container.outputs.container }}
+      runner-arch: ${{ steps.runner-arch.outputs.arch }}
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
@@ -32,17 +35,21 @@ jobs:
         id: runner-arch
       - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
         with:
-          path: ${{ runner.temp }}/digests-${{ inputs.flavor }}-${{ steps.runner-arch.outputs.arch }}
-          pattern: digests-${{ inputs.flavor }}-${{ steps.runner-arch.outputs.arch }}
-      - run: echo "container=$(printf "ghcr.io/${GH_REPO}-${CONTAINER_FLAVOR}@sha256:%s " *)" >> "$GITHUB_OUTPUT"
-        working-directory: ${{ runner.temp }}/digests-${{ inputs.flavor }}-${{ steps.runner-arch.outputs.arch }}
+          path: ${{ runner.temp }}/digests-${{ inputs.image-basename }}-${{ steps.runner-arch.outputs.arch }}
+          pattern: digests-${{ inputs.image-basename }}-${{ steps.runner-arch.outputs.arch }}
+      - run: echo "container=$(printf "${FULLY_QUALIFIED_IMAGE_NAME}@sha256:%s " *)" >> "$GITHUB_OUTPUT"
+        working-directory: ${{ runner.temp }}/digests-${{ inputs.image-basename }}-${{ steps.runner-arch.outputs.arch }}
         env:
+          FULLY_QUALIFIED_IMAGE_NAME: ${{ inputs.fully-qualified-image-name }}
           GH_REPO: ${{ github.repository }}
         id: set-container
+
   run-test:
     needs: determine-container
-    runs-on: ${{ inputs.runner }}
+    runs-on: ${{ inputs.runner-labels }}
     container: ${{ needs.determine-container.outputs.container }}
+    permissions:
+      contents: read
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
@@ -52,15 +59,18 @@ jobs:
         with:
           persist-credentials: false
       - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
-        if: inputs.flavor == 'cpp'
         with:
           path: test/cpp/.xwin-cache
-          key: xwin-cache-${{ inputs.runner }}
+          key: xwin-cache-${{ needs.determine-container.outputs.runner-arch }}
           restore-keys: |
-            xwin-cache
-      - run: bats --formatter junit "test/${CONTAINER_FLAVOR}/integration-tests.bats" | tee "test-report-${CONTAINER_FLAVOR}-${RUNNER}.xml"
+            xwin-cache-${{ needs.determine-container.outputs.runner-arch }}
+      - run: bats --formatter junit "${TEST_FILE}" | tee "test-report-${IMAGE_BASENAME}-${RUNNER_ARCH}.xml"
+        env:
+          IMAGE_BASENAME: ${{ inputs.image-basename }}
+          TEST_FILE: ${{ inputs.test-file }}
+          RUNNER_ARCH: ${{ needs.determine-container.outputs.runner-arch }}
       - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: always()
         with:
-          name: test-results-integration-${{ inputs.flavor }}-${{ inputs.runner }}
+          name: test-results-integration-${{ inputs.image-basename }}-${{ needs.determine-container.outputs.runner-arch }}
           path: test-report-*.xml