Add Podman integration tests for OCI runtime compatibility #1143
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,86 @@ | ||
| --- | ||
| name: Integration Test (Podman) | ||
|
|
||
| on: | ||
| workflow_call: | ||
| inputs: | ||
| build-test-runner-labels: | ||
| required: true | ||
| type: string | ||
| fully-qualified-image-name: | ||
| required: true | ||
| type: string | ||
| image-basename: | ||
| required: true | ||
| type: string | ||
| image-digest: | ||
| required: true | ||
| type: string | ||
| registry: | ||
| required: true | ||
| type: string | ||
| test-file: | ||
| required: true | ||
| type: string | ||
| secrets: | ||
| DOCKER_REGISTRY_PASSWORD: | ||
| required: true | ||
| DOCKER_REGISTRY_USERNAME: | ||
| required: true | ||
|
|
||
| permissions: {} | ||
|
|
||
| jobs: | ||
| run-test: | ||
| name: Integration Test Podman (${{ (startsWith(matrix.runner, '[') && endsWith(matrix.runner, ']')) && join(matrix.runner, ', ') || matrix.runner }}) | ||
| strategy: | ||
| matrix: | ||
| runner: ${{ fromJson(inputs.build-test-runner-labels) }} | ||
| runs-on: ${{ matrix.runner }} | ||
| permissions: | ||
| contents: read | ||
| steps: | ||
| - uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 | ||
| with: | ||
| disable-sudo: false | ||
| egress-policy: audit | ||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| with: | ||
| persist-credentials: false | ||
| - name: Install Podman | ||
| run: | | ||
| # Install Podman on Ubuntu (Ubuntu 20.10+ has Podman in default repositories) | ||
| # This workflow is designed for Ubuntu runners (ubuntu-latest, ubuntu-24.04-arm) | ||
| sudo apt-get update | ||
| sudo apt-get install -y podman | ||
| podman --version | ||
| - name: Login to container registry | ||
| run: | | ||
| echo "${{ secrets.DOCKER_REGISTRY_PASSWORD || github.token }}" | \ | ||
| podman login ${{ inputs.registry }} \ | ||
Code scanning: SonarCloud (High): GitHub Actions should not be vulnerable to script injections; change this workflow to not use user-controlled data directly in a run block. zizmor (Error, Warning): code injection via template expansion.
| --username "${{ secrets.DOCKER_REGISTRY_USERNAME || github.actor }}" \ | ||
Code scanning: zizmor (Error, Warning): code injection via template expansion.
| --password-stdin | ||
| - name: Pull container image | ||
| run: | | ||
| podman pull ${{ inputs.fully-qualified-image-name }}@${{ inputs.image-digest }} | ||
Code scanning: zizmor (Error, Warning; two expansions on this line): code injection via template expansion.
| - run: echo "arch=$(echo "${RUNNER_ARCH}" | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT" | ||
| id: runner-arch | ||
| - name: Run integration tests using Podman | ||
| run: | | ||
| podman run --rm \ | ||
| -v "${{ github.workspace }}:${{ github.workspace }}" \ | ||
Code scanning: zizmor (Warning; two expansions on this line): code injection via template expansion.
| -w "${{ github.workspace }}" \ | ||
Code scanning: zizmor (Warning): code injection via template expansion.
| -e IMAGE_BASENAME="${IMAGE_BASENAME}" \ | ||
| -e TEST_FILE="${TEST_FILE}" \ | ||
| -e RUNNER_ARCH="${RUNNER_ARCH}" \ | ||
| ${{ inputs.fully-qualified-image-name }}@${{ inputs.image-digest }} \ | ||
Code scanning: zizmor (Error, Warning; two expansions on this line): code injection via template expansion.
| bats --formatter junit "${TEST_FILE}" | tee "test-report-${IMAGE_BASENAME}-podman-${RUNNER_ARCH}.xml" | ||
| env: | ||
| IMAGE_BASENAME: ${{ inputs.image-basename }} | ||
| TEST_FILE: ${{ inputs.test-file }} | ||
| RUNNER_ARCH: ${{ steps.runner-arch.outputs.arch }} | ||
| - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 | ||
| if: ${{ !cancelled() }} | ||
| with: | ||
| name: test-results-integration-podman-${{ inputs.image-basename }}-${{ steps.runner-arch.outputs.arch }} | ||
| path: test-report-*.xml | ||
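Review bot: the `podman login`, `podman pull` and `podman run` steps expand `${{ inputs.registry }}`, `${{ inputs.fully-qualified-image-name }}`, `${{ inputs.image-digest }}` and `${{ secrets.DOCKER_REGISTRY_USERNAME || github.actor }}` directly into the `run:` script, which is what the SonarCloud and zizmor annotations flag: these values are chosen by the calling workflow, so an input containing shell metacharacters becomes command execution on the runner. Move them into the step's `env:` block and reference them as quoted shell variables, exactly as the test step already does for `IMAGE_BASENAME` and `TEST_FILE`, e.g. `podman pull "${IMAGE_NAME}@${IMAGE_DIGEST}"` with `IMAGE_NAME: ${{ inputs.fully-qualified-image-name }}` under `env:`; `${{ github.workspace }}` in the `-v` and `-w` arguments can simply become `"${GITHUB_WORKSPACE}"`. The same applies to the password line: `echo "${{ secrets.DOCKER_REGISTRY_PASSWORD || github.token }}"` is another template expansion into the shell (a password containing `"` or `$` would also break it), and both `|| github.token` / `|| github.actor` fallbacks are dead code because the two secrets are declared `required: true`. Separately, `podman run ... bats ... | tee "test-report-...xml"` runs under the default `bash -e {0}` shell, which does not set `pipefail`, so a failing bats run exits through `tee` with status 0 and the job stays green; add `set -o pipefail` at the top of that step or set `shell: bash`, which enables it.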
Code scanning: zizmor (Warning): code injection via template expansion.