From 302ea1cb6da716ff4be7c209bf43eff39629ce48 Mon Sep 17 00:00:00 2001 From: Adam Scerra Date: Sat, 15 Mar 2025 13:56:27 -0400 Subject: [PATCH 1/7] add ec-cli-sealights workflow Signed-off-by: Adam Scerra --- .github/workflows/ec-cli-sealights.yaml | 193 ++++++++++++++++++++++++ 1 file changed, 193 insertions(+) create mode 100644 .github/workflows/ec-cli-sealights.yaml diff --git a/.github/workflows/ec-cli-sealights.yaml b/.github/workflows/ec-cli-sealights.yaml new file mode 100644 index 000000000..bd5b0ac01 --- /dev/null +++ b/.github/workflows/ec-cli-sealights.yaml 
@@ -0,0 +1,193 @@ +# Copyright The Enterprise Contract Contributors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 + +--- +name: Sealights + +"on": + pull_request: + branches: + - main + - release-* + push: + branches: + - main + - release-* + workflow_dispatch: + +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ (github.event_name == 'pull_request' && github.event.pull_request.number) || github.ref }} + cancel-in-progress: true + +jobs: + + Initialize: + runs-on: ubuntu-latest + outputs: + bsid: ${{ steps.set-bsid.outputs.bsid }} + steps: + - name: Determine workflow run event context + run: echo "on-event=${{ github.event_name }}" >> $GITHUB_ENV + + - name: Handle invalid context for pull requests + if: ${{ env.on-event == 'pull_request' && (!github.event.pull_request.head.sha || !github.event.pull_request.number) }} + run: | + echo "Invalid context for this workflow run. Exiting." 
+ exit 1 + + - name: Checkout repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + # Needed in hack/derive-version.sh + fetch-depth: 0 + + - name: Restore Cache + uses: actions/cache/restore@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2 + with: + key: main + path: '**' + + - name: Setup Go environment + uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 + with: + go-version-file: go.mod + cache: false + + - name: Check go versions + uses: enterprise-contract/github-workflows/golang-version-check@main + + - name: Download SeaLights Go agent and CLI tool + run: | + echo "[Sealights] Downloading Sealights Golang & CLI Agents..." + case $(lscpu | awk '/Architecture:/{print $2}') in + x86_64) SL_ARCH="linux-amd64";; + arm) SL_ARCH="linux-arm64";; + esac + wget -nv -O sealights-go-agent.tar.gz https://agents.sealights.co/slgoagent/latest/slgoagent-$SL_ARCH.tar.gz + wget -nv -O sealights-slcli.tar.gz https://agents.sealights.co/slcli/latest/slcli-$SL_ARCH.tar.gz + tar -xzf ./sealights-go-agent.tar.gz && tar -xzf ./sealights-slcli.tar.gz + rm -f ./sealights-go-agent.tar.gz ./sealights-slcli.tar.gz + ./slgoagent -v 2> /dev/null | grep version && ./slcli -v 2> /dev/null | grep version + + - name: Write SeaLights token into file + run: echo "${SEALIGHTS_AGENT_TOKEN}" > sltoken.txt + env: + SEALIGHTS_AGENT_TOKEN: '${{secrets.SEALIGHTS_AGENT_TOKEN}}' + + - name: Initiating the SeaLights agent + run: | + echo "[Sealights] Initiating the SeaLights agent to Golang and handing it the token" + ./slcli config init --lang go --token ./sltoken.txt + + - name: Configuring SeaLights - on pull_request event + if: env.on-event == 'pull_request' + run: | + echo "[Sealights] Configuring SeaLights to scan the pull request branch" + echo "Latest commit sha: ${LATEST_COMMIT_SHA}" + echo "PR Number: ${PULL_REQUEST_NUMBER}" + ./slcli config create-pr-bsid --app ec-cli --target-branch "main" --pull-request-number 
${PULL_REQUEST_NUMBER} --latest-commit ${LATEST_COMMIT_SHA} --repository-url https://github.com/ascerra/ec-cli.git + env: + PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }} + LATEST_COMMIT_SHA: ${{github.event.pull_request.head.sha}} + + - name: Configuring SeaLights - on push event + if: env.on-event == 'push' + run: | + echo "[Sealights] Configuring SeaLights to scan the main branch after pull request was closed" + ./slcli config create-bsid --app ec-cli --branch main --build ${LATEST_COMMIT_SHA}" + + - name: Run the SeaLights scan + run: | + echo "[Sealights] Running the SeaLights scan" + ./slcli scan --bsid buildSessionId.txt --path-to-scanner ./slgoagent --workspacepath ./ --scm git --scmBaseUrl https://github.com/ascerra/ec-cli.git --scmVersion “0” --scmProvider github + + - name: clean all SeaLights secret stuff + run: | + echo "[Sealights] Cleaning up after SeaLights run" + rm sltoken.txt + + - name: Save workspace + uses: actions/cache@v4 + with: + path: ${{ github.workspace }} + key: workspace-${{ github.run_id }} + + Test: + runs-on: ubuntu-latest + needs: Initialize + env: + BSID: ${{ needs.Initialize.outputs.bsid }} + steps: + - name: Restore workspace + uses: actions/cache@v4 + with: + path: ${{ github.workspace }} + key: workspace-${{ github.run_id }} + + - name: Harden Runner + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + with: + egress-policy: audit + disable-telemetry: true + + # - name: Write SeaLights token into file + # run: echo "${SEALIGHTS_AGENT_TOKEN}" > sltoken.txt + # env: + # SEALIGHTS_AGENT_TOKEN: '${{secrets.SEALIGHTS_AGENT_TOKEN}}' + + - name: Generate + run: make generate + + - name: Test + run: make test + + # - name: clean all SeaLights secret stuff + # run: | + # echo "[Sealights] Cleaning up after SeaLights run" + # rm sltoken.txt buildSessionId.txt + + # Acceptance: + # runs-on: ubuntu-latest + # needs: Initialize + # env: + # BSID: ${{ 
needs.Initialize.outputs.bsid }} + # steps: + # - name: Restore workspace + # uses: actions/cache@v4 + # with: + # path: ${{ github.workspace }} + # key: workspace-${{ github.run_id }} + + # - name: Update podman + # run: | + # "${GITHUB_WORKSPACE}/hack/ubuntu-podman-update.sh" + + # - name: Acceptance test + # run: make acceptance + + # - name: clean all SeaLights secret stuff + # run: | + # echo "[Sealights] Cleaning up after SeaLights run" + # rm sltoken.txt buildSessionId.txt + + # - name: Upload coverage report + # uses: codecov/codecov-action@0565863a31f2c772f9f0395002a31e3f06189574 # v5.4.0 + # with: + # files: ./coverage-acceptance.out + # flags: acceptance From c333b2c41595f51959a170f3b00b74137530d244 Mon Sep 17 00:00:00 2001 From: Adam Scerra Date: Tue, 18 Mar 2025 18:02:01 -0400 Subject: [PATCH 2/7] fix "" issue Signed-off-by: Adam Scerra --- .github/workflows/ec-cli-sealights.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ec-cli-sealights.yaml b/.github/workflows/ec-cli-sealights.yaml index bd5b0ac01..087205429 100644 --- a/.github/workflows/ec-cli-sealights.yaml +++ b/.github/workflows/ec-cli-sealights.yaml @@ -99,8 +99,8 @@ jobs: if: env.on-event == 'pull_request' run: | echo "[Sealights] Configuring SeaLights to scan the pull request branch" - echo "Latest commit sha: ${LATEST_COMMIT_SHA}" - echo "PR Number: ${PULL_REQUEST_NUMBER}" + echo "Latest commit sha: \"${LATEST_COMMIT_SHA}\"" + echo "PR Number: \"${PULL_REQUEST_NUMBER}\"" ./slcli config create-pr-bsid --app ec-cli --target-branch "main" --pull-request-number ${PULL_REQUEST_NUMBER} --latest-commit ${LATEST_COMMIT_SHA} --repository-url https://github.com/ascerra/ec-cli.git env: PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }} From e4617bd23b648840d19dfa83b3fdb8fe9a1c4cec Mon Sep 17 00:00:00 2001 From: Adam Scerra Date: Tue, 18 Mar 2025 18:14:21 -0400 Subject: [PATCH 3/7] simplify comments 
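Review bot: The "Download SeaLights Go agent and CLI tool" step fetches `slgoagent-$SL_ARCH.tar.gz` and `slcli-$SL_ARCH.tar.gz` from a `latest` URL with `wget` and later runs those binaries with the agent token from `sltoken.txt`, with no version pin and no digest check, so whatever is served at that URL on a given day executes on the runner; pin a release version and verify a published checksum (`sha256sum -c`) before `tar -xzf`. The job output `bsid: ${{ steps.set-bsid.outputs.bsid }}` refers to a step id `set-bsid` that no step in this hunk declares, so `BSID` in the Test job — and in the Acceptance job added by patch 7/7, whose hunk keeps the same output line — is always empty; a step with `id: set-bsid` that writes `bsid=…` to `$GITHUB_OUTPUT` from `buildSessionId.txt` appears to be missing. `Save workspace` and `Restore workspace` use the floating `actions/cache@v4` while every other action here is pinned to a commit SHA, and the `arm)` case in the `lscpu` switch never matches because `lscpu` reports `aarch64`, leaving `SL_ARCH` empty on arm64 runners. `--repository-url https://github.com/ascerra/ec-cli.git` and `--scmBaseUrl` are hard-coded to a personal fork rather than derived from `${{ github.server_url }}/${{ github.repository }}`, and `--scmVersion “0”` uses curly quotes that are passed literally to slcli.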
Signed-off-by: Adam Scerra --- .github/workflows/ec-cli-sealights.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/ec-cli-sealights.yaml b/.github/workflows/ec-cli-sealights.yaml index 087205429..985e7ed47 100644 --- a/.github/workflows/ec-cli-sealights.yaml +++ b/.github/workflows/ec-cli-sealights.yaml @@ -99,8 +99,6 @@ jobs: if: env.on-event == 'pull_request' run: | echo "[Sealights] Configuring SeaLights to scan the pull request branch" - echo "Latest commit sha: \"${LATEST_COMMIT_SHA}\"" - echo "PR Number: \"${PULL_REQUEST_NUMBER}\"" ./slcli config create-pr-bsid --app ec-cli --target-branch "main" --pull-request-number ${PULL_REQUEST_NUMBER} --latest-commit ${LATEST_COMMIT_SHA} --repository-url https://github.com/ascerra/ec-cli.git env: PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }} From b7e935b98190f38efc991b2bb263a7850c41444d Mon Sep 17 00:00:00 2001 From: Adam Scerra Date: Tue, 18 Mar 2025 18:20:28 -0400 Subject: [PATCH 4/7] fix Signed-off-by: Adam Scerra --- .github/workflows/ec-cli-sealights.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ec-cli-sealights.yaml b/.github/workflows/ec-cli-sealights.yaml index 985e7ed47..609ac034c 100644 --- a/.github/workflows/ec-cli-sealights.yaml +++ b/.github/workflows/ec-cli-sealights.yaml @@ -99,6 +99,8 @@ jobs: if: env.on-event == 'pull_request' run: | echo "[Sealights] Configuring SeaLights to scan the pull request branch" + echo "Latest commit sha: ${LATEST_COMMIT_SHA}" + echo "PR Number: ${PULL_REQUEST_NUMBER}" ./slcli config create-pr-bsid --app ec-cli --target-branch "main" --pull-request-number ${PULL_REQUEST_NUMBER} --latest-commit ${LATEST_COMMIT_SHA} --repository-url https://github.com/ascerra/ec-cli.git env: PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }} 
@@ -108,7 +110,7 @@ jobs: if: env.on-event == 'push' run: | echo "[Sealights] Configuring SeaLights to scan the main branch after pull request was closed" - ./slcli config create-bsid --app ec-cli --branch main --build ${LATEST_COMMIT_SHA}" + ./slcli config create-bsid --app ec-cli --branch main --build ${LATEST_COMMIT_SHA} - name: Run the SeaLights scan run: | From 5e06df45d760422487f716d3bad2213c609d7ea1 Mon Sep 17 00:00:00 2001 From: Adam Scerra Date: Tue, 18 Mar 2025 20:51:48 -0400 Subject: [PATCH 5/7] update build name Signed-off-by: Adam Scerra --- .github/workflows/ec-cli-sealights.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ec-cli-sealights.yaml b/.github/workflows/ec-cli-sealights.yaml index 609ac034c..61b52d4a9 100644 --- a/.github/workflows/ec-cli-sealights.yaml +++ b/.github/workflows/ec-cli-sealights.yaml @@ -111,6 +111,8 @@ jobs: run: | echo "[Sealights] Configuring SeaLights to scan the main branch after pull request was closed" ./slcli config create-bsid --app ec-cli --branch main --build ${LATEST_COMMIT_SHA} + env: + LATEST_COMMIT_SHA: ${{ github.sha }} - name: Run the SeaLights scan run: | From 32e753554c2ad86da0fe5f9b3610a567863dd336 Mon Sep 17 00:00:00 2001 From: Adam Scerra Date: Tue, 18 Mar 2025 21:09:51 -0400 Subject: [PATCH 6/7] test code change Signed-off-by: Adam Scerra --- internal/rego/oci/oci.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/rego/oci/oci.go b/internal/rego/oci/oci.go index b11af5a82..23b118eee 100644 --- a/internal/rego/oci/oci.go +++ b/internal/rego/oci/oci.go @@ -265,7 +265,7 @@ func ociBlob(bctx rego.BuiltinContext, a *ast.Term) (*ast.Term, error) { logger.WithFields(log.Fields{ "action": "fetch layer", "error": err, - }).Error("failed to fetch OCI layer") + }).Error("change to test") return nil, nil } From df4de0f8d91551e6c7e79f309567f5530689c3cf Mon Sep 17 00:00:00 2001 
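Review bot: `--branch main` is hard-coded in `create-bsid` although the workflow's push trigger also fires for `release-*` branches, so a push to a release branch is registered against `main`; use the runner-provided ref name instead, `./slcli config create-bsid --app ec-cli --branch "${GITHUB_REF_NAME}" --build "${LATEST_COMMIT_SHA}"`. Quoting the expansions also stops an unexpectedly empty value from silently shifting the remaining arguments. The pull-request step's `--target-branch "main"` has the same hard-coding and could use `${{ github.base_ref }}` passed through `env`.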
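Review bot: Replacing the error log text with `"change to test"` removes the only description of what failed at this call site, and since the `return nil, nil` below it swallows `err`, this log line is the sole signal that the layer fetch failed; if the edit exists only to exercise the coverage pipeline it should not land (patch 7/7 in this series restores the original message). `ociBlob` starts outside the hunk.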
From: Adam Scerra Date: Mon, 24 Mar 2025 12:04:54 -0400 Subject: [PATCH 7/7] cceptance tests Signed-off-by: Adam Scerra --- .github/workflows/ec-cli-sealights.yaml | 62 +++++++++---------------- Makefile | 5 +- internal/rego/oci/oci.go | 2 +- 3 files changed, 27 insertions(+), 42 deletions(-) diff --git a/.github/workflows/ec-cli-sealights.yaml b/.github/workflows/ec-cli-sealights.yaml index 61b52d4a9..a20a4ff62 100644 --- a/.github/workflows/ec-cli-sealights.yaml +++ b/.github/workflows/ec-cli-sealights.yaml @@ -39,6 +39,8 @@ jobs: Initialize: runs-on: ubuntu-latest + env: + SEALIGHTS_LOG_LEVEL: none outputs: bsid: ${{ steps.set-bsid.outputs.bsid }} steps: 
@@ -148,48 +150,30 @@ jobs: egress-policy: audit disable-telemetry: true - # - name: Write SeaLights token into file - # run: echo "${SEALIGHTS_AGENT_TOKEN}" > sltoken.txt - # env: - # SEALIGHTS_AGENT_TOKEN: '${{secrets.SEALIGHTS_AGENT_TOKEN}}' - - name: Generate run: make generate - name: Test run: make test - # - name: clean all SeaLights secret stuff - # run: | - # echo "[Sealights] Cleaning up after SeaLights run" - # rm sltoken.txt buildSessionId.txt - - # Acceptance: - # runs-on: ubuntu-latest - # needs: Initialize - # env: - # BSID: ${{ needs.Initialize.outputs.bsid }} - # steps: - # - name: Restore workspace - # uses: actions/cache@v4 - # with: - # path: ${{ github.workspace }} - # key: workspace-${{ github.run_id }} - - # - name: Update podman - # run: | - # "${GITHUB_WORKSPACE}/hack/ubuntu-podman-update.sh" - - # - name: Acceptance test - # run: make acceptance - - # - name: clean all SeaLights secret stuff - # run: | - # echo "[Sealights] Cleaning up after SeaLights run" - # rm sltoken.txt buildSessionId.txt - - # - name: Upload coverage report - # uses: codecov/codecov-action@0565863a31f2c772f9f0395002a31e3f06189574 # v5.4.0 - # with: - # files: ./coverage-acceptance.out - # flags: acceptance + Acceptance: + runs-on: ubuntu-latest + needs: Initialize + env: + BSID: ${{ needs.Initialize.outputs.bsid }} + SEALIGHTS_LOG_LEVEL: none + steps: + - name: Restore workspace + uses: actions/cache@v4 + with: + path: ${{ github.workspace }} + key: workspace-${{ github.run_id }} + + - name: Update podman + run: | + "${GITHUB_WORKSPACE}/hack/ubuntu-podman-update.sh" + + - name: Acceptance test + run: make acceptance + + \ No newline at end of file diff --git a/Makefile b/Makefile index 2451e139f..311d233e1 100644 --- a/Makefile +++ b/Makefile 
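Review bot: The new `Acceptance` job restores the build with `actions/cache@v4` but without `fail-on-cache-miss: true`, so a miss leaves an empty workspace and surfaces later as a confusing `make acceptance` failure rather than at the restore step; `actions/cache` is also the only action in the file not pinned to a commit SHA. Unlike `Test`, the job has no `Harden Runner` step, and in `Test` that step sits after `Restore workspace` rather than first, where it needs to be to observe the whole job. Dropping the commented-out codecov upload means `coverage-acceptance.out`, which the Makefile still produces, is no longer published; if that is intended, the commit message should say so. The file now ends with two added blank lines and `\ No newline at end of file`.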
@@ -113,11 +113,12 @@ acceptance: ## Run all acceptance tests trap cleanup EXIT; \ cp -R . "$$ACCEPTANCE_WORKDIR"; \ cd "$$ACCEPTANCE_WORKDIR" && \ - go run acceptance/coverage/coverage.go && \ $(MAKE) build && \ export COVERAGE_FILEPATH="$$ACCEPTANCE_WORKDIR"; \ export COVERAGE_FILENAME="-acceptance"; \ - cd acceptance && go test -coverprofile "$$ACCEPTANCE_WORKDIR/coverage-acceptance.out" -timeout $(ACCEPTANCE_TIMEOUT) ./... && \ + export SEALIGHTS_LOG_LEVEL="none"; \ + echo "[Debug] SEALIGHTS_LOG_LEVEL=$${SEALIGHTS_LOG_LEVEL}"; \ + cd acceptance && SEALIGHTS_LOG_LEVEL=none go test -coverprofile "$$ACCEPTANCE_WORKDIR/coverage-acceptance.out" -timeout $(ACCEPTANCE_TIMEOUT) ./... && \ go run -modfile "$$ACCEPTANCE_WORKDIR/tools/go.mod" github.com/wadey/gocovmerge "$$ACCEPTANCE_WORKDIR/coverage-acceptance.out" > "$(ROOT_DIR)/coverage-acceptance.out" # Add @focus above the feature you're hacking on to use this diff --git a/internal/rego/oci/oci.go b/internal/rego/oci/oci.go index 23b118eee..b11af5a82 100644 --- a/internal/rego/oci/oci.go +++ b/internal/rego/oci/oci.go @@ -265,7 +265,7 @@ func ociBlob(bctx rego.BuiltinContext, a *ast.Term) (*ast.Term, error) { logger.WithFields(log.Fields{ "action": "fetch layer", "error": err, - }).Error("change to test") + }).Error("failed to fetch OCI layer") return nil, nil }
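Review bot: `SEALIGHTS_LOG_LEVEL` is set three ways in one recipe — `export SEALIGHTS_LOG_LEVEL="none"`, a `[Debug]` echo, and an inline `SEALIGHTS_LOG_LEVEL=none` prefix on `go test` — and the inline prefix is redundant once the variable is exported; keep the `export` (it also covers the following `gocovmerge` step) and remove the debug echo before merge. The deletion of `go run acceptance/coverage/coverage.go` is not explained in the commit message; if that program prepared inputs for `coverage-acceptance.out`, the unchanged `gocovmerge` line that still reads that file may now see a missing or empty file — worth confirming.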