Clean run

.github/workflows/ec-cli-sealights.yaml

@@ -0,0 +1,308 @@
+# Copyright The Enterprise Contract Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
+name: Sealights
+
+"on":
+  pull_request:
+    branches:
+      - main
+      - release-*
+  push:
+    branches:
+      - main
+      - release-*
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ (github.event_name == 'pull_request' && github.event.pull_request.number) || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+
+  Initialize:
+    runs-on: ubuntu-latest
+    env:
+      SEALIGHTS_LOG_LEVEL: none
+      ACTIONS_STEP_DEBUG: true
+    outputs:
+      bsid: ${{ steps.set-bsid.outputs.bsid }}
+    steps:
+      - name: Determine workflow run event context
+        run: echo "on-event=${{ github.event_name }}" >> $GITHUB_ENV
+
+      - name: Handle invalid context for pull requests
+        if: ${{ env.on-event == 'pull_request' && (!github.event.pull_request.head.sha || !github.event.pull_request.number) }}
+        run: |
+          echo "Invalid context for this workflow run. Exiting."
+          exit 1
+
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          # Needed in hack/derive-version.sh
+          fetch-depth: 0
+
+      - name: Restore Cache
+        uses: actions/cache/restore@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+        with:
+          key: main
+          path: '**'
+
+      - name: Setup Go environment
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        with:
+          go-version-file: go.mod
+          cache: false
+
+      - name: Check go versions
+        uses: enterprise-contract/github-workflows/golang-version-check@main
+
+      - name: Download SeaLights Go agent and CLI tool
+        run: |
+          echo "[Sealights] Downloading Sealights Golang & CLI Agents..."
+          case $(lscpu | awk '/Architecture:/{print $2}') in
+            x86_64) SL_ARCH="linux-amd64";;
+            arm) SL_ARCH="linux-arm64";;
+          esac
+          wget -nv -O sealights-go-agent.tar.gz https://agents.sealights.co/slgoagent/latest/slgoagent-$SL_ARCH.tar.gz
+          wget -nv -O sealights-slcli.tar.gz https://agents.sealights.co/slcli/latest/slcli-$SL_ARCH.tar.gz
+          tar -xzf ./sealights-go-agent.tar.gz && tar -xzf ./sealights-slcli.tar.gz
+          rm -f ./sealights-go-agent.tar.gz ./sealights-slcli.tar.gz
+          ./slgoagent -v 2> /dev/null | grep version && ./slcli -v 2> /dev/null | grep version
+
+      - name: Write SeaLights token into file
+        run: echo "${SEALIGHTS_AGENT_TOKEN}" > sltoken.txt
+        env:
+          SEALIGHTS_AGENT_TOKEN: '${{secrets.SEALIGHTS_AGENT_TOKEN}}'
+
+      - name: Initiating the SeaLights agent
+        run: |
+          echo "[Sealights] Initiating the SeaLights agent to Golang and handing it the token"
+          ./slcli config init --lang go --token ./sltoken.txt
+
+      - name: Configuring SeaLights - on pull_request event
+        if: env.on-event == 'pull_request'
+        run: |
+          echo "[Sealights] Configuring SeaLights to scan the pull request branch"
+          echo "Latest commit sha: ${LATEST_COMMIT_SHA}"
+          echo "PR Number: ${PULL_REQUEST_NUMBER}"
+          ./slcli config create-pr-bsid --app ec-cli --target-branch "main" --pull-request-number ${PULL_REQUEST_NUMBER} --latest-commit ${LATEST_COMMIT_SHA} --repository-url https://github.com/ascerra/ec-cli.git
+        env:
+          PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
+          LATEST_COMMIT_SHA: ${{github.event.pull_request.head.sha}}
+
+      - name: Configuring SeaLights - on push event
+        if: env.on-event == 'push'
+        run: |
+          echo "[Sealights] Configuring SeaLights to scan the main branch after pull request was closed"
+          ./slcli config create-bsid --app ec-cli --branch main --build ${LATEST_COMMIT_SHA}
+        env:
+          LATEST_COMMIT_SHA: ${{ github.sha }}
+
+      - name: Run the SeaLights scan
+        run: |
+          echo "[Sealights] Running the SeaLights scan"
+          ./slcli scan --bsid buildSessionId.txt  --path-to-scanner ./slgoagent --workspacepath ./ --scm git --scmBaseUrl https://github.com/ascerra/ec-cli.git --scmVersion “0” --scmProvider github
+
+      - name: Update podman
+        run: |
+          "${GITHUB_WORKSPACE}/hack/ubuntu-podman-update.sh"
+
+      - name: Acceptance test
+        run: make acceptance
+
+      # - name: Upload Sealights acceptance test data
+      #   run: ./slcli test upload-reports --bsid buildSessionId.txt
+
+      - name: clean all SeaLights secret stuff
+        run: |
+          echo "[Sealights] Cleaning up after SeaLights run"
+          rm sltoken.txt
+
+      # - name: Save workspace
+      #   uses: actions/cache@v4
+      #   with:
+      #     path: ${{ github.workspace }}
+      #     key: workspace-${{ github.run_id }}
+
+  # Test:
+  #   runs-on: ubuntu-latest
+  #   needs: Initialize
+  #   env:
+  #     BSID: ${{ needs.Initialize.outputs.bsid }}
+  #   steps:          
+  #     - name: Restore workspace
+  #       uses: actions/cache@v4
+  #       with:
+  #         path: ${{ github.workspace }}
+  #         key: workspace-${{ github.run_id }}
+
+  #     - name: Harden Runner
+  #       uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+  #       with:
+  #         egress-policy: audit
+  #         disable-telemetry: true
+
+  #     # - name: Write SeaLights token into file
+  #     #   run: echo "${SEALIGHTS_AGENT_TOKEN}" > sltoken.txt
+  #     #   env:
+  #     #     SEALIGHTS_AGENT_TOKEN: '${{secrets.SEALIGHTS_AGENT_TOKEN}}'
+
+  #     - name: Generate
+  #       run: make generate
+
+  #     - name: Test
+  #       run: make test
+
+      # - name: clean all SeaLights secret stuff
+      #   run: |
+      #     echo "[Sealights] Cleaning up after SeaLights run"
+      #     rm sltoken.txt buildSessionId.txt
+
+  # Acceptance:
+  #   runs-on: ubuntu-latest
+  #   steps:
+  #     # Disabled until we figure out the "Could not resolve host: github.com" in
+  #     # acceptance tests
+  #     # - name: Harden Runner
+  #     #   uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+  #     #   with:
+  #     #     egress-policy: audit
+  #     #     disable-telemetry: true
+  #     - name: Determine workflow run event context
+  #       run: echo "on-event=${{ github.event_name }}" >> $GITHUB_ENV
+
+  #     - name: Handle invalid context for pull requests
+  #       if: ${{ env.on-event == 'pull_request' && (!github.event.pull_request.head.sha || !github.event.pull_request.number) }}
+  #       run: |
+  #         echo "Invalid context for this workflow run. Exiting."
+  #         exit 1
+
+  #     - name: Checkout repository
+  #       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+  #     - name: Restore Cache
+  #       uses: actions/cache/restore@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+  #       with:
+  #         key: main
+  #         path: '**'
+
+  #     - name: Setup Go environment
+  #       uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+  #       with:
+  #         go-version-file: go.mod
+  #         cache: false
+
+  #     - name: Update podman
+  #       run: |
+  #         "${GITHUB_WORKSPACE}/hack/ubuntu-podman-update.sh"
+
+  #     - name: Download SeaLights Go agent and CLI tool
+  #       run: |
+  #         echo "[Sealights] Downloading Sealights Golang & CLI Agents..."
+  #         case $(lscpu | awk '/Architecture:/{print $2}') in
+  #           x86_64) SL_ARCH="linux-amd64";;
+  #           arm) SL_ARCH="linux-arm64";;
+  #         esac
+  #         wget -nv -O sealights-go-agent.tar.gz https://agents.sealights.co/slgoagent/latest/slgoagent-$SL_ARCH.tar.gz
+  #         wget -nv -O sealights-slcli.tar.gz https://agents.sealights.co/slcli/latest/slcli-$SL_ARCH.tar.gz
+  #         tar -xzf ./sealights-go-agent.tar.gz && tar -xzf ./sealights-slcli.tar.gz
+  #         rm -f ./sealights-go-agent.tar.gz ./sealights-slcli.tar.gz
+  #         ./slgoagent -v 2> /dev/null | grep version && ./slcli -v 2> /dev/null | grep version
+
+  #     - name: Write SeaLights token into file
+  #       run: echo "${SEALIGHTS_AGENT_TOKEN}" > sltoken.txt
+  #       env:
+  #         SEALIGHTS_AGENT_TOKEN: '${{secrets.SEALIGHTS_AGENT_TOKEN}}'
+
+  #     - name: Initiating the SeaLights agent
+  #       run: |
+  #         echo "[Sealights] Initiating the SeaLights agent to Golang and handing it the token"
+  #         ./slcli config init --lang go --token ./sltoken.txt
+
+  #     - name: Configuring SeaLights - on pull_request event
+  #       if: env.on-event == 'pull_request'
+  #       run: |
+  #         echo "[Sealights] Configuring SeaLights to scan the pull request branch"
+  #         echo "Latest commit sha: ${LATEST_COMMIT_SHA}"
+  #         echo "PR Number: ${PULL_REQUEST_NUMBER}"
+  #         ./slcli config create-pr-bsid --app ec-cli --target-branch "main" --pull-request-number ${PULL_REQUEST_NUMBER} --latest-commit ${LATEST_COMMIT_SHA} --repository-url https://github.com/ascerra/ec-cli.git
+  #       env:
+  #         PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
+  #         LATEST_COMMIT_SHA: ${{github.event.pull_request.head.sha}}
+
+  #     - name: Configuring SeaLights - on push event
+  #       if: env.on-event == 'push'
+  #       run: |
+  #         echo "[Sealights] Configuring SeaLights to scan the main branch after pull request was closed"
+  #         ./slcli config create-bsid --app ec-cli --branch main --build ${LATEST_COMMIT_SHA}
+  #       env:
+  #         LATEST_COMMIT_SHA: ${{ github.sha }}
+
+  #     - name: Run the SeaLights scan
+  #       run: |
+  #         echo "[Sealights] Running the SeaLights scan"
+  #         ./slcli scan --bsid buildSessionId.txt  --path-to-scanner ./slgoagent --workspacepath ./ --scm git --scmBaseUrl https://github.com/ascerra/ec-cli.git --scmVersion “0” --scmProvider github
+
+  #     - name: Acceptance test
+  #       run: make acceptance
+
+  #     - name: Upload coverage report
+  #       uses: codecov/codecov-action@0565863a31f2c772f9f0395002a31e3f06189574 # v5.4.0
+  #       with:
+  #         files: ./coverage-acceptance.out
+  #         flags: acceptance
+
+  #     - name: clean all SeaLights secret stuff
+  #       run: |
+  #         echo "[Sealights] Cleaning up after SeaLights run"
+  #         rm sltoken.txt
+
+
+
+  # Acceptance:
+  #   runs-on: ubuntu-latest
+  #   needs: Initialize
+  #   env:
+  #     BSID: ${{ needs.Initialize.outputs.bsid }}
+  #     SEALIGHTS_LOG_LEVEL: none
+  #   steps:
+  #     - name: Restore workspace
+  #       uses: actions/cache@v4
+  #       with:
+  #         path: ${{ github.workspace }}
+  #         key: workspace-${{ github.run_id }}
+
+  #     - name: Update podman
+  #       run: |
+  #         "${GITHUB_WORKSPACE}/hack/ubuntu-podman-update.sh"
+
+  #     - name: Print SEALIGHTS_LOG_LEVEL
+  #       run: |
+  #         echo "SEALIGHTS_LOG_LEVEL=$SEALIGHTS_LOG_LEVEL"
+
+  #     - name: Acceptance test
+  #       run: make acceptance
+
+  #     - name: clean all SeaLights secret stuff
+  #       run: |
+  #         echo "[Sealights] Cleaning up after SeaLights run"
+  #         rm sltoken.txt buildSessionId.txt

Makefile

@@ -46,7 +46,8 @@ generate: ## Code-generate files
 
 .PHONY: $(ALL_SUPPORTED_OS_ARCH)
 $(ALL_SUPPORTED_OS_ARCH): generate ## Build binaries for specific platform/architecture, e.g. make dist/ec_linux_amd64
-	@GOOS=$(word 2,$(subst _, ,$(notdir $@))); \
+	@echo "🔨 Building ec binary for $(notdir $@)..."; \
+	GOOS=$(word 2,$(subst _, ,$(notdir $@))); \
 	GOARCH=$(word 3,$(subst _, ,$(notdir $@))); \
 	GOOS=$${GOOS} GOARCH=$${GOARCH} CGO_ENABLED=0 go build -trimpath -ldflags="-s -w -X github.com/enterprise-contract/ec-cli/internal/version.Version=$(VERSION)" -o dist/ec_$${GOOS}_$${GOARCH}; \
 	sha256sum -b dist/ec_$${GOOS}_$${GOARCH} > dist/ec_$${GOOS}_$${GOARCH}.sha256
@@ -113,13 +114,17 @@ acceptance: ## Run all acceptance tests
 	trap cleanup EXIT; \
 	cp -R . "$$ACCEPTANCE_WORKDIR"; \
 	cd "$$ACCEPTANCE_WORKDIR" && \
-	go run acceptance/coverage/coverage.go && \
 	$(MAKE) build && \
 	export COVERAGE_FILEPATH="$$ACCEPTANCE_WORKDIR"; \
 	export COVERAGE_FILENAME="-acceptance"; \
-	cd acceptance && go test -coverprofile "$$ACCEPTANCE_WORKDIR/coverage-acceptance.out" -timeout $(ACCEPTANCE_TIMEOUT) ./... && \
+	export SEALIGHTS_LOG_LEVEL="none"; \
+	echo "[Debug] SEALIGHTS_LOG_LEVEL=$${SEALIGHTS_LOG_LEVEL}"; \
+	cd acceptance && SEALIGHTS_LOG_LEVEL=none go test -coverprofile "$$ACCEPTANCE_WORKDIR/coverage-acceptance.out" -timeout $(ACCEPTANCE_TIMEOUT) ./... && \
 	go run -modfile "$$ACCEPTANCE_WORKDIR/tools/go.mod" github.com/wadey/gocovmerge "$$ACCEPTANCE_WORKDIR/coverage-acceptance.out" > "$(ROOT_DIR)/coverage-acceptance.out"
 
+
+
+
 # Add @focus above the feature you're hacking on to use this
 # (Mainly for use with the feature-% target below)
 .PHONY: focus-acceptance