CASMINST-6279: redesign build-sign-scan action

Author: mtupitsyn

.github/workflows/build-sign-scan.yaml

@@ -0,0 +1,149 @@
+#
+# MIT License
+#
+# (C) Copyright 2025 Hewlett Packard Enterprise Development LP
+#
+# Permission is hereby granted, free of charge, to any person obtaining a
+# copy of this software and associated documentation files (the "Software"),
+# to deal in the Software without restriction, including without limitation
+# the rights to use, copy, modify, merge, publish, distribute, sublicense,
+# and/or sell copies of the Software, and to permit persons to whom the
+# Software is furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included
+# in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+# OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+# ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+# OTHER DEALINGS IN THE SOFTWARE.
+#
+name: Test build-sign-scan reusable workflow
+
+on:
+  push:
+    paths:
+      - .github/workflows/test-build-sign-scan.yaml
+      - build-sign-scan/**
+  workflow_dispatch:
+
+jobs:
+  test-docker-build-local:
+    uses: ./.github/workflows/build-sign-scan.yaml
+    with:
+      context_path: build-sign-scan/tests/alpine
+      docker_tag: artifactory.algol60.net/csm-docker-backup/unstable/test-build-sign-scan:test-docker-build-local-1
+      docker_additional_tags: |
+        artifactory.algol60.net/csm-docker-backup/unstable/test-build-sign-scan:test-docker-build-local-2
+      docker_push: false
+      snyk: false
+      sign: false
+
+  test-docker-build-single-platform:
+    uses: ./.github/workflows/build-sign-scan.yaml
+    with:
+      context_path: build-sign-scan/tests/alpine
+      docker_tag: artifactory.algol60.net/csm-docker-backup/unstable/test-build-sign-scan:test-docker-build-single-platform-1
+      docker_additional_tags: |
+        artifactory.algol60.net/csm-docker-backup/unstable/test-build-sign-scan:test-docker-build-single-platform-2
+      snyk: false
+      sign: false
+    secrets: inherit
+
+  test-docker-build-multi-platform:
+    uses: ./.github/workflows/build-sign-scan.yaml
+    with:
+      context_path: build-sign-scan/tests/alpine
+      docker_tag: artifactory.algol60.net/csm-docker-backup/unstable/test-build-sign-scan:test-docker-build-multi-platform-1
+      docker_build_platforms: linux/amd64,linux/arm64
+      docker_additional_tags: |
+        artifactory.algol60.net/csm-docker-backup/unstable/test-build-sign-scan:test-docker-build-multi-platform-2
+      snyk: false
+      sign: false
+    secrets: inherit
+
+  test-docker-build-secrets:
+    uses: ./.github/workflows/build-sign-scan.yaml
+    with:
+      context_path: build-sign-scan/tests/sles
+      docker_tag: artifactory.algol60.net/csm-docker-backup/unstable/test-build-sign-scan:test-docker-build-secrets-1
+      docker_build_platforms: linux/amd64,linux/arm64
+      docker_additional_tags: |
+        artifactory.algol60.net/csm-docker-backup/unstable/test-build-sign-scan:test-docker-build-secrets-2
+      snyk: false
+      sign: false
+    secrets:
+      docker_username: ${{ secrets.ARTIFACTORY_ALGOL60_USERNAME }}
+      docker_password: ${{ secrets.ARTIFACTORY_ALGOL60_TOKEN }}
+      docker_secrets: |
+        SLES_REPO_USERNAME=${{ secrets.ARTIFACTORY_ALGOL60_READONLY_USERNAME }}
+        SLES_REPO_PASSWORD=${{ secrets.ARTIFACTORY_ALGOL60_READONLY_TOKEN }}
+      gcp_workload_identity_provider: ${{ secrets.COSIGN_GCP_WORKLOAD_IDENTITY_PROVIDER_RSA }}
+      gcp_service_account: ${{ secrets.COSIGN_GCP_SERVICE_ACCOUNT_RSA }}
+      gcp_cosign_key: ${{ secrets.COSIGN_KEY_RSA }}
+      snyk_token: ${{ secrets.SNYK_TOKEN }}
+
+  test-docker-build-google:
+    uses: ./.github/workflows/build-sign-scan.yaml
+    with:
+      context_path: build-sign-scan/tests/alpine
+      docker_login: false
+      docker_oidc: true
+      docker_tag: us-docker.pkg.dev/hpe-stage-csm-release/csm-docker/unstable/test-build-sign-scan:test-docker-build-google-1
+      docker_build_platforms: linux/amd64,linux/arm64
+      docker_additional_tags: |
+        us-docker.pkg.dev/hpe-stage-csm-release/csm-docker/unstable/test-build-sign-scan:test-docker-build-google-2
+      snyk: false
+      sign: false
+    secrets: inherit
+
+  test-makefile-local:
+    uses: ./.github/workflows/build-sign-scan.yaml
+    with:
+      context_path: build-sign-scan/tests/alpine
+      make_target: local
+      docker_login: false
+      env: |
+        VERSION=test-makefile-local-1
+      docker_additional_tags: |
+        artifactory.algol60.net/csm-docker-backup/unstable/test-build-sign-scan:test-makefile-local-2
+      snyk: false
+      sign: false
+
+  test-makefile-single-platform:
+    uses: ./.github/workflows/build-sign-scan.yaml
+    with:
+      context_path: build-sign-scan/tests/alpine
+      make_target: unstable
+      env: |
+        VERSION=test-makefile-single-platform-1
+      docker_additional_tags: |
+        artifactory.algol60.net/csm-docker-backup/unstable/test-build-sign-scan:test-makefile-single-platform-2
+      snyk: false
+      sign: false
+    secrets: inherit
+
+  review:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+
+    needs:
+    - test-docker-build-local
+    - test-docker-build-single-platform
+    - test-docker-build-multi-platform
+    - test-docker-build-google
+    - test-makefile-local
+    - test-makefile-single-platform
+
+    steps:
+      - name: Dump needs context
+        env:
+          NEEDS_CONTEXT: ${{ toJSON(needs) }}
+        run: |
+          echo "$NEEDS_CONTEXT" > outputs.json