CASMINST-6279: redesign build-sign-scan action

Author: mtupitsyn

.github/workflows/build-sign-scan.yaml

@@ -0,0 +1,231 @@
+#
+# MIT License
+#
+# (C) Copyright 2025 Hewlett Packard Enterprise Development LP
+#
+# Permission is hereby granted, free of charge, to any person obtaining a
+# copy of this software and associated documentation files (the "Software"),
+# to deal in the Software without restriction, including without limitation
+# the rights to use, copy, modify, merge, publish, distribute, sublicense,
+# and/or sell copies of the Software, and to permit persons to whom the
+# Software is furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included
+# in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+# OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+# ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+# OTHER DEALINGS IN THE SOFTWARE.
+#
+name: Test build-sign-scan reusable workflow
+
+on:
+  push:
+    paths:
+      - .github/workflows/test-build-sign-scan.yaml
+      - build-sign-scan/**
+  workflow_dispatch:
+
+jobs:
+  test-docker-build-local:
+    uses: ./.github/workflows/build-sign-scan.yaml
+    with:
+      context_path: build-sign-scan/tests/alpine
+      docker_tag: artifactory.algol60.net/csm-docker-backup/unstable/test-build-sign-scan:test-docker-build-local-1
+      docker_additional_tags: |
+        artifactory.algol60.net/csm-docker-backup/unstable/test-build-sign-scan:test-docker-build-local-2
+      docker_push: false
+      snyk: false
+      sign: false
+
+  test-docker-build-single-platform:
+    uses: ./.github/workflows/build-sign-scan.yaml
+    with:
+      context_path: build-sign-scan/tests/alpine
+      docker_tag: artifactory.algol60.net/csm-docker-backup/unstable/test-build-sign-scan:test-docker-build-single-platform-1
+      docker_additional_tags: |
+        artifactory.algol60.net/csm-docker-backup/unstable/test-build-sign-scan:test-docker-build-single-platform-2
+      snyk: true
+      sign: true
+    secrets: inherit
+
+  test-docker-build-multi-platform:
+    uses: ./.github/workflows/build-sign-scan.yaml
+    with:
+      context_path: build-sign-scan/tests/alpine
+      docker_tag: artifactory.algol60.net/csm-docker-backup/unstable/test-build-sign-scan:test-docker-build-multi-platform-1
+      docker_build_platforms: linux/amd64,linux/arm64
+      docker_additional_tags: |
+        artifactory.algol60.net/csm-docker-backup/unstable/test-build-sign-scan:test-docker-build-multi-platform-2
+      snyk: true
+      sign: true
+    secrets: inherit
+
+  test-docker-build-secrets:
+    uses: ./.github/workflows/build-sign-scan.yaml
+    with:
+      context_path: build-sign-scan/tests/sles
+      docker_tag: artifactory.algol60.net/csm-docker-backup/unstable/test-build-sign-scan:test-docker-build-secrets-1
+      docker_build_platforms: linux/amd64,linux/arm64
+      docker_additional_tags: |
+        artifactory.algol60.net/csm-docker-backup/unstable/test-build-sign-scan:test-docker-build-secrets-2
+      snyk: false
+      sign: false
+    secrets:
+      docker_username: ${{ secrets.ARTIFACTORY_ALGOL60_USERNAME }}
+      docker_password: ${{ secrets.ARTIFACTORY_ALGOL60_TOKEN }}
+      docker_secrets: |
+        SLES_REPO_USERNAME=${{ secrets.ARTIFACTORY_ALGOL60_READONLY_USERNAME }}
+        SLES_REPO_PASSWORD=${{ secrets.ARTIFACTORY_ALGOL60_READONLY_TOKEN }}
+      gcp_workload_identity_provider: ${{ secrets.COSIGN_GCP_WORKLOAD_IDENTITY_PROVIDER_RSA }}
+      gcp_service_account: ${{ secrets.COSIGN_GCP_SERVICE_ACCOUNT_RSA }}
+      gcp_cosign_key: ${{ secrets.COSIGN_KEY_RSA }}
+      snyk_token: ${{ secrets.SNYK_TOKEN }}
+
+  test-docker-build-google:
+    uses: ./.github/workflows/build-sign-scan.yaml
+    with:
+      context_path: build-sign-scan/tests/alpine
+      docker_login: false
+      docker_oidc: true
+      docker_tag: us-docker.pkg.dev/hpe-stage-csm-release/csm-docker/unstable/test-build-sign-scan:test-docker-build-google-1
+      docker_build_platforms: linux/amd64,linux/arm64
+      docker_additional_tags: |
+        us-docker.pkg.dev/hpe-stage-csm-release/csm-docker/unstable/test-build-sign-scan:test-docker-build-google-2
+      snyk: true
+      sign: true
+    secrets: inherit
+
+  test-makefile-local:
+    uses: ./.github/workflows/build-sign-scan.yaml
+    with:
+      context_path: build-sign-scan/tests/alpine
+      make_target: local
+      docker_login: false
+      env: |
+        VERSION=test-makefile-local-1
+      docker_additional_tags: |
+        artifactory.algol60.net/csm-docker-backup/unstable/test-build-sign-scan:test-makefile-local-2
+      snyk: false
+      sign: false
+
+  test-makefile-single-platform:
+    uses: ./.github/workflows/build-sign-scan.yaml
+    with:
+      context_path: build-sign-scan/tests/alpine
+      make_target: unstable
+      env: |
+        PLATFORM=linux/amd64
+        VERSION=test-makefile-single-platform-1
+      docker_additional_tags: |
+        artifactory.algol60.net/csm-docker-backup/unstable/test-build-sign-scan:test-makefile-single-platform-2
+      snyk: true
+      sign: true
+    secrets: inherit
+
+  test-makefile-multi-platform:
+    uses: ./.github/workflows/build-sign-scan.yaml
+    with:
+      context_path: build-sign-scan/tests/alpine
+      make_target: unstable
+      env: |
+        VERSION=test-makefile-multi-platform-1
+      docker_additional_tags: |
+        artifactory.algol60.net/csm-docker-backup/unstable/test-build-sign-scan:test-makefile-multi-platform-2
+      snyk: true
+      sign: true
+    secrets: inherit
+
+  test-makefile-secrets:
+    uses: ./.github/workflows/build-sign-scan.yaml
+    with:
+      context_path: build-sign-scan/tests/sles
+      make_target: unstable
+      env: |
+        VERSION=test-makefile-secrets-1
+      docker_additional_tags: |
+        artifactory.algol60.net/csm-docker-backup/unstable/test-build-sign-scan:test-makefile-secrets-2
+      snyk: false
+      sign: false
+    secrets:
+      docker_username: ${{ secrets.ARTIFACTORY_ALGOL60_USERNAME }}
+      docker_password: ${{ secrets.ARTIFACTORY_ALGOL60_TOKEN }}
+      docker_secrets: |
+        SLES_REPO_USERNAME=${{ secrets.ARTIFACTORY_ALGOL60_READONLY_USERNAME }}
+        SLES_REPO_PASSWORD=${{ secrets.ARTIFACTORY_ALGOL60_READONLY_TOKEN }}
+      gcp_workload_identity_provider: ${{ secrets.COSIGN_GCP_WORKLOAD_IDENTITY_PROVIDER_RSA }}
+      gcp_service_account: ${{ secrets.COSIGN_GCP_SERVICE_ACCOUNT_RSA }}
+      gcp_cosign_key: ${{ secrets.COSIGN_KEY_RSA }}
+      snyk_token: ${{ secrets.SNYK_TOKEN }}
+
+  test-makefile-google:
+    uses: ./.github/workflows/build-sign-scan.yaml
+    with:
+      context_path: build-sign-scan/tests/alpine
+      make_target: unstable
+      docker_login: false
+      docker_oidc: true
+      env: |
+        REGISTRY=us-docker.pkg.dev/hpe-stage-csm-release/csm-docker/unstable
+        VERSION=test-makefile-google-1
+      docker_additional_tags: |
+        us-docker.pkg.dev/hpe-stage-csm-release/csm-docker/unstable/test-build-sign-scan:test-makefile-google-2
+      snyk: true
+      sign: true
+    secrets: inherit
+
+  review:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+
+    needs:
+    - test-docker-build-local
+    - test-docker-build-single-platform
+    - test-docker-build-multi-platform
+    - test-docker-build-secrets
+    - test-docker-build-google
+    - test-makefile-local
+    - test-makefile-single-platform
+    - test-makefile-multi-platform
+    - test-makefile-secrets
+    - test-makefile-google
+
+    steps:
+      - name: Report Test Results
+        env:
+          NEEDS_CONTEXT: ${{ toJSON(needs) }}
+        run: |
+          function assert() {
+              if [ "${2}" != "${3}" ]; then
+                echo "::error::Test ${test_name}: unexpected ${1}: \"${3}\". Expected values is \"${2}\"."
+                exit_code=$((exit_code+1))
+              fi
+          }
+
+          echo "$NEEDS_CONTEXT" > outputs.json
+          exit_code=0
+          for build_type in docker-build makefile; do
+            for image_type in local single-platform multi-platform secrets google; do
+              test_name="test-${build_type}-${image_type}"
+
+              # Test built tags
+              image_name=artifactory.algol60.net/csm-docker-backup/unstable/test-build-sign-scan
+              test "${image_type}" == google && image_name=us-docker.pkg.dev/hpe-stage-csm-release/csm-docker/unstable/test-build-sign-scan
+              tags=$(jq -r ".\"${test_name}\".outputs.image_tags" outputs.json | tr ',' '\n' | sort  | tr '\n' ',' | sed -e 's/,$//')
+              assert tags "${tags}" "${image_name}:${test_name}-1,${image_name}:${test_name}-2" ]
+
+              # Test built platforms
+              platforms=$(jq -r ".\"${test_name}\".outputs.image_platforms" outputs.json)
+              test "${image_type}" == single && assert platforms "${platforms}" '[]"linux/amd64"]'
+              test "${image_type}" != local -a "${image_type}" != local && assert platforms "${platforms}" '["linux/amd64","linux/arm64"]'
+            done
+          done
+          exit $exit_code
+        shell: bash