Handle unauthorized files / dirs for cleanup #2379
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Verify snapshot of test scan | |
env: | |
CD_DETECTOR_EXPERIMENTS: 1 | |
PipReportSkipFallbackOnFailure: "true" | |
PIP_INDEX_URL: "https://pypi.python.org/simple" | |
on: [pull_request] | |
permissions: | |
contents: read | |
jobs: | |
verify: | |
runs-on: ${{ matrix.os }} | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ubuntu-latest, windows-latest, macos-latest] | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Make release snapshot output directory | |
run: mkdir ${{ github.workspace }}/release-output | |
- name: Get latest release snapshot download url | |
id: download-latest-release-snapshot | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7 | |
with: | |
result-encoding: string | |
script: | | |
const res = await github.paginate( | |
github.rest.actions.listArtifactsForRepo.endpoint.merge({ | |
owner: 'microsoft', | |
repo: 'component-detection', | |
}) | |
); | |
return res | |
.filter( | |
(artifact) => artifact.name === 'release-snapshot-output-${{ matrix.os }}' | |
) | |
.sort((a, b) => new Date(b.updated_at) - new Date(a.updated_at))[0] | |
.archive_download_url; | |
- name: Download latest release snapshot | |
working-directory: ${{ github.workspace }}/release-output | |
run: | | |
curl -v -L -u octocat:${{ secrets.GITHUB_TOKEN }} -o output.zip "${{ steps.download-latest-release-snapshot.outputs.result }}" | |
unzip output.zip | |
rm output.zip | |
- name: Setup .NET Core | |
uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0 | |
- name: Setup Python | |
uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5 | |
with: | |
python-version: '3.10' | |
- run: dotnet restore | |
- name: Install Apache Ivy | |
if: ${{ matrix.os == 'ubuntu-latest' }} | |
run: curl https://downloads.apache.org/ant/ivy/2.5.2/apache-ivy-2.5.2-bin.tar.gz | tar xOz apache-ivy-2.5.2/ivy-2.5.2.jar > /usr/share/ant/lib/ivy.jar | |
- name: Install Apache Ivy | |
if: ${{ matrix.os == 'windows-latest' }} | |
shell: bash | |
run: curl https://downloads.apache.org/ant/ivy/2.5.2/apache-ivy-2.5.2-bin.tar.gz | tar xOz apache-ivy-2.5.2/ivy-2.5.2.jar > "$ANT_HOME/lib/ivy.jar" | |
- name: Install Apache Ivy | |
if: ${{ matrix.os == 'macos-latest' }} | |
run: brew install ivy | |
- name: Make output directory | |
run: mkdir ${{ github.workspace }}/output | |
- name: LinuxDetection warning | |
if: >- | |
${{ | |
matrix.os == 'macos-latest' || | |
matrix.os == 'windows-latest' | |
}} | |
run: echo "Linux detection is not supported on ${{ matrix.os }}. Please rely on ubuntu run for LinuxDetection." | |
- name: Scan verification repo | |
working-directory: src/Microsoft.ComponentDetection | |
run: | |
dotnet run scan --Verbosity Verbose --SourceDirectory ${{ github.workspace }}/test/Microsoft.ComponentDetection.VerificationTests/resources --Output ${{ github.workspace }}/output | |
--DockerImagesToScan "docker.io/library/debian@sha256:9b0e3056b8cd8630271825665a0613cc27829d6a24906dc0122b3b4834312f7d,mcr.microsoft.com/cbl-mariner/base/core@sha256:c1bc83a3d385eccbb2f7f7da43a726c697e22a996f693a407c35ac7b4387cd59,docker.io/library/alpine@sha256:1304f174557314a7ed9eddb4eab12fed12cb0cd9809e4c28f29af86979a3c870" | |
--DetectorArgs DockerReference=EnableIfDefaultOff,SPDX22SBOM=EnableIfDefaultOff --MaxDetectionThreads 5 | |
- name: Run Verification Tests | |
working-directory: test/Microsoft.ComponentDetection.VerificationTests | |
run: dotnet test | |
env: | |
GITHUB_OLD_ARTIFACTS_DIR: ${{ github.workspace }}/release-output | |
GITHUB_NEW_ARTIFACTS_DIR: ${{ github.workspace }}/output | |
ALLOWED_TIME_DRIFT_RATIO: ".75" | |
- name: Upload logs | |
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
if: ${{ !cancelled() }} | |
with: | |
name: verify-snapshot-output-${{ matrix.os }} | |
path: ${{ github.workspace }}/output |