diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 938cd74..3252082 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -46,14 +46,11 @@ jobs: - uses: 'actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a' # ratchet:actions/setup-node@v4 with: - node-version: '20.x' + node-version-file: 'package.json' - name: 'npm build' run: 'npm ci && npm run build' - - name: 'npm lint' - run: 'npm run lint' - - uses: 'google-github-actions/auth@v2' # ratchet:exclude with: workload_identity_provider: 'projects/251902844862/locations/global/workloadIdentityPools/github/providers/my-repo' @@ -66,6 +63,7 @@ jobs: permissions: contents: 'read' id-token: 'write' + runs-on: 'ubuntu-latest' env: @@ -76,7 +74,7 @@ jobs: - uses: 'actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a' # ratchet:actions/setup-node@v4 with: - node-version: '20.x' + node-version-file: 'package.json' - name: 'npm build' run: 'npm ci && npm run build' @@ -98,14 +96,17 @@ jobs: ignore_violations: 'false' fail_silently: 'false' scan_timeout: '1m' + - name: 'Check scan result and compare sarif report generated.' - run: | - report_expected="tests/resources/sarif.json" - report_generated="${{ steps.violations-found.outputs.iac_scan_result_sarif_path }}" - if cmp -s "$report_expected" "$report_generated"; then + env: + REPORT_GENERATED: '${{ steps.violations-found.outputs.iac_scan_result_sarif_path }}' + SCAN_RESULT: '${{ steps.violations-found.outputs.iac_scan_result }}' + run: |- + REPORT_EXPECTED="tests/resources/sarif.json" + if cmp -s "${REPORT_EXPECTED}" "${REPORT_GENERATED}"; then exit 1 fi - if [ "${{ steps.violations-found.outputs.iac_scan_result }}" != "passed" ]; then + if [ "${SCAN_RESULT}" != "passed" ]; then exit 1 fi 
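Review bot: The `npm lint` step (`- name: 'npm lint'` / `run: 'npm run lint'`) is dropped from this job in the @@ -46 hunk with no replacement visible anywhere in the diff, so this workflow no longer runs the linter on pull requests; if linting moved to another job or workflow the commit message should say so, otherwise the step should stay after `npm build`. The switch to `node-version-file: 'package.json'` here and in the @@ -76 hunk relies on the pinned setup-node revision being one that reads `engines.node` (earlier v4 releases only honoured `volta.node`), which is worth confirming against the pinned commit since the `# ratchet:` comment only records `v4`. The job's remaining steps continue outside the hunk.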
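Review bot: The comparison on the new side of the @@ -98 hunk passes silently when `REPORT_GENERATED` is empty or names a file that does not exist, because `cmp -s` then returns non-zero and the step falls through to a zero exit; for a step whose name asserts that a report was generated, add an existence check first, e.g. `if [ ! -f "${REPORT_GENERATED}" ]; then echo "no SARIF report at '${REPORT_GENERATED}'"; exit 1; fi`. Moving the `${{ steps.* }}` expressions into `env:` is the right shape, since the output values are no longer interpolated into the script text. The `exit 1` taken when `cmp` reports the files identical predates the commit and reads inverted for a step named "compare"; if it is intentional, a one-line comment above it stating what difference is expected would spare the next reader the same question. The @@ -117 hunk has the mirror problem: a report that exists but differs from `zero_violations_sarif.json` also passes a step named "report not generated", so a `[ -e "${REPORT_GENERATED}" ]` test would express that intent more directly.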
@@ -117,14 +118,17 @@ jobs: scan_file_ref: 'tests/resources/no-violations-tf_plan.json' iac_type: 'terraform' failure_criteria: 'CRITICAL:2, Operator:OR' + - name: 'Check scan result and report not generated.' - run: | - report_expected="tests/resources/zero_violations_sarif.json" - report_generated="${{ steps.no-violations-found.outputs.iac_scan_result_sarif_path }}" - if cmp -s "$report_expected" "$report_generated"; then + env: + REPORT_GENERATED: '${{ steps.no-violations-found.outputs.iac_scan_result_sarif_path }}' + SCAN_RESULT: '${{ steps.no-violations-found.outputs.iac_scan_result }}' + run: |- + REPORT_EXPECTED="tests/resources/zero_violations_sarif.json" + if cmp -s "${REPORT_EXPECTED}" "${REPORT_GENERATED}"; then exit 1 fi - if [ "${{ steps.no-violations-found.outputs.iac_scan_result }}" != "passed" ]; then + if [ "${SCAN_RESULT}" != "passed" ]; then exit 1 fi @@ -138,12 +142,16 @@ jobs: iac_type: 'terraform' failure_criteria: 'HIGH:1, Operator:OR' continue-on-error: true + - name: 'Check scan result and action build status' - run: | - if [ "${{ steps.failure-criteria-satisfied.outputs.iac_scan_result }}" != "failed" ]; then + env: + SCAN_RESULT: '${{ steps.failure-criteria-satisfied.outputs.iac_scan_result }}' + SCAN_ERROR: '${{ steps.failure-criteria-satisfied.outcome }}' + run: |- + if [ "${SCAN_RESULT}" != "failed" ]; then exit 1 fi - if [ "${{ steps.failure-criteria-satisfied.outcome }}" != "failure"]; then + if [ "${SCAN_ERROR}" != "failure" ]; then exit 1 fi @@ -157,9 +165,12 @@ jobs: iac_type: 'terraform' ignore_violations: 'true' failure_criteria: 'HIGH:1, Operator:OR' + - name: 'Check scan result' - run: | - if [ "${{ steps.failure-criteria-satisfied-ignore-violations-true.outputs.iac_scan_result }}" != "failed" ]; then + env: + SCAN_RESULT: '${{ steps.failure-criteria-satisfied-ignore-violations-true.outputs.iac_scan_result }}' + run: |- + if [ "${SCAN_RESULT}" != "failed" ]; then exit 1 fi 
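Review bot: In the @@ -138 hunk, `SCAN_ERROR` holds `steps.failure-criteria-satisfied.outcome`, which is the step's status string (`success`, `failure`, `cancelled` or `skipped`), not an error, so the name misleads at the comparison `if [ "${SCAN_ERROR}" != "failure" ]`; `STEP_OUTCOME: '${{ steps.failure-criteria-satisfied.outcome }}'` with `if [ "${STEP_OUTCOME}" != "failure" ]` would read correctly. The same naming is used in the @@ -172 hunk. Every failing branch in these scripts exits 1 without output, so a mismatch leaves nothing in the job log but the exit code; an `echo` of the observed value before each `exit 1` would make failures diagnosable from the Actions log alone.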
@@ -172,12 +183,16 @@ jobs: scan_file_ref: 'tests/resources/with-violations-tf_plan.json' iac_type: 'terraform' continue-on-error: true + - name: 'Check scan result and build status' - run: | - if [ "${{ steps.action-internal-error.outputs.iac_scan_result }}" != "error" ]; then + env: + SCAN_RESULT: '${{ steps.action-internal-error.outputs.iac_scan_result }}' + SCAN_ERROR: '${{ steps.action-internal-error.outcome }}' + run: |- + if [ "${SCAN_RESULT}" != "error" ]; then exit 1 fi - if [ "${{ steps.action-internal-error.outcome }}" != "failure" ]; then + if [ "${SCAN_ERROR}" != "failure" ]; then exit 1 fi @@ -189,8 +204,11 @@ jobs: scan_file_ref: 'tests/resources/with-violations-tf_plan.json' iac_type: 'terraform' fail_silently: 'true' - - name: Check scan result - run: | - if [ "${{ steps.action-internal-error-fail-silently-true.outputs.iac_scan_result }}" != "error" ]; then + + - name: 'Check scan result' + env: + SCAN_RESULT: '${{ steps.action-internal-error-fail-silently-true.outputs.iac_scan_result }}' + run: |- + if [ "${SCAN_RESULT}" != "error" ]; then exit 1 fi diff --git a/bin/runTests.sh b/bin/runTests.sh index 2c6c21e..c47d2f8 100644 --- a/bin/runTests.sh +++ b/bin/runTests.sh @@ -16,4 +16,6 @@ set -eEuo pipefail FILES="$(node -e "process.stdout.write(require('node:fs').readdirSync('./', { recursive: true }).filter((e) => {return e.endsWith('.test.ts') && !e.startsWith('node_modules');}).sort().join(' '));")" set -x + +# shellcheck disable=SC2086 exec node --require ts-node/register --test-reporter spec --test ${FILES} diff --git a/package-lock.json b/package-lock.json index c488db2..d04f03d 100644 --- a/package-lock.json +++ b/package-lock.json @@ -27,6 +27,10 @@ "ts-node": "^10.9.2", "typescript": "^5.7.3", "typescript-eslint": "^8.22.0" + }, + "engines": { + "node": "20.x", + "npm": "10.x" } }, "node_modules/@actions/core": { diff --git a/package.json b/package.json index ec8bc59..17bf7f5 100644 --- a/package.json +++ b/package.json 
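Review bot: The added `# shellcheck disable=SC2086` in `bin/runTests.sh` suppresses the unquoted-`${FILES}` warning without recording why word splitting is wanted, and the split is on spaces because the node one-liner joins paths with `' '`, so a test path containing a space would be passed to `node --test` as two arguments; a comment line above the directive such as `# FILES is a space-separated list of in-repo *.test.ts paths; word splitting is intentional` would document the choice. Since the script is always run under bash (`"test": "bash ./bin/runTests.sh"` in package.json), joining with `'\n'` and reading into an array removes the need for the suppression: `mapfile -t FILES < <(node -e "...join('\n')...")` followed by `exec node --require ts-node/register --test-reporter spec --test "${FILES[@]}"`. The first fifteen lines of the script, before `set -eEuo pipefail`, are outside the hunk.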
@@ -10,6 +10,10 @@ "format": "eslint . --fix", "test": "bash ./bin/runTests.sh" }, + "engines": { + "node": "20.x", + "npm": "10.x" + }, "repository": { "type": "git", "url": "https://github.com/google-github-actions/analyze-code-security-scc"
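Review bot: The new `engines` block is advisory for `npm ci` unless `engine-strict=true` is set (in `.npmrc` or through the `npm_config_engine_strict` environment variable); without it a mismatched Node or npm version only prints a warning and the install proceeds, so if the intent is to fail builds on the wrong runtime that setting should accompany this change. The `"node": "20.x"` range is what the workflow's new `node-version-file: 'package.json'` reads, so it has to stay under `engines.node` for CI to keep selecting the right release. `"npm": "10.x"` is not enforced by setup-node, which uses whichever npm ships with the selected Node build, so it documents an expectation rather than pinning anything.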