From ca0d55b925470deb5b04b556e6c4276ea94d03c3 Mon Sep 17 00:00:00 2001
From: msugakov <537715+msugakov@users.noreply.github.com>
Date: Mon, 4 Oct 2021 19:30:04 +0200
Subject: [PATCH] Allow to override output format and action fixes (#7)

Co-authored-by: Armel Soro
---
 .github/workflows/self-test.yml | 86 ++++++++++++++++++---------------
 README.md | 9 +++-
 action.yml | 51 +++++++++++--------
 3 files changed, 87 insertions(+), 59 deletions(-)

diff --git a/.github/workflows/self-test.yml b/.github/workflows/self-test.yml
index 59d1d7b..b053044 100755
--- a/.github/workflows/self-test.yml
+++ b/.github/workflows/self-test.yml
@@ -10,56 +10,66 @@ on: branches: [ main ] jobs: - test-scan-linux: + test-scan: + strategy: + matrix: + os: [ ubuntu-latest, windows-latest, macos-latest ] + format: [ plain, json, sarif ] + version: [ latest, 0.2.3 ] + runs-on: ${{ matrix.os }} + steps: + - uses: actions/checkout@v2 + + - name: Scan 1 - should succeed + uses: ./ + with: + directory: sample/valid-yaml + config: sample/.kube-linter-config.yaml + format: ${{ matrix.format }} + version: ${{ matrix.version }} + + - name: Scan 2 - should fail + id: failing-scan + uses: ./ + with: + directory: sample/invalid-yaml + config: sample/.kube-linter-config.yaml + format: ${{ matrix.format }} + version: ${{ matrix.version }} + continue-on-error: true + + - name: Verify Scan 2 should have failed + shell: bash + run: | + echo "Verifying that kube-linter-action outcome (${{ steps.failing-scan.outcome }}) from Scan 2 is failure." + [[ "${{ steps.failing-scan.outcome }}" == "failure" ]] + + test-with-sarif-upload: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - - name: Scan 1 - succeeding + # Setup directory where github/codeql-action/upload-sarif@v1 looks up files by default. 
+ - name: Create ../results directory for sarif files + shell: bash + run: mkdir -p ../results + + - name: Scan 1 - should succeed uses: ./ with: directory: sample/valid-yaml config: sample/.kube-linter-config.yaml + format: sarif + output-file: ../results/kube-linter-success.sarif - - name: Scan 2 - failing + - name: Scan 2 - should fail uses: ./ with: directory: sample/invalid-yaml config: sample/.kube-linter-config.yaml + format: sarif + output-file: ../results/kube-linter-fail.sarif continue-on-error: true - test-scan-windows: - runs-on: windows-latest - steps: - - uses: actions/checkout@v2 - - - name: Scan 1 - succeeding - uses: ./ - with: - directory: sample/valid-yaml - config: sample/.kube-linter-config.yaml - - - name: Scan 2 - failing - uses: ./ - with: - directory: sample/invalid-yaml - config: sample/.kube-linter-config.yaml - continue-on-error: true - - test-scan-macos: - runs-on: macos-latest - steps: - - uses: actions/checkout@v2 - - - name: Scan 1 - succeeding - uses: ./ - with: - directory: sample/valid-yaml - config: sample/.kube-linter-config.yaml - - - name: Scan 2 - failing - uses: ./ - with: - directory: sample/invalid-yaml - config: sample/.kube-linter-config.yaml - continue-on-error: true + - name: Upload SARIF output file to GitHub + uses: github/codeql-action/upload-sarif@v1
diff --git a/README.md b/README.md
index 858b70a..35dbc2d 100755
--- a/README.md
+++ b/README.md
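Review bot: The new `test-with-sarif-upload` job never checks that "Scan 2 - should fail" actually failed: it sets `continue-on-error: true` but has no counterpart to the matrix job's "Verify Scan 2 should have failed" step, so a regression that lets `sample/invalid-yaml` pass in SARIF mode would go unnoticed. Giving that step `id: failing-scan` and adding the same verify step (`[[ "${{ steps.failing-scan.outcome }}" == "failure" ]]`) before the upload keeps both jobs equivalent. The `github/codeql-action/upload-sarif@v1` step needs `security-events: write` on the job token, and since the workflow header is outside this hunk I cannot see whether a `permissions:` block restricts it; worth confirming. Uploading the failing scan's SARIF from `../results` presumably also registers its findings as code-scanning alerts for the sample files in this repository, which may or may not be intended.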
@@ -24,5 +24,10 @@ Workflow will fail if kube-linter detects issues. You'll find issues in the outp
 ### Parameters
-* `directory` (required) - path of file or directory to scan, absolute or relative to the root of the repo.
-* `config` (optional) - path to a [configuration file](https://docs.kubelinter.io/#/configuring-kubelinter) if you wish to use a non-default configuration.
+| Parameter name | Required? | Description |
+| --- | --- | --- |
+| `directory` | **(required)** | Path of file or directory to scan, absolute or relative to the root of the repo. |
+| `config` | (optional) | Path to a [configuration file](https://docs.kubelinter.io/#/configuring-kubelinter) if you wish to use a non-default configuration. |
+| `format` | (optional) | Output format. Allowed values: `sarif`, `plain`, `json`. Default is `plain`. |
+| `output-file` | (optional) | Path to a file where kube-linter output will be stored. Default is `kube-linter.log`. File will be overwritten if it exists. |
+| `version` | (optional) | kube-linter release version to use, e.g. "0.2.4". The latest available version is used by default. |
diff --git a/action.yml b/action.yml
index 22ea026..d754df0 100755
--- a/action.yml
+++ b/action.yml
@@ -10,46 +10,59 @@ inputs: config: description: 'Path to config file' required: false + format: + description: 'Output format. Allowed values: sarif, plain, json. Default: "plain"' + required: false + default: 'plain' output-file: - description: 'Filename to store output. Default "kubelinter.log"' + description: 'Filename to store output. File will be overwritten if it exists. Default: "kubelinter.log"' required: false default: 'kubelinter.log' version: - description: 'Version of kube-linter to use. Default "latest"' + description: 'Version of kube-linter to use. E.g. "0.2.4". Default: "latest"' required: false default: 'latest' runs: using: "composite" steps: - name: Download kube-linter + shell: bash run: | - set -euo pipefail + set -u case "${{ runner.os }}" in macOS) OS=darwin ;; Windows) OS=windows ;; *) OS=linux ;; esac - RELEASE_INFO=$(curl --silent --show-error --fail https://api.github.com/repos/stackrox/kube-linter/releases/${{ inputs.version }}) - RELEASE_NAME=$(echo "${RELEASE_INFO}" | jq --raw-output ".name") - LOCATION=$(echo "${RELEASE_INFO}" \ - | jq --raw-output ".assets[].browser_download_url" \ - | grep --fixed-strings kube-linter-${OS}.tar.gz) - TARGET=kube-linter-${OS}-${RELEASE_NAME}.tar.gz - # Skip downloading release if downloaded already, e.g. when the action is used multiple times. - if [ ! -e $TARGET ]; then - curl --silent --show-error --fail --location --output $TARGET "$LOCATION" - tar -xf $TARGET + RELEASE_URL='https://api.github.com/repos/stackrox/kube-linter/releases/latest' + if [[ "${{ inputs.version }}" != "latest" ]]; then + RELEASE_URL='https://api.github.com/repos/stackrox/kube-linter/releases/tags/${{ inputs.version }}' + fi + # Although releases endpoint is available without authentication, the current github.token is still passed + # in order to increase the limit of 60 requests per hour per IP address to a higher value that's also counted + # per GitHub account. 
+ # Caching is disabled in order not to receive stale responses from Varnish cache fronting GitHub API. + RELEASE_INFO="$(curl --silent --show-error --fail \ + --header 'authorization: Bearer ${{ github.token }}' \ + --header 'Cache-Control: no-cache, must-revalidate' \ + "${RELEASE_URL}")" + RELEASE_NAME="$(echo "${RELEASE_INFO}" | jq --raw-output ".name")" + LOCATION="$(echo "${RELEASE_INFO}" \ + | jq --raw-output ".assets[].browser_download_url" \ + | grep --fixed-strings "kube-linter-${OS}.tar.gz")" + TARGET="kube-linter-${OS}-${RELEASE_NAME}.tar.gz" + # Skip downloading release if downloaded already, e.g. when the action is used multiple times. + if [[ ! -e "$TARGET" ]]; then + curl --silent --show-error --fail --location --output "$TARGET" "$LOCATION" + tar -xf "$TARGET" fi - shell: bash - name: Lint files + shell: bash run: | set -u - set +e - if [ -z ${{ inputs.config }} ]; then + if [[ -z "${{ inputs.config }}" ]]; then CONFIG="" else CONFIG="--config ${{ inputs.config }}" fi - ./kube-linter $CONFIG lint ${{ inputs.directory }} 2>&1 | tee -a ${{ inputs.output-file }} - exit ${PIPESTATUS[0]} - shell: bash + ./kube-linter $CONFIG lint "${{ inputs.directory }}" --format "${{ inputs.format }}" | tee "${{ inputs.output-file }}"
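Review bot: The action inputs are still spliced into the `run:` scripts as `${{ inputs.version }}`, `${{ inputs.config }}`, `${{ inputs.directory }}` and `${{ inputs.output-file }}`, so a value containing a quote or shell metacharacter becomes part of the script rather than data (the single-quoted `RELEASE_URL='…/tags/${{ inputs.version }}'` breaks on a `'` in the version); passing each input through `env:` and reading it as `"$KUBE_LINTER_VERSION"` etc. keeps it a plain string in both steps. Both steps now depend on the runner's implicit `bash -eo pipefail` for `shell: bash` after `set -euo pipefail` and `exit ${PIPESTATUS[0]}` were dropped, which is correct but invisible to a reader; a comment such as `# shell: bash runs with -eo pipefail, so a failed curl or a non-zero kube-linter exit status fails the step` should state it. The unquoted `$CONFIG` expansion is needed for word splitting but breaks on a config path with spaces; an array avoids that, with the `${CONFIG[@]+"${CONFIG[@]}"}` form because macOS bash 3.2 treats an empty array as unbound under `set -u`. Separately, `default: 'kubelinter.log'` here disagrees with the README row in this same patch, which documents the default as `kube-linter.log`.

```yaml
    # … unchanged: Download kube-linter step (apply the same env: treatment to inputs.version) …
    - name: Lint files
      shell: bash
      env:
        KUBE_LINTER_CONFIG: ${{ inputs.config }}
        KUBE_LINTER_DIRECTORY: ${{ inputs.directory }}
        KUBE_LINTER_FORMAT: ${{ inputs.format }}
        KUBE_LINTER_OUTPUT_FILE: ${{ inputs.output-file }}
      run: |
        set -u
        # shell: bash runs with -eo pipefail, so a non-zero kube-linter exit status fails the step.
        CONFIG=()
        if [[ -n "${KUBE_LINTER_CONFIG}" ]]; then
          CONFIG=(--config "${KUBE_LINTER_CONFIG}")
        fi
        # ${CONFIG[@]+...} keeps an empty array from tripping set -u on bash 3.2 (macOS).
        ./kube-linter ${CONFIG[@]+"${CONFIG[@]}"} lint "${KUBE_LINTER_DIRECTORY}" --format "${KUBE_LINTER_FORMAT}" | tee "${KUBE_LINTER_OUTPUT_FILE}"
```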