complytime · jpower432 · May 17, 2024 · May 13, 2024 · May 14, 2024 · May 14, 2024
diff --git a/.github/actions/e2e-testing/action.yml b/.github/actions/e2e-testing/action.yml
@@ -0,0 +1,35 @@
+name: "e2e-testing"
+description: "Composite action for trestle-bot end-to-end tests."
+
+inputs:
+    build:
+      description: "Whether to build the image before testing."
+      required: false
+      default: "true"
+    image:
+      description: |
+        "Name of the trestlebot image you want to test if pre-existing. Required if build is false."
+      required: false
+
+runs:
+  using: "composite"
+  steps:
+    - name: Set up poetry and install
+      uses: ./.github/actions/setup-poetry
+      with:
+        python-version: "3.9"
+
+    # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+    - name: Pull the image
+      if: ${{ inputs.build == 'false' }}
+      run: |
+          podman pull "${IMAGE}"
+          echo "TRESTLEBOT_IMAGE=$(sed -e 's/^docker-daemon://' <<<${IMAGE})" >> "$GITHUB_ENV"
+      env:
+        IMAGE: ${{ inputs.image }}
+      shell: bash
+
+    - name: Run tests
+      run: make test-e2e
+      shell: bash
+
diff --git a/.github/actions/publish-image/action.yml b/.github/actions/publish-image/action.yml
@@ -15,6 +15,10 @@ inputs:
     description: Skip using cache when building the image.
     required: false
     default: "false"
+  skip_tests:
+    description: Skip pre-push testing
+    required: false
+    default: "false"
 outputs:
   image_sha:
     value: ${{ inputs.image }}@${{ steps.build-and-push.outputs.digest }}
@@ -28,9 +32,6 @@ runs:
 
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@v3
-
-    - name: Set up cosign
-      uses: sigstore/[email protected]
 
     # Tags are defined here based on workflow triggers
     - name: Define metadata
@@ -42,7 +43,7 @@ runs:
           type=semver,pattern=v{{major}},enable=${{ !startsWith(inputs.release_version, 'v0.') }},value=${{ inputs.release_version }}
           type=semver,pattern=v{{major}}.{{minor}},value=${{ inputs.release_version }}
           type=semver,pattern=v{{version}},value=${{ inputs.release_version }}
-          type=raw,value=${{ inputs.release_version }}-{{branch}}-{{sha}},event=workflow_dispatch
+          type=raw,value=${{ inputs.release_version }}-{{branch}}-{{sha}},enable=${{ github.event_name == 'workflow_dispatch' }}
           type=schedule,pattern={{date 'YYYYMMDD'}},prefix=${{ inputs.release_version }}.
         flavor: |
           latest=false
@@ -67,6 +68,13 @@ runs:
         skip-files:  "**/.venv/lib/**/METADATA"
         scanners: secret
         severity: HIGH,CRITICAL,MEDIUM
+
+    - name: Pre-push testing
+      if: ${{ inputs.skip_tests == 'false' }}
+      uses: ./.github/actions/e2e-testing
+      with:
+        image: "docker-daemon:${{ inputs.image }}:${{ steps.meta.outputs.version }}"
+        build: false
 
     # Does not rebuild. Uses internal cache from previous step.
     - name: Build and Push
@@ -77,20 +85,3 @@ runs:
         push: true
         tags: ${{ steps.meta.outputs.tags }}
         labels: ${{ steps.meta.outputs.labels }}
-
-    - name: Sign the image with GitHub OIDC Token
-      run: cosign sign --yes "$IMAGE@$DIGEST"
-      env:
-        DIGEST: ${{ steps.build-and-push.outputs.digest }}
-        IMAGE: ${{ inputs.image }}
-      shell: bash
-
-    - name: Verify image
-      run: |
-        cosign verify "$IMAGE@$DIGEST" --certificate-identity-regexp="$SUBJECT" \
-        --certificate-oidc-issuer=https://token.actions.githubusercontent.com
-      env:
-        SUBJECT: https://github\.com/${{ github.repository_owner }}/trestle-bot/\.github/.+
-        IMAGE: ${{ inputs.image }}
-        DIGEST: ${{ steps.build-and-push.outputs.digest }}
-      shell: bash
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -2,7 +2,11 @@ version: 2
 updates:
 
   - package-ecosystem: "github-actions"
-    directory: "/"
+    directories:
+      - '/'
+      - '/.github/actions/e2e-testing'
+      - '/.github/actions/publish-image'
+      - '/.github/actions/setup-poetry'
     schedule:
       interval: "daily"
     commit-message:

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -10,7 +10,7 @@ on:
     - main
 
 concurrency:
-  group: ${{ github.ref }}-${{ github.workflow }}
+  group: ${{ github.ref }}-${{ github.workflow }}-ci
   cancel-in-progress: true
 
 jobs:
@@ -70,11 +70,11 @@ jobs:
       - name: Run tests
         run: make test
 
-  # Image is for testing and not pushing to a registry
   e2e-test:
+    runs-on: ubuntu-latest
     permissions:
       contents: read
-    uses: ./.github/workflows/e2e.yml
-    with:
-      image: localhost/trestle-bot:${{ github.sha }}
-      build: true
+    steps:
+      - name: Check out
+        uses: actions/checkout@v4
+      - uses: ./.github/actions/e2e-testing
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -27,18 +27,17 @@ env:
     IMAGE_NAME: trestle-bot
     IMAGE_REGISTRY: quay.io
 
+concurrency:
+  group: ${{ github.ref }}-${{ github.workflow }}-publish
+  cancel-in-progress: true
+
 jobs:
   publish-image:
     runs-on: 'ubuntu-latest'
     permissions:
       contents: read
       # kics-scan ignore-line
       id-token: write # needed for signing the images with GitHub OIDC Token
-    outputs:
-      skip_tests: ${{ steps.check_event.outputs.event_type == 'release' ||
-                  (steps.check_event.outputs.event_type == 'workflow_dispatch' &&
-                  github.event.inputs.skip_tests == 'true') }}
-      image: ${{ steps.build_publish_image.outputs.image_sha }}
     steps:
       - name: Login to Quay
         uses: docker/login-action@v3
@@ -51,6 +50,9 @@ jobs:
         uses: actions/checkout@v4
         with:
           persist-credentials: false
+
+      - name: Set up cosign
+        uses: sigstore/[email protected]
 
       - name: Check if triggered by release or workflow dispatch
         id: check_event
@@ -64,6 +66,7 @@ jobs:
             echo "TAG=$RELEASE_VERSION"
             echo "NO_CACHE=true"
             echo "BUILD_GIT_REF=$RELEASE_VERSION"
+            echo "SKIP_TESTS=true"
           } >> "$GITHUB_ENV"
         env:
           RELEASE_VERSION: ${{ github.event.release.tag_name }}
@@ -75,10 +78,12 @@ jobs:
             echo "TAG=$INPUT_VERSION" 
             echo "NO_CACHE=$INPUT_NO_CACHE"
             echo "BUILD_GIT_REF=${{ github.ref }}"
+            echo "SKIP_TESTS=$INPUT_SKIP_TESTS"
           } >> "$GITHUB_ENV"
         env:
           INPUT_VERSION: ${{ github.event.inputs.tag }}
           INPUT_NO_CACHE: ${{ github.event.inputs.no_cache }}
+          INPUT_SKIP_TESTS: ${{ github.event.inputs.skip_tests }}
 
       - name: Set environment information for schedule
         if: ${{ steps.check_event.outputs.event_type == 'schedule' }}
@@ -88,6 +93,7 @@ jobs:
             echo "TAG=$LATEST_VERSION"
             echo "NO_CACHE=true"
             echo "BUILD_GIT_REF=$LATEST_VERSION"
+            echo "SKIP_TESTS=false"
           } >> "$GITHUB_ENV"
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -100,12 +106,17 @@ jobs:
           release_version: ${{ env.TAG }}
           no_cache: ${{ env.NO_CACHE }}
           git_ref: ${{ env.BUILD_GIT_REF }}
+          skip_tests: ${{ env.SKIP_TESTS }}
+
+      - name: Sign the image with GitHub OIDC Token
+        run: cosign sign --yes "$IMAGE"
+        env:
+          IMAGE: ${{ steps.build_publish_image.outputs.image_sha }}
 
-  test:
-    permissions:
-        contents: read
-    needs: publish-image
-    if: ${{ needs.publish-image.outputs.skip_tests != 'true' }}
-    uses: ./.github/workflows/e2e.yml
-    with:
-      image: ${{ needs.publish-image.outputs.image }}
+      - name: Verify image
+        run: |
+          cosign verify "$IMAGE" --certificate-identity-regexp="$SUBJECT" \
+          --certificate-oidc-issuer=https://token.actions.githubusercontent.com
+        env:
+          SUBJECT: https://github\.com/${{ github.repository_owner }}/trestle-bot/\.github/.+
+          IMAGE: ${{ steps.build_publish_image.outputs.image_sha }}
diff --git a/tests/e2e/e2e_testutils.py b/tests/e2e/e2e_testutils.py
@@ -84,7 +84,7 @@ def teardown(self) -> None:
     def _image_exists(image_name: str) -> bool:
         """Check if the image already exists."""
         try:
-            subprocess.check_output(["podman", "image", "inspect", image_name])
+            subprocess.check_output(["podman", "image", "exists", image_name])
             return True
         except subprocess.CalledProcessError:
             return False