Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: github correlator name when run in matrix build #482

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

fix: github correlator name when run in matrix build #482

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
da75980
fix: github correlator name when run in matrix build
kzantow Jul 18, 2024
634fd43
Merge remote-tracking branch 'upstream/main' into fix/matrix-build-co…
kzantow Aug 13, 2024
d880107
chore: add explicit check for correlator containing artifact-name
kzantow Aug 13, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 17 additions & 2 deletions dist/attachReleaseAssets/index.js
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

19 changes: 17 additions & 2 deletions dist/downloadSyft/index.js
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

19 changes: 17 additions & 2 deletions dist/runSyftAction/index.js
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

22 changes: 19 additions & 3 deletions src/github/SyftGithubAction.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ const exeSuffix = process.platform == "win32" ? ".exe" : "";
* Tries to get a unique artifact name or otherwise as appropriate as possible
*/
export function getArtifactName(): string {
const fileName = core.getInput("artifact-name");
const fileName = getArtifactNameInput();

// if there is an explicit filename just return it, this could cause issues
// where earlier sboms are overwritten by later ones
Expand Down Expand Up @@ -93,6 +93,13 @@ export function getArtifactName(): string {
return `${repo}-${job}${stepName}.${extension}`;
}

/**
* Returns the artifact-name input value
*/
function getArtifactNameInput() {
return core.getInput("artifact-name");
}

/**
* Gets a reference to the syft command and executes the syft action
* @param input syft input parameters
Expand Down Expand Up @@ -443,10 +450,19 @@ export async function uploadDependencySnapshot(): Promise<void> {
fs.readFileSync(githubDependencySnapshotFile).toString("utf8")
) as DependencySnapshot;

let correlator = `${workflow}_${job}`;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think there are 3 paths through here:

  1. dependency-snapshot-correlator input is defined
  2. artifact-name input is defined
  3. Neither artifact-name nor dependency-snapshot-correlator is defined.

Is it worth having a table test to hit all 3 of these? AFAICT, only scenario 2 is currently exercised by tests.

It might be worth extracting a helper method to make the test set up simpler.

// if running in a matrix build, it is not possible to determine a unique value,
// so a user must explicitly specify the artifact-name input, there isn't any
// other indicator of being run within a matrix build, so we must use that
// here in order to properly correlate dependency snapshots
const artifactInput = getArtifactNameInput();
if (artifactInput) {
correlator += `_${artifactInput}`;
}

// Need to add the job and repo details
snapshot.job = {
correlator:
core.getInput("dependency-snapshot-correlator") || `${workflow}_${job}`,
correlator: core.getInput("dependency-snapshot-correlator") || correlator,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a reason to hide core.getInput("artifact-name") behind a helper, but not core.getInput("dependency-snapshot-correlator")?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

dependency-snapshot-correlator should really not ever be used, it's not a supported parameter, it was originally used for testing. I just left it in to not break anyone who may have set it

id: `${runId}`,
};
snapshot.sha = sha;
Expand Down
43 changes: 43 additions & 0 deletions tests/integration/GitHubSnapshot.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -75,4 +75,47 @@ describe("GitHub Snapshot", () => {

expect(submission).toMatchSnapshot();
});

it("runs with artifact-name input", async () => {
setData({
inputs: {
path: "tests/fixtures/npm-project",
"dependency-snapshot": "true",
"upload-artifact": "false",
"artifact-name": "my-matrix-build-1",
},
context: {
...context.push({
ref: "main",
}),
sha: "f293f09uaw90gwa09f9wea",
workflow: "my-workflow",
job: "default-import-job",
action: "__anchore_sbom-action",
},
});

await action.runSyftAction();
await action.uploadDependencySnapshot();

// validate the request was made
expect(requestArgs).toBeDefined();
expect(requestArgs).toHaveLength(2);
expect(requestArgs[0]).toBe("POST /repos/test-org/test-repo/dependency-graph/snapshots");

// check the resulting snapshot file
const data = requestArgs[1].data;
const submission = JSON.parse(data);

expect(submission.scanned).toBeDefined();

// redact changing data
submission.scanned = "";
submission.detector.version = "";

expect(submission.job).toBeDefined()
expect(submission.job.correlator).toContain("my-matrix-build-1")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a reason not to assert more specifically?

It looks like this will always be my-workflow_default-import-job_my-matrix-build-1.


expect(submission).toMatchSnapshot();
});
});
93 changes: 93 additions & 0 deletions tests/integration/__snapshots__/GitHubSnapshot.test.ts.snap
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,98 @@
// Jest Snapshot v1, https://goo.gl/fbAQLP

exports[`GitHub Snapshot runs with artifact-name input 1`] = `
{
"detector": {
"name": "syft",
"url": "https://github.com/anchore/syft",
"version": "",
},
"job": {
"correlator": "my-workflow_default-import-job_my-matrix-build-1",
"id": "1",
},
"manifests": {
"tests/fixtures/npm-project/package-lock.json": {
"file": {
"source_location": "tests/fixtures/npm-project/package-lock.json",
},
"name": "tests/fixtures/npm-project/package-lock.json",
"resolved": {
"pkg:npm/chownr@2.0.0": {
"package_url": "pkg:npm/chownr@2.0.0",
"relationship": "direct",
"scope": "runtime",
},
"pkg:npm/fs-minipass@2.1.0": {
"package_url": "pkg:npm/fs-minipass@2.1.0",
"relationship": "direct",
"scope": "runtime",
},
"pkg:npm/js-tokens@4.0.0": {
"package_url": "pkg:npm/js-tokens@4.0.0",
"relationship": "direct",
"scope": "runtime",
},
"pkg:npm/loose-envify@1.4.0": {
"package_url": "pkg:npm/loose-envify@1.4.0",
"relationship": "direct",
"scope": "runtime",
},
"pkg:npm/minipass@3.1.3": {
"package_url": "pkg:npm/minipass@3.1.3",
"relationship": "direct",
"scope": "runtime",
},
"pkg:npm/minizlib@2.1.2": {
"package_url": "pkg:npm/minizlib@2.1.2",
"relationship": "direct",
"scope": "runtime",
},
"pkg:npm/mkdirp@1.0.4": {
"package_url": "pkg:npm/mkdirp@1.0.4",
"relationship": "direct",
"scope": "runtime",
},
"pkg:npm/object-assign@4.1.1": {
"package_url": "pkg:npm/object-assign@4.1.1",
"relationship": "direct",
"scope": "runtime",
},
"pkg:npm/prop-types@15.7.2": {
"package_url": "pkg:npm/prop-types@15.7.2",
"relationship": "direct",
"scope": "runtime",
},
"pkg:npm/react-is@16.13.1": {
"package_url": "pkg:npm/react-is@16.13.1",
"relationship": "direct",
"scope": "runtime",
},
"pkg:npm/react@16.14.0": {
"package_url": "pkg:npm/react@16.14.0",
"relationship": "direct",
"scope": "runtime",
},
"pkg:npm/tar@6.1.0": {
"package_url": "pkg:npm/tar@6.1.0",
"relationship": "direct",
"scope": "runtime",
},
"pkg:npm/yallist@4.0.0": {
"package_url": "pkg:npm/yallist@4.0.0",
"relationship": "direct",
"scope": "runtime",
},
},
},
},
"ref": "v0.0.0",
"scanned": "",
"sha": "f293f09uaw90gwa09f9wea",
"version": 0,
}
`;

exports[`GitHub Snapshot runs with default inputs 1`] = `
{
"detector": {
Expand Down
Loading