chore: add setup test env gh action (#5897)

* chore: add setup test env gh action Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * score card Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-03-28 18:38:40 +00:00 · 2023-01-05 23:36:13 +01:00 · 2023-01-05 23:36:13 +01:00 · 8f65abd5d8
commit 8f65abd5d8
parent 07cf2c120b
3 changed files with 33 additions and 29 deletions
--- a/.github/actions/setup-test-env/action.yaml
+++ b/.github/actions/setup-test-env/action.yaml
@ -0,0 +1,17 @@
+name: Setup test env
+
+description: Create kind cluster, deploy kyverno, and wait pods are ready.
+
+inputs:
+  version:
+    description: kubernetes version
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - shell: bash
+      run: |
+        export KIND_IMAGE=kindest/node:${{ inputs.version }}
+        make kind-create-cluster kind-deploy-kyverno
+    - uses: ./.github/actions/kyverno-wait-ready
--- a/.github/workflows/conformance.yaml
+++ b/.github/workflows/conformance.yaml
@ -24,12 +24,10 @@ jobs:
        uses: ./.github/actions/setup-build-env
        with:
          build-cache-key: run-conformance
-      - name: Prepare environment
-        run: |
-          export KIND_IMAGE=kindest/node:${{ matrix.k8s-version }}
-          make kind-create-cluster kind-deploy-kyverno
-      - name: Wait for Kyverno to start
-        uses: ./.github/actions/kyverno-wait-ready
+      - name: Setup test env
+        uses: ./.github/actions/setup-test-env
+        with:
+          version: ${{ matrix.k8s-version }}
      - name: Test with kuttl
        run: make test-kuttl
      - name: Debug failure
--- a/.github/workflows/scorecard.yaml
+++ b/.github/workflows/scorecard.yaml
@ -1,50 +1,39 @@
 name: Scorecards supply-chain security
+
 on:
-  # Only the default branch is supported.
-  branch_protection_rule:
  schedule:
    - cron: '30 1 * * 6'
  push:
-    branches: [ "main" ]
-
-# Declare default permissions as read only.
-permissions: read-all
+    branches:
+      - main

 jobs:
  analysis:
-    name: Scorecards analysis
    runs-on: ubuntu-latest
    permissions:
-      # Needed to upload the results to code-scanning dashboard.
      security-events: write
-      # Used to receive a badge.
      id-token: write
-
    steps:
-      - name: "Checkout code"
+      - name: Checkout
        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
        with:
          persist-credentials: false
-
-      - name: "Run analysis"
-        uses: ossf/scorecard-action@937ffa90d79c7d720498178154ad4c7ba1e4ad8c # tag=v2.1.0
+      - name: Setup build env
+        uses: ./.github/actions/setup-build-env
+      - name: Run analysis
+        uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
        with:
          results_file: results.sarif
          results_format: sarif
          repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
          publish_results: true
-
-      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
-      # format to the repository Actions tab.
-      - name: "Upload artifact"
-        uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # tag=v3.0.0
+      - name: Upload artifact
+        uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5
-
-      # Upload the results to GitHub's code scanning dashboard.
-      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # tag=v2.1.37
+      - name: Upload to code-scanning
+        uses: github/codeql-action/upload-sarif@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2.1.37
        with:
          sarif_file: results.sarif