-
Notifications
You must be signed in to change notification settings - Fork 11
136 lines (125 loc) · 4.43 KB
/
selftest.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
name: Self-test
on:
push:
branches:
- main
pull_request:
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
selftest-requirements:
strategy:
matrix:
os: [ubuntu-latest, windows-latest]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v3
- uses: ./
id: pip-audit
with:
inputs: ./test/vulnerable.txt
no-deps: true
# NOTE: We intentionally allow failure here, since the self-test
# explicitly uses a vulnerable requirements file.
internal-be-careful-allow-failure: true
- name: assert expected output
shell: bash
env:
PIP_AUDIT_OUTPUT: "${{ steps.pip-audit.outputs.internal-be-careful-output }}"
run: |
grep -E 'pyyaml\s+\|\s+5.1' <<< $(base64 -d <<< "${PIP_AUDIT_OUTPUT}")
selftest-environment:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: make the environment vulnerable
run: |
python -m pip install --no-deps --requirement ./test/vulnerable.txt
- uses: ./
id: pip-audit
with:
# NOTE: We intentionally allow failure here, since the self-test
# explicitly uses a vulnerable requirements file.
internal-be-careful-allow-failure: true
- name: assert expected output
env:
PIP_AUDIT_OUTPUT: "${{ steps.pip-audit.outputs.internal-be-careful-output }}"
run: |
grep -E 'pyyaml\s+\|\s+5.1' <<< $(base64 -d <<< "${PIP_AUDIT_OUTPUT}")
selftest-virtualenv:
strategy:
matrix:
local: [true, false]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: make a virtual environment vulnerable
run: |
python -m venv env
./env/bin/python -m pip install --upgrade pip wheel
./env/bin/python -m pip install --no-deps --requirement ./test/vulnerable.txt
- uses: ./
id: pip-audit
with:
virtual-environment: env/
local: ${{ matrix.local }}
# NOTE: We intentionally allow failure here, since the self-test
# explicitly uses a vulnerable requirements file.
internal-be-careful-allow-failure: true
- name: assert expected output
env:
PIP_AUDIT_OUTPUT: "${{ steps.pip-audit.outputs.internal-be-careful-output }}"
run: |
grep -E 'pyyaml\s+\|\s+5.1' <<< $(base64 -d <<< "${PIP_AUDIT_OUTPUT}")
selftest-pyproject:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: ./
id: pip-audit
with:
# should attempt to discover test/pyproject/pyproject.toml
inputs: test/pyproject/
# NOTE: We intentionally allow failure here, since the self-test
# explicitly uses a vulnerable requirements file.
internal-be-careful-allow-failure: true
- name: assert expected output
env:
PIP_AUDIT_OUTPUT: "${{ steps.pip-audit.outputs.internal-be-careful-output }}"
run: |
grep -E 'pyyaml\s+\|\s+5.1' <<< $(base64 -d <<< "${PIP_AUDIT_OUTPUT}")
selftest-pipaudit-fail:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: ./
id: pip-audit
with:
# we do not care about pip-audit's actual output in this test, we just need a file to pass
# in so as to not exercise `pip list` mode.
inputs: ./test/empty.txt
# pass in a fake flag here to reliably trigger the failure we're looking for.
internal-be-careful-extra-flags: --not-a-real-pip-audit-flag
internal-be-careful-allow-failure: true
- name: assert expected output
env:
PIP_AUDIT_OUTPUT: "${{ steps.pip-audit.outputs.internal-be-careful-output }}"
run: |
grep 'pip-audit did not return any output' <<< $(base64 -d <<< "${PIP_AUDIT_OUTPUT}")
all-selftests-pass:
if: always()
needs:
- selftest-requirements
- selftest-environment
- selftest-virtualenv
- selftest-pyproject
- selftest-pipaudit-fail
runs-on: ubuntu-latest
steps:
- name: check test jobs
if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork
uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
with:
jobs: ${{ toJSON(needs) }}