fix(terraform): pod security policy removed in GKE 1.25 #11774
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: PR Test | |
on: pull_request | |
permissions: | |
contents: read | |
jobs: | |
lint: | |
uses: bridgecrewio/gha-reusable-workflows/.github/workflows/pre-commit.yaml@main | |
with: | |
python-version: "3.9" | |
danger-check: | |
runs-on: [ self-hosted, public, linux, x64 ] | |
permissions: | |
contents: read | |
pull-requests: read | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v3 | |
- name: Install Node.js | |
uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3 | |
with: | |
node-version: "16" | |
- name: Install and run DangerJS | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: | | |
npm install -g danger | |
danger ci --verbose --failOnErrors | |
cfn-lint: | |
runs-on: ubuntu-latest | |
env: | |
PYTHON_VERSION: "3.8" | |
steps: | |
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v3 | |
- uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4 | |
with: | |
python-version: ${{ env.PYTHON_VERSION }} | |
- name: Install cfn-lint | |
run: | | |
pip install -U cfn-lint | |
- name: Lint Cloudformation templates | |
run: | | |
cfn-lint tests/cloudformation/checks/resource/aws/**/* -i W | |
mypy: | |
uses: bridgecrewio/gha-reusable-workflows/.github/workflows/mypy.yaml@main | |
with: | |
python-version: "3.8" | |
unit-tests: | |
strategy: | |
fail-fast: true | |
matrix: | |
python: ["3.8", "3.9", "3.10", "3.11"] | |
runs-on: ubuntu-latest | |
timeout-minutes: 30 | |
steps: | |
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v3 | |
- name: Set up Python ${{ matrix.python }} | |
uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4 | |
with: | |
python-version: ${{ matrix.python }} | |
cache: "pipenv" | |
cache-dependency-path: "Pipfile.lock" | |
- uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3 | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
- uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1 # v2 | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Install pipenv | |
run: | | |
python -m pip install --no-cache-dir --upgrade pipenv | |
- name: Install dependencies | |
run: | | |
# remove venv, if exists | |
pipenv --rm || true | |
pipenv --python ${{ matrix.python }} | |
pipenv install --dev -v | |
pipenv run pip install redefine --index-url https://pip.redefine.dev | |
- name: Unit tests | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
REDEFINE_AUTH: ${{ secrets.REDEFINE_AUTH }} | |
run: | | |
pipenv run redefine config set stable_branch=main matrix_value=${{ matrix.python }} | |
pipenv run redefine start --pytest --discover | |
pipenv run python -m pytest tests | |
integration-tests: | |
strategy: | |
fail-fast: true | |
matrix: | |
python: ["3.8", "3.9", "3.10", "3.11"] | |
os: [ubuntu-latest, macos-latest, windows-latest] | |
runs-on: ${{ matrix.os }} | |
steps: | |
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v3 | |
- uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4 | |
with: | |
python-version: ${{ matrix.python }} | |
cache: "pipenv" | |
cache-dependency-path: "Pipfile.lock" | |
- uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3 | |
- uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3 | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
- uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1 # v2 | |
if: ${{ runner.os != 'windows' }} | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Install pipenv | |
run: | | |
python -m pip install --no-cache-dir --upgrade pipenv | |
- name: Build & install checkov package | |
run: | | |
# remove venv, if exists | |
pipenv --rm || true | |
pipenv --python ${{ matrix.python }} | |
pipenv run pip install pytest pytest-xdist | |
pipenv run python setup.py sdist bdist_wheel | |
bash -c 'pipenv run pip install dist/checkov-*.whl' | |
- name: Clone Terragoat - vulnerable terraform | |
run: git clone https://github.com/bridgecrewio/terragoat | |
- name: Clone Cfngoat - vulnerable cloudformation | |
run: git clone https://github.com/bridgecrewio/cfngoat | |
- name: Clone Kubernetes-goat - vulnerable kubernetes | |
run: git clone https://github.com/madhuakula/kubernetes-goat | |
- name: Clone kustomize-goat - vulnerable kustomize | |
run: git clone https://github.com/bridgecrewio/kustomizegoat | |
- name: Create checkov reports | |
env: | |
LOG_LEVEL: INFO | |
BC_KEY: ${{ secrets.BC_API_KEY }} | |
run: | | |
# Just making sure the API key tests don't run on PRs | |
bash -c './integration_tests/prepare_data.sh ${{ matrix.os }} 3.8' | |
- name: Run integration tests | |
run: | | |
pipenv run pytest integration_tests -k 'not api_key' | |
performance-tests: | |
env: | |
PYTHON_VERSION: "3.8" | |
working-directory: ./performance_tests | |
runs-on: [self-hosted, public, linux, x64] | |
steps: | |
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v3 | |
- uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4 | |
with: | |
python-version: ${{ env.PYTHON_VERSION }} | |
cache: "pipenv" | |
cache-dependency-path: "Pipfile.lock" | |
- uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3 | |
- uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3 | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
- uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1 # v2 | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Install pipenv | |
run: | | |
python -m pip install --no-cache-dir --upgrade pipenv | |
- name: Build & install checkov package | |
run: | | |
# remove venv, if exists | |
pipenv --rm || true | |
pipenv --python ${{ env.PYTHON_VERSION }} | |
# 'py' package is used in 'pytest-benchmark', but 'pytest' removed it in their latest version | |
pipenv run pip install pytest pytest-benchmark py | |
pipenv run python setup.py sdist bdist_wheel | |
bash -c 'pipenv run pip install dist/checkov-*.whl' | |
- name: Clone terraform-aws-components | |
run: git clone --branch 0.182.0 https://github.com/cloudposse/terraform-aws-components.git | |
working-directory: ${{ env.working-directory }} | |
- name: Clone aws-cloudformation-templates | |
run: git clone --branch 0.0.1 https://github.com/awslabs/aws-cloudformation-templates.git | |
working-directory: ${{ env.working-directory }} | |
- name: Clone kubernetes-yaml-templates | |
run: git clone https://github.com/dennyzhang/kubernetes-yaml-templates.git | |
working-directory: ${{ env.working-directory }} | |
- name: Run performance tests | |
run: | | |
pipenv run pytest | |
working-directory: ${{ env.working-directory }} | |
dogfood-tests: | |
runs-on: ubuntu-latest | |
env: | |
PYTHON_VERSION: "3.8" | |
WORKING_DIRECTORY: ./dogfood_tests | |
steps: | |
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v3 | |
- uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4 | |
with: | |
python-version: ${{ env.PYTHON_VERSION }} | |
cache: "pipenv" | |
cache-dependency-path: "Pipfile.lock" | |
- uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3 | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
- uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1 # v2 | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Install pipenv | |
run: | | |
python -m pip install --no-cache-dir --upgrade pipenv | |
- name: Build & install checkov package | |
run: | | |
# remove venv, if exists | |
pipenv --rm || true | |
pipenv --python ${{ env.PYTHON_VERSION }} | |
pipenv run pip install pytest pytest-xdist | |
pipenv run python setup.py sdist bdist_wheel | |
bash -c 'pipenv run pip install dist/checkov-*.whl' | |
- name: Run dogfood tests | |
run: | | |
pipenv run pytest | |
working-directory: ${{ env.WORKING_DIRECTORY }} |