Skip to content

fix bug atmos vendor pull URI cannot contain path traversal sequences and git schema #3237

fix bug atmos vendor pull URI cannot contain path traversal sequences and git schema

fix bug atmos vendor pull URI cannot contain path traversal sequences and git schema #3237

Workflow file for this run

name: Tests
on:
pull_request:
types: [opened, synchronize, reopened]
paths-ignore:
- "README.md"
push:
branches:
- main
- release/v*
paths-ignore:
- ".github/**"
- "docs/**"
- "examples/**"
- "test/**"
workflow_dispatch:
env:
TERRAFORM_VERSION: "1.9.7"
jobs:
# ensure the code builds...
build:
name: Build
timeout-minutes: 15
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
target: linux
- os: windows-latest
target: windows
- os: macos-latest
target: macos
runs-on: ${{ matrix.os }}
steps:
- name: Build
run: echo "Building on ${{ matrix.os }}"
- name: Add GNU tar to PATH (significantly faster than windows tar)
if: matrix.target == 'windows'
run: echo "C:\Program Files\Git\usr\bin" >> $Env:GITHUB_PATH
- name: Check out code into the Go module directory
uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: "go.mod"
id: go
- name: Get dependencies
run: |
make deps
- name: Build
run: |
make build-${{ matrix.target }}
- name: Version
run: |
make version-${{ matrix.target }}
- name: Upload build artifacts
uses: actions/upload-artifact@v4
with:
name: build-artifacts-${{ matrix.target }}
path: |
./build/
# run acceptance tests
test:
name: Acceptance Tests
needs: build
strategy:
fail-fast: false
matrix:
flavor:
- { os: ubuntu-latest, target: linux }
- { os: windows-latest, target: windows }
- { os: macos-latest, target: macos }
timeout-minutes: 15
runs-on: ${{ matrix.flavor.os }}
steps:
- name: Check out code into the Go module directory
uses: actions/checkout@v4
- name: Add GNU tar to PATH (significantly faster than windows tar)
if: matrix.flavor.target == 'windows'
run: echo "C:\Program Files\Git\usr\bin" >> $Env:GITHUB_PATH
- name: Download build artifacts for ${{ matrix.flavor.target }}
uses: actions/download-artifact@v4
with:
name: build-artifacts-${{ matrix.flavor.target }}
path: ${{ github.workspace }}
- name: Add build artifacts directory to PATH for linux or macos
if: matrix.flavor.target == 'linux' || matrix.flavor.target == 'macos'
run: |
echo "${{ github.workspace }}" >> $GITHUB_PATH
chmod +x "${{ github.workspace }}/atmos"
- name: Add build artifacts directory to PATH for windows
if: matrix.flavor.target == 'windows'
shell: pwsh
run: |
$atmosPath = Join-Path ${{ github.workspace }} "atmos.exe"
if (-not (Test-Path $atmosPath)) {
throw "atmos.exe not found at: $atmosPath"
}
echo "${{ github.workspace }}" >> $Env:GITHUB_PATH
- uses: hashicorp/setup-terraform@v3
with:
terraform_version: ${{ env.TERRAFORM_VERSION }}
terraform_wrapper: false
- name: Check atmos.exe integrity
if: matrix.flavor.target == 'windows'
shell: pwsh
run: |
Write-Output "PATH=$Env:PATH"
Write-Output "PATHEXT=$Env:PATHEXT"
Get-ChildItem "${{ github.workspace }}"
Get-Command "${{ github.workspace }}\atmos.exe"
atmos version
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: "go.mod"
id: go
- name: Get dependencies
run: |
make deps
- name: Acceptance tests
timeout-minutes: 10
run: make testacc
docker:
name: "Docker Lint"
needs: build
runs-on: ubuntu-latest
steps:
- name: Check out code
uses: actions/checkout@v4
- uses: hadolint/hadolint-action@v3.1.0
id: hadolint
with:
dockerfile: Dockerfile
failure-threshold: warning
format: sarif
output-file: hadolint.sarif
# https://github.com/hadolint/hadolint?tab=readme-ov-file#rules
# DL3008 Pin versions in apt-get install
ignore: DL3008
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
# Path to SARIF file relative to the root of the repository
sarif_file: hadolint.sarif
# Optional category for the results (used to differentiate multiple results for one commit)
category: hadolint
wait-for-processing: true
# run localstack demo tests
localstack:
name: "[localstack] ${{ matrix.demo-folder }}"
needs: build
runs-on: ubuntu-latest
services:
localstack:
image: localstack/localstack:1.4.0
ports:
- 4566:4566
- 4510-4559:4510-4559
env:
SERVICES: s3, iam, lambda, dynamodb, sts, account, ec2
DEBUG: 0
DOCKER_HOST: unix:///var/run/docker.sock
AWS_ACCESS_KEY_ID: test
AWS_SECRET_ACCESS_KEY: test
AWS_DEFAULT_REGION: us-east-1
AWS_REGION: us-east-1
volumes:
- /var/run/docker.sock:/var/run/docker.sock
strategy:
fail-fast: false
matrix:
demo-folder:
- demo-localstack
timeout-minutes: 20
steps:
- name: Download build artifacts
uses: actions/download-artifact@v4
with:
name: build-artifacts-linux
path: /usr/local/bin
- name: Set execute permissions on atmos
run: chmod +x /usr/local/bin/atmos
- name: Check out code into the Go module directory
uses: actions/checkout@v4
- uses: hashicorp/setup-terraform@v3
with:
terraform_version: ${{ env.TERRAFORM_VERSION }}
terraform_wrapper: false
- name: Run tests for ${{ matrix.demo-folder }}
run: |
cd examples/${{ matrix.demo-folder }}
atmos test
# run k3s demo tests
k3s:
name: "[k3s] ${{ matrix.demo-folder }}"
needs: build
runs-on: ubuntu-latest
env:
KUBECONFIG: ${{github.workspace}}/examples/${{ matrix.demo-folder }}/kubeconfig.yaml
ATMOS_LOGS_LEVEL: Debug
strategy:
matrix:
demo-folder:
- demo-helmfile
timeout-minutes: 20
steps:
- name: Check out code into the Go module directory
uses: actions/checkout@v4
- name: Start Docker Compose
working-directory: examples/${{ matrix.demo-folder }}
run: docker compose up -d --wait
- name: Wait for k3s to start
working-directory: examples/${{ matrix.demo-folder }}
run: |
until kubectl get pods --all-namespaces >/dev/null 2>&1; do
echo "Retrying..."
sleep 1
done
kubectl get pods --all-namespaces
- name: Download build artifacts
uses: actions/download-artifact@v4
with:
name: build-artifacts-linux
path: /usr/local/bin
- name: Set execute permissions on atmos
run: chmod +x /usr/local/bin/atmos
- name: Install the Cloud Posse package repository
run: curl -1sLf 'https://dl.cloudsmith.io/public/cloudposse/packages/cfg/setup/bash.deb.sh' | sudo bash
- name: Install kubectl, helmfile, and helm
run: sudo apt-get -y install kubectl helmfile helm
- name: Install helm-diff plugin
run: helm plugin install https://github.com/databus23/helm-diff
- name: Write a default AWS profile to the AWS config file
run: |
mkdir -p ~/.aws
echo '[default]' > ~/.aws/config
- name: Run tests for ${{ matrix.demo-folder }}
run: |
cd examples/${{ matrix.demo-folder }}
atmos test
# run other demo tests
mock:
name: "[mock-${{ matrix.flavor.target}}] ${{ matrix.demo-folder }}"
needs: build
runs-on: ${{ matrix.flavor.os }}
strategy:
fail-fast: false
matrix:
flavor:
- { os: ubuntu-latest, target: linux }
- { os: windows-latest, target: windows }
- { os: macos-latest, target: macos }
demo-folder:
- demo-atlantis
# - demo-component-manifest
- demo-component-versions
- demo-context
# - demo-custom-command
# - demo-json-validation
# - demo-opa-validation
# - demo-opentofu
# - demo-project
# - demo-stacks
# - demo-terraform
# - demo-terraform-overrides
# - demo-workflows
# - demo-yaml-anchors
# - demo-mock-architecture
# - demo-stack-templating
# - demo-multi-cloud
- demo-vendoring
- tests
timeout-minutes: 20
steps:
- name: Check out code into the Go module directory
uses: actions/checkout@v4
- name: Add GNU tar to PATH (significantly faster than windows tar)
if: matrix.flavor.target == 'windows'
run: echo "C:\Program Files\Git\usr\bin" >> $Env:GITHUB_PATH
- name: Download build artifacts for ${{ matrix.flavor.target }}
uses: actions/download-artifact@v4
with:
name: build-artifacts-${{ matrix.flavor.target }}
path: ${{ github.workspace }}
- name: Add build artifacts directory to PATH for linux or macos
if: matrix.flavor.target == 'linux' || matrix.flavor.target == 'macos'
run: |
echo "${{ github.workspace }}" >> $GITHUB_PATH
chmod +x "${{ github.workspace }}/atmos"
- name: Add build artifacts directory to PATH for windows
if: matrix.flavor.target == 'windows'
run: |
echo "${{ github.workspace }}" >> $Env:GITHUB_PATH
- uses: hashicorp/setup-terraform@v3
with:
terraform_version: ${{ env.TERRAFORM_VERSION }}
terraform_wrapper: false
- name: Run tests in ${{ matrix.demo-folder }} for ${{ matrix.flavor.target }}
working-directory: examples/${{ matrix.demo-folder }}
if: matrix.flavor.target == 'linux' || matrix.flavor.target == 'macos'
run: |
atmos test
- name: Check atmos.exe integrity
if: matrix.flavor.target == 'windows'
shell: pwsh
run: |
Write-Output "PATH=$Env:PATH"
Write-Output "PATHEXT=$Env:PATHEXT"
Get-ChildItem "${{ github.workspace }}"
Get-Command "${{ github.workspace }}\atmos.exe"
atmos version
- name: Run tests in ${{ matrix.demo-folder }} for ${{ matrix.flavor.target }}
working-directory: examples/${{ matrix.demo-folder }}
if: matrix.flavor.target == 'windows'
shell: pwsh
run: |
atmos test
# run other demo tests
lint:
name: "[lint] ${{ matrix.demo-folder }}"
needs: build
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
demo-folder:
# - demo-component-manifest
- demo-context
# - demo-custom-command
# - demo-json-validation
# - demo-library
# - demo-localstack
# - demo-opa-validation
# - demo-opentofu
# - demo-project
# - demo-stacks
# - demo-terraform
# - demo-terraform-overrides
# - demo-workflows
# - demo-yaml-anchors
# - demo-mock-architecture
# - demo-stack-templating
# - demo-multi-cloud
- quick-start-advanced
#- quick-start-simple
timeout-minutes: 20
steps:
- name: Check out code into the Go module directory
uses: actions/checkout@v4
- name: Install Terraform
uses: hashicorp/setup-terraform@v3
with:
terraform_version: ${{ env.TERRAFORM_VERSION }}
terraform_wrapper: false
- name: Lint examples/${{ matrix.demo-folder }}/components/terraform
uses: reviewdog/action-tflint@v1
with:
github_token: ${{ secrets.github_token }}
working_directory: examples/${{ matrix.demo-folder }}/components/terraform
flags: >-
--enable-rule=terraform_unused_declarations
--disable-rule=terraform_typed_variables
--minimum-failure-severity=warning
--recursive
--config=${{ github.workspace }}/examples/.tflint.hcl
fail_level: error
# run other demo tests
validate:
name: "[validate] ${{ matrix.demo-folder }}"
needs: build
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
demo-folder:
- demo-context
- demo-localstack
- demo-stacks
- demo-helmfile
- quick-start-advanced
- quick-start-simple
timeout-minutes: 20
steps:
- name: Check out code
uses: actions/checkout@v4
- name: Validate YAML Schema
uses: InoUno/yaml-ls-check@v1.4.0
with:
root: "examples/${{ matrix.demo-folder }}/stacks"
schemaMapping: |
{
"https://atmos.tools/schemas/atmos/atmos-manifest/1.0/atmos-manifest.json": [
"examples/${{ matrix.demo-folder }}/stacks/**/*.yaml",
"examples/${{ matrix.demo-folder }}/stacks/**/*.yml"
]
}
release:
needs: [test, lint, mock, k3s, localstack, docker, validate]
if: github.event_name == 'push'
uses: cloudposse/.github/.github/workflows/shared-go-auto-release.yml@main
with:
publish: false
format: binary
secrets: inherit