fix bug atmos vendor pull URI cannot contain path traversal sequences and git schema #3239
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Tests | |
on: | |
pull_request: | |
types: [opened, synchronize, reopened] | |
paths-ignore: | |
- "README.md" | |
push: | |
branches: | |
- main | |
- release/v* | |
paths-ignore: | |
- ".github/**" | |
- "docs/**" | |
- "examples/**" | |
- "test/**" | |
workflow_dispatch: | |
env: | |
TERRAFORM_VERSION: "1.9.7" | |
jobs: | |
# ensure the code builds... | |
build: | |
name: Build | |
timeout-minutes: 15 | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- os: ubuntu-latest | |
target: linux | |
- os: windows-latest | |
target: windows | |
- os: macos-latest | |
target: macos | |
runs-on: ${{ matrix.os }} | |
steps: | |
- name: Build | |
run: echo "Building on ${{ matrix.os }}" | |
- name: Add GNU tar to PATH (significantly faster than windows tar) | |
if: matrix.target == 'windows' | |
run: echo "C:\Program Files\Git\usr\bin" >> $Env:GITHUB_PATH | |
- name: Check out code into the Go module directory | |
uses: actions/checkout@v4 | |
- name: Set up Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version-file: "go.mod" | |
id: go | |
- name: Get dependencies | |
run: | | |
make deps | |
- name: Build | |
run: | | |
make build-${{ matrix.target }} | |
- name: Version | |
run: | | |
make version-${{ matrix.target }} | |
- name: Upload build artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
name: build-artifacts-${{ matrix.target }} | |
path: | | |
./build/ | |
# run acceptance tests | |
test: | |
name: Acceptance Tests | |
needs: build | |
strategy: | |
fail-fast: false | |
matrix: | |
flavor: | |
- { os: ubuntu-latest, target: linux } | |
- { os: windows-latest, target: windows } | |
- { os: macos-latest, target: macos } | |
timeout-minutes: 15 | |
runs-on: ${{ matrix.flavor.os }} | |
steps: | |
- name: Check out code into the Go module directory | |
uses: actions/checkout@v4 | |
- name: Add GNU tar to PATH (significantly faster than windows tar) | |
if: matrix.flavor.target == 'windows' | |
run: echo "C:\Program Files\Git\usr\bin" >> $Env:GITHUB_PATH | |
- name: Download build artifacts for ${{ matrix.flavor.target }} | |
uses: actions/download-artifact@v4 | |
with: | |
name: build-artifacts-${{ matrix.flavor.target }} | |
path: ${{ github.workspace }} | |
- name: Add build artifacts directory to PATH for linux or macos | |
if: matrix.flavor.target == 'linux' || matrix.flavor.target == 'macos' | |
run: | | |
echo "${{ github.workspace }}" >> $GITHUB_PATH | |
chmod +x "${{ github.workspace }}/atmos" | |
- name: Add build artifacts directory to PATH for windows | |
if: matrix.flavor.target == 'windows' | |
shell: pwsh | |
run: | | |
$atmosPath = Join-Path ${{ github.workspace }} "atmos.exe" | |
if (-not (Test-Path $atmosPath)) { | |
throw "atmos.exe not found at: $atmosPath" | |
} | |
echo "${{ github.workspace }}" >> $Env:GITHUB_PATH | |
- uses: hashicorp/setup-terraform@v3 | |
with: | |
terraform_version: ${{ env.TERRAFORM_VERSION }} | |
terraform_wrapper: false | |
- name: Check atmos.exe integrity | |
if: matrix.flavor.target == 'windows' | |
shell: pwsh | |
run: | | |
Write-Output "PATH=$Env:PATH" | |
Write-Output "PATHEXT=$Env:PATHEXT" | |
Get-ChildItem "${{ github.workspace }}" | |
Get-Command "${{ github.workspace }}\atmos.exe" | |
atmos version | |
- name: Set up Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version-file: "go.mod" | |
id: go | |
- name: Get dependencies | |
run: | | |
make deps | |
- name: Acceptance tests | |
timeout-minutes: 10 | |
run: make testacc | |
docker: | |
name: "Docker Lint" | |
needs: build | |
runs-on: ubuntu-latest | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
- uses: hadolint/hadolint-action@v3.1.0 | |
id: hadolint | |
with: | |
dockerfile: Dockerfile | |
failure-threshold: warning | |
format: sarif | |
output-file: hadolint.sarif | |
# https://github.com/hadolint/hadolint?tab=readme-ov-file#rules | |
# DL3008 Pin versions in apt-get install | |
ignore: DL3008 | |
- name: Upload SARIF file | |
uses: github/codeql-action/upload-sarif@v3 | |
if: always() | |
with: | |
# Path to SARIF file relative to the root of the repository | |
sarif_file: hadolint.sarif | |
# Optional category for the results (used to differentiate multiple results for one commit) | |
category: hadolint | |
wait-for-processing: true | |
# run localstack demo tests | |
localstack: | |
name: "[localstack] ${{ matrix.demo-folder }}" | |
needs: build | |
runs-on: ubuntu-latest | |
services: | |
localstack: | |
image: localstack/localstack:1.4.0 | |
ports: | |
- 4566:4566 | |
- 4510-4559:4510-4559 | |
env: | |
SERVICES: s3, iam, lambda, dynamodb, sts, account, ec2 | |
DEBUG: 0 | |
DOCKER_HOST: unix:///var/run/docker.sock | |
AWS_ACCESS_KEY_ID: test | |
AWS_SECRET_ACCESS_KEY: test | |
AWS_DEFAULT_REGION: us-east-1 | |
AWS_REGION: us-east-1 | |
volumes: | |
- /var/run/docker.sock:/var/run/docker.sock | |
strategy: | |
fail-fast: false | |
matrix: | |
demo-folder: | |
- demo-localstack | |
timeout-minutes: 20 | |
steps: | |
- name: Download build artifacts | |
uses: actions/download-artifact@v4 | |
with: | |
name: build-artifacts-linux | |
path: /usr/local/bin | |
- name: Set execute permissions on atmos | |
run: chmod +x /usr/local/bin/atmos | |
- name: Check out code into the Go module directory | |
uses: actions/checkout@v4 | |
- uses: hashicorp/setup-terraform@v3 | |
with: | |
terraform_version: ${{ env.TERRAFORM_VERSION }} | |
terraform_wrapper: false | |
- name: Run tests for ${{ matrix.demo-folder }} | |
run: | | |
cd examples/${{ matrix.demo-folder }} | |
atmos test | |
# run k3s demo tests | |
k3s: | |
name: "[k3s] ${{ matrix.demo-folder }}" | |
needs: build | |
runs-on: ubuntu-latest | |
env: | |
KUBECONFIG: ${{github.workspace}}/examples/${{ matrix.demo-folder }}/kubeconfig.yaml | |
ATMOS_LOGS_LEVEL: Debug | |
strategy: | |
matrix: | |
demo-folder: | |
- demo-helmfile | |
timeout-minutes: 20 | |
steps: | |
- name: Check out code into the Go module directory | |
uses: actions/checkout@v4 | |
- name: Start Docker Compose | |
working-directory: examples/${{ matrix.demo-folder }} | |
run: docker compose up -d --wait | |
- name: Wait for k3s to start | |
working-directory: examples/${{ matrix.demo-folder }} | |
run: | | |
until kubectl get pods --all-namespaces >/dev/null 2>&1; do | |
echo "Retrying..." | |
sleep 1 | |
done | |
kubectl get pods --all-namespaces | |
- name: Download build artifacts | |
uses: actions/download-artifact@v4 | |
with: | |
name: build-artifacts-linux | |
path: /usr/local/bin | |
- name: Set execute permissions on atmos | |
run: chmod +x /usr/local/bin/atmos | |
- name: Install the Cloud Posse package repository | |
run: curl -1sLf 'https://dl.cloudsmith.io/public/cloudposse/packages/cfg/setup/bash.deb.sh' | sudo bash | |
- name: Install kubectl, helmfile, and helm | |
run: sudo apt-get -y install kubectl helmfile helm | |
- name: Install helm-diff plugin | |
run: helm plugin install https://github.com/databus23/helm-diff | |
- name: Write a default AWS profile to the AWS config file | |
run: | | |
mkdir -p ~/.aws | |
echo '[default]' > ~/.aws/config | |
- name: Run tests for ${{ matrix.demo-folder }} | |
run: | | |
cd examples/${{ matrix.demo-folder }} | |
atmos test | |
# run other demo tests | |
mock: | |
name: "[mock-${{ matrix.flavor.target}}] ${{ matrix.demo-folder }}" | |
needs: build | |
runs-on: ${{ matrix.flavor.os }} | |
strategy: | |
fail-fast: false | |
matrix: | |
flavor: | |
- { os: ubuntu-latest, target: linux } | |
- { os: windows-latest, target: windows } | |
- { os: macos-latest, target: macos } | |
demo-folder: | |
- demo-atlantis | |
# - demo-component-manifest | |
- demo-component-versions | |
- demo-context | |
# - demo-custom-command | |
# - demo-json-validation | |
# - demo-opa-validation | |
# - demo-opentofu | |
# - demo-project | |
# - demo-stacks | |
# - demo-terraform | |
# - demo-terraform-overrides | |
# - demo-workflows | |
# - demo-yaml-anchors | |
# - demo-mock-architecture | |
# - demo-stack-templating | |
# - demo-multi-cloud | |
- demo-vendoring | |
- tests | |
timeout-minutes: 20 | |
steps: | |
- name: Check out code into the Go module directory | |
uses: actions/checkout@v4 | |
- name: Add GNU tar to PATH (significantly faster than windows tar) | |
if: matrix.flavor.target == 'windows' | |
run: echo "C:\Program Files\Git\usr\bin" >> $Env:GITHUB_PATH | |
- name: Download build artifacts for ${{ matrix.flavor.target }} | |
uses: actions/download-artifact@v4 | |
with: | |
name: build-artifacts-${{ matrix.flavor.target }} | |
path: ${{ github.workspace }} | |
- name: Add build artifacts directory to PATH for linux or macos | |
if: matrix.flavor.target == 'linux' || matrix.flavor.target == 'macos' | |
run: | | |
echo "${{ github.workspace }}" >> $GITHUB_PATH | |
chmod +x "${{ github.workspace }}/atmos" | |
- name: Add build artifacts directory to PATH for windows | |
if: matrix.flavor.target == 'windows' | |
run: | | |
echo "${{ github.workspace }}" >> $Env:GITHUB_PATH | |
- uses: hashicorp/setup-terraform@v3 | |
with: | |
terraform_version: ${{ env.TERRAFORM_VERSION }} | |
terraform_wrapper: false | |
- name: Run tests in ${{ matrix.demo-folder }} for ${{ matrix.flavor.target }} | |
working-directory: examples/${{ matrix.demo-folder }} | |
if: matrix.flavor.target == 'linux' || matrix.flavor.target == 'macos' | |
run: | | |
atmos test | |
- name: Check atmos.exe integrity | |
if: matrix.flavor.target == 'windows' | |
shell: pwsh | |
run: | | |
Write-Output "PATH=$Env:PATH" | |
Write-Output "PATHEXT=$Env:PATHEXT" | |
Get-ChildItem "${{ github.workspace }}" | |
Get-Command "${{ github.workspace }}\atmos.exe" | |
atmos version | |
- name: Run tests in ${{ matrix.demo-folder }} for ${{ matrix.flavor.target }} | |
working-directory: examples/${{ matrix.demo-folder }} | |
if: matrix.flavor.target == 'windows' | |
shell: pwsh | |
run: | | |
atmos test | |
# run other demo tests | |
lint: | |
name: "[lint] ${{ matrix.demo-folder }}" | |
needs: build | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
demo-folder: | |
# - demo-component-manifest | |
- demo-context | |
# - demo-custom-command | |
# - demo-json-validation | |
# - demo-library | |
# - demo-localstack | |
# - demo-opa-validation | |
# - demo-opentofu | |
# - demo-project | |
# - demo-stacks | |
# - demo-terraform | |
# - demo-terraform-overrides | |
# - demo-workflows | |
# - demo-yaml-anchors | |
# - demo-mock-architecture | |
# - demo-stack-templating | |
# - demo-multi-cloud | |
- quick-start-advanced | |
#- quick-start-simple | |
timeout-minutes: 20 | |
steps: | |
- name: Check out code into the Go module directory | |
uses: actions/checkout@v4 | |
- name: Install Terraform | |
uses: hashicorp/setup-terraform@v3 | |
with: | |
terraform_version: ${{ env.TERRAFORM_VERSION }} | |
terraform_wrapper: false | |
- name: Lint examples/${{ matrix.demo-folder }}/components/terraform | |
uses: reviewdog/action-tflint@v1 | |
with: | |
github_token: ${{ secrets.github_token }} | |
working_directory: examples/${{ matrix.demo-folder }}/components/terraform | |
flags: >- | |
--enable-rule=terraform_unused_declarations | |
--disable-rule=terraform_typed_variables | |
--minimum-failure-severity=warning | |
--recursive | |
--config=${{ github.workspace }}/examples/.tflint.hcl | |
fail_level: error | |
# run other demo tests | |
validate: | |
name: "[validate] ${{ matrix.demo-folder }}" | |
needs: build | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
demo-folder: | |
- demo-context | |
- demo-localstack | |
- demo-stacks | |
- demo-helmfile | |
- quick-start-advanced | |
- quick-start-simple | |
timeout-minutes: 20 | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
- name: Validate YAML Schema | |
uses: InoUno/yaml-ls-check@v1.4.0 | |
with: | |
root: "examples/${{ matrix.demo-folder }}/stacks" | |
schemaMapping: | | |
{ | |
"https://atmos.tools/schemas/atmos/atmos-manifest/1.0/atmos-manifest.json": [ | |
"examples/${{ matrix.demo-folder }}/stacks/**/*.yaml", | |
"examples/${{ matrix.demo-folder }}/stacks/**/*.yml" | |
] | |
} | |
release: | |
needs: [test, lint, mock, k3s, localstack, docker, validate] | |
if: github.event_name == 'push' | |
uses: cloudposse/.github/.github/workflows/shared-go-auto-release.yml@main | |
with: | |
publish: false | |
format: binary | |
secrets: inherit |