test: allowlist dead-entry + FastAPI dependant-contract guards (PER-15249) #305
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: PDP CI Tests | |
| on: | |
| pull_request: | |
| push: | |
| branches: [ master, main, v* ] | |
| workflow_call: | |
| secrets: | |
| PDP_TESTER_API_KEY: | |
| required: true | |
| CLONE_REPO_TOKEN: | |
| required: true | |
| jobs: | |
| pre-commit: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-python@v5 | |
| - uses: pre-commit/action@v3.0.1 | |
| pytests: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Python setup | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.11.8' | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Run Pytests | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install ".[dev]" | |
| pytest -s --cache-clear horizon/tests/ | |
| build-pdp-image: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - uses: actions/checkout@v4 | |
| with: | |
| repository: permitio/permit-opa | |
| ref: main | |
| path: './permit-opa' | |
| token: ${{ secrets.CLONE_REPO_TOKEN }} | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Pre build PDP tests | |
| run: | | |
| echo "next" > permit_pdp_version | |
| rm -rf custom | |
| mkdir custom | |
| build_root="$PWD" | |
| cd ./permit-opa | |
| find * \( -name '*go*' -o -name 'LICENSE.md' \) -print0 | xargs -0 tar -czf "$build_root"/custom/custom_opa.tar.gz --exclude '.*' | |
| - name: Build and load PDP Docker image | |
| uses: docker/build-push-action@v5 | |
| with: | |
| push: false | |
| load: true | |
| context: . | |
| platforms: linux/amd64 | |
| tags: permitio/pdp-v2:next | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| - name: Save Docker image as artifact | |
| run: docker save permitio/pdp-v2:next -o pdp-image.tar | |
| - name: Upload Docker image artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: pdp-image | |
| path: pdp-image.tar | |
| retention-days: 1 | |
| pdp-tester: | |
| runs-on: ubuntu-latest | |
| needs: build-pdp-image | |
| # Cap the run so a hung tester fails fast instead of holding the runner | |
| # until GitHub's 360-minute default. The old k3d path was bounded by | |
| # `kubectl wait --timeout=600s`; the tester's own max_running_time only | |
| # applies in interval mode, not the run-once mode CI uses. | |
| timeout-minutes: 15 | |
| steps: | |
| - name: Download Docker image artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: pdp-image | |
| - name: Load Docker image | |
| run: docker load -i pdp-image.tar | |
| # Checkout the pdp-tester repository | |
| - name: Checkout pdp-tester repository | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: "permitio/pdp-tester" | |
| token: ${{ secrets.CLONE_REPO_TOKEN }} | |
| path: './pdp-tester' | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.12" | |
| # Cache pdp-tester's deps so each run doesn't re-resolve/re-download | |
| # from PyPI (faster, and resilient to transient PyPI outages). | |
| cache: "pip" | |
| cache-dependency-path: pdp-tester/pyproject.toml | |
| # Docker runtime backend: launch the PDP as a local container via aiodocker | |
| # (no k3d/Helm/kubectl). This is the runtime the pdp-tester maintainers | |
| # recommend for CI and sidesteps the AbsaOSS/k3d-action download breakage | |
| # (its default k3d v5.4.6 has no checksums.txt, so install.sh now 404s). | |
| - name: Install pdp-tester (docker extra) | |
| working-directory: ./pdp-tester | |
| run: pip install -e ".[docker]" | |
| - name: Run PDP tester against the local Docker PDP image | |
| working-directory: ./pdp-tester | |
| env: | |
| TOKEN: ${{ secrets.PDP_TESTER_API_KEY }} | |
| API_URL: https://permitio.api.stg.permit.io | |
| # Test the locally built image (loaded above) instead of pulling from | |
| # Docker Hub. LOCAL_IMAGE forces the runtime's local-only tag path, so | |
| # only permitio/pdp-v2:next is launched. | |
| LOCAL_IMAGE: permitio/pdp-v2 | |
| # Preserve the previous Helm startTimeout, and keep crashed containers | |
| # around so the post-mortem step below can read their logs. | |
| START_TIMEOUT: "180" | |
| AUTO_REMOVE: "false" | |
| run: | | |
| set -o pipefail | |
| # The default GitHub Actions shell runs with `-e`, so capture the | |
| # tester's exit status explicitly (via `|| status=$?`) instead of | |
| # letting a non-zero exit abort the step before the log is parsed. | |
| status=0 | |
| python -m pdp_tester --docker --local --tag next --skip-generate 2>&1 | tee /tmp/tester.log || status=$? | |
| if grep -q "test cases failed" /tmp/tester.log; then | |
| echo "::error::Some test cases failed!" | |
| exit 1 | |
| fi | |
| if [ "$status" -ne 0 ]; then | |
| echo "::error::pdp-tester exited with a non-zero status (${status})" | |
| exit 1 | |
| fi | |
| - name: Capture PDP container state and logs | |
| if: always() | |
| run: | | |
| filter="label=pdp-tester.permit.io/managed-by=pdp-tester" | |
| echo "=== PDP containers (all states) ===" | |
| docker ps -a --filter "$filter" --format '{{.Names}}\t{{.Status}}' || true | |
| echo "" | |
| echo "=== PDP container logs ===" | |
| for name in $(docker ps -a --filter "$filter" --format '{{.Names}}'); do | |
| echo "--- ${name} ---" | |
| docker logs --tail 200 "$name" 2>&1 || true | |
| done | |
| docker-scout: | |
| runs-on: ubuntu-latest | |
| needs: build-pdp-image | |
| if: github.event_name == 'pull_request' | |
| permissions: | |
| # required to upload the SARIF report | |
| security-events: write | |
| # required to download the Docker image artifact | |
| contents: read | |
| # required to create a pull request comment with the SARIF report | |
| pull-requests: write | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Download Docker image artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: pdp-image | |
| - name: Load Docker image | |
| run: docker load -i pdp-image.tar | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Docker Scout CVE report (all severities) | |
| uses: docker/scout-action@v1 | |
| with: | |
| command: cves | |
| image: local://permitio/pdp-v2:next | |
| exit-code: false | |
| sarif-file: scout-results.sarif | |
| summary: true | |
| - name: Docker Scout CVE gate (high and critical) | |
| uses: docker/scout-action@v1 | |
| with: | |
| command: cves | |
| image: local://permitio/pdp-v2:next | |
| only-severities: critical,high | |
| exit-code: true | |
| # Accept CVEs marked not_affected in the OpenVEX doc (see | |
| # .docker/scout/pdp-v2.vex.json) so the gate does not fail on | |
| # vulnerabilities whose code path the PDP never executes and for which | |
| # no usable fix is available: oras-go CVE-2026-50163 (no upstream fix | |
| # yet) and starlette CVE-2026-48818 / CVE-2026-54283 (fixed only in | |
| # starlette >=1.x, which OPAL's starlette<1 cap forbids). See PER-15358. | |
| vex-location: .docker/scout | |
| only-vex-affected: true | |
| # REQUIRED: docker scout only *applies* VEX statements whose author | |
| # matches its accept-list, which defaults to `<.*@docker.com>`. Without | |
| # this, our Permit.io-authored statements are matched and displayed | |
| # ("VEX: not affected") but NOT suppressed, so the gate still fails on | |
| # the waived CVEs. Must match the `author` field in pdp-v2.vex.json. | |
| vex-author: Permit.io | |
| - name: Upload SARIF report | |
| if: always() | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: scout-results.sarif | |
| rust-ci: | |
| name: Rust CI | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Install Rust toolchain | |
| uses: dtolnay/rust-toolchain@v1 | |
| with: | |
| toolchain: stable | |
| components: rustfmt, clippy | |
| - name: Rust cache | |
| uses: swatinem/rust-cache@v2 | |
| with: | |
| shared-key: "rust-cache" | |
| - name: Check formatting | |
| run: cargo fmt --all -- --check | |
| - name: Run cargo check | |
| run: cargo check --all --verbose | |
| - name: Run clippy | |
| run: cargo clippy --all -- -D warnings | |
| - name: Run tests | |
| run: cargo test --all --verbose |