Skip to content

feat: debounce forced-reload trigger endpoints (PER-15248) #308

feat: debounce forced-reload trigger endpoints (PER-15248)

feat: debounce forced-reload trigger endpoints (PER-15248) #308

Workflow file for this run

name: PDP CI Tests
on:
pull_request:
push:
branches: [ master, main, v* ]
workflow_call:
secrets:
PDP_TESTER_API_KEY:
required: true
CLONE_REPO_TOKEN:
required: true
jobs:
pre-commit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
- uses: pre-commit/action@v3.0.1
pytests:
runs-on: ubuntu-latest
steps:
- name: Python setup
uses: actions/setup-python@v5
with:
python-version: '3.11.8'
- name: Checkout code
uses: actions/checkout@v4
- name: Run Pytests
run: |
python -m pip install --upgrade pip
pip install ".[dev]"
pytest -s --cache-clear horizon/tests/
build-pdp-image:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- uses: actions/checkout@v4
with:
repository: permitio/permit-opa
ref: main
path: './permit-opa'
token: ${{ secrets.CLONE_REPO_TOKEN }}
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Pre build PDP tests
run: |
echo "next" > permit_pdp_version
rm -rf custom
mkdir custom
build_root="$PWD"
cd ./permit-opa
find * \( -name '*go*' -o -name 'LICENSE.md' \) -print0 | xargs -0 tar -czf "$build_root"/custom/custom_opa.tar.gz --exclude '.*'
- name: Build and load PDP Docker image
uses: docker/build-push-action@v5
with:
push: false
load: true
context: .
platforms: linux/amd64
tags: permitio/pdp-v2:next
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Save Docker image as artifact
run: docker save permitio/pdp-v2:next -o pdp-image.tar
- name: Upload Docker image artifact
uses: actions/upload-artifact@v4
with:
name: pdp-image
path: pdp-image.tar
retention-days: 1
pdp-tester:
runs-on: ubuntu-latest
needs: build-pdp-image
# Cap the run so a hung tester fails fast instead of holding the runner
# until GitHub's 360-minute default. The old k3d path was bounded by
# `kubectl wait --timeout=600s`; the tester's own max_running_time only
# applies in interval mode, not the run-once mode CI uses.
timeout-minutes: 15
steps:
- name: Download Docker image artifact
uses: actions/download-artifact@v4
with:
name: pdp-image
- name: Load Docker image
run: docker load -i pdp-image.tar
# Checkout the pdp-tester repository
- name: Checkout pdp-tester repository
uses: actions/checkout@v4
with:
repository: "permitio/pdp-tester"
token: ${{ secrets.CLONE_REPO_TOKEN }}
path: './pdp-tester'
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.12"
# Cache pdp-tester's deps so each run doesn't re-resolve/re-download
# from PyPI (faster, and resilient to transient PyPI outages).
cache: "pip"
cache-dependency-path: pdp-tester/pyproject.toml
# Docker runtime backend: launch the PDP as a local container via aiodocker
# (no k3d/Helm/kubectl). This is the runtime the pdp-tester maintainers
# recommend for CI and sidesteps the AbsaOSS/k3d-action download breakage
# (its default k3d v5.4.6 has no checksums.txt, so install.sh now 404s).
- name: Install pdp-tester (docker extra)
working-directory: ./pdp-tester
run: pip install -e ".[docker]"
- name: Run PDP tester against the local Docker PDP image
working-directory: ./pdp-tester
env:
TOKEN: ${{ secrets.PDP_TESTER_API_KEY }}
API_URL: https://permitio.api.stg.permit.io
# Test the locally built image (loaded above) instead of pulling from
# Docker Hub. LOCAL_IMAGE forces the runtime's local-only tag path, so
# only permitio/pdp-v2:next is launched.
LOCAL_IMAGE: permitio/pdp-v2
# Preserve the previous Helm startTimeout, and keep crashed containers
# around so the post-mortem step below can read their logs.
START_TIMEOUT: "180"
AUTO_REMOVE: "false"
run: |
set -o pipefail
# The default GitHub Actions shell runs with `-e`, so capture the
# tester's exit status explicitly (via `|| status=$?`) instead of
# letting a non-zero exit abort the step before the log is parsed.
status=0
python -m pdp_tester --docker --local --tag next --skip-generate 2>&1 | tee /tmp/tester.log || status=$?
if grep -q "test cases failed" /tmp/tester.log; then
echo "::error::Some test cases failed!"
exit 1
fi
if [ "$status" -ne 0 ]; then
echo "::error::pdp-tester exited with a non-zero status (${status})"
exit 1
fi
- name: Capture PDP container state and logs
if: always()
run: |
filter="label=pdp-tester.permit.io/managed-by=pdp-tester"
echo "=== PDP containers (all states) ==="
docker ps -a --filter "$filter" --format '{{.Names}}\t{{.Status}}' || true
echo ""
echo "=== PDP container logs ==="
for name in $(docker ps -a --filter "$filter" --format '{{.Names}}'); do
echo "--- ${name} ---"
docker logs --tail 200 "$name" 2>&1 || true
done
docker-scout:
runs-on: ubuntu-latest
needs: build-pdp-image
if: github.event_name == 'pull_request'
permissions:
# required to upload the SARIF report
security-events: write
# required to download the Docker image artifact
contents: read
# required to create a pull request comment with the SARIF report
pull-requests: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Download Docker image artifact
uses: actions/download-artifact@v4
with:
name: pdp-image
- name: Load Docker image
run: docker load -i pdp-image.tar
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Docker Scout CVE report (all severities)
uses: docker/scout-action@v1
with:
command: cves
image: local://permitio/pdp-v2:next
exit-code: false
sarif-file: scout-results.sarif
summary: true
- name: Docker Scout CVE gate (high and critical)
uses: docker/scout-action@v1
with:
command: cves
image: local://permitio/pdp-v2:next
only-severities: critical,high
exit-code: true
# Accept CVEs marked not_affected in the OpenVEX doc (see
# .docker/scout/pdp-v2.vex.json) so the gate does not fail on
# vulnerabilities whose code path the PDP never executes and for which
# no usable fix is available: oras-go CVE-2026-50163 (no upstream fix
# yet) and starlette CVE-2026-48818 / CVE-2026-54283 (fixed only in
# starlette >=1.x, which OPAL's starlette<1 cap forbids). See PER-15358.
vex-location: .docker/scout
only-vex-affected: true
# REQUIRED: docker scout only *applies* VEX statements whose author
# matches its accept-list, which defaults to `<.*@docker.com>`. Without
# this, our Permit.io-authored statements are matched and displayed
# ("VEX: not affected") but NOT suppressed, so the gate still fails on
# the waived CVEs. Must match the `author` field in pdp-v2.vex.json.
vex-author: Permit.io
- name: Upload SARIF report
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: scout-results.sarif
rust-ci:
name: Rust CI
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@v1
with:
toolchain: stable
components: rustfmt, clippy
- name: Rust cache
uses: swatinem/rust-cache@v2
with:
shared-key: "rust-cache"
- name: Check formatting
run: cargo fmt --all -- --check
- name: Run cargo check
run: cargo check --all --verbose
- name: Run clippy
run: cargo clippy --all -- -D warnings
- name: Run tests
run: cargo test --all --verbose