Sync with Pro (TEST) #24380
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # AUTOGENERATED FROM tests.jsonnet DO NOT MODIFY | |
| jobs: | |
| benchmarks-full: | |
| needs: | |
| - build-test-core-x86 | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Fetch semgrep-cli submodules | |
| run: git submodule update --init --recursive --recommend-shallow cli/src/semgrep/semgrep_interfaces | |
| - uses: actions/setup-python@v4 | |
| with: | |
| cache: pipenv | |
| python-version: "3.8" | |
| - run: pip install pipenv==2022.6.7 | |
| - uses: actions/download-artifact@v3 | |
| with: | |
| name: semgrep-core-x86-artifact | |
| - name: Install artifacts | |
| run: | | |
| tar xf artifacts.tgz | |
| sudo cp artifacts/* /usr/bin | |
| - name: Install Python dependencies | |
| run: pipenv install --dev | |
| working-directory: cli | |
| - name: Run perf benchmark | |
| run: scripts/run-benchmarks.sh ${{ secrets.GITHUB_TOKEN }} ${{ github.event.number }} | |
| - name: Run python performance tests | |
| run: pipenv run pytest tests/performance | |
| working-directory: cli | |
| benchmarks-lite: | |
| needs: | |
| - build-test-core-x86 | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Fetch semgrep-cli submodules | |
| run: git submodule update --init --recursive --recommend-shallow cli/src/semgrep/semgrep_interfaces | |
| - uses: actions/setup-python@v4 | |
| with: | |
| cache: pipenv | |
| python-version: "3.8" | |
| - run: pip install pipenv==2022.6.7 | |
| - uses: actions/download-artifact@v3 | |
| with: | |
| name: semgrep-core-x86-artifact | |
| - name: Install artifacts | |
| run: | | |
| tar xf artifacts.tgz | |
| sudo cp artifacts/* /usr/bin | |
| - name: Install Python dependencies | |
| run: pipenv install --dev | |
| working-directory: cli | |
| - name: Test dummy benchmarks on latest | |
| run: | | |
| pipenv run semgrep --version | |
| pipenv run semgrep-core -version | |
| pipenv run python3 ../perf/run-benchmarks --dummy | |
| working-directory: cli | |
| build-test-core-x86: | |
| secrets: inherit | |
| uses: ./.github/workflows/build-test-core-x86.yml | |
| build-test-docker: | |
| secrets: inherit | |
| uses: ./.github/workflows/build-test-docker.yml | |
| with: | |
| artifact-name: semgrep-docker-image-artifact | |
| docker-flavor: | | |
| latest=false | |
| docker-tags: | | |
| type=ref,event=pr | |
| type=ref,event=branch | |
| type=sha,event=branch | |
| enable-tests: true | |
| file: Dockerfile | |
| repository-name: returntocorp/semgrep | |
| target: semgrep-cli | |
| build-test-docker-nonroot: | |
| needs: | |
| - build-test-docker | |
| secrets: inherit | |
| uses: ./.github/workflows/build-test-docker.yml | |
| with: | |
| artifact-name: semgrep-docker-image-artifact-nonroot | |
| docker-flavor: | | |
| latest=false | |
| suffix=-nonroot | |
| docker-tags: | | |
| type=sha,event=branch | |
| type=ref,event=pr | |
| enable-tests: false | |
| file: Dockerfile | |
| repository-name: returntocorp/semgrep | |
| target: nonroot | |
| build-test-docker-performance-tests: | |
| needs: | |
| - build-test-docker | |
| secrets: inherit | |
| uses: ./.github/workflows/build-test-docker.yml | |
| with: | |
| artifact-name: semgrep-docker-image-artifact-performance-tests | |
| docker-flavor: | | |
| latest=false | |
| suffix=-performance-tests | |
| docker-tags: | | |
| type=sha,event=branch | |
| type=ref,event=pr | |
| enable-tests: false | |
| file: Dockerfile | |
| repository-name: returntocorp/semgrep | |
| target: performance-tests | |
| build-test-javascript: | |
| secrets: inherit | |
| uses: ./.github/workflows/build-test-javascript.yml | |
| with: | |
| upload-artifacts: ${{ (github.ref == 'refs/heads/develop') || startsWith(github.head_ref, 'release-') || (!github.event.pull_request.head.repo.fork && contains(github.event.pull_request.labels.*.name, 'publish-js')) }} | |
| build-test-manylinux-aarch64: | |
| needs: | |
| - build-test-docker | |
| secrets: inherit | |
| uses: ./.github/workflows/build-test-manylinux-aarch64.yml | |
| build-test-manylinux-x86: | |
| needs: | |
| - build-test-core-x86 | |
| secrets: inherit | |
| uses: ./.github/workflows/build-test-manylinux-x86.yml | |
| build-test-osx-arm64: | |
| secrets: inherit | |
| uses: ./.github/workflows/build-test-osx-arm64.yml | |
| build-test-osx-x86: | |
| secrets: inherit | |
| uses: ./.github/workflows/build-test-osx-x86.yml | |
| build-test-windows-x86: | |
| secrets: inherit | |
| uses: ./.github/workflows/build-test-windows-x86.yml | |
| check-semgrep-pro: | |
| secrets: inherit | |
| uses: ./.github/workflows/check-semgrep-pro.yml | |
| push-docker-returntocorp: | |
| if: github.ref == 'refs/heads/develop' || (github.actor != 'dependabot[bot]' && !(github.event.pull_request.head.repo.full_name != github.repository)) | |
| needs: | |
| - build-test-docker | |
| secrets: inherit | |
| uses: ./.github/workflows/push-docker.yml | |
| with: | |
| artifact-name: semgrep-docker-image-artifact | |
| dry-run: false | |
| repository-name: returntocorp/semgrep | |
| test-cli: | |
| name: test semgrep-cli | |
| needs: | |
| - check-semgrep-pro | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Fetch semgrep-cli submodules | |
| run: git submodule update --init --recursive --recommend-shallow cli/src/semgrep/semgrep_interfaces | |
| - uses: actions/setup-python@v4 | |
| with: | |
| cache: pipenv | |
| python-version: ${{ matrix.python }} | |
| - run: pip install pipenv==2022.6.7 | |
| - name: Install Python dependencies | |
| run: pipenv install --dev | |
| working-directory: cli | |
| - uses: actions/download-artifact@v3 | |
| with: | |
| name: semgrep-core-pro-x86-artifact | |
| - name: Install pro artifacts | |
| run: | | |
| tar xf artifacts.tgz | |
| # All binaries will be placed in cli/tmp-bin first | |
| # before copying over to /usr/bin. This is so that | |
| # we don't need to run semgrep with sudo. | |
| mv artifacts cli/tmp-bin | |
| cd cli | |
| PATH="tmp-bin:$PATH" pipenv run semgrep install-semgrep-pro --custom-binary tmp-bin/semgrep-core-proprietary | |
| # Later we copy these files to /usr/bin which requires sudo | |
| sudo cp tmp-bin/* /usr/bin | |
| - name: Run pytest | |
| run: | | |
| # tests should simulate CI environment iff they need one | |
| unset CI | |
| unset "${!GITHUB_@}" | |
| PYTEST_EXTRA_ARGS="--snapshot-update --allow-snapshot-deletion" make test | |
| working-directory: cli | |
| - if: failure() | |
| name: Prepare repo for snapshot commit | |
| run: | | |
| # the commit step that follows will fail to fetch the pfff submodule | |
| # (perhaps because of the github token's permissions) | |
| # so we disable recursive fetching | |
| git config fetch.recurseSubmodules false | |
| - id: configure-creds | |
| if: failure() && github.event_name == 'pull_request' && (github.actor != 'dependabot[bot]' && !(github.event.pull_request.head.repo.full_name != github.repository)) | |
| name: Configure git creds for push | |
| run: | | |
| echo "machine github.com" >> ~/.netrc | |
| echo "login ${{ github.repository }}" >> ~/.netrc | |
| echo "password ${{ secrets.GITHUB_TOKEN }}" >> ~/.netrc | |
| - id: snapshot-commit | |
| if: failure() && github.event_name == 'pull_request' && (github.actor != 'dependabot[bot]' && !(github.event.pull_request.head.repo.full_name != github.repository)) | |
| name: Commit snapshot updates | |
| uses: EndBug/add-and-commit@v9 | |
| with: | |
| add: cli/tests/default/e2e/snapshots | |
| default_author: github_actions | |
| message: Update pytest snapshots | |
| new_branch: snapshot-updates-${{ github.run_id }}-${{ github.run_attempt }} | |
| - id: remove-creds | |
| if: failure() && github.event_name == 'pull_request' && (github.actor != 'dependabot[bot]' && !(github.event.pull_request.head.repo.full_name != github.repository)) | |
| name: Remove Credentials | |
| run: rm ~/.netrc | |
| - env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| if: failure() && steps.snapshot-commit.outputs.pushed == 'true' | |
| name: Comment about any snapshot updates | |
| run: | | |
| echo ":camera_flash: The pytest shapshots changed in your PR." >> /tmp/message.txt | |
| echo "Please carefully review these changes and make sure they are intended:" >> /tmp/message.txt | |
| echo >> /tmp/message.txt | |
| echo "1. Review the changes at https://github.com/returntocorp/semgrep/commit/${{ steps.snapshot-commit.outputs.commit_long_sha }}" >> /tmp/message.txt | |
| echo "2. Accept the new snapshots with" >> /tmp/message.txt | |
| echo >> /tmp/message.txt | |
| echo " git fetch origin && git cherry-pick ${{ steps.snapshot-commit.outputs.commit_sha }} && git push" >> /tmp/message.txt | |
| gh pr comment ${{ github.event.pull_request.number }} --body-file /tmp/message.txt | |
| strategy: | |
| matrix: | |
| python: | |
| - "3.8" | |
| - "3.9" | |
| - "3.10" | |
| - "3.11" | |
| test-osemgrep: | |
| container: returntocorp/ocaml:alpine-2024-01-18 | |
| env: | |
| HOME: /root | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Make checkout speedy | |
| run: git config --global fetch.parallel 50 | |
| - uses: actions/checkout@v3 | |
| with: | |
| submodules: true | |
| - name: Configure git safedir properly | |
| run: git config --global --add safe.directory $(pwd) | |
| - name: Build semgrep-core | |
| run: | | |
| eval $(opam env) | |
| make install-deps-ALPINE-for-semgrep-core | |
| make install-deps-for-semgrep-core | |
| make core | |
| - name: Install osemgrep | |
| run: | | |
| eval $(opam env) | |
| make copy-core-for-cli | |
| - name: Install Python dependencies | |
| run: | | |
| make install-deps-ALPINE-for-pysemgrep | |
| (cd cli; pipenv install --dev) | |
| - name: Run pytest for osemgrep known passing tests | |
| run: | | |
| git config --global --add safe.directory "$(pwd)" | |
| make osempass | |
| working-directory: cli | |
| test-qa: | |
| name: quality assurance on semgrep | |
| needs: | |
| - build-test-core-x86 | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Fetch semgrep-cli submodules | |
| run: git submodule update --init --recursive --recommend-shallow cli/src/semgrep/semgrep_interfaces tests/semgrep-rules | |
| - uses: actions/setup-python@v4 | |
| with: | |
| cache: pipenv | |
| python-version: "3.11" | |
| - run: pip install pipenv==2022.6.7 | |
| - uses: actions/download-artifact@v3 | |
| with: | |
| name: semgrep-core-x86-artifact | |
| - name: Install artifacts | |
| run: | | |
| tar xf artifacts.tgz | |
| sudo cp artifacts/* /usr/bin | |
| - name: Install semgrep | |
| run: | | |
| export PATH=/github/home/.local/bin:$PATH | |
| pipenv install --dev | |
| working-directory: cli | |
| - uses: actions/cache@v3 | |
| with: | |
| key: qa-public-repos-${{ hashFiles('semgrep/tests/qa/*public_repos*') }}-${{ matrix.split }} | |
| path: ~/.cache/qa-public-repos | |
| - run: | | |
| mkdir -p ~/.cache/qa-public-repos | |
| touch ~/.cache/qa-public-repos/ok | |
| - env: | |
| QA_TESTS_CACHE_PATH: ~/.cache/qa-public-repos | |
| name: Test semgrep | |
| run: | | |
| export PATH=/github/home/.local/bin:$PATH | |
| pipenv run pytest -n auto -vv --tb=short --splits 4 --group ${{ matrix.split }} tests/qa | |
| working-directory: cli | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| split: | |
| - 1 | |
| - 2 | |
| - 3 | |
| - 4 | |
| test-semgrep-core: | |
| container: returntocorp/ocaml:alpine-2024-01-18 | |
| env: | |
| HOME: /root | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Make checkout speedy | |
| run: git config --global fetch.parallel 50 | |
| - uses: actions/checkout@v3 | |
| with: | |
| submodules: true | |
| - name: Configure git safedir properly | |
| run: git config --global --add safe.directory $(pwd) | |
| - env: | |
| SEGMENT_DOWNLOAD_TIMEOUT_MINS: 2 | |
| name: Set GHA cache for OPAM in ~/.opam | |
| uses: actions/cache@v3 | |
| with: | |
| key: ${{ runner.os }}-${{ runner.arch }}-opam-deps-4.14.0-${{hashFiles('semgrep.opam')}} | |
| path: ~/.opam | |
| - name: Install dependencies | |
| run: | | |
| eval $(opam env) | |
| make install-deps-ALPINE-for-semgrep-core | |
| make install-deps-for-semgrep-core | |
| - name: Build semgrep-core | |
| run: opam exec -- make core | |
| - name: Test semgrep-core (and time it) | |
| run: | | |
| eval $(opam env) | |
| START=`date +%s` | |
| make core-test | |
| make core-test-e2e | |
| END=`date +%s` | |
| TEST_RUN_TIME=$((END-START)) | |
| curl --fail -L -X POST "https://dashboard.semgrep.dev/api/metric/semgrep.core.test-run-time-seconds.num" -d "$TEST_RUN_TIME" | |
| - if: github.ref == 'refs/heads/develop' | |
| name: Report Number of Tests Stats | |
| run: ./scripts/report_test_metrics.sh | |
| - name: Publish match performance | |
| run: opam exec -- make report-perf-matching | |
| test-semgrep-pro: | |
| if: github.ref == 'refs/heads/develop' || github.event.pull_request.head.repo.full_name == github.repository | |
| needs: | |
| - build-test-docker | |
| - push-docker-returntocorp | |
| secrets: inherit | |
| uses: ./.github/workflows/test-semgrep-pro.yml | |
| with: | |
| artifact-name: semgrep-docker-image-artifact | |
| repository-name: returntocorp/semgrep | |
| trigger-semgrep-comparison-argo: | |
| if: ${{ github.event_name == 'pull_request' && !startsWith(github.event.pull_request.base.ref, 'release') && !startsWith(github.head_ref, 'release') }} | |
| needs: | |
| - push-docker-returntocorp | |
| secrets: inherit | |
| uses: ./.github/workflows/trigger-semgrep-comparison-argo.yml | |
| name: tests | |
| on: | |
| pull_request: | |
| paths-ignore: | |
| - '**.md' | |
| push: | |
| branches: | |
| - develop | |
| paths-ignore: | |
| - '**.md' | |
| workflow_dispatch: null | |
| permissions: | |
| contents: write | |
| id-token: write |