From ad5ad440d4cdbd903fd31aa8fbc04384e8ef30f1 Mon Sep 17 00:00:00 2001 From: Marcin Bruzda <94437843+mbruzda-splunk@users.noreply.github.com> Date: Wed, 8 Jul 2026 18:33:48 +0200 Subject: [PATCH 01/10] ci: bump actions to Node 24 runtime versions (#512) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## What Bumps all GitHub Actions still bundling the deprecated Node 20 runtime to their first major version that targets Node 24, resolving the `Node.js 20 is deprecated` warnings across all jobs in this workflow family. | Action | Before | After | |---|---|---| | `actions/checkout` | v4 | v5 | | `actions/setup-python` | v5 | v6 | | `actions/download-artifact` | v4 | v7 | | `actions/upload-artifact` | v4 | v6 | | `actions/cache` | v4 | v5 | | `amannn/action-semantic-pull-request` | v5.5.3 | v6.1.1 | | `aws-actions/configure-aws-credentials` | v4 | v6 | | `dorny/test-reporter` | v1.9.1 | v3.0.0 | | `geekyeggo/delete-artifact` | v5 | v6 | | `softprops/action-gh-release` | v2 | v3 | Applied consistently across all four workflow files: - `reusable-build-test-release.yml` - `build-test-release.yaml` - `reusable-publish-to-splunkbase.yml` - `reusable-validate-deploy-docs.yml` ### Left unchanged (already Node 24, or docker/composite) `setup-java@v5`, `create-github-app-token@v3`, `amazon-ecr-login@v2`, `svenstaro/upload-release-action@v2`, and all docker/composite actions (`splunk/*`, `fsfe/reuse-action`, `pre-commit/action`, `trufflehog`, `skywalking-eyes`). ## Testing Ran the full `build-test-release` pipeline on `splunk-add-on-for-microsoft-cloud-services` pointed at this branch β€” **pipeline succeeded**, and the Node 20 deprecation warnings are gone from every job that consumes these actions (build, setup, meta, unit tests, all appinspect jobs, etc.). https://github.com/splunk/splunk-add-on-for-microsoft-cloud-services/actions/runs/28662878022 ### Known remaining warnings (out of scope β€” external sources) - `pre-commit` job β†’ `actions/cache@v4` is hardcoded inside `pre-commit/action@v3.0.1` (latest release). - `semgrep / sast-scan` job β†’ `checkout@v4` / `upload-artifact@v4` come from `splunk/sast-scanning/.github/workflows/sast-scan.yml@main` (separate repo; addressed here: https://github.com/splunk/sast-scanning/pull/7). πŸ€– Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude --- .github/workflows/build-test-release.yaml | 10 +- .../workflows/reusable-build-test-release.yml | 224 +++++++++--------- .../reusable-publish-to-splunkbase.yml | 4 +- .../reusable-validate-deploy-docs.yml | 8 +- 4 files changed, 123 insertions(+), 123 deletions(-) diff --git a/.github/workflows/build-test-release.yaml b/.github/workflows/build-test-release.yaml index 561fefc8a..230d5daff 100644 --- a/.github/workflows/build-test-release.yaml +++ b/.github/workflows/build-test-release.yaml @@ -19,7 +19,7 @@ jobs: compliance-copyrights: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - uses: apache/skywalking-eyes@v0.6.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -27,8 +27,8 @@ jobs: pre-commit: runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - uses: actions/checkout@v5 + - uses: actions/setup-python@v6 with: python-version: "3.7" - run: | @@ -47,7 +47,7 @@ jobs: client-id: ${{ secrets.GH_APP_CLIENT_ID }} private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} owner: ${{ github.repository_owner }} - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 with: submodules: false persist-credentials: false @@ -72,7 +72,7 @@ jobs: client-id: ${{ secrets.GH_APP_CLIENT_ID }} private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} owner: ${{ github.repository_owner }} - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - uses: splunk/addonfactory-update-semver@v1 env: GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} diff --git a/.github/workflows/reusable-build-test-release.yml b/.github/workflows/reusable-build-test-release.yml index 6b5c14b6b..f221810fe 100644 --- a/.github/workflows/reusable-build-test-release.yml +++ b/.github/workflows/reusable-build-test-release.yml @@ -146,7 +146,7 @@ jobs: runs-on: ubuntu-latest if: ${{ github.event.inputs.custom-version != '' }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: Validate custom version run: | if [[ ! ${{ github.event.inputs.custom-version }} =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then @@ -163,7 +163,7 @@ jobs: check-splunktafunctionaltests-exists: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - run: | if grep -q 'splunktafunctionaltests' poetry.lock || grep -q 'splunktafunctionaltests' dev_deps/requirements_dev.txt 2>/dev/null; then echo "::warning title=\"splunktafunctionaltests\" should NOT be used for modinput tests::For more details, please see https://splunk.slack.com/archives/C081JT7R69Z/p1754662758743839." @@ -178,7 +178,7 @@ jobs: docs-only: ${{ steps.check.outputs.docs-only }} steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Fetch all refs run: git fetch --prune --unshallow @@ -237,7 +237,7 @@ jobs: fi - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Determine Test Execution Flags id: determine-test-execution-flags @@ -367,7 +367,7 @@ jobs: pull-requests: read statuses: write steps: - - uses: amannn/action-semantic-pull-request@v5.5.3 + - uses: amannn/action-semantic-pull-request@v6.1.1 with: wip: true validateSingleCommit: true @@ -387,7 +387,7 @@ jobs: contents: write packages: read steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 with: submodules: false persist-credentials: false @@ -425,7 +425,7 @@ jobs: fossa-scan: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: run fossa analyze and create report id: fossa-scan run: | @@ -440,7 +440,7 @@ jobs: env: FOSSA_API_KEY: ${{ secrets.FOSSA_API_KEY }} - name: upload THIRDPARTY file - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v6 with: name: THIRDPARTY path: /tmp/THIRDPARTY @@ -455,7 +455,7 @@ jobs: needs: - fossa-scan steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: run fossa test run: | curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash @@ -468,15 +468,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: REUSE Compliance Check uses: fsfe/reuse-action@v1.1 pre-commit: runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - uses: actions/checkout@v5 + - uses: actions/setup-python@v6 with: python-version: ${{ env.PYTHON_VERSION }} - uses: actions/setup-java@v5 @@ -498,13 +498,13 @@ jobs: steps: - name: Checkout if: github.event_name != 'pull_request' - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: submodules: false fetch-depth: "0" - name: Checkout for PR if: github.event_name == 'pull_request' - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: submodules: false fetch-depth: "0" @@ -542,8 +542,8 @@ jobs: client-id: ${{ secrets.GH_APP_CLIENT_ID }} private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} owner: ${{ github.repository_owner }} - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - uses: actions/checkout@v5 + - uses: actions/setup-python@v6 with: python-version: ${{ env.PYTHON_VERSION }} - name: Setup addon @@ -588,7 +588,7 @@ jobs: echo "no XML File found, exiting" exit 1 fi - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@v6 if: success() || failure() with: name: test-results-unit-python_${{ env.PYTHON_VERSION }} @@ -620,13 +620,13 @@ jobs: client-id: ${{ secrets.GH_APP_CLIENT_ID }} private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} owner: ${{ github.repository_owner }} - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 with: # Very Important semantic-release won't trigger a tagged # build if this is not set false persist-credentials: false - name: Setup python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: ${{ env.PYTHON_VERSION }} - uses: actions/setup-java@v5 @@ -680,7 +680,7 @@ jobs: run: if [ -f dev_deps/requirements_dev.txt ]; then echo "ENABLED=true" >> "$GITHUB_OUTPUT"; fi - name: pip cache if: ${{ steps.checklibs.outputs.ENABLED == 'true' }} - uses: actions/cache@v4 + uses: actions/cache@v5 with: path: ${{ steps.pip-cache.outputs.dir }} key: ${{ runner.os }}-pip-${{ hashFiles('dev_deps/requirements_dev.txt') }} @@ -729,13 +729,13 @@ jobs: echo "VERSION=${FINALVERSION}" >> "$GITHUB_OUTPUT" - name: Download THIRDPARTY if: github.event_name != 'pull_request' && github.event_name != 'schedule' - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v7 with: name: THIRDPARTY - name: Download THIRDPARTY (Optional for PR and schedule) if: github.event_name == 'pull_request' || github.event_name == 'schedule' continue-on-error: true - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v7 with: name: THIRDPARTY - name: Update Notices @@ -785,13 +785,13 @@ jobs: echo "OUTPUT=$PACKAGE" >> "$GITHUB_OUTPUT" if: always() - name: artifact-openapi - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v6 with: name: artifact-openapi path: ${{ github.workspace }}/${{ steps.uccgen.outputs.OUTPUT }}/appserver/static/openapi.json if: ${{ !cancelled() && needs.setup-workflow.outputs.execute-ucc_modinput == 'true' }} - name: artifact-splunk-base - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v6 with: name: package-splunkbase path: ${{ steps.slim.outputs.OUTPUT }} @@ -807,7 +807,7 @@ jobs: basename "${{ steps.slim.outputs.OUTPUT }}" aws s3 cp "${{ steps.slim.outputs.OUTPUT }}" "s3://${{ needs.setup-workflow.outputs.s3_bucket_k8s }}/ta-apps/" - name: artifact-splunk-parts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v6 with: name: package-deployment path: build/package/deployment** @@ -831,8 +831,8 @@ jobs: - "self-service" - "manual" steps: - - uses: actions/checkout@v4 - - uses: actions/download-artifact@v4 + - uses: actions/checkout@v5 + - uses: actions/download-artifact@v7 with: name: package-splunkbase path: build/package/ @@ -844,13 +844,13 @@ jobs: result_file: appinspect_result_${{ matrix.tags }}.json - name: upload-appinspect-report if: ${{ !cancelled() }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v6 with: name: appinspect_${{ matrix.tags }}_checks.json path: appinspect_result_${{ matrix.tags }}.json - name: upload-markdown if: matrix.tags == 'manual' - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v6 with: name: check_markdown path: | @@ -870,8 +870,8 @@ jobs: tags: - "cloud" steps: - - uses: actions/checkout@v4 - - uses: actions/download-artifact@v4 + - uses: actions/checkout@v5 + - uses: actions/download-artifact@v7 with: name: package-splunkbase path: build/package @@ -882,7 +882,7 @@ jobs: password: ${{ secrets.SPL_COM_PASSWORD }} app_path: build/package/ included_tags: ${{ matrix.tags }} - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@v6 if: always() with: name: appinspect-api-html-report-${{ matrix.tags }} @@ -902,9 +902,9 @@ jobs: client-id: ${{ secrets.GH_APP_CLIENT_ID }} private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} owner: ${{ github.repository_owner }} - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@v6 with: aws-access-key-id: ${{ secrets.GSSA_AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.GSSA_AWS_SECRET_ACCESS_KEY }} @@ -933,7 +933,7 @@ jobs: -v "$(pwd)":/addon \ 956110764581.dkr.ecr.us-west-2.amazonaws.com/ta-automation/gs-scorecard:"${{ env.GS_IMAGE_VERSION }}" - name: Upload GS Scorecard report - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v6 with: name: gs-scorecard-report path: ./gs_scorecard.json @@ -984,7 +984,7 @@ jobs: client-id: ${{ secrets.GH_APP_CLIENT_ID }} private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} owner: ${{ github.repository_owner }} - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 with: submodules: recursive token: ${{ steps.app-token.outputs.token }} @@ -1022,14 +1022,14 @@ jobs: echo "spl-host-suffix=wfe.splgdi.com" echo "k8s-manifests-branch=${{ inputs.k8s-manifests-branch }}" } >> "$GITHUB_OUTPUT" - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@v7 if: ${{ needs.setup-workflow.outputs.execute-ucc_modinput == 'true' }} id: download-openapi with: name: artifact-openapi path: ${{ github.workspace }} - name: Setup python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: ${{ env.PYTHON_VERSION }} - name: setup-poetry @@ -1112,7 +1112,7 @@ jobs: statuses: read checks: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 with: submodules: recursive - name: capture start time @@ -1120,7 +1120,7 @@ jobs: run: | echo "start_time=$(date +%s)" >> "$GITHUB_OUTPUT" - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@v6 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} @@ -1264,13 +1264,13 @@ jobs: echo "pulling logs" mkdir -p ${{ needs.setup.outputs.directory-path }}/argo-logs aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/workflows/${WORKFLOW_NAME}/ ${{ needs.setup.outputs.directory-path }}/argo-logs/ --recursive - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@v6 if: ${{ !cancelled() && steps.check-workflow-status.outputs.workflow-status != 'Succeeded' }} with: name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} tests artifacts path: | ${{ needs.setup.outputs.directory-path }}/test-results - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@v6 if: ${{ !cancelled() && steps.check-workflow-status.outputs.workflow-status != 'Succeeded' }} with: name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} tests logs @@ -1292,7 +1292,7 @@ jobs: statuses: read checks: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 with: submodules: recursive - name: configure git # This step configures git to omit "dubious git ownership error" in later test-reporter stage @@ -1308,7 +1308,7 @@ jobs: spl2_tests_run cli -n 8 --ignore_additional_fields_in_actual --ignore_empty_strings -o log_cli=true --log-cli-level=INFO --verbose --junitxml test-results/report.xml - name: Test Report id: test_report - uses: dorny/test-reporter@v1.9.1 + uses: dorny/test-reporter@v3.0.0 if: ${{ !cancelled() }} with: name: spl2 test report @@ -1347,7 +1347,7 @@ jobs: statuses: read checks: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 with: submodules: recursive - name: configure git # This step configures git to omit "dubious git ownership error" in later test-reporter stage @@ -1362,7 +1362,7 @@ jobs: run: | echo "start_time=$(date +%s)" >> "$GITHUB_OUTPUT" - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@v6 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} @@ -1500,20 +1500,20 @@ jobs: echo "pulling logs" mkdir -p ${{ needs.setup.outputs.directory-path }}/argo-logs aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/workflows/${WORKFLOW_NAME}/ ${{ needs.setup.outputs.directory-path }}/argo-logs/ --recursive - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@v6 if: ${{ !cancelled() }} with: name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} tests artifacts path: | ${{ needs.setup.outputs.directory-path }}/test-results - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@v6 if: ${{ !cancelled() }} with: name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} tests logs path: | ${{ needs.setup.outputs.directory-path }}/argo-logs - name: Upload cim-compliance-report for ${{ matrix.splunk.version }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v6 if: ${{ matrix.splunk.islatest == true }} with: name: cim-compliance-report @@ -1521,7 +1521,7 @@ jobs: ${{ needs.setup.outputs.directory-path }}/test-results/cim-compliance-report.md - name: Test Report id: test_report - uses: dorny/test-reporter@v1.9.1 + uses: dorny/test-reporter@v3.0.0 if: ${{ !cancelled() }} with: name: splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} test report @@ -1546,7 +1546,7 @@ jobs: exit 1 fi - name: Upload-artifact-for-github-summary - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v6 if: ${{ !cancelled() }} with: name: summary-ko-${{ matrix.splunk.version }}-${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} @@ -1556,7 +1556,7 @@ jobs: run: | echo "pulling diag" aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/diag-${{ steps.create-job-name.outputs.job-name }}/diag-${{ steps.create-job-name.outputs.job-name }}.tgz ${{ needs.setup.outputs.directory-path }}/ - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@v6 if: ${{ failure() && steps.test_report.outputs.conclusion == 'failure' }} with: name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} tests diag @@ -1569,7 +1569,7 @@ jobs: if: ${{ !cancelled() && needs.run-knowledge-tests.result != 'skipped' }} steps: - name: Download all summaries - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v7 with: pattern: summary-ko* - name: Combine summaries into a table @@ -1579,7 +1579,7 @@ jobs: for file in summary-ko*/job_summary.txt; do cat "$file" >> "$GITHUB_STEP_SUMMARY" done - - uses: geekyeggo/delete-artifact@v5 + - uses: geekyeggo/delete-artifact@v6 with: name: | summary-ko* @@ -1619,7 +1619,7 @@ jobs: statuses: read checks: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 with: submodules: recursive - name: configure git # This step configures git to omit "dubious git ownership error" in later test-reporter stage @@ -1634,7 +1634,7 @@ jobs: run: | echo "start_time=$(date +%s)" >> "$GITHUB_OUTPUT" - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@v6 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} @@ -1785,13 +1785,13 @@ jobs: echo "pulling logs" mkdir -p ${{ needs.setup.outputs.directory-path }}/argo-logs aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/workflows/${WORKFLOW_NAME}/ ${{ needs.setup.outputs.directory-path }}/argo-logs/ --recursive - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@v6 if: ${{ !cancelled() }} with: name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.browser }} ${{ matrix.vendor-version.image }} ${{ matrix.marker }} tests artifacts path: | ${{ needs.setup.outputs.directory-path }}/test-results - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@v6 if: ${{ !cancelled() }} with: name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.browser }} ${{ matrix.vendor-version.image }} ${{ matrix.marker }} tests logs @@ -1799,7 +1799,7 @@ jobs: ${{ needs.setup.outputs.directory-path }}/argo-logs - name: Test Report id: test_report - uses: dorny/test-reporter@v1.9.1 + uses: dorny/test-reporter@v3.0.0 if: ${{ !cancelled() }} with: name: splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.browser }} ${{ matrix.vendor-version.image }} test report @@ -1824,7 +1824,7 @@ jobs: exit 1 fi - name: Upload-artifact-for-github-summary - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v6 if: ${{ !cancelled() }} with: name: summary-${{ env.TEST_TYPE }}-${{ matrix.splunk.version }}-${{ secrets.OTHER_TA_REQUIRED_CONFIGS }}-${{ matrix.browser }}-${{ matrix.vendor-version.image }}-${{ matrix.marker }}-artifact @@ -1834,7 +1834,7 @@ jobs: run: | echo "pulling diag" aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/diag-${{ steps.create-job-name.outputs.job-name }}/diag-${{ steps.create-job-name.outputs.job-name }}.tgz ${{ needs.setup.outputs.directory-path }}/ - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@v6 if: ${{ failure() && steps.test_report.outputs.conclusion == 'failure' }} with: name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.browser }} ${{ matrix.vendor-version.image }} ${{ matrix.marker }} tests diag @@ -1847,7 +1847,7 @@ jobs: if: ${{ !cancelled() && needs.run-ui-tests.result != 'skipped' }} steps: - name: Download all summaries - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v7 with: pattern: summary-ui* - name: Combine summaries into a table @@ -1857,7 +1857,7 @@ jobs: for file in summary-ui-*/job_summary.txt; do cat "$file" >> "$GITHUB_STEP_SUMMARY" done - - uses: geekyeggo/delete-artifact@v5 + - uses: geekyeggo/delete-artifact@v6 with: name: | summary-ui* @@ -1896,7 +1896,7 @@ jobs: statuses: read checks: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 with: submodules: recursive - name: configure git # This step configures git to omit "dubious git ownership error" in later test-reporter stage @@ -1911,7 +1911,7 @@ jobs: run: | echo "start_time=$(date +%s)" >> "$GITHUB_OUTPUT" - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@v6 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} @@ -2061,13 +2061,13 @@ jobs: echo "pulling logs" mkdir -p ${{ needs.setup.outputs.directory-path }}/argo-logs aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/workflows/${WORKFLOW_NAME}/ ${{ needs.setup.outputs.directory-path }}/argo-logs/ --recursive - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@v6 if: ${{ !cancelled() }} with: name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.vendor-version.image }} ${{ matrix.marker }} tests artifacts path: | ${{ needs.setup.outputs.directory-path }}/test-results - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@v6 if: ${{ !cancelled() }} with: name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.vendor-version.image }} ${{ matrix.marker }} tests logs @@ -2075,7 +2075,7 @@ jobs: ${{ needs.setup.outputs.directory-path }}/argo-logs - name: Test Report id: test_report - uses: dorny/test-reporter@v1.9.1 + uses: dorny/test-reporter@v3.0.0 if: ${{ !cancelled() }} with: name: splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.vendor-version.image }} ${{ matrix.marker }} test report @@ -2100,7 +2100,7 @@ jobs: exit 1 fi - name: Upload-artifact-for-github-summary - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v6 if: ${{ !cancelled() }} with: name: summary-${{ env.TEST_TYPE }}-${{ matrix.splunk.version }}-${{ secrets.OTHER_TA_REQUIRED_CONFIGS }}-${{ matrix.vendor-version.image }}-${{ matrix.marker }}-artifact @@ -2110,7 +2110,7 @@ jobs: run: | echo "pulling diag" aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/diag-${{ steps.create-job-name.outputs.job-name }}/diag-${{ steps.create-job-name.outputs.job-name }}.tgz ${{ needs.setup.outputs.directory-path }}/ - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@v6 if: ${{ failure() && steps.test_report.outputs.conclusion == 'failure' }} with: name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.vendor-version.image }} ${{ matrix.marker }} tests diag @@ -2123,7 +2123,7 @@ jobs: if: ${{ !cancelled() && needs.run-modinput-tests.result != 'skipped' }} steps: - name: Download all summaries - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v7 with: pattern: summary-modinput* - name: Combine summaries into a table @@ -2133,7 +2133,7 @@ jobs: for file in summary-modinput*/job_summary.txt; do cat "$file" >> "$GITHUB_STEP_SUMMARY" done - - uses: geekyeggo/delete-artifact@v5 + - uses: geekyeggo/delete-artifact@v6 with: name: | summary-modinput* @@ -2171,7 +2171,7 @@ jobs: statuses: read checks: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 with: submodules: recursive - name: configure git # This step configures git to omit "dubious git ownership error" in later test-reporter stage @@ -2186,7 +2186,7 @@ jobs: run: | echo "start_time=$(date +%s)" >> "$GITHUB_OUTPUT" - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@v6 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} @@ -2336,13 +2336,13 @@ jobs: echo "pulling logs" mkdir -p ${{ needs.setup.outputs.directory-path }}/argo-logs aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/workflows/${WORKFLOW_NAME}/ ${{ needs.setup.outputs.directory-path }}/argo-logs/ --recursive - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@v6 if: ${{ !cancelled() }} with: name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.vendor-version.image }} ${{ matrix.marker }} tests artifacts path: | ${{ needs.setup.outputs.directory-path }}/test-results - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@v6 if: ${{ !cancelled() }} with: name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.vendor-version.image }} ${{ matrix.marker }} tests logs @@ -2350,7 +2350,7 @@ jobs: ${{ needs.setup.outputs.directory-path }}/argo-logs - name: Test Report id: test_report - uses: dorny/test-reporter@v1.9.1 + uses: dorny/test-reporter@v3.0.0 if: ${{ !cancelled() }} with: name: splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.vendor-version.image }} ${{ matrix.marker }} test report @@ -2375,7 +2375,7 @@ jobs: exit 1 fi - name: Upload-artifact-for-github-summary - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v6 if: ${{ !cancelled() }} with: name: summary-${{ env.TEST_TYPE }}-${{ matrix.splunk.version }}-${{ secrets.OTHER_TA_REQUIRED_CONFIGS }}-${{ matrix.vendor-version.image }}-${{ matrix.marker }}-artifact @@ -2385,7 +2385,7 @@ jobs: run: | echo "pulling diag" aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/diag-${{ steps.create-job-name.outputs.job-name }}/diag-${{ steps.create-job-name.outputs.job-name }}.tgz ${{ needs.setup.outputs.directory-path }}/ - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@v6 if: ${{ failure() && steps.test_report.outputs.conclusion == 'failure' }} with: name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.vendor-version.image }} ${{ matrix.marker }} tests diag @@ -2398,7 +2398,7 @@ jobs: if: ${{ !cancelled() && needs.run-ucc-modinput-tests.result != 'skipped' }} steps: - name: Download all summaries - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v7 with: pattern: summary-ucc_modinput* - name: Combine summaries into a table @@ -2408,7 +2408,7 @@ jobs: for file in summary-ucc_modinput*/job_summary.txt; do cat "$file" >> "$GITHUB_STEP_SUMMARY" done - - uses: geekyeggo/delete-artifact@v5 + - uses: geekyeggo/delete-artifact@v6 with: name: | summary-ucc_modinput* @@ -2446,7 +2446,7 @@ jobs: statuses: read checks: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 with: submodules: recursive - name: configure git # This step configures git to omit "dubious git ownership error" in later test-reporter stage @@ -2461,7 +2461,7 @@ jobs: run: | echo "start_time=$(date +%s)" >> "$GITHUB_OUTPUT" - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@v6 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} @@ -2600,13 +2600,13 @@ jobs: echo "pulling logs" mkdir -p ${{ needs.setup.outputs.directory-path }}/argo-logs aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/${WORKFLOW_NAME}/ ${{ needs.setup.outputs.directory-path }}/argo-logs/ --recursive - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@v6 if: ${{ !cancelled() }} with: name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.vendor-version.image }} ${{ matrix.ta-version-from-upgrade }} tests artifacts path: | ${{ needs.setup.outputs.directory-path }}/test-results - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@v6 if: ${{ !cancelled() }} with: name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.vendor-version.image }} ${{ matrix.ta-version-from-upgrade }} tests logs @@ -2614,7 +2614,7 @@ jobs: ${{ needs.setup.outputs.directory-path }}/argo-logs - name: Test Report id: test_report - uses: dorny/test-reporter@v1.9.1 + uses: dorny/test-reporter@v3.0.0 if: ${{ !cancelled() }} with: name: splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.vendor-version.image }} test report @@ -2639,7 +2639,7 @@ jobs: exit 1 fi - name: Upload-artifact-for-github-summary - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v6 if: ${{ !cancelled() }} with: name: summary-${{ env.TEST_TYPE }}-${{ matrix.splunk.version }}-${{ secrets.OTHER_TA_REQUIRED_CONFIGS }}-${{ matrix.vendor-version.image }}-${{ matrix.ta-version-from-upgrade }}-artifact @@ -2649,7 +2649,7 @@ jobs: run: | echo "pulling diag" aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/diag-${{ steps.create-job-name.outputs.job-name }}/diag-${{ steps.create-job-name.outputs.job-name }}.tgz ${{ needs.setup.outputs.directory-path }}/ - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@v6 if: ${{ failure() && steps.test_report.outputs.conclusion == 'failure' }} with: name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.vendor-version.image }} tests diag @@ -2662,7 +2662,7 @@ jobs: if: ${{ !cancelled() && needs.run-upgrade-tests.result != 'skipped' }} steps: - name: Download all summaries - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v7 with: pattern: summary-upgrade* - name: Combine summaries into a table @@ -2672,7 +2672,7 @@ jobs: for file in summary-upgrade*/job_summary.txt; do cat "$file" >> "$GITHUB_STEP_SUMMARY" done - - uses: geekyeggo/delete-artifact@v5 + - uses: geekyeggo/delete-artifact@v6 with: name: | summary-upgrade* @@ -2708,7 +2708,7 @@ jobs: statuses: read checks: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 with: submodules: recursive - name: configure git # This step configures git to omit "dubious git ownership error" in later test-reporter stage @@ -2723,7 +2723,7 @@ jobs: run: | echo "start_time=$(date +%s)" >> "$GITHUB_OUTPUT" - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@v6 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} @@ -2869,13 +2869,13 @@ jobs: echo "pulling logs" mkdir -p ${{ needs.setup.outputs.directory-path }}/argo-logs aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/workflows/${WORKFLOW_NAME}/ ${{ needs.setup.outputs.directory-path }}/argo-logs/ --recursive - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@v6 if: ${{ !cancelled() }} with: name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ steps.os-name-version.outputs.os-name }} ${{ steps.os-name-version.outputs.os-version }} tests artifacts path: | ${{ needs.setup.outputs.directory-path }}/test-results - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@v6 if: ${{ !cancelled() }} with: name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ steps.os-name-version.outputs.os-name }} ${{ steps.os-name-version.outputs.os-version }} tests logs @@ -2883,7 +2883,7 @@ jobs: ${{ needs.setup.outputs.directory-path }}/argo-logs - name: Test Report id: test_report - uses: dorny/test-reporter@v1.9.1 + uses: dorny/test-reporter@v3.0.0 if: ${{ !cancelled() }} with: name: splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ steps.os-name-version.outputs.os-name }} ${{ steps.os-name-version.outputs.os-version }} test report @@ -2908,7 +2908,7 @@ jobs: exit 1 fi - name: Upload-artifact-for-github-summary - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v6 if: ${{ !cancelled() }} with: name: summary-${{ env.TEST_TYPE }}-${{ matrix.splunk.version }}-${{ secrets.OTHER_TA_REQUIRED_CONFIGS }}-${{ steps.os-name-version.outputs.os-name }}-${{ steps.os-name-version.outputs.os-version }} @@ -2918,7 +2918,7 @@ jobs: run: | echo "pulling diag" aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/diag-${{ steps.create-job-name.outputs.job-name }}/diag-${{ steps.create-job-name.outputs.job-name }}.tgz ${{ needs.setup.outputs.directory-path }}/ - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@v6 if: ${{ failure() && steps.test_report.outputs.conclusion == 'failure' }} with: name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ steps.os-name-version.outputs.os-name }} ${{ steps.os-name-version.outputs.os-version }} tests diag @@ -2931,7 +2931,7 @@ jobs: if: ${{ !cancelled() && needs.run-scripted-input-tests-full-matrix.result != 'skipped' }} steps: - name: Download all summaries - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v7 with: pattern: summary-scripted* - name: Combine summaries into a table @@ -2941,7 +2941,7 @@ jobs: for file in summary-scripted*/job_summary.txt; do cat "$file" >> "$GITHUB_STEP_SUMMARY" done - - uses: geekyeggo/delete-artifact@v5 + - uses: geekyeggo/delete-artifact@v6 with: name: | summary-scripted* @@ -2978,7 +2978,7 @@ jobs: statuses: read checks: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 with: submodules: recursive - name: configure git # This step configures git to omit "dubious git ownership error" in later test-reporter stage @@ -2993,7 +2993,7 @@ jobs: run: | echo "start_time=$(date +%s)" >> "$GITHUB_OUTPUT" - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@v6 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} @@ -3131,13 +3131,13 @@ jobs: echo "pulling logs" mkdir -p ${{ needs.setup.outputs.directory-path }}/argo-logs aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/${WORKFLOW_NAME}/ ${{ needs.setup.outputs.directory-path }}/argo-logs/ --recursive - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@v6 if: ${{ !cancelled() }} with: name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ env.SPL2_TEST_TYPE }} tests artifacts path: | ${{ needs.setup.outputs.directory-path }}/test-results - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@v6 if: ${{ !cancelled() }} with: name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ env.SPL2_TEST_TYPE }} tests logs @@ -3145,7 +3145,7 @@ jobs: ${{ needs.setup.outputs.directory-path }}/argo-logs - name: Test Report id: test_report - uses: dorny/test-reporter@v1.9.1 + uses: dorny/test-reporter@v3.0.0 if: ${{ !cancelled() }} with: name: splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ env.SPL2_TEST_TYPE }} test report @@ -3170,7 +3170,7 @@ jobs: exit 1 fi - name: Upload-artifact-for-github-summary - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v6 if: ${{ !cancelled() }} with: name: summary-${{ env.TEST_TYPE }}-${{ matrix.splunk.version }}-${{ secrets.OTHER_TA_REQUIRED_CONFIGS }}-${{ env.SPL2_TEST_TYPE }}-artifact @@ -3182,7 +3182,7 @@ jobs: if: ${{ !cancelled() && needs.run-spl2-integration-tests.result != 'skipped' }} steps: - name: Download all summaries - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v7 with: pattern: summary-spl2_integration_tests* - name: Combine summaries into a table @@ -3192,7 +3192,7 @@ jobs: for file in summary-spl2_integration_tests*/job_summary.txt; do cat "$file" >> "$GITHUB_STEP_SUMMARY" done - - uses: geekyeggo/delete-artifact@v5 + - uses: geekyeggo/delete-artifact@v6 with: name: | summary-spl2_integration_tests* @@ -3267,7 +3267,7 @@ jobs: statuses: write steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: submodules: false persist-credentials: false @@ -3285,7 +3285,7 @@ jobs: - name: Release custom version if: ${{ github.event.inputs.custom-version != '' }} id: custom - uses: "softprops/action-gh-release@v2" + uses: "softprops/action-gh-release@v3" with: token: "${{ secrets.GH_TOKEN_ADMIN }}" tag_name: v${{ github.event.inputs.custom-version }} @@ -3293,14 +3293,14 @@ jobs: make_latest: false - name: Download package-deployment if: ${{ steps.semantic.outputs.new_release_published == 'true' || steps.custom.outputs.upload_url != '' }} - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v7 id: download-package-deployment with: name: package-deployment path: download/artifacts/ - name: Download package-splunkbase if: ${{ steps.semantic.outputs.new_release_published == 'true' || steps.custom.outputs.upload_url != '' }} - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v7 id: download-package-splunkbase with: name: package-splunkbase @@ -3309,7 +3309,7 @@ jobs: id: download-cim-compliance-report if: ${{ steps.semantic.outputs.new_release_published == 'true' || steps.custom.outputs.upload_url != '' }} continue-on-error: true - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v7 with: name: cim-compliance-report path: download/artifacts/deployment diff --git a/.github/workflows/reusable-publish-to-splunkbase.yml b/.github/workflows/reusable-publish-to-splunkbase.yml index 2ad434ef8..2bfc23a69 100644 --- a/.github/workflows/reusable-publish-to-splunkbase.yml +++ b/.github/workflows/reusable-publish-to-splunkbase.yml @@ -35,8 +35,8 @@ jobs: needs: - inputs-validator steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - uses: actions/checkout@v5 + - uses: actions/setup-python@v6 with: python-version: "3.12" - run: pip install splunk_add_on_ucc_framework-5.69.1-py3-none-any.whl diff --git a/.github/workflows/reusable-validate-deploy-docs.yml b/.github/workflows/reusable-validate-deploy-docs.yml index 7d721df76..b772bde22 100644 --- a/.github/workflows/reusable-validate-deploy-docs.yml +++ b/.github/workflows/reusable-validate-deploy-docs.yml @@ -9,8 +9,8 @@ jobs: outputs: status: ${{ steps.validate.outputs.status }} steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - uses: actions/checkout@v5 + - uses: actions/setup-python@v6 with: python-version: 3.12 - name: Install mkdocs and plugins @@ -40,8 +40,8 @@ jobs: pages: write if: github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main' steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - uses: actions/checkout@v5 + - uses: actions/setup-python@v6 with: python-version: 3.12 - name: Install mkdocs and plugins From 0b20ebb6a25754d02cd527b3deb1450732e5ad9d Mon Sep 17 00:00:00 2001 From: mkolasinski-splunk <105011638+mkolasinski-splunk@users.noreply.github.com> Date: Fri, 10 Jul 2026 10:02:44 +0200 Subject: [PATCH 02/10] fix: split run-spl2-tests by pipeline directory for parallel execution ADDON-88924 (#513) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Summary - Splits the single monolithic `run-spl2-tests` box-test job into a matrix, one job per pipeline subdirectory under `package/default/data/spl2/` (discovered dynamically in `setup-workflow`), plus a `__root__` shard for any top-level `*.test.json`/`*.test.spl2` fixtures. - Each shard is scoped with `--test_dir` (using `spl2-testing-framework`'s existing directory-scoping support β€” no framework changes needed); `--code_dir` stays pointed at the full tree so module resolution still works for TAs that don't duplicate pipeline code per-subdirectory. - Motivated by the AWS TA SPL2 suite, where one pipeline (`aws_cloudtrail`) accounts for ~78% of all box tests and made the single job take 4+ hours; sharding lets pipelines with skewed test-count distributions run concurrently instead of serially. ## Test plan - [x] Verify against `splunk-add-on-for-amazon-web-services` (`feature/spl2-content-for-aws-ta`) via a throwaway PR pointing `build-test-release.yml`'s `uses:` at this branch β€” confirm shard discovery finds `aws_cloudtrail`/`aws_cloudwatch`/`aws_cloudwatchlogs_vpcflow`/`__root__`, all four run in parallel, and total test count/pass-fail matches the current single-job baseline. [link](https://github.com/splunk/splunk-add-on-for-amazon-web-services/actions/runs/28942569538/job/85878959228a) πŸ€– Generated with [Claude Code](https://claude.com/claude-code) --- .../workflows/reusable-build-test-release.yml | 42 +++++++++++++++++-- 1 file changed, 39 insertions(+), 3 deletions(-) diff --git a/.github/workflows/reusable-build-test-release.yml b/.github/workflows/reusable-build-test-release.yml index f221810fe..22ca51c51 100644 --- a/.github/workflows/reusable-build-test-release.yml +++ b/.github/workflows/reusable-build-test-release.yml @@ -213,6 +213,7 @@ jobs: exit-first: ${{ steps.determine-test-execution-flags.outputs.exit-first }} execute-unit: ${{ steps.determine-test-execution-flags.outputs.execute_unit }} execute-gs-scorecard: ${{ steps.determine-test-execution-flags.outputs.execute_gs_scorecard }} + spl2-pipelines: ${{ steps.determine-test-execution-flags.outputs.spl2_pipelines }} s3_bucket_k8s: ${{ steps.k8s-environment.outputs.s3_bucket }} argo_server_domain_k8s: ${{ steps.k8s-environment.outputs.argo_server_domain }} argo_token_secret_id_k8s: ${{ steps.k8s-environment.outputs.argo_token_secret_id }} @@ -249,6 +250,7 @@ jobs: EXECUTION_FLAGS["$test_type"]="false" done + SPL2_PIPELINES="[]" if [[ "${{ needs.check-docs-changes.outputs.docs-only }}" == "true" ]]; then echo "Docs-only changes detected. No tests will be executed." else @@ -265,6 +267,21 @@ jobs: if [[ -d "package/default/data/spl2" ]]; then TESTS_TO_CONSIDER_FOR_EXECUTION+=("execute_spl2") echo "spl2::true" + + declare -a SPL2_PIPELINE_DIRS + while read -r PIPELINE_DIR; do + # Tests can live at any depth under a pipeline dir (rglob), not just directly inside it. + if find "$PIPELINE_DIR" \( -name '*.test.json' -o -name '*.test.spl2' \) -print -quit | grep -q .; then + SPL2_PIPELINE_DIRS+=("$(basename "$PIPELINE_DIR")") + fi + done < <(find package/default/data/spl2 -mindepth 1 -maxdepth 1 -type d | sort) + # Test files directly under data/spl2 (no pipeline subdir) get their own "__root__" entry. + if find package/default/data/spl2 -mindepth 1 -maxdepth 1 \( -name '*.test.json' -o -name '*.test.spl2' \) -print -quit | grep -q .; then + SPL2_PIPELINE_DIRS+=("__root__") + fi + if [[ ${#SPL2_PIPELINE_DIRS[@]} -gt 0 ]]; then + SPL2_PIPELINES=$(printf '%s\n' "${SPL2_PIPELINE_DIRS[@]}" | jq -R . | jq -sc .) + fi fi found_unit_test=false @@ -344,6 +361,8 @@ jobs: EXECUTION_FLAGS["execute_gs_scorecard"]="true" fi fi + echo "spl2_pipelines=${SPL2_PIPELINES}" >> "$GITHUB_OUTPUT" + echo "spl2 pipelines: ${SPL2_PIPELINES}" echo "Tests to be executed:" for test_type in "${TESTSET[@]}"; do echo "$test_type""=${EXECUTION_FLAGS["$test_type"]}" >> "$GITHUB_OUTPUT" @@ -1281,6 +1300,10 @@ jobs: if: ${{ !cancelled() && needs.setup-workflow.outputs.execute-spl2 == 'true'}} needs: - setup-workflow + strategy: + fail-fast: false + matrix: + pipeline: ${{ fromJSON(needs.setup-workflow.outputs.spl2-pipelines) }} runs-on: ubuntu-latest container: image: ghcr.io/splunk/spl2-testing-base:latest @@ -1302,16 +1325,29 @@ jobs: git_path="$(pwd)" echo "$git_path" git config --global --add safe.directory "$git_path" + - name: Stage root-level spl2 tests # tests directly under data/spl2 (no pipeline subdir) get copied into their own dir + if: ${{ matrix.pipeline == '__root__' }} + run: | + ROOT_PIPELINE_DIR="package/default/data/spl2-pipeline-root" + mkdir -p "$ROOT_PIPELINE_DIR" + find package/default/data/spl2 -mindepth 1 -maxdepth 1 \( -name '*.spl2' -o -name '*.test.json' \) -exec cp {} "$ROOT_PIPELINE_DIR/" \; - name: Run spl2 tests + shell: bash run: | - echo "Running SPL2 Tests" - spl2_tests_run cli -n 8 --ignore_additional_fields_in_actual --ignore_empty_strings -o log_cli=true --log-cli-level=INFO --verbose --junitxml test-results/report.xml + echo "Running SPL2 Tests for pipeline: ${{ matrix.pipeline }}" + if [[ "${{ matrix.pipeline }}" == "__root__" ]]; then + TEST_DIR="package/default/data/spl2-pipeline-root" + else + TEST_DIR="package/default/data/spl2/${{ matrix.pipeline }}" + fi + # code_dir must match test_dir, otherwise discovery falls back to the other dir and re-pulls in every other pipeline's tests. + spl2_tests_run cli --test_dir "$TEST_DIR" --code_dir "$TEST_DIR" -n 8 --ignore_additional_fields_in_actual --ignore_empty_strings -o log_cli=true --log-cli-level=INFO --verbose --junitxml "test-results/report-${{ matrix.pipeline }}.xml" - name: Test Report id: test_report uses: dorny/test-reporter@v3.0.0 if: ${{ !cancelled() }} with: - name: spl2 test report + name: spl2 test report (${{ matrix.pipeline }}) path: "test-results/*.xml" reporter: java-junit From bfb95342d5fd9e35eee61abb64bec8707e60e8b5 Mon Sep 17 00:00:00 2001 From: mkolasinski-splunk <105011638+mkolasinski-splunk@users.noreply.github.com> Date: Fri, 10 Jul 2026 10:03:29 +0200 Subject: [PATCH 03/10] feat: upload spl2 test results as artifact after execution (#510) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Summary - Add `actions/upload-artifact@v4` step to `run-spl2-tests` job so test results are preserved as downloadable artifacts after each run - Matches the artifact upload pattern already used in `run-knowledge-tests` and `run-unit-tests` - Artifact named `spl2 test results`, contains the `test-results/` directory with JUnit XML output ## Test plan - [ ] Verify CI runs `run-spl2-tests` and produces a downloadable `spl2 test results` artifact - [ ] Confirm artifact contains `test-results/report.xml` πŸ€– Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Sonnet 4.6 --- .github/workflows/reusable-build-test-release.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/reusable-build-test-release.yml b/.github/workflows/reusable-build-test-release.yml index 22ca51c51..06aaa749c 100644 --- a/.github/workflows/reusable-build-test-release.yml +++ b/.github/workflows/reusable-build-test-release.yml @@ -1350,6 +1350,11 @@ jobs: name: spl2 test report (${{ matrix.pipeline }}) path: "test-results/*.xml" reporter: java-junit + - uses: actions/upload-artifact@v4 + if: ${{ !cancelled() }} + with: + name: spl2 test results + path: test-results/ run-knowledge-tests: if: ${{ !cancelled() && needs.build.result == 'success' && needs.setup-workflow.outputs.execute-knowledge == 'true' }} From 214cd9bd62d00fffb8ea368d1661b48d312f362a Mon Sep 17 00:00:00 2001 From: nayanak-896 Date: Fri, 10 Jul 2026 14:02:08 +0530 Subject: [PATCH 04/10] feat: ADDON-87374 Split FOSSA license and vulnerability checks in reusable release workflow (#503) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Summary This PR updates the reusable add-on build-test-release workflow to split FOSSA findings into separate license and vulnerability checks, improve release gating, and document the new workflow behavior. JIRA Link - []https://splunk.atlassian.net/browse/ADDON-87374 ## Changes - Extends `fossa-scan` to run `fossa test --debug` in a dedicated step (only when analyze succeeds) and upload its output as the `fossa-test-output` artifact - Adds separate lightweight FOSSA CI jobs that parse `fossa-test-output`: - `fossa-license-test` β€” extracts and counts issues from the `COMPLIANCE ISSUES` section - `fossa-vulnerability-test` β€” extracts and counts issues from the `SECURITY ISSUES` section - Exposes separate pipeline outputs for: - active license issues - active vulnerability issues - release-blocking vulnerability issues - Publishes separate job summaries for license and vulnerability findings. - Updates `pre-publish` release gating so release paths can block independently on: - unresolved vulnerability issues - Keeps merge-to-develop and other non-release workflows usable by reporting split FOSSA results without enforcing release gating there. - Updates README documentation for the new split FOSSA jobs and release gating behavior. ### Checklist - [X] `README.md` has been updated - [ ] push trigger tests - [ ] manual release test - [ ] automated releases test - [X] pull request trigger tests - [ ] schedule trigger tests - [ ] workflow errors/warnings reviewed and addressed ### Tested TA GitHub Actions run: 1. Successful FOSSA Tests for Apache web server TA - []https://github.com/splunk/splunk-add-on-for-apache-web-server/actions/runs/29075781494 2. Crowdstrike TA FOSSA tests failure - []https://github.com/splunk/splunk-add-on-for-crowdstrike-fdr/actions/runs/29077637023 3. Salesforce TA FOSSA tests failure - []https://github.com/splunk/splunk-add-on-for-salesforce/actions/runs/29077050887 --------- Co-authored-by: Claude Sonnet 4.6 --- .../workflows/reusable-build-test-release.yml | 135 +++++++++++++++++- README.md | 38 +++-- 2 files changed, 158 insertions(+), 15 deletions(-) diff --git a/.github/workflows/reusable-build-test-release.yml b/.github/workflows/reusable-build-test-release.yml index 06aaa749c..2db5831c5 100644 --- a/.github/workflows/reusable-build-test-release.yml +++ b/.github/workflows/reusable-build-test-release.yml @@ -443,6 +443,8 @@ jobs: fossa-scan: runs-on: ubuntu-latest + outputs: + report-url: ${{ steps.fossa-scan.outputs.FOSSA_REPORT_URL }} steps: - uses: actions/checkout@v5 - name: run fossa analyze and create report @@ -458,29 +460,147 @@ jobs: exit "$exit_code" env: FOSSA_API_KEY: ${{ secrets.FOSSA_API_KEY }} + - name: run fossa test and capture output + if: success() + run: | + fossa test --debug 2>&1 | tee fossa-test-output.txt || true + env: + FOSSA_API_KEY: ${{ secrets.FOSSA_API_KEY }} - name: upload THIRDPARTY file uses: actions/upload-artifact@v6 with: name: THIRDPARTY path: /tmp/THIRDPARTY + - name: upload fossa test output + if: always() + uses: actions/upload-artifact@v4 + with: + name: fossa-test-output + path: fossa-test-output.txt + if-no-files-found: ignore - name: job summary if: success() || failure() run: | echo "FOSSA Report: ${{ steps.fossa-scan.outputs.FOSSA_REPORT_URL }}" >> "$GITHUB_STEP_SUMMARY" - fossa-test: + fossa-license-test: continue-on-error: true runs-on: ubuntu-latest needs: - fossa-scan + outputs: + active-issues: ${{ steps.fossa-license-test.outputs.active-issues }} steps: - - uses: actions/checkout@v5 - - name: run fossa test - run: | - curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash - fossa test --debug + - name: download fossa test output + uses: actions/download-artifact@v4 + with: + name: fossa-test-output + - name: run fossa license test + id: fossa-license-test + shell: bash env: - FOSSA_API_KEY: ${{ secrets.FOSSA_API_KEY }} + FOSSA_REPORT_URL: ${{ needs.fossa-scan.outputs.report-url }} + run: | + set -euo pipefail + header=$(awk '/^ *Using project name:|^ *Using revision:/{print}' fossa-test-output.txt || true) + section=$(awk '/^ *COMPLIANCE ISSUES/{found=1} found{print} /^\[/{if(found) exit}' fossa-test-output.txt || true) + issue_count=$(echo "$section" | grep -c "^ *βš‘ " || true) + echo "active-issues=$issue_count" >> "$GITHUB_OUTPUT" + echo "$header" + if [[ "$issue_count" -gt 0 ]]; then + echo "$section" + else + echo "" + echo "Test passed! 0 issues found" + fi + { + echo "## FOSSA License Test" + echo "" + echo "| Field | Value |" + echo "| --- | --- |" + if [[ "$issue_count" -gt 0 ]]; then + echo "| Status | Failed |" + else + echo "| Status | Passed |" + fi + echo "| FOSSA report | ${FOSSA_REPORT_URL:-Not available} |" + echo "| Active license issues | \`${issue_count}\` |" + echo "" + echo "### License Issues" + echo "" + echo '```text' + echo "$header" + echo "" + if [[ "$issue_count" -gt 0 ]]; then + echo "$section" + else + echo "Test passed! 0 issues found" + fi + echo '```' + } >> "$GITHUB_STEP_SUMMARY" + if [[ "$issue_count" -gt 0 ]]; then + echo "::error::Found ${issue_count} active FOSSA licensing issue(s)." + exit 1 + fi + + fossa-vulnerability-test: + runs-on: ubuntu-latest + needs: + - fossa-scan + outputs: + active-issues: ${{ steps.fossa-vulnerability-test.outputs.active-issues }} + steps: + - name: download fossa test output + uses: actions/download-artifact@v4 + with: + name: fossa-test-output + - name: run fossa vulnerability test + id: fossa-vulnerability-test + shell: bash + env: + FOSSA_REPORT_URL: ${{ needs.fossa-scan.outputs.report-url }} + run: | + set -euo pipefail + header=$(awk '/^ *Using project name:|^ *Using revision:/{print}' fossa-test-output.txt || true) + section=$(awk '/^ *COMPLIANCE ISSUES/{if(found) exit} /^ *SECURITY ISSUES/{found=1} found{print}' fossa-test-output.txt || true) + issue_count=$(echo "$section" | grep -c "^ *βš‘ " || true) + echo "active-issues=$issue_count" >> "$GITHUB_OUTPUT" + echo "$header" + if [[ "$issue_count" -gt 0 ]]; then + echo "$section" + else + echo "" + echo "Test passed! 0 issues found" + fi + { + echo "## FOSSA Vulnerability Test" + echo "" + echo "| Field | Value |" + echo "| --- | --- |" + if [[ "$issue_count" -gt 0 ]]; then + echo "| Status | Failed |" + else + echo "| Status | Passed |" + fi + echo "| FOSSA report | ${FOSSA_REPORT_URL:-Not available} |" + echo "| Active vulnerability issues | \`${issue_count}\` |" + echo "" + echo "### Vulnerability Issues" + echo "" + echo '```text' + echo "$header" + echo "" + if [[ "$issue_count" -gt 0 ]]; then + echo "$section" + else + echo "Test passed! 0 issues found" + fi + echo '```' + } >> "$GITHUB_STEP_SUMMARY" + if [[ "$issue_count" -gt 0 ]]; then + echo "::error::Found ${issue_count} active FOSSA vulnerability issue(s)." + exit 1 + fi compliance-copyrights: name: compliance-copyrights @@ -3264,6 +3384,7 @@ jobs: - run-ui-tests - validate-pr-title - run-gs-scorecard + - fossa-vulnerability-test runs-on: ubuntu-latest env: NEEDS: ${{ toJson(needs) }} diff --git a/README.md b/README.md index 35bd0c86a..674197830 100644 --- a/README.md +++ b/README.md @@ -16,7 +16,8 @@ * [[Job] validate-pr-title](#job-validate-pr-title) * [[Job] meta](#job-meta) * [[Job] fossa-scan](#job-fossa-scan) - * [[Job] fossa-test](#job-fossa-test) + * [[Job] fossa-license-test](#job-fossa-license-test) + * [[Job] fossa-vulnerability-test](#job-fossa-vulnerability-test) * [[Job] compliance-copyrights](#job-compliance-copyrights) * [[Job] lint](#job-lint) * [[Job] security-detect-secrets](#job-security-detect-secrets) @@ -301,6 +302,8 @@ gitGraph - Detected issues can be found in FOSSA app site https://app.fossa.com/. Link to direct report is generated per job and printed in logs +- Also runs `fossa test --debug` in a dedicated step (only when analyze succeeds) and uploads its output as the `fossa-test-output` artifact for downstream parsing by `fossa-license-test` and `fossa-vulnerability-test` + **Pass/fail behaviour:** - This stage fails if FOSSA cannot create report - for example some internal FOSSA error @@ -314,25 +317,42 @@ gitGraph ``` THIRDPARTY +fossa-test-output ``` -## [Job] fossa-test +## [Job] fossa-license-test **Description:** -- This action checks report created in fossa-scan job. This action checks license compliance and vulnerabilities. This job uses `.fossa.yml` configuration file +- This job parses the `fossa-test-output` artifact produced by `fossa-scan` and extracts the `COMPLIANCE ISSUES` section to identify active license findings. + +- It publishes license-only results in the CI job summary and job log so CI can distinguish license compliance findings from vulnerability findings. **Pass/fail behaviour:** -- This stage fails if FOSSA finds any license or security issues. Detected issues can be found in FOSSA app site https://app.fossa.com/. Link to direct report is generated in fossa-scan job. License issues should be checked by legal team, vulnerabilities should be solved by TA-dev or TA-qa team with assist of prodsec team if needed (some issues with critical status for example). +- This stage fails if active FOSSA licensing issues are found. The job result is informational only β€” license issues do not block release. -**Troubleshooting steps for failures if any:** +**Troubleshooting steps for failures if any:** -- The error log is present in the stage as well user should be able to reproduce that in local environment with FOSSA CLI tool https://github.com/fossas/fossa-cli +- Review the job log and job summary. Both display the project details and all active license findings. License issues should be checked by the legal team. -**Artifacts:** +## [Job] fossa-vulnerability-test -- No additional Artifacts. +**Description:** + +- This job parses the `fossa-test-output` artifact produced by `fossa-scan` and extracts the `SECURITY ISSUES` section to identify active vulnerability findings. + +- It publishes vulnerability-only results in the CI job summary and job log so CI can distinguish security findings from license compliance findings. + +**Pass/fail behaviour:** + +- This stage fails if any active FOSSA vulnerability issues are found at any severity level. CI continues regardless (`continue-on-error: true`) β€” the failure is surfaced via the job summary and log. + +- Release is blocked in `pre-publish` when any active vulnerability issues are reported, regardless of severity. + +**Troubleshooting steps for failures if any:** + +- Review the job log and job summary. Both display the project details and all active vulnerability findings. Vulnerabilities should be triaged by TA-dev or TA-qa with prodsec support when needed. ## [Job] compliance-copyrights @@ -1001,6 +1021,8 @@ argo-logs - If this stage is failing and PR is merged to main/develop Publsih stage will not get executed in the pipeline run. +- Release readiness is blocked when `fossa-vulnerability-test` fails, as `pre-publish` depends on it directly via the `needs` dependency. + **Troubleshooting steps for failures if any** - In the logs it outputs a json with the info of stages and their pass/fail status.
From e48a3c2f4ad028589206e51e705be28c85f0620b Mon Sep 17 00:00:00 2001 From: mkolasinski-splunk <105011638+mkolasinski-splunk@users.noreply.github.com> Date: Tue, 14 Jul 2026 12:19:35 +0200 Subject: [PATCH 05/10] fix: bump matrix version (#509) ### Description This PR bumps matrix version to 3.2 including Splunk 10.4 ### Checklist - [ ] `README.md` has been updated or is not required - [ ] push trigger tests - [ ] manual release test - [ ] automated releases test - [ ] pull request trigger tests - [ ] schedule trigger tests - [ ] workflow errors/warnings reviewed and addressed ### Testing done (for each selected checkbox, the corresponding test results link should be listed here) --- .github/workflows/reusable-build-test-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/reusable-build-test-release.yml b/.github/workflows/reusable-build-test-release.yml index 2db5831c5..7abb32c98 100644 --- a/.github/workflows/reusable-build-test-release.yml +++ b/.github/workflows/reusable-build-test-release.yml @@ -411,7 +411,7 @@ jobs: submodules: false persist-credentials: false - id: matrix - uses: splunk/addonfactory-test-matrix-action@v3.1 + uses: splunk/addonfactory-test-matrix-action@v3.2 with: features: PYTHON39 - id: determine_splunk From 787d48ab7be1699bdf6074efd0c5c525a5354000 Mon Sep 17 00:00:00 2001 From: mkolasinski-splunk <105011638+mkolasinski-splunk@users.noreply.github.com> Date: Tue, 14 Jul 2026 13:20:44 +0200 Subject: [PATCH 06/10] Revert "fix: split run-spl2-tests by pipeline directory for parallel execution ADDON-88924" (#516) Reverts splunk/addonfactory-workflow-addon-release#513 No longer needed due to improvements on spl2-cli side --- .../workflows/reusable-build-test-release.yml | 42 ++----------------- 1 file changed, 3 insertions(+), 39 deletions(-) diff --git a/.github/workflows/reusable-build-test-release.yml b/.github/workflows/reusable-build-test-release.yml index 7abb32c98..09039dd47 100644 --- a/.github/workflows/reusable-build-test-release.yml +++ b/.github/workflows/reusable-build-test-release.yml @@ -213,7 +213,6 @@ jobs: exit-first: ${{ steps.determine-test-execution-flags.outputs.exit-first }} execute-unit: ${{ steps.determine-test-execution-flags.outputs.execute_unit }} execute-gs-scorecard: ${{ steps.determine-test-execution-flags.outputs.execute_gs_scorecard }} - spl2-pipelines: ${{ steps.determine-test-execution-flags.outputs.spl2_pipelines }} s3_bucket_k8s: ${{ steps.k8s-environment.outputs.s3_bucket }} argo_server_domain_k8s: ${{ steps.k8s-environment.outputs.argo_server_domain }} argo_token_secret_id_k8s: ${{ steps.k8s-environment.outputs.argo_token_secret_id }} @@ -250,7 +249,6 @@ jobs: EXECUTION_FLAGS["$test_type"]="false" done - SPL2_PIPELINES="[]" if [[ "${{ needs.check-docs-changes.outputs.docs-only }}" == "true" ]]; then echo "Docs-only changes detected. No tests will be executed." else @@ -267,21 +265,6 @@ jobs: if [[ -d "package/default/data/spl2" ]]; then TESTS_TO_CONSIDER_FOR_EXECUTION+=("execute_spl2") echo "spl2::true" - - declare -a SPL2_PIPELINE_DIRS - while read -r PIPELINE_DIR; do - # Tests can live at any depth under a pipeline dir (rglob), not just directly inside it. - if find "$PIPELINE_DIR" \( -name '*.test.json' -o -name '*.test.spl2' \) -print -quit | grep -q .; then - SPL2_PIPELINE_DIRS+=("$(basename "$PIPELINE_DIR")") - fi - done < <(find package/default/data/spl2 -mindepth 1 -maxdepth 1 -type d | sort) - # Test files directly under data/spl2 (no pipeline subdir) get their own "__root__" entry. - if find package/default/data/spl2 -mindepth 1 -maxdepth 1 \( -name '*.test.json' -o -name '*.test.spl2' \) -print -quit | grep -q .; then - SPL2_PIPELINE_DIRS+=("__root__") - fi - if [[ ${#SPL2_PIPELINE_DIRS[@]} -gt 0 ]]; then - SPL2_PIPELINES=$(printf '%s\n' "${SPL2_PIPELINE_DIRS[@]}" | jq -R . | jq -sc .) - fi fi found_unit_test=false @@ -361,8 +344,6 @@ jobs: EXECUTION_FLAGS["execute_gs_scorecard"]="true" fi fi - echo "spl2_pipelines=${SPL2_PIPELINES}" >> "$GITHUB_OUTPUT" - echo "spl2 pipelines: ${SPL2_PIPELINES}" echo "Tests to be executed:" for test_type in "${TESTSET[@]}"; do echo "$test_type""=${EXECUTION_FLAGS["$test_type"]}" >> "$GITHUB_OUTPUT" @@ -1420,10 +1401,6 @@ jobs: if: ${{ !cancelled() && needs.setup-workflow.outputs.execute-spl2 == 'true'}} needs: - setup-workflow - strategy: - fail-fast: false - matrix: - pipeline: ${{ fromJSON(needs.setup-workflow.outputs.spl2-pipelines) }} runs-on: ubuntu-latest container: image: ghcr.io/splunk/spl2-testing-base:latest @@ -1445,29 +1422,16 @@ jobs: git_path="$(pwd)" echo "$git_path" git config --global --add safe.directory "$git_path" - - name: Stage root-level spl2 tests # tests directly under data/spl2 (no pipeline subdir) get copied into their own dir - if: ${{ matrix.pipeline == '__root__' }} - run: | - ROOT_PIPELINE_DIR="package/default/data/spl2-pipeline-root" - mkdir -p "$ROOT_PIPELINE_DIR" - find package/default/data/spl2 -mindepth 1 -maxdepth 1 \( -name '*.spl2' -o -name '*.test.json' \) -exec cp {} "$ROOT_PIPELINE_DIR/" \; - name: Run spl2 tests - shell: bash run: | - echo "Running SPL2 Tests for pipeline: ${{ matrix.pipeline }}" - if [[ "${{ matrix.pipeline }}" == "__root__" ]]; then - TEST_DIR="package/default/data/spl2-pipeline-root" - else - TEST_DIR="package/default/data/spl2/${{ matrix.pipeline }}" - fi - # code_dir must match test_dir, otherwise discovery falls back to the other dir and re-pulls in every other pipeline's tests. - spl2_tests_run cli --test_dir "$TEST_DIR" --code_dir "$TEST_DIR" -n 8 --ignore_additional_fields_in_actual --ignore_empty_strings -o log_cli=true --log-cli-level=INFO --verbose --junitxml "test-results/report-${{ matrix.pipeline }}.xml" + echo "Running SPL2 Tests" + spl2_tests_run cli -n 8 --ignore_additional_fields_in_actual --ignore_empty_strings -o log_cli=true --log-cli-level=INFO --verbose --junitxml test-results/report.xml - name: Test Report id: test_report uses: dorny/test-reporter@v3.0.0 if: ${{ !cancelled() }} with: - name: spl2 test report (${{ matrix.pipeline }}) + name: spl2 test report path: "test-results/*.xml" reporter: java-junit - uses: actions/upload-artifact@v4 From 99ee1ed117c2f951bd0f67eef44e49e7587e6439 Mon Sep 17 00:00:00 2001 From: mkolasinski-splunk <105011638+mkolasinski-splunk@users.noreply.github.com> Date: Wed, 15 Jul 2026 15:29:41 +0200 Subject: [PATCH 07/10] fix: validate ADDON Jira ticket in PR title (#511) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Summary - Adds a step to the `validate-pr-title` job that enforces `ADDON-XXXXX` (5–6 digit Jira ticket number) in the PR title, failing with a clear `::error::` annotation if missing (runs after the existing semantic PR title check). - Adds a new `comment-on-jira` job: on push to `main`/`develop`, scans commit messages for `ADDON-XXXXX` references and posts a comment on each referenced ticket linking back to the commit (and originating PR, if found), worded to match the existing GitLabβ†’Jira integration convention (`{author} mentioned this issue in a commit of {repo} on branch {branch}:`). - Auth via `ATLASSIAN_EMAIL`/`ATLASSIAN_TOKEN` secrets (hardcoded `https://splunk.atlassian.net` base URL), matching the naming convention already used by `addonfactory-docs-on-github-integration`; posts via raw Jira REST API v3 + ADF body rather than `atlassian/gajira-comment` (which has a known RCE, CVE-2020-14189). - Never fails the workflow: a failed Jira API call only logs a `::warning::`. ## Test plan - [x] Open a PR without `ADDON-XXXXX` in the title β†’ job fails with the error message - [x] Open a PR with `ADDON-12345` or `ADDON-123456` in the title β†’ job passes - [x] Verify existing semantic PR title validation still works - [x] **Live end-to-end verification against `splunk/test-addonfactory-repo`** (sandbox repo, temporarily pointed at this branch, reverted to `v5.4` after each round), commenting on real ticket [ADDON-88759](https://splunk.atlassian.net/browse/ADDON-88759): - `pull_request` event β†’ `comment-on-jira` correctly `skipped` (job only fires on `push`) - Push directly to `main`, no originating PR β†’ comment posted with commit link only, no "via PR" clause ([run](https://github.com/splunk/test-addonfactory-repo/actions/runs/28979594348)) - Push to `main` via squash-merged PR β†’ comment posted with commit link **and** correct PR link ([run](https://github.com/splunk/test-addonfactory-repo/actions/runs/28979730875), [PR #374](https://github.com/splunk/test-addonfactory-repo/pull/374)) - Push with a mix of a ticket-referencing and a non-referencing commit β†’ only the referencing commit produced a comment (dedup/skip logic confirmed) ([run](https://github.com/splunk/test-addonfactory-repo/actions/runs/28980385679)) - Bug found and fixed during testing: initial run 403'd on the PR lookup (job only had `contents: read`) and leaked the raw error JSON into the comment's link `href` ([run](https://github.com/splunk/test-addonfactory-repo/actions/runs/28978879858), see resulting [malformed comment](https://splunk.atlassian.net/browse/ADDON-88759)) β€” fixed by adding `pull-requests: read` and guarding the `gh api` failure path (`1c8ba82`) - Final wording verified live: "mkolasinski-splunk mentioned this issue in a commit of splunk/test-addonfactory-repo on branch main:" ([run](https://github.com/splunk/test-addonfactory-repo/actions/runs/28980385679)) πŸ€– Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Claude --- .../workflows/reusable-build-test-release.yml | 77 +++++++++++++++++++ README.md | 18 +++++ 2 files changed, 95 insertions(+) diff --git a/.github/workflows/reusable-build-test-release.yml b/.github/workflows/reusable-build-test-release.yml index 09039dd47..e544d54a0 100644 --- a/.github/workflows/reusable-build-test-release.yml +++ b/.github/workflows/reusable-build-test-release.yml @@ -129,6 +129,12 @@ on: GSSA_AWS_SECRET_ACCESS_KEY: description: GSSA AWS secret access key required: true + ATLASSIAN_EMAIL: + description: Email of the Atlassian user used to post Jira ticket comments + required: true + ATLASSIAN_TOKEN: + description: API token for the Atlassian user used to post Jira ticket comments + required: true permissions: contents: read packages: read @@ -373,6 +379,77 @@ jobs: validateSingleCommit: true env: GITHUB_TOKEN: ${{ github.token }} + - name: Validate ADDON Jira ticket in PR title + env: + PR_TITLE: ${{ github.event.pull_request.title }} + run: | + if [[ ! "$PR_TITLE" =~ ADDON-[0-9]{5,6}([^0-9]|$) ]]; then + echo "::error::PR title must contain a Jira ticket in the format ADDON-XXXXX (5-6 digits). Got: $PR_TITLE" + exit 1 + fi + + comment-on-jira: + name: Comment on Jira ticket + if: ${{ github.event_name == 'push' && (github.ref_name == 'main' || github.ref_name == 'develop') }} + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: read + steps: + - name: Comment on referenced ADDON ticket(s) + env: + GH_TOKEN: ${{ github.token }} + COMMITS: ${{ toJson(github.event.commits) }} + REPO: ${{ github.repository }} + BRANCH: ${{ github.ref_name }} + JIRA_BASE_URL: https://splunk.atlassian.net + ATLASSIAN_EMAIL: ${{ secrets.ATLASSIAN_EMAIL }} + ATLASSIAN_TOKEN: ${{ secrets.ATLASSIAN_TOKEN }} + run: | + SEEN="" + echo "$COMMITS" | jq -c '.[]' | while read -r commit; do + MESSAGE=$(jq -r '.message' <<<"$commit") + SHA=$(jq -r '.id' <<<"$commit") + AUTHOR=$(jq -r '.author.username // .author.name' <<<"$commit") + TICKETS=$(grep -oP 'ADDON-[0-9]{5,6}(?![0-9])' <<<"$MESSAGE" | sort -u) + if [[ -z "$TICKETS" ]]; then + continue + fi + while read -r TICKET; do + if [[ " $SEEN " == *" $TICKET "* ]]; then + continue + fi + SEEN="$SEEN $TICKET" + + COMMIT_URL="https://github.com/$REPO/commit/$SHA" + if ! PR_URL=$(gh api "repos/$REPO/commits/$SHA/pulls" --jq '.[0].html_url // ""' 2>/dev/null); then + PR_URL="" + fi + BODY=$(jq -n \ + --arg author "$AUTHOR" --arg branch "$BRANCH" --arg repo "$REPO" \ + --arg commit_url "$COMMIT_URL" --arg sha "${SHA:0:7}" --arg pr_url "$PR_URL" \ + '{body: {type: "doc", version: 1, content: [ + {type: "paragraph", content: [ + {type: "text", text: ($author + " mentioned this issue in a commit of " + $repo + " on branch " + $branch + ":")} + ]}, + {type: "paragraph", content: ( + [{type: "text", text: $sha, marks: [{type: "link", attrs: {href: $commit_url}}]}] + + (if $pr_url != "" then + [{type: "text", text: " (via "}, + {type: "text", text: "PR", marks: [{type: "link", attrs: {href: $pr_url}}]}, + {type: "text", text: ")"}] + else [] end) + )} + ]}}') + + echo "Commenting on $TICKET for commit ${SHA:0:7}" + curl --fail --silent --show-error \ + -u "$ATLASSIAN_EMAIL:$ATLASSIAN_TOKEN" \ + -H "Content-Type: application/json" \ + -X POST "$JIRA_BASE_URL/rest/api/3/issue/$TICKET/comment" \ + -d "$BODY" || echo "::warning::Failed to comment on $TICKET for commit ${SHA:0:7}" + done <<<"$TICKETS" + done meta: runs-on: ubuntu-latest diff --git a/README.md b/README.md index 674197830..cd9092063 100644 --- a/README.md +++ b/README.md @@ -14,6 +14,7 @@ * [[Job] check-docs-changes](#job-check-docs-changes) * [[Job] setup-workflow](#job-setup-workflow) * [[Job] validate-pr-title](#job-validate-pr-title) + * [[Job] comment-on-jira](#job-comment-on-jira) * [[Job] meta](#job-meta) * [[Job] fossa-scan](#job-fossa-scan) * [[Job] fossa-license-test](#job-fossa-license-test) @@ -286,6 +287,23 @@ gitGraph - No additional artifacts. +## [Job] comment-on-jira + +**Description:** + +- Runs only on push events to `main` or `develop`. +- Scans the commit messages in the push for an `ADDON-XXXXX` Jira ticket reference (5-6 digits) and posts a comment on each referenced ticket (e.g. "*author* mentioned this issue in a commit of *repo* on branch *branch*:") linking back to the commit (and originating PR, if found). +- Requires the `ATLASSIAN_EMAIL` and `ATLASSIAN_TOKEN` secrets to be configured; the Atlassian user needs comment permission on the referenced tickets in `https://splunk.atlassian.net`. + +**Pass/fail behaviour:** + +- Never fails the workflow: a failed Jira API call only logs a warning. + +**Artifacts:** + +- No additional artifacts. + + ## [Job] meta **Description:** From 81b68fc38f6c329b7635bf2cb8781d49df563e64 Mon Sep 17 00:00:00 2001 From: mkolasinski-splunk <105011638+mkolasinski-splunk@users.noreply.github.com> Date: Thu, 16 Jul 2026 16:21:25 +0200 Subject: [PATCH 08/10] fix: allow ignoring known false-positive FOSSA vulnerabilities (#517) Adds a fossa-ignore-vulnerabilities workflow_call input (JSON array of "package@version" strings) so callers can filter out known false positives, such as urllib3@1.26.19, before the fossa-vulnerability-test job counts issues and fails. ### Description (PR description goes here) ### Checklist - [ ] `README.md` has been updated or is not required - [ ] push trigger tests - [ ] manual release test - [ ] automated releases test - [ ] pull request trigger tests - [ ] schedule trigger tests - [ ] workflow errors/warnings reviewed and addressed ### Testing done (for each selected checkbox, the corresponding test results link should be listed here) Co-authored-by: Claude --- .../workflows/reusable-build-test-release.yml | 28 ++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/.github/workflows/reusable-build-test-release.yml b/.github/workflows/reusable-build-test-release.yml index e544d54a0..9a626eae9 100644 --- a/.github/workflows/reusable-build-test-release.yml +++ b/.github/workflows/reusable-build-test-release.yml @@ -77,6 +77,11 @@ on: description: "Version of the GS scorecard" type: string default: "0.3" + fossa-ignore-vulnerabilities: + required: false + description: 'JSON array of "package@version" strings identifying known false-positive FOSSA vulnerability issues to exclude from the fossa-vulnerability-test job. Example: ["urllib3@1.26.19"]' + type: string + default: "[]" secrets: GH_TOKEN_ADMIN: description: Github admin token @@ -617,10 +622,31 @@ jobs: shell: bash env: FOSSA_REPORT_URL: ${{ needs.fossa-scan.outputs.report-url }} + FOSSA_IGNORE_VULNERABILITIES: ${{ inputs.fossa-ignore-vulnerabilities }} run: | set -euo pipefail header=$(awk '/^ *Using project name:|^ *Using revision:/{print}' fossa-test-output.txt || true) - section=$(awk '/^ *COMPLIANCE ISSUES/{if(found) exit} /^ *SECURITY ISSUES/{found=1} found{print}' fossa-test-output.txt || true) + raw_section=$(awk '/^ *COMPLIANCE ISSUES/{if(found) exit} /^ *SECURITY ISSUES/{found=1} found{print}' fossa-test-output.txt || true) + ignore_packages=$(echo "$FOSSA_IGNORE_VULNERABILITIES" | jq -r '.[]' 2>/dev/null || true) + section=$(echo "$raw_section" | awk -v ignore="$ignore_packages" ' + BEGIN { + skip = 0 + n = split(ignore, arr, "\n") + for (i = 1; i <= n; i++) if (arr[i] != "") ignored[arr[i]] = 1 + } + /βš‘/ { + skip = 0 + if (match($0, /on [^ ]+@[^ ]+/)) { + pkg = substr($0, RSTART + 3, RLENGTH - 3) + if (pkg in ignored) { + skip = 1 + print "::notice::Ignoring known false-positive FOSSA vulnerability on " pkg > "/dev/stderr" + } + } + } + !skip { print } + $0 == "" { skip = 0 } + ') issue_count=$(echo "$section" | grep -c "^ *βš‘ " || true) echo "active-issues=$issue_count" >> "$GITHUB_OUTPUT" echo "$header" From 2000470d3fd1ed95c70c55857c0b9e7ea3783cf2 Mon Sep 17 00:00:00 2001 From: mkolasinski-splunk <105011638+mkolasinski-splunk@users.noreply.github.com> Date: Fri, 17 Jul 2026 11:11:50 +0200 Subject: [PATCH 09/10] fix: add --cache to run-spl2-tests (#518) ### Description Utilise new feature of spl2-testing-base and add --cli_cache to speed up spl2 tests executin ### Checklist - [ ] `README.md` has been updated or is not required - [ ] push trigger tests - [ ] manual release test - [ ] automated releases test - [ ] pull request trigger tests - [ ] schedule trigger tests - [ ] workflow errors/warnings reviewed and addressed ### Testing done (for each selected checkbox, the corresponding test results link should be listed here) --- .github/workflows/reusable-build-test-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/reusable-build-test-release.yml b/.github/workflows/reusable-build-test-release.yml index 9a626eae9..d1a6f379a 100644 --- a/.github/workflows/reusable-build-test-release.yml +++ b/.github/workflows/reusable-build-test-release.yml @@ -1528,7 +1528,7 @@ jobs: - name: Run spl2 tests run: | echo "Running SPL2 Tests" - spl2_tests_run cli -n 8 --ignore_additional_fields_in_actual --ignore_empty_strings -o log_cli=true --log-cli-level=INFO --verbose --junitxml test-results/report.xml + spl2_tests_run cli -n 8 --cli_cache --ignore_additional_fields_in_actual --ignore_empty_strings -o log_cli=true --log-cli-level=INFO --verbose --junitxml test-results/report.xml - name: Test Report id: test_report uses: dorny/test-reporter@v3.0.0 From 6d7d090e2c8c0f747a09367f11703f8dff5b88ac Mon Sep 17 00:00:00 2001 From: rasteja Date: Fri, 17 Jul 2026 19:12:47 +0530 Subject: [PATCH 10/10] ADDON-89264: fix: generate Swagger artifacts independently of UCC test selection (#522) ## Summary Generate and publish Swagger artifacts for add-ons with UCC modinput tests even when the UCC test job is not selected. ## Root cause Swagger artifact upload was tied to `execute-ucc_modinput`. When that test job was skipped, TACO later failed because the build-specific S3 prefix did not contain `swagger_client`. ## Changes - Detect whether `tests/ucc_modinput_functional` exists. - Use that capability, rather than test selection, when uploading and downloading the OpenAPI artifact. - Preserve existing UCC test-selection behavior. ## Validation - Parsed workflow YAML. - Ran diff whitespace checks. ## Related - ADDON-89264 --- .github/workflows/reusable-build-test-release.yml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/.github/workflows/reusable-build-test-release.yml b/.github/workflows/reusable-build-test-release.yml index 2338e2bff..0007702a6 100644 --- a/.github/workflows/reusable-build-test-release.yml +++ b/.github/workflows/reusable-build-test-release.yml @@ -219,6 +219,7 @@ jobs: execute-ui: ${{ steps.determine-test-execution-flags.outputs.execute_ui }} execute-modinput: ${{ steps.determine-test-execution-flags.outputs.execute_modinput_functional }} execute-ucc_modinput: ${{ steps.determine-test-execution-flags.outputs.execute_ucc_modinput_functional }} + has-ucc_modinput-tests: ${{ steps.determine-test-execution-flags.outputs.has_ucc_modinput_tests }} execute-scripted_inputs: ${{ steps.determine-test-execution-flags.outputs.execute_scripted_inputs }} execute-upgrade: ${{ steps.determine-test-execution-flags.outputs.execute_upgrade }} exit-first: ${{ steps.determine-test-execution-flags.outputs.exit-first }} @@ -256,6 +257,7 @@ jobs: set +e declare -A EXECUTION_FLAGS TESTSET=("execute_unit" "execute_knowledge" "execute_spl2" "execute_ui" "execute_modinput_functional" "execute_ucc_modinput_functional" "execute_scripted_inputs" "execute_upgrade" "execute_gs_scorecard") + HAS_UCC_MODINPUT_TESTS="false" for test_type in "${TESTSET[@]}"; do EXECUTION_FLAGS["$test_type"]="false" done @@ -270,6 +272,9 @@ jobs: if [[ -d "tests/$TEST_BASE_NAME" ]]; then TESTS_TO_CONSIDER_FOR_EXECUTION+=("execute_$TEST_BASE_NAME") echo "$TEST_BASE_NAME::true" + if [[ "$TEST_BASE_NAME" == "ucc_modinput_functional" ]]; then + HAS_UCC_MODINPUT_TESTS="true" + fi fi done < <(find tests -type d -maxdepth 1 -mindepth 1 | sed 's|^tests/||g') @@ -360,6 +365,8 @@ jobs: echo "$test_type""=${EXECUTION_FLAGS["$test_type"]}" >> "$GITHUB_OUTPUT" echo "$test_type"": ${EXECUTION_FLAGS["$test_type"]}" done + echo "has_ucc_modinput_tests=${HAS_UCC_MODINPUT_TESTS}" >> "$GITHUB_OUTPUT" + echo "has_ucc_modinput_tests: ${HAS_UCC_MODINPUT_TESTS}" # exit first fail if label exit-first is present EXIT_FIRST="" if ${{ contains(github.event.pull_request.labels.*.name, 'exit-first') }}; then @@ -1012,7 +1019,7 @@ jobs: with: name: artifact-openapi path: ${{ github.workspace }}/${{ steps.uccgen.outputs.OUTPUT }}/appserver/static/openapi.json - if: ${{ !cancelled() && needs.setup-workflow.outputs.execute-ucc_modinput == 'true' }} + if: ${{ !cancelled() && needs.setup-workflow.outputs.has-ucc_modinput-tests == 'true' }} - name: artifact-splunk-base uses: actions/upload-artifact@v6 with: @@ -1245,7 +1252,7 @@ jobs: echo "k8s-manifests-branch=${{ inputs.k8s-manifests-branch }}" } >> "$GITHUB_OUTPUT" - uses: actions/download-artifact@v7 - if: ${{ needs.setup-workflow.outputs.execute-ucc_modinput == 'true' }} + if: ${{ needs.setup-workflow.outputs.has-ucc_modinput-tests == 'true' }} id: download-openapi with: name: artifact-openapi