18 changes: 0 additions & 18 deletions pkg/containers/detection_test.go

This file was deleted.

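--- a/pkg/logging/rate_limited_logger.go
+++ b/pkg/logging/rate_limited_logger.go
@@ -163,10 +163,11 @@ const (
 localFilePathPrefix = "github.com/stackrox/stackrox/"
 filePathPrefix = "github.com/stackrox/rox/"
 githubPathPrefix = "/__w/stackrox/stackrox/"
+githubHostPrefix = "/home/runner/work/stackrox/stackrox/"
 )
 
 func getTrimmedFilePath(path string) string {
-prefixes := []string{filePathPrefix, localFilePathPrefix, githubPathPrefix}
+prefixes := []string{filePathPrefix, localFilePathPrefix, githubPathPrefix, githubHostPrefix}
 for _, prefix := range prefixes {
 prefixToCut := strings.Index(path, prefix)
 if prefixToCut >= 0 {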
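Review bot: Nothing tells a reader which runner layout `githubPathPrefix` and the new `githubHostPrefix` each correspond to, so the next CI path change will be guesswork. A comment on the constants would help, for example `// githubPathPrefix is the checkout path inside a container job; githubHostPrefix is the checkout path when the job runs directly on the runner host.` That wording is inferred from the names and path shapes, so confirm it before adding. Since the list never changes, `prefixes` could also be a package-level `var` instead of a slice built on every call. The body of getTrimmedFilePath continues past the end of this hunk.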
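--- a/roxctl/common/zipdownload/download_zip_test.go
+++ b/roxctl/common/zipdownload/download_zip_test.go
@@ -3,6 +3,7 @@ package zipdownload
 import (
 "archive/zip"
 "bytes"
+"errors"
 "io/fs"
 "os"
 "path/filepath"
@@ -208,7 +209,9 @@ func TestExtractZipToFolder_PreventPathTraversal(t *testing.T) {
 
 for _, path := range checkPaths {
 _, err := os.Stat(path)
-// Expect "no such file or directory" - meaning the file wasn't created
-assert.ErrorIs(t, err, fs.ErrNotExist, "Malicious file should not exist at %s", path)
+// File must not exist. On non-root runners, paths under /root/ return
+// ErrPermission instead of ErrNotExist — both confirm the file wasn't written.
+assert.True(t, errors.Is(err, fs.ErrNotExist) || errors.Is(err, fs.ErrPermission),
+"Malicious file should not exist at %s, got: %v", path, err)
 }
 }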
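Review bot: Accepting `fs.ErrPermission` for every entry in `checkPaths` weakens this path-traversal regression test. A permission error only says the lookup was blocked, not that the file is absent, and the assertion now also passes for any path outside `/root/` that unexpectedly returns it. Consider keeping the strict check and skipping only the expected case, e.g. `if errors.Is(err, fs.ErrPermission) && os.Geteuid() != 0 { continue }` ahead of the original `assert.ErrorIs(t, err, fs.ErrNotExist, ...)`. That way a root run still requires `ErrNotExist` everywhere. The function starts above this hunk, so how `checkPaths` is built is not visible here.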
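--- a/scripts/ci/lib.sh
+++ b/scripts/ci/lib.sh
@@ -2322,12 +2322,16 @@ _EO_SUITE_HEADER_
 local result="${lines[1]}"
 local details="${lines[2]}"
 
-# XML escape description
-description="${description//&/&}"
-description="${description//\"/"}"
-description="${description//\'/'}"
-description="${description//</&lt;}"
-description="${description//>/&gt;}"
+# XML escape description.
+# \& is required: bash 5.2+ treats & in ${var//pat/repl} as the
+# matched text (like sed), so without \& the & is replaced by the
+# match itself. \& works on all bash versions (4.4–5.3 verified).
+# CI container had bash 5.1 (UBI9); ubuntu-latest has bash 5.2+.
+description="${description//&/\&amp;}"
+description="${description//\"/\&quot;}"
+description="${description//\'/\&#39;}"
+description="${description//</\&lt;}"
+description="${description//>/\&gt;}"
 
 cat << _EO_CASE_HEADER_ >> "${junit_file}"
 <testcase name="${description}" classname="${class}">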
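Review bot: Only `description` is escaped, yet `${class}` is interpolated into the `classname="..."` attribute on the `<testcase` line without any escaping, so a class name containing `&`, `<` or `"` would still produce malformed JUnit XML. Moving the five substitutions into a small helper lets both values, and `details` if it is written into the report further down (not visible in this hunk), go through the same path. It also keeps the `\&` explanation in one place. The enclosing function begins and ends outside this hunk.

```shell
# Escape the five XML special characters. \& keeps & literal in the
# replacement on bash 5.2+ and is harmless on older versions.
_xml_escape() {
    local s="$1"
    s="${s//&/\&amp;}"
    s="${s//\"/\&quot;}"
    s="${s//\'/\&#39;}"
    s="${s//</\&lt;}"
    s="${s//>/\&gt;}"
    printf '%s' "$s"
}

# … unchanged: lines[] parsing into description / result / details …
description="$(_xml_escape "${description}")"
class="$(_xml_escape "${class}")"
# … unchanged: heredoc writing the <testcase> element …
```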
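--- a/tests/roxctl/bats-tests/helpers.bash
+++ b/tests/roxctl/bats-tests/helpers.bash
@@ -9,6 +9,14 @@ fi
 load "${bats_helpers_root}/bats-support/load.bash"
 load "${bats_helpers_root}/bats-assert/load.bash"
 
+# yq_multidoc runs yq and strips --- document separators from output.
+# yq 4.x adds separators between multi-doc results which shift assert_line indices.
+yq_multidoc() {
+local output
+output=$(yq "$@") || return $?
+sed '/^---$/d' <<< "$output"
+}
+
 # luname outputs uname in lowercase
 luname() {
 uname | tr '[:upper:]' '[:lower:]'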
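Review bot: The helper's comment does not say why the separators are stripped with `sed` rather than with yq's own `-N`/`--no-doc` flag, which suppresses them in yq 4.x. If the `sed` filter is kept so the tests also pass on runners with an older yq, state that in the comment, e.g. `# sed is used instead of 'yq -N' so the helper also works where yq does not support that flag.` The local is also named `output`, the same name bats `run` sets for the assertions to read. It is harmless here because of `local`, but `local yq_out` would avoid the confusion.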
Expand Up @@ -60,7 +60,7 @@ teardown() {
assert_line '2'

# Ensure that all yaml docs are of kind 'NetworkPolicy'
run yq e '.kind | ({"match": ., "doc": di})' "${ofile}"
run yq_multidoc e '.kind | ({"match": ., "doc": di})' "${ofile}"
assert_line --index 0 'match: NetworkPolicy'
assert_line --index 1 'doc: 0'
assert_line --index 2 'match: NetworkPolicy'
Expand All @@ -69,7 +69,7 @@ teardown() {
assert_line --index 5 'doc: 2'

# Ensure that all NetworkPolicies have the generated-by-stackrox label
run yq e '.metadata.labels | ({"match": ."network-policy-buildtime-generator.stackrox.io/generated", "doc": di})' "${ofile}"
run yq_multidoc e '.metadata.labels | ({"match": ."network-policy-buildtime-generator.stackrox.io/generated", "doc": di})' "${ofile}"
assert_line --index 0 'match: "true"'
assert_line --index 1 'doc: 0'
assert_line --index 2 'match: "true"'
Expand Down Expand Up @@ -99,7 +99,7 @@ teardown() {
assert_line '2'

# Ensure that all yaml docs are of kind 'NetworkPolicy'
run yq e '.kind | ({"match": ., "doc": di})' "${ofile}"
run yq_multidoc e '.kind | ({"match": ., "doc": di})' "${ofile}"
assert_line --index 0 'match: NetworkPolicy'
assert_line --index 1 'doc: 0'
assert_line --index 2 'match: NetworkPolicy'
Expand All @@ -108,7 +108,7 @@ teardown() {
assert_line --index 5 'doc: 2'

# Ensure that dns ports are properly set
run yq e '.spec.egress[1].ports[0].port | ({"match": ., "doc": di})' "${ofile}"
run yq_multidoc e '.spec.egress[1].ports[0].port | ({"match": ., "doc": di})' "${ofile}"
assert_line --index 0 'match: null'
assert_line --index 1 'doc: 0'
assert_line --index 2 'match: '${dns_port}
Expand All @@ -131,7 +131,7 @@ teardown() {
yaml_valid "$ofile"

# Ensure that dns ports are properly set
run yq e '.spec.egress[1].ports[0].port | ({"match": ., "doc": di})' "${ofile}"
run yq_multidoc e '.spec.egress[1].ports[0].port | ({"match": ., "doc": di})' "${ofile}"
assert_line --index 0 'match: null'
assert_line --index 1 'doc: 0'
assert_line --index 2 'match: '${dns_port}
Expand Up @@ -61,43 +61,22 @@ teardown() {
assert_line '2'

# Ensure that all yaml docs are of kind 'NetworkPolicy'
run yq e '.kind | ({"match": ., "doc": di})' "${ofile}"
# Github actions run yq v3
run yq_multidoc e '.kind | ({"match": ., "doc": di})' "${ofile}"
assert_line --index 0 'match: NetworkPolicy'
assert_line --index 1 'doc: 0'
assert_line --index 2 'match: NetworkPolicy'
assert_line --index 3 'doc: 1'
assert_line --index 4 'match: NetworkPolicy'
assert_line --index 5 'doc: 2'

# yq v4 assertions
# assert_line --index 0 'match: NetworkPolicy'
# assert_line --index 1 'doc: 0'
# assert_line --index 2 '---'
# assert_line --index 3 'match: NetworkPolicy'
# assert_line --index 4 'doc: 1'
# assert_line --index 5 '---'
# assert_line --index 6 'match: NetworkPolicy'
# assert_line --index 7 'doc: 2'

# Ensure that all NetworkPolicies have the generated-by-stackrox label
run yq e '.metadata.labels | ({"match": ."network-policy-buildtime-generator.stackrox.io/generated", "doc": di})' "${ofile}"
run yq_multidoc e '.metadata.labels | ({"match": ."network-policy-buildtime-generator.stackrox.io/generated", "doc": di})' "${ofile}"
assert_line --index 0 'match: "true"'
assert_line --index 1 'doc: 0'
assert_line --index 2 'match: "true"'
assert_line --index 3 'doc: 1'
assert_line --index 4 'match: "true"'
assert_line --index 5 'doc: 2'

# yq v4 assertions
# assert_line --index 0 'match: "true"'
# assert_line --index 1 'doc: 0'
# assert_line --index 2 '---'
# assert_line --index 3 'match: "true"'
# assert_line --index 4 'doc: 1'
# assert_line --index 5 '---'
# assert_line --index 6 'match: "true"'
# assert_line --index 7 'doc: 2'
}

@test "roxctl-release netpol generate generates network policies with custom dns port" {
Expand All @@ -121,7 +100,7 @@ teardown() {
assert_line '2'

# Ensure that all yaml docs are of kind 'NetworkPolicy'
run yq e '.kind | ({"match": ., "doc": di})' "${ofile}"
run yq_multidoc e '.kind | ({"match": ., "doc": di})' "${ofile}"
assert_line --index 0 'match: NetworkPolicy'
assert_line --index 1 'doc: 0'
assert_line --index 2 'match: NetworkPolicy'
Expand All @@ -130,7 +109,7 @@ teardown() {
assert_line --index 5 'doc: 2'

# Ensure that dns ports are properly set
run yq e '.spec.egress[1].ports[0].port | ({"match": ., "doc": di})' "${ofile}"
run yq_multidoc e '.spec.egress[1].ports[0].port | ({"match": ., "doc": di})' "${ofile}"
assert_line --index 0 'match: null'
assert_line --index 1 'doc: 0'
assert_line --index 2 'match: '${dns_port}
Expand All @@ -153,7 +132,7 @@ teardown() {
yaml_valid "$ofile"

# Ensure that dns ports are properly set
run yq e '.spec.egress[1].ports[0].port | ({"match": ., "doc": di})' "${ofile}"
run yq_multidoc e '.spec.egress[1].ports[0].port | ({"match": ., "doc": di})' "${ofile}"
assert_line --index 0 'match: null'
assert_line --index 1 'doc: 0'
assert_line --index 2 'match: '${dns_port}