Run Security build on image from opensearch-build (opensearch-project#4966)

cwperks · DarshitChanpura · web-flow · commit dae9f6c71d3d · 2025-03-20T13:16:57.000-04:00
Signed-off-by: Craig Perkins &lt;cwperx@amazon.com&gt;
Co-authored-by: Darshit Chanpura &lt;dchanp@amazon.com&gt;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -13,6 +13,11 @@ env:
   CI_ENVIRONMENT: normal
 
 jobs:
+  Get-CI-Image-Tag:
+    uses: opensearch-project/opensearch-build/.github/workflows/get-ci-image-tag.yml@main
+    with:
+      product: opensearch
+
   generate-test-list:
     runs-on: ubuntu-latest
     outputs:
@@ -32,14 +37,14 @@ jobs:
       run: |
         echo "separateTestsNames=$(./gradlew listTasksAsJSON -q --console=plain | tail -n 1)" >> $GITHUB_OUTPUT
 
-  test:
+  test-windows:
     name: test
     needs: generate-test-list
     strategy:
       fail-fast: false
       matrix:
         gradle_task: ${{ fromJson(needs.generate-test-list.outputs.separateTestsNames) }}
-        platform: [windows-latest, ubuntu-latest]
+        platform: [windows-latest]
         jdk: [21]
     runs-on: ${{ matrix.platform }}
 
@@ -67,8 +72,51 @@ jobs:
         path: |
           ./build/reports/
 
+  test-linux:
+    name: test
+    needs: ["generate-test-list", "Get-CI-Image-Tag"]
+    strategy:
+      fail-fast: false
+      matrix:
+        gradle_task: ${{ fromJson(needs.generate-test-list.outputs.separateTestsNames) }}
+        platform: [ubuntu-latest]
+        jdk: [21]
+    runs-on: ubuntu-latest
+    container:
+      # using the same image which is used by opensearch-build to build the OpenSearch Distribution
+      # this image tag is subject to change as more dependencies and updates will arrive over time
+      image: ${{ needs.Get-CI-Image-Tag.outputs.ci-image-version-linux }}
+      # need to switch to root so that github actions can install runner binary on container without permission issues.
+      options: ${{ needs.Get-CI-Image-Tag.outputs.ci-image-start-options }}
+
+    steps:
+      - name: Run start commands
+        run: ${{ needs.Get-CI-Image-Tag.outputs.ci-image-start-command }}
+      - name: Set up JDK for build and test
+        uses: actions/setup-java@v4
+        with:
+          distribution: temurin # Temurin is a distribution of adoptium
+          java-version: ${{ matrix.jdk }}
+
+      - name: Checkout security
+        uses: actions/checkout@v4
+
+      - name: Build and Test
+        uses: gradle/gradle-build-action@v3
+        with:
+          cache-disabled: true
+          arguments: |
+            ${{ matrix.gradle_task }} -Dbuild.snapshot=false
+
+      - uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: ${{ matrix.platform }}-JDK${{ matrix.jdk }}-${{ matrix.gradle_task }}-reports
+          path: |
+            ./build/reports/
+
   report-coverage:
-    needs: ["test", "integration-tests"]
+    needs: ["test-windows", "test-linux", "integration-tests-windows", "integration-tests-linux"]
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -92,13 +140,13 @@ jobs:
             verbose: true
 
 
-  integration-tests:
+  integration-tests-windows:
     name: integration-tests
     strategy:
       fail-fast: false
       matrix:
         jdk: [21]
-        platform: [ubuntu-latest, windows-latest]
+        platform: [windows-latest]
     runs-on: ${{ matrix.platform }}
 
     steps:
@@ -125,6 +173,47 @@ jobs:
         path: |
           ./build/reports/
 
+  integration-tests-linux:
+    name: integration-tests
+    needs: ["Get-CI-Image-Tag"]
+    strategy:
+      fail-fast: false
+      matrix:
+        jdk: [21]
+        platform: [ubuntu-latest]
+    runs-on: ubuntu-latest
+    container:
+      # using the same image which is used by opensearch-build team to build the OpenSearch Distribution
+      # this image tag is subject to change as more dependencies and updates will arrive over time
+      image: ${{ needs.Get-CI-Image-Tag.outputs.ci-image-version-linux }}
+      # need to switch to root so that github actions can install runner binary on container without permission issues.
+      options: ${{ needs.Get-CI-Image-Tag.outputs.ci-image-start-options }}
+
+    steps:
+      - name: Run start commands
+        run: ${{ needs.Get-CI-Image-Tag.outputs.ci-image-start-command }}
+      - name: Set up JDK for build and test
+        uses: actions/setup-java@v4
+        with:
+          distribution: temurin # Temurin is a distribution of adoptium
+          java-version: ${{ matrix.jdk }}
+
+      - name: Checkout security
+        uses: actions/checkout@v4
+
+      - name: Build and Test
+        uses: gradle/gradle-build-action@v3
+        with:
+          cache-disabled: true
+          arguments: |
+            integrationTest -Dbuild.snapshot=false
+
+      - uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: integration-${{ matrix.platform }}-JDK${{ matrix.jdk }}-reports
+          path: |
+            ./build/reports/
 
   resource-tests:
     env:
