chore(ci): Stop testing twice (#172)

* wip

* wip

* wip

* wip

* wip

* wip

.github/actions/comment/action.yml

@@ -0,0 +1,39 @@
+name: Update Slash Command Dispatch Comment
+
+description: Update Slash Command Dispatch comment with the run URL
+
+inputs:
+  application_id:
+    description: 'The GitHub App ID'
+    required: false
+  application_private_key:
+    description: 'The GitHub App private key'
+    required: false
+
+runs:
+  using: composite
+  steps:
+    - name: Get token
+      id: get_installation_token
+      uses: peter-murray/workflow-application-token-action@v2
+      with:
+        application_id: ${{ inputs.application_id }}
+        application_private_key: ${{ inputs.application_private_key }}
+
+    - name: Create URL to the run output
+      id: vars
+      shell: bash -e -o pipefail {0}
+      run: echo "run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" >> $GITHUB_OUTPUT
+
+    # Will update the comment that triggered the /test comment and add the run-url
+    - name: Update comment
+      if: github.event_name == 'repository_dispatch'
+      uses: peter-evans/create-or-update-comment@v3
+      with:
+        token: ${{ inputs.token || steps.get_installation_token.outputs.token }}
+        repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
+        comment-id: ${{ github.event.client_payload.github.payload.comment.id }}
+        body: |
+          :robot: [View pipeline run][1]
+
+          [1]: ${{ steps.vars.outputs.run-url }}

.github/actions/test/action.yml

@@ -0,0 +1,132 @@
+name: Run Tests
+
+description: Run Tests
+
+inputs:
+  application_id:
+    description: 'The GitHub App ID'
+    required: true
+  application_private_key:
+    description: 'The GitHub App private key'
+    required: true
+  platform:
+    description: 'The platform to run the tests on'
+    required: true
+  github-context:
+    description: The GitHub Status Context to use when updating the status
+    required: true
+  registry:
+    description: The registry to push the image to
+    required: true
+  image-name:
+    description: The name of the image to push
+    required: true
+
+runs:
+  using: composite
+  steps:
+
+    - name: Update GitHub Status for pending
+      uses: defenseunicorns/delivery-github-actions-workflows/.github/actions/report-status-context@main
+      with:
+        application_id: ${{ inputs.application_id }}
+        application_private_key: ${{ inputs.application_private_key }}
+        status-check: test-all (${{ matrix.platform }})
+        status: pending
+        description: "started by @${{ github.event.client_payload.github.actor || github.actor }}"
+
+    - name: Convert platform to valid artifact name
+      id: convert-platform
+      uses: mad9000/actions-find-and-replace-string@4
+      with:
+        source: ${{ inputs.platform }}
+        find: '/'
+        replace: '-'
+        replaceAll: "true"
+
+    - name: Checkout
+      uses: actions/checkout@v4
+
+    - name: Extract metadata (tags, labels) for Docker
+      id: meta
+      uses: docker/metadata-action@v5
+      with:
+        images: ${{ inputs.registry }}/${{ inputs.image-name }}
+        tags: |
+          type=raw,value=${{ github.ref_name }}
+
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v3
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Build image to tarball
+      id: build
+      uses: docker/build-push-action@v5
+      with:
+        context: .
+        platforms: ${{ inputs.platform }}
+        labels: ${{ steps.meta.outputs.labels }}
+        outputs: type=docker,dest=./image.tar
+        no-cache: true
+
+    - name: Build SBOM
+      shell: bash -e -o pipefail {0}
+      run: |
+        make sbom IMAGE_TO_SCAN=docker-archive:./image.tar
+
+    - name: Upload SBOM
+      uses: actions/upload-artifact@v4
+      with:
+        name: sbom-${{steps.convert-platform.outputs.value}}
+        path: |
+          sbom.cyclonedx.json
+          sbom.spdx.json
+          sbom.syft.json
+          sbom.table.txt
+        if-no-files-found: error
+
+    - name: Build Vuln Report
+      shell: bash -e -o pipefail {0}
+      run: |
+        make vuln-report
+
+    - name: Upload Vuln Report
+      uses: actions/upload-artifact@v4
+      with:
+        name: vuln-report-${{steps.convert-platform.outputs.value}}
+        path: |
+          vulns.grype.json
+          vulns.grype.txt
+        if-no-files-found: error
+
+    - name: Update GitHub Status for success
+      if: ${{ success() }}
+      uses: defenseunicorns/delivery-github-actions-workflows/.github/actions/report-status-context@main
+      with:
+        application_id: ${{ inputs.application_id }}
+        application_private_key: ${{ inputs.application_private_key }}
+        status-check: test-all (${{ matrix.platform }})
+        status: success
+        description: run passed
+
+    - name: Update GitHub Status for failure
+      if: ${{ failure() }}
+      uses: defenseunicorns/delivery-github-actions-workflows/.github/actions/report-status-context@main
+      with:
+        application_id: ${{ inputs.application_id }}
+        application_private_key: ${{ inputs.application_private_key }}
+        status-check: test-all (${{ matrix.platform }})
+        status: failure
+        description: run failed
+
+    - name: Update GitHub Status for cancelled
+      if: ${{ cancelled() }}
+      uses: defenseunicorns/delivery-github-actions-workflows/.github/actions/report-status-context@main
+      with:
+        application_id: ${{ inputs.application_id }}
+        application_private_key: ${{ inputs.application_private_key }}
+        status-check: test-all (${{ matrix.platform }})
+        status: error
+        description: run failed

.github/workflows/test-command.yml

@@ -0,0 +1,64 @@
+# This workflow is triggered by a comment on a pull request. The comment must contain "/test <command>" to trigger the workflow.
+
+# Attribution for a bunch of this goes to CloudPosse
+# https://github.com/cloudposse/actions/blob/master/.github/workflows/test-command.yml
+
+name: test-command
+
+on:
+  repository_dispatch:
+    types: [test-command]
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}/build-harness
+
+permissions:
+  id-token: write
+  contents: read
+
+defaults:
+  run:
+    # We need -e -o pipefail for consistency with GitHub Actions' default behavior
+    shell: bash -e -o pipefail {0}
+
+jobs:
+  # Update the comment that triggered the /test command to show the run url
+  comment:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v4
+        with:
+          repository: ${{ github.event.client_payload.pull_request.head.repo.full_name || github.repository }}
+          ref: ${{ github.event.client_payload.pull_request.head.ref || github.ref_name }}
+      - name: Update Comment
+        uses: ./.github/actions/comment
+        with:
+          application_id: ${{ secrets.NARWHAL_BOT_APP_ID }}
+          application_private_key: ${{ secrets.NARWHAL_BOT_SECRET }}
+
+  test-all:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+          platform:
+          - linux/amd64
+          - linux/arm64/v8
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v4
+        with:
+          repository: ${{ github.event.client_payload.pull_request.head.repo.full_name || github.repository }}
+          ref: ${{ github.event.client_payload.pull_request.head.ref || github.ref_name }}
+      - name: Run Tests
+        uses: ./.github/actions/test
+        with:
+          application_id: ${{ secrets.NARWHAL_BOT_APP_ID }}
+          application_private_key: ${{ secrets.NARWHAL_BOT_SECRET }}
+          PLATFORM: ${{ matrix.platform }}
+          github-context: test-all (${{ matrix.platform }})
+          registry: ${{ env.REGISTRY }}
+          image-name: ${{ env.IMAGE_NAME }}
+