Merge 1966937e49 into 56663023f5

Scan ARM images using Anchore's scan action, by utilizing the Ubuntu ARM
runners provided by GitHub. While our ARM images are used only in macOS
silicon platforms, we can use the Ubuntu ARM runners just for scanning.

Closes #1008

.github/workflows/scan.yml

@@ -10,7 +10,12 @@ on:
 
 jobs:
   security-scan-container:
-    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        runs-on:
+          - ubuntu-24.04
+          - ubuntu-24.04-arm
+    runs-on: ${{ matrix.runs-on }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -58,7 +63,12 @@ jobs:
           severity-cutoff: critical
 
   security-scan-app:
-    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        runs-on:
+          - ubuntu-24.04
+          - ubuntu-24.04-arm
+    runs-on: ${{ matrix.runs-on }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4

.github/workflows/scan_released.yml

@@ -9,11 +9,10 @@ jobs:
     strategy:
       matrix:
         include:
-          - runs-on: ubuntu-latest
+          - runs-on: ubuntu-24.04
             arch: i686
-          # Do not scan Silicon mac for now to avoid masking release scan results for other plaforms.
-          # - runs-on: macos-latest
-          #   arch: arm64
+          - runs-on: ubuntu-24.04-arm
+            arch: arm64
     runs-on: ${{ matrix.runs-on }}
     steps:
       - name: Checkout
@@ -55,7 +54,12 @@ jobs:
           severity-cutoff: critical
 
   security-scan-app:
-    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        runs-on:
+          - ubuntu-24.04
+          - ubuntu-24.04-arm
+    runs-on: ${{ matrix.runs-on }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4

tests/conftest.py

@@ -122,7 +122,7 @@ test_docs_compressed_dir = Path(__file__).parent.joinpath(SAMPLE_COMPRESSED_DIRE
 
 test_docs = [
     p
-    for p in test_docs_dir.rglob("*")
+    for p in test_docs_dir.glob("*")
     if p.is_file()
     and not (p.name.endswith(SAFE_EXTENSION) or p.name.startswith("sample_bad"))
 ]

tests/test_cli.py

@@ -11,6 +11,7 @@ import traceback
 from pathlib import Path
 from typing import Optional, Sequence
 
+import fitz
 import pytest
 from click.testing import CliRunner, Result
 from pytest_mock import MockerFixture
@@ -191,9 +192,26 @@ class TestCliConversion(TestCliBasic):
         result.assert_failure()
 
     @for_each_doc
-    def test_formats(self, doc: Path) -> None:
-        result = self.run_cli(str(doc))
+    def test_formats(self, doc: Path, tmp_path_factory: pytest.TempPathFactory) -> None:
+        reference = (doc.parent / "reference" / doc.stem).with_suffix(".pdf")
+        destination = tmp_path_factory.mktemp(doc.stem).with_suffix(".pdf")
+
+        result = self.run_cli([str(doc), "--output-filename", str(destination)])
         result.assert_success()
+        # When needed, regenerate the reference PDFs by uncommenting the following line:
+        # reference.parent.mkdir(parents=True, exist_ok=True)
+        # shutil.copy(destination, reference)
+
+        converted = fitz.open(destination)
+        ref = fitz.open(reference)
+        assert len(converted) == len(ref), "different number of pages"
+
+        for page, ref_page in zip(converted, ref):
+            page.get_pixmap(dpi=150)
+            ref_page.get_pixmap(dpi=150)
+            assert page.get_pixmap().tobytes() == ref_page.get_pixmap().tobytes(), (
+                f"different page content for page {page.number}"
+            )
 
     def test_output_filename(self, sample_pdf: str) -> None:
         temp_dir = tempfile.mkdtemp(prefix="dangerzone-")