ComplianceAsCode · Mab879 · Jan 23, 2026 · Jan 14, 2026 · Jan 14, 2026 · Jan 16, 2026
diff --git a/.github/workflows/atex-build.yaml b/.github/workflows/atex-build.yaml
@@ -63,12 +63,24 @@ jobs:
           # Clean up temporary metadata
           rm -rf jinja2_cache
 
+      - name: Save file permissions before artifact upload
+        run: |
+          # GitHub Actions artifact upload/download strips execute permissions
+          # Save all file permissions so they can be restored after download
+          echo "=== Saving file permissions ==="
+          find . -type f -printf '%m %p\n' > file-permissions.txt
+          echo "Saved permissions for $(wc -l < file-permissions.txt) files"
+          # Show sample of executable files being saved
+          echo "=== Sample executable files ==="
+          grep -E '^[0-7]*[1357][0-7]* ' file-permissions.txt | head -10 || true
+
       - name: Upload build artifacts
         uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: content-centos-stream${{ matrix.centos_stream_major }}
           path: .
           retention-days: ${{ env.ARTIFACT_RETENTION_DAYS }}
+          include-hidden-files: true # make sure all .dot files are included e.g. .cmakelintrc
 
   save_pr_info:
     name: Save PR information for workflow_run

diff --git a/.github/workflows/atex-test.yaml b/.github/workflows/atex-test.yaml
@@ -12,6 +12,9 @@ env:
   CONTEST_REPO: RHSecurityCompliance/contest
   ARTIFACT_RETENTION_DAYS: 1
   TEST_TIMEOUT: 1440 # 24 hours
+  # CentOS Stream versions to test (space-separated for shell loops)
+  # NOTE: Keep in sync with matrix.centos_stream_major in the test job
+  CS_VERSIONS: "8 9 10"
 
 permissions:
   contents: read
@@ -66,8 +69,14 @@ jobs:
     name: Test on CentOS Stream ${{ matrix.centos_stream_major }}
     runs-on: ubuntu-latest
     needs: check_build
+    outputs:
+      # Contest SHA from any matrix job (all use same ref, so same SHA)
+      contest_sha: ${{ steps.get_contest.outputs.contest_sha }}
+      contest_ref: ${{ steps.get_contest.outputs.contest_ref }}
     strategy:
+      fail-fast: false
       matrix:
+        # NOTE: Keep in sync with env.CS_VERSIONS at the top of this file
         centos_stream_major: [8, 9, 10]
     container:
       image: fedora:latest
@@ -84,6 +93,36 @@ jobs:
           name: content-centos-stream${{ matrix.centos_stream_major }}
           path: content-centos-stream${{ matrix.centos_stream_major }}/
 
+      - name: Restore file permissions lost during artifact download
+        run: |
+          # GitHub Actions artifact download strips execute permissions
+          # Restore permissions from the saved file created during build
+          CONTENT_DIR="content-centos-stream${{ matrix.centos_stream_major }}"
+          PERMS_FILE="${CONTENT_DIR}/file-permissions.txt"
+
+          if [ -f "${PERMS_FILE}" ]; then
+            echo "=== Restoring file permissions from ${PERMS_FILE} ==="
+            cd "${CONTENT_DIR}"
+            while IFS=' ' read -r mode filepath; do
+              # Remove leading ./ from filepath if present
+              filepath="${filepath#./}"
+              if [ -f "${filepath}" ]; then
+                chmod "${mode}" "${filepath}"
+              fi
+            done < file-permissions.txt
+            echo "Restored permissions for $(wc -l < file-permissions.txt) files"
+            # Show sample of restored executable files
+            echo "=== Sample executable files after restore ==="
+            find . -type f -executable -name "*.py" 2>/dev/null | head -5 || true
+            find . -type f -executable -name "*.sh" 2>/dev/null | head -5 || true
+          else
+            echo "WARNING: ${PERMS_FILE} not found, permissions may be incorrect"
+            exit 1
+          fi
+
+      - name: Install git for checkout
+        run: dnf -y install git
+
       - name: Checkout Contest Test Suite
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
@@ -92,10 +131,19 @@ jobs:
           path: contest
           fetch-depth: 1
 
+      - name: Get Contest SHA
+        id: get_contest
+        run: |
+          CONTEST_SHA=$(cd contest && git rev-parse HEAD)
+          CONTEST_REF="main"
+          echo "contest_sha=${CONTEST_SHA}" >> $GITHUB_OUTPUT
+          echo "contest_ref=${CONTEST_REF}" >> $GITHUB_OUTPUT
+          echo "Contest: ${CONTEST_SHA:0:12} (${CONTEST_REF})"
+
       - name: Install test dependencies
         run: |
-          dnf -y install python3-pip git rsync
-          pip install fmf atex==0.11
+          dnf -y install python3-pip rsync
+          pip install fmf atex==0.12
 
       - name: Run tests on Testing Farm
         env:
@@ -105,8 +153,7 @@ jobs:
           python3 tests/run_tests_testingfarm.py \
             --contest-dir contest \
             --content-dir content-centos-stream${CS_MAJOR} \
-            --plan "/plans/daily" \
-            --tests "/hardening/host-os/oscap/stig" \
+            --plan "/plans/upstream" \
             --compose "CentOS-Stream-${CS_MAJOR}" \
             --arch x86_64 \
             --os-major-version "${CS_MAJOR}" \
@@ -139,7 +186,7 @@ jobs:
         if: always()
         run: |
           dnf -y install python3-pip git rsync
-          pip install fmf atex==0.11
+          pip install fmf atex==0.12
 
       - name: Checkout ATEX results repository
         if: always()
@@ -155,16 +202,16 @@ jobs:
         working-directory: atex-results-testing-farm
         run: fmf init
 
-      - name: Create TMT dummy plan for artifact transport
+      - name: Create TMT atex_results plan for artifact transport
         if: always()
         working-directory: atex-results-testing-farm
         run: |
           cat > main.fmf <<'EOF'
-          /dummy_plan:
+          /atex_results_plan:
               discover:
                   how: shell
                   tests:
-                    - name: /dummy_test
+                    - name: /atex_results_test
                       test: mv * "$TMT_TEST_DATA/."
               execute:
                   how: tmt
@@ -217,7 +264,7 @@ jobs:
           mkdir -p atex-results-testing-farm/files_dir/
 
           # Process and merge results for all CentOS Stream versions
-          for version in 8 9 10; do
+          for version in ${{ env.CS_VERSIONS }}; do
             results_file="test-results/cs${version}/results-centos-stream-${version}-x86_64.json.xz"
             files_dir="test-results/cs${version}/files-centos-stream-${version}-x86_64"
 
@@ -238,6 +285,74 @@ jobs:
         run: |
           cp -rf atex-html/index.html atex-html/sqljs/ atex-results-testing-farm/
 
+      - name: Generate header.html for results page
+        if: always()
+        env:
+          PR_NUMBER: ${{ needs.check_build.outputs.pr_number }}
+          PR_SHA: ${{ needs.check_build.outputs.pr_sha }}
+          CONTEST_SHA: ${{ needs.test.outputs.contest_sha }}
+          CONTEST_REF: ${{ needs.test.outputs.contest_ref }}
+          WORKFLOW_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+          REPO_URL: ${{ github.server_url }}/${{ github.repository }}
+          ACTOR: ${{ github.actor }}
+          RUN_STARTED: ${{ github.event.workflow_run.created_at }}
+          CS_VERSIONS: ${{ env.CS_VERSIONS }}
+        run: |
+          cat > atex-results-testing-farm/header.html <<'HEADER_EOF'
+          <style>
+              #header table {
+                  display: inline-table;
+                  margin-right: 1em;
+                  vertical-align: top;
+                  border-collapse: collapse;
+              }
+              #header th, td {
+                  border: 1px solid black;
+                  padding: 0.3em;
+              }
+              #header h1 {
+                  color: #aaa;
+                  margin: 0;
+              }
+              #header h2 {
+                  color: #555;
+                  margin: 0;
+              }
+          </style>
+          HEADER_EOF
+
+          # Add dynamic content - header section
+          cat >> atex-results-testing-farm/header.html <<EOF
+          <h1>ATEX Upstream Testing</h1>
+          <h2>PR <a href="${REPO_URL}/pull/${PR_NUMBER}">#${PR_NUMBER}</a>
+           - Workflow <a href="${WORKFLOW_URL}">#${{ github.run_id }}</a>
+           started on <span id="header-started-on"></span>
+           by <a href="https://github.com/${ACTOR}"><code>${ACTOR}</code></a></h2>
+          <script>document.getElementById('header-started-on').textContent = new Date('${RUN_STARTED}').toLocaleString()</script>
+          <div style="margin-top: 1em; margin-bottom: 1em">
+              <table>
+                  <tr><th colspan="1">CentOS Stream</th></tr>
+          EOF
+
+          # List each CentOS Stream version that was tested
+          for version in ${CS_VERSIONS}; do
+            echo "            <tr><td>${version}</td></tr>" >> atex-results-testing-farm/header.html
+          done
+
+          # Add commit info table
+          cat >> atex-results-testing-farm/header.html <<EOF
+              </table>
+              <table>
+                  <tr><th>Repo</th><th>Commit used</th></tr>
+                  <tr><td>Content</td><td style="font-family: monospace, monospace;"><a href="${REPO_URL}/commit/${PR_SHA}">${PR_SHA:0:12}</a></td></tr>
+                  <tr><td>Contest (${CONTEST_REF})</td><td style="font-family: monospace, monospace;"><a href="https://github.com/${{ env.CONTEST_REPO }}/commit/${CONTEST_SHA}">${CONTEST_SHA:0:12}</a></td></tr>
+              </table>
+          </div>
+          EOF
+
+          echo "=== Generated header.html ==="
+          cat atex-results-testing-farm/header.html
+
       - name: Commit and tag results in ATEX repository
         if: always()
         working-directory: atex-results-testing-farm
@@ -311,6 +426,7 @@ jobs:
           check_id: ${{ needs.check_build.outputs.check_id }}
           sha: ${{ needs.check_build.outputs.pr_sha }}
           status: completed
-          conclusion: ${{ job.status }}
+          # Use test job result to determine conclusion - needs.test.result will be 'failure' if any matrix job failed
+          conclusion: ${{ needs.test.result }}
           output: |
             {"summary":"ATEX tests completed. Job: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}. View results: ${{ steps.testing_farm_request.outputs.HTML_LINK }}","title":"ATEX Testing Complete"}
diff --git a/.packit.yaml b/.packit.yaml
@@ -23,136 +23,16 @@ jobs:
   trigger: commit
   branch: "gh-readonly-queue/.*"
 
-- &test-static-checks
+# when modifying this, modify also tests/tmt-plans/
+- &fedora-tests
   job: tests
   trigger: pull_request
   fmf_path: tests/tmt
-  identifier: /static-checks
-  tmt_plan: /plans/contest/static-checks$
-  targets:
-    centos-stream-8: {}
-    centos-stream-9: {}
-    centos-stream-10: {}
-
-# when modifying this, modify also tests/tmt-plans/
-
-- <<: *test-static-checks
   identifier: /rpmbuild-ctest-fedora
   tmt_plan: /plans/contest/rpmbuild-ctest-fedora$
   targets:
     fedora-all: {}
-- <<: *test-static-checks
-  identifier: /hardening/host-os/ansible/anssi_bp28_high
-  tmt_plan: /plans/contest/hardening/host-os/ansible/anssi_bp28_high$
-- <<: *test-static-checks
-  identifier: /hardening/host-os/ansible/bsi
-  tmt_plan: /plans/contest/hardening/host-os/ansible/bsi$
-  targets:
-    centos-stream-9: {}
-- <<: *test-static-checks
-  identifier: /hardening/host-os/ansible/ccn_advanced
-  tmt_plan: /plans/contest/hardening/host-os/ansible/ccn_advanced$
-  targets:
-    centos-stream-9: {}
-- <<: *test-static-checks
-  identifier: /hardening/host-os/ansible/cis
-  tmt_plan: /plans/contest/hardening/host-os/ansible/cis$
-- <<: *test-static-checks
-  identifier: /hardening/host-os/ansible/cis_server_l1
-  tmt_plan: /plans/contest/hardening/host-os/ansible/cis_server_l1$
-- <<: *test-static-checks
-  identifier: /hardening/host-os/ansible/cis_workstation_l1
-  tmt_plan: /plans/contest/hardening/host-os/ansible/cis_workstation_l1$
-- <<: *test-static-checks
-  identifier: /hardening/host-os/ansible/cis_workstation_l2
-  tmt_plan: /plans/contest/hardening/host-os/ansible/cis_workstation_l2$
-- <<: *test-static-checks
-  identifier: /hardening/host-os/ansible/cui
-  tmt_plan: /plans/contest/hardening/host-os/ansible/cui$
-  targets:
-    centos-stream-8: {}
-    centos-stream-9: {}
-- <<: *test-static-checks
-  identifier: /hardening/host-os/ansible/e8
-  tmt_plan: /plans/contest/hardening/host-os/ansible/e8$
-- <<: *test-static-checks
-  identifier: /hardening/host-os/ansible/hipaa
-  tmt_plan: /plans/contest/hardening/host-os/ansible/hipaa$
-- <<: *test-static-checks
-  identifier: /hardening/host-os/ansible/ism_o
-  tmt_plan: /plans/contest/hardening/host-os/ansible/ism_o$
-- <<: *test-static-checks
-  identifier: /hardening/host-os/ansible/ism_o_top_secret
-  tmt_plan: /plans/contest/hardening/host-os/ansible/ism_o_top_secret$
-  targets:
-    centos-stream-10: {}
-- <<: *test-static-checks
-  identifier: /hardening/host-os/ansible/ospp
-  tmt_plan: /plans/contest/hardening/host-os/ansible/ospp$
-- <<: *test-static-checks
-  identifier: /hardening/host-os/ansible/pci-dss
-  tmt_plan: /plans/contest/hardening/host-os/ansible/pci-dss$
-- <<: *test-static-checks
-  identifier: /hardening/host-os/ansible/stig
-  tmt_plan: /plans/contest/hardening/host-os/ansible/stig$
-
-- <<: *test-static-checks
-  identifier: /hardening/host-os/oscap/anssi_bp28_high
-  tmt_plan: /plans/contest/hardening/host-os/oscap/anssi_bp28_high$
-- <<: *test-static-checks
-  identifier: /hardening/host-os/oscap/bsi
-  tmt_plan: /plans/contest/hardening/host-os/oscap/bsi$
-  targets:
-    centos-stream-9: {}
-- <<: *test-static-checks
-  identifier: /hardening/host-os/oscap/ccn_advanced
-  tmt_plan: /plans/contest/hardening/host-os/oscap/ccn_advanced$
-  targets:
-    centos-stream-9: {}
-- <<: *test-static-checks
-  identifier: /hardening/host-os/oscap/cis
-  tmt_plan: /plans/contest/hardening/host-os/oscap/cis$
-- <<: *test-static-checks
-  identifier: /hardening/host-os/oscap/cis_server_l1
-  tmt_plan: /plans/contest/hardening/host-os/oscap/cis_server_l1$
-- <<: *test-static-checks
-  identifier: /hardening/host-os/oscap/cis_workstation_l1
-  tmt_plan: /plans/contest/hardening/host-os/oscap/cis_workstation_l1$
-- <<: *test-static-checks
-  identifier: /hardening/host-os/oscap/cis_workstation_l2
-  tmt_plan: /plans/contest/hardening/host-os/oscap/cis_workstation_l2$
-- <<: *test-static-checks
-  identifier: /hardening/host-os/oscap/cui
-  tmt_plan: /plans/contest/hardening/host-os/oscap/cui$
-  targets:
-    centos-stream-8: {}
-    centos-stream-9: {}
-- <<: *test-static-checks
-  identifier: /hardening/host-os/oscap/e8
-  tmt_plan: /plans/contest/hardening/host-os/oscap/e8$
-- <<: *test-static-checks
-  identifier: /hardening/host-os/oscap/hipaa
-  tmt_plan: /plans/contest/hardening/host-os/oscap/hipaa$
-- <<: *test-static-checks
-  identifier: /hardening/host-os/oscap/ism_o
-  tmt_plan: /plans/contest/hardening/host-os/oscap/ism_o$
-- <<: *test-static-checks
-  identifier: /hardening/host-os/oscap/ism_o_top_secret
-  tmt_plan: /plans/contest/hardening/host-os/oscap/ism_o_top_secret$
-  targets:
-    centos-stream-10: {}
-- <<: *test-static-checks
-  identifier: /hardening/host-os/oscap/ospp
-  tmt_plan: /plans/contest/hardening/host-os/oscap/ospp$
-- <<: *test-static-checks
-  identifier: /hardening/host-os/oscap/pci-dss
-  tmt_plan: /plans/contest/hardening/host-os/oscap/pci-dss$
-- <<: *test-static-checks
-  identifier: /hardening/host-os/oscap/stig
-  tmt_plan: /plans/contest/hardening/host-os/oscap/stig$
 
-- <<: *test-static-checks
+- <<: *fedora-tests
   identifier: fedora-cis
   tmt_plan: /plans/fedora-cis$
-  targets:
-    fedora-all: {}