This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Ubuntu 20 LXD VM Testing Matrix | |
| on: | |
| pull_request: | |
| push: | |
| branches: | |
| - main | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| validate: | |
| name: Validate my profile | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 120 | |
| permissions: | |
| contents: read | |
| env: | |
| CHEF_LICENSE: accept-silent | |
| CHEF_LICENSE_KEY: ${{ secrets.SAF_CHEF_LICENSE_KEY }} | |
| KITCHEN_LOCAL_YAML: kitchen.lxd.yml | |
| PLATFORM: "ubuntu-20" | |
| LC_ALL: "en_US.UTF-8" | |
| LXD_IMAGE: "ubuntu:20.04" | |
| LXD_VM_USERNAME: "ubuntu" | |
| strategy: | |
| matrix: | |
| suite: ["vanilla", "hardened"] | |
| fail-fast: false | |
| steps: | |
| - name: Install host packages | |
| run: sudo apt-get update && sudo apt-get -y install jq | |
| - name: Check out repository | |
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| with: | |
| persist-credentials: false | |
| - name: Install and configure LXD | |
| run: sudo bash ./.github/scripts/setup-lxd.sh | |
| - name: Clone full repository so we can push | |
| run: git fetch --prune --unshallow | |
| - name: Set short git commit SHA | |
| id: vars | |
| run: | | |
| calculatedSha=$(git rev-parse --short ${{ github.sha }}) | |
| echo "COMMIT_SHORT_SHA=$calculatedSha" >> $GITHUB_ENV | |
| - name: Confirm git commit SHA output | |
| run: echo ${{ env.COMMIT_SHORT_SHA }} | |
| - name: Setup Ruby | |
| uses: ruby/setup-ruby@v1 | |
| with: | |
| ruby-version: "3.1" | |
| - name: Disable ri and rdoc | |
| run: 'echo "gem: --no-ri --no-rdoc" >> ~/.gemrc' | |
| - name: Run Bundle Install | |
| run: bundle install | |
| - name: Installed Cinc-auditor | |
| run: bundle exec cinc-auditor version | |
| - name: Vendor the Profile | |
| run: bundle exec cinc-auditor vendor . --overwrite | |
| - name: Generate ephemeral SSH key for Kitchen | |
| run: | | |
| set -euo pipefail | |
| KEY="$RUNNER_TEMP/kitchen_ed25519" | |
| ssh-keygen -t ed25519 -a 64 -N "" -f "$KEY" -C "kitchen-ci-$(date -u +%Y%m%dT%H%M%SZ)" </dev/null | |
| chmod 600 "$KEY" | |
| chmod 644 "$KEY.pub" | |
| { | |
| echo "KITCHEN_SSH_KEY=$KEY" | |
| echo "KITCHEN_SSH_PUBKEY=$(cat "$KEY.pub")" | |
| } >> "$GITHUB_ENV" | |
| - name: Launch LXD VM with cloud-init enabling SSH | |
| run: | | |
| set -euo pipefail | |
| NAME="${{ matrix.suite }}-${{ env.PLATFORM }}" | |
| cat > user-data.yaml <<EOF | |
| #cloud-config | |
| write_files: | |
| - path: /etc/apt/apt.conf.d/99force-ipv4 | |
| permissions: '0644' | |
| content: | | |
| Acquire::ForceIPv4 "true"; | |
| package_update: true | |
| packages: | |
| - openssh-server | |
| users: | |
| - name: ${LXD_VM_USERNAME} | |
| groups: [sudo] | |
| sudo: ALL=(ALL) NOPASSWD:ALL | |
| shell: /bin/bash | |
| ssh_authorized_keys: | |
| - ${KITCHEN_SSH_PUBKEY} | |
| ssh_pwauth: false | |
| EOF | |
| sudo lxc launch ${LXD_IMAGE} "$NAME" --vm -c user.user-data="$(cat user-data.yaml)" -c limits.memory=4GiB | |
| - name: Wait for VM | |
| run: | | |
| set -euo pipefail | |
| NAME="${{ matrix.suite }}-${{ env.PLATFORM }}" | |
| for i in $(seq 1 30); do | |
| lxc list --format=csv | grep -q "$NAME.*RUNNING" && break | |
| sleep 10 | |
| done | |
| lxc list --format=csv | grep -q "$NAME.*RUNNING" || { echo "VM never reached RUNNING"; lxc info "$NAME"; exit 1; } | |
| - name: Export VM IPv4 for Kitchen | |
| run: | | |
| set -euo pipefail | |
| NAME="${{ matrix.suite }}-${{ env.PLATFORM }}" | |
| for i in $(seq 1 24); do | |
| ipv4=$(lxc list "$NAME" --format=json | jq -r '.[0].state.network | to_entries[] | .value.addresses[]? | select(.family=="inet" and .scope=="global") | .address' | head -n1) | |
| [ -n "$ipv4" ] && break | |
| sleep 5 | |
| done | |
| [ -n "$ipv4" ] || { echo "No VM IPv4 found"; lxc info "$NAME"; exit 1; } | |
| echo "KITCHEN_HOST=$ipv4" >> "$GITHUB_ENV" | |
| - name: Run kitchen test | |
| if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }} | |
| continue-on-error: true | |
| run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-${{ env.PLATFORM }} | |
| - name: Save results summary JSON | |
| continue-on-error: true | |
| uses: mitre/saf_action@a19f76ed3721c14aa8a1afb8eded117d8bf16a5d # v1.9.0 | |
| with: | |
| command_string: "view summary -f json -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -o spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-data.json" | |
| - name: Upload Test Result JSON | |
| uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 | |
| with: | |
| name: ${{ env.PLATFORM }}_${{ matrix.suite }}.json | |
| path: spec/results/ | |
| - name: Upload to Heimdall | |
| continue-on-error: true | |
| env: | |
| SAF_HEIMDALL_UPLOAD_KEY: ${{ secrets.SAF_HEIMDALL_UPLOAD_KEY }} | |
| run: | | |
| curl -# -s -F data=@spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json \ | |
| -F "filename=${{ env.PLATFORM }}_${{ matrix.suite }}-${{ env.COMMIT_SHORT_SHA }}.json" \ | |
| -F "public=true" \ | |
| -F "evaluationTags=${{ env.COMMIT_SHORT_SHA }},${{ github.repository }},${{ github.workflow }}" \ | |
| -H "Authorization: Api-Key $SAF_HEIMDALL_UPLOAD_KEY" \ | |
| "${{ vars.SAF_HEIMDALL_URL }}/evaluations" | |
| - name: Display results summary | |
| uses: mitre/saf_action@a19f76ed3721c14aa8a1afb8eded117d8bf16a5d # v1.9.0 | |
| with: | |
| command_string: "view summary -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json" | |
| - name: Generate Markdown Summary | |
| continue-on-error: true | |
| id: generate-summary | |
| run: | | |
| cat spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-data.json | python markdown-summary.py > spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-markdown-summary.md | |
| cat spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-markdown-summary.md >> $GITHUB_STEP_SUMMARY | |
| - name: Validate scan threshold | |
| uses: mitre/saf_action@a19f76ed3721c14aa8a1afb8eded117d8bf16a5d # v1.9.0 | |
| with: | |
| command_string: "validate threshold -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml" | |
| - name: Cleanup ephemeral SSH key | |
| if: always() | |
| run: rm -f "$RUNNER_TEMP/kitchen_ed25519" "$RUNNER_TEMP/kitchen_ed25519.pub" |