Various hardening for commonutils library internal calls for fuzzing #830
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Universal NRP Test | |
on: | |
workflow_dispatch: | |
pull_request: | |
schedule: | |
- cron: '0 20 * * *' # Every day at 12pm PST (UTC-8) | |
jobs: | |
package: | |
name: Package | |
uses: ./.github/workflows/package-build.yml | |
strategy: | |
matrix: | |
target: | |
[ | |
{ os: ubuntu, version: 14.04, arch: amd64, dist: trusty, package-type: DEB }, | |
] | |
with: | |
target: ${{ matrix.target.os }}-${{ matrix.target.version }} | |
arch: ${{ matrix.target.arch }} | |
artifact: nrp-test-package | |
package-type: ${{ matrix.target.package-type }} | |
machine-config: true | |
release: ${{ github.event_name == 'pull_request' && false || true }} | |
test: | |
name: Test | |
needs: package | |
runs-on: [self-hosted, 1ES.Pool=ci-pool, '1ES.ImageOverride=${{ matrix.target.os }}-${{ matrix.target.version }}'] | |
strategy: | |
fail-fast: false | |
matrix: | |
target: | |
[ | |
{ os: centos, version: 8, package-type: RPM, tag: ''}, | |
{ os: debian, version: 10, package-type: DEB, tag: ''}, | |
{ os: debian, version: 11, package-type: DEB, tag: ''}, | |
{ os: mariner, version: 2, package-type: RPM, tag: ''}, | |
{ os: oraclelinux, version: 8, package-type: RPM, tag: ''}, | |
{ os: rhel, version: 8, package-type: RPM, tag: ''}, | |
{ os: rhel, version: 9, package-type: RPM, tag: ''}, | |
{ os: rockylinux, version: 9, package-type: RPM, tag: ''}, | |
{ os: sles, version: 15, package-type: RPM, tag: ''}, | |
{ os: ubuntu, version: 20.04, package-type: DEB, tag: ''}, | |
{ os: ubuntu, version: 22.04, package-type: DEB, tag: ''}, | |
] | |
policy-package: | |
[ | |
{ name: LinuxSshServerSecurityBaseline, short-name: SSH, resource-count: 20 }, | |
{ name: AzureLinuxBaseline, short-name: ASB, resource-count: 168 }, | |
] | |
arch: [amd64] | |
mode: [Audit, Remediate] | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Normalize variables | |
id: normalize | |
run: | | |
output=${{ matrix.target.os }}-${{ matrix.target.version }}_${{ matrix.policy-package.short-name }}-${{ matrix.mode }} | |
echo name=${output} >> $GITHUB_OUTPUT | |
- uses: actions/download-artifact@v4 | |
id: download | |
with: | |
name: nrp-test-package | |
- name: Run Guest Configuration Test | |
working-directory: ${{ steps.download.outputs.download-path }} | |
run: | | |
script="./universalNRPTest.ps1" | |
cat >$script <<EOL | |
Install-Module -Name GuestConfiguration -Force | |
Install-Module Pester -Force -SkipPublisherCheck | |
Import-Module Pester -Passthru | |
\$params = @{ | |
PolicyPackage = './${{ matrix.policy-package.name }}.zip' | |
SkipRemediation = if ('${{ matrix.mode }}' -eq 'Audit') { \$true } else { \$false } | |
ResourceCount = ${{ matrix.policy-package.resource-count }} | |
} | |
\$container = New-PesterContainer -Path ./src/tests/universal-nrp-e2e/UniversalNRP.Tests.ps1 -Data \$params | |
\$pesterConfig = [PesterConfiguration]@{ | |
Run = @{ | |
Exit = \$true | |
Container = \$container | |
} | |
Output = @{ | |
Verbosity = 'Detailed' | |
} | |
TestResult = @{ | |
Enabled = \$true | |
OutputFormat = 'JUnitXml' | |
OutputPath = '${{ steps.normalize.outputs.name }}-testResults.xml' | |
} | |
Should = @{ | |
ErrorAction = 'Continue' | |
} | |
Filter = @{ | |
Tag = '${{ matrix.tag }}' | |
} | |
}; | |
Invoke-Pester -Configuration \$pesterConfig | |
EOL | |
sudo LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/omi/lib/ pwsh -Command $script | |
ls -l | |
# if command -v lsb_release &>/dev/null; then | |
# [[ $(lsb_release -is) == "Ubuntu" ]] && sudo chmod 644 *testResults.xml | |
# else | |
# echo "lsb_release not found" | |
# fi | |
stat *testResults.xml | |
- name: Stage OSConfig Logs | |
if: success() || failure() | |
run: | | |
mkdir osconfig-logs | |
stat /var/log/osconfig_nrp.log | |
cp -r /var/log/osconfig* osconfig-logs/ | |
- uses: actions/upload-artifact@v4 | |
if: success() || failure() | |
with: | |
name: ${{ steps.normalize.outputs.name }}_report | |
path: '${{ steps.download.outputs.download-path }}/*testResults.xml' | |
- uses: actions/upload-artifact@v4 | |
if: success() || failure() | |
with: | |
name: ${{ steps.normalize.outputs.name }}_logs | |
path: osconfig-logs/osconfig* | |
# See for more details: https://github.com/marketplace/actions/publish-test-results | |
report: | |
name: Report | |
needs: test | |
runs-on: ubuntu-latest | |
permissions: | |
checks: write | |
pull-requests: write | |
if: always() | |
steps: | |
- name: Download Test Report Artifacts | |
uses: actions/download-artifact@v4 | |
with: | |
path: universal-nrp-test | |
pattern: '*_report' | |
merge-multiple: true | |
- name: Publish Test Results | |
uses: EnricoMi/publish-unit-test-result-action@v2 | |
with: | |
files: 'universal-nrp-test/*testResults.xml' |