
ci: fix release job permissions #560

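name: CI
# Default GITHUB_TOKEN has no scopes; each job that needs one requests it
# explicitly (see the `release` job).
permissions: {}
on:
  push:
    branches:
      - 'master'
    tags:
      - '*'
    paths-ignore:
      - '**/README.md'
      - '.github/RELEASE.md'
      # a bare 'docs' only matches a path named exactly "docs";
      # the glob is needed to ignore changes under the directory
      - 'docs/**'
  pull_request:
    paths-ignore:
      - '**/README.md'
      - '.github/RELEASE.md'
      - 'docs/**'
env:
  image_name: intellabs/kafl
jobs:
  ansible-lint:
    runs-on: ubuntu-20.04
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v4
        with:
          python-version: '3.9'
      - name: Setup ansible venv
        working-directory: deploy
        run: |
          make venv
      - name: Install ansible-lint
        working-directory: deploy
        run: |
          ./venv/bin/pip install wheel
          ./venv/bin/pip install ansible-lint==6.16.0
      # ignore 'meta-no-info', since we don't need to publish our roles to Ansible Galaxy
      - name: Run ansible-lint
        working-directory: deploy
        run: |
          ./venv/bin/ansible-lint -x 'meta-no-info' -x galaxy -x 'yaml[octal-values]' -x no-changed-when -x risky-file-permissions --exclude venv
  check-mode:
    runs-on: ubuntu-20.04
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v4
        with:
          python-version: '3.9'
      - name: Run deployment in check mode (dry-run)
        run: make deploy -- --check
  local:
    strategy:
      matrix:
        os: [ubuntu-20.04, ubuntu-22.04]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v4
        with:
          python-version: '3.9'
      # shallow clone for CI speed
      - name: Setup ansible extra vars in JSON file
        run: |
          echo '{"git_clone_depth": 1}' >> parameters.json
        working-directory: deploy
      # skip tags related to non-existent hardware/configuration in the CI runner environment
      - name: Test userspace deployment
        run: >
          make deploy --
          --skip-tags "hardware_check,kvm_device"
          --extra-vars "@parameters.json"
  remote:
    runs-on: ubuntu-20.04
    services:
      ssh:
        image: wenzel/sshd:ubuntu22.04
        ports:
          # open SSH; quoted so the mapping stays a string (an unquoted
          # 5000:22 is read as a sexagesimal integer by YAML 1.1 parsers)
          - "5000:22"
        env:
          # throwaway credential for the ephemeral CI service container only
          ROOT_PASSWORD: toor
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v4
        with:
          python-version: '3.9'
      # shallow clone for CI speed
      - name: Setup ansible extra vars in JSON file
        run: |
          echo '{"git_clone_depth": 1}' >> parameters.json
        working-directory: deploy
      - name: Setup ansible
        run: |
          make venv
        working-directory: deploy
      # the service container is reachable on 127.0.0.1:5000
      - name: Setup inventory
        run: |
          venv/bin/python - << '__HERE__'
          import yaml
          with open("host_vars/localhost.yml", "w") as f:
              data = {
                  "ansible_port": 5000,
                  "ansible_user": "root",
                  "ansible_ssh_pass": "toor",
                  "ansible_ssh_common_args": "-o StrictHostKeyChecking=no"
              }
              yaml.dump(data, f)
          __HERE__
        working-directory: deploy
      - name: Install Python3 on service container
        run: |
          venv/bin/ansible all -i inventory -m raw -a "apt update"
          venv/bin/ansible all -i inventory -m raw -a "apt install -y python3"
        working-directory: deploy
      - name: Upgrade packages
        run: venv/bin/ansible all -i inventory -m ansible.builtin.apt -a "upgrade=dist"
        working-directory: deploy
      # skip tags related to non-existent hardware/configuration in the CI runner environment
      - name: Test userspace deployment
        run: >
          make deploy --
          --skip-tags "hardware_check,kvm_device,update_grub,reboot_kernel"
          --extra-vars "@parameters.json"
  docker-image:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          path: kafl
      - name: Set up Docker Buildx
        # NOTE(review): the action reference below was garbled in this rendering
        # ("[email protected]"); restore the pinned version from the repository
        # (presumably docker/setup-buildx-action — confirm)
        uses: docker/[email protected]
      - name: Extract metadata (tags, labels) for Docker
        id: meta
        # NOTE(review): same garbled reference as above; presumably
        # docker/metadata-action — confirm against the repository
        uses: docker/[email protected]
        with:
          images: ${{ env.image_name }}
          flavor: |
            latest=true
      - name: Build image
        uses: docker/build-push-action@v3
        with:
          context: kafl/
          push: false
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          load: true
          cache-from: type=gha
          cache-to: type=gha,mode=max
      # TODO: refactor in a separate security.yml workflow
      - name: Run Snyk to check Docker image for vulnerabilities
        # NOTE(review): @master is a mutable ref, and this step receives
        # SNYK_TOKEN; pin to a full commit SHA (<snyk-action-commit-sha>)
        # so the code running with the secret cannot change underneath us
        uses: snyk/actions/docker@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: monitor
          image: ${{ steps.meta.outputs.tags }}
        # TODO: this action seems broken
        # https://github.com/IntelLabs/kAFL/issues/161
        continue-on-error: true
      # - name: Upload result to GitHub Code Scanning
      #   uses: github/codeql-action/upload-sarif@v2
      #   with:
      #     sarif_file: snyk.sarif
      - run: mkdir bench-logs
      - uses: actions/checkout@v4
        with:
          repository: docker/docker-bench-security
          # pinned to a commit so the benchmark code cannot change silently
          ref: 5a8d6434e6ebd70cb8bb465fce4ae5ed2a572eac
          path: bench
      # build image since dockerhub one is out of date
      - name: Build Docker Bench for Security image
        uses: docker/build-push-action@v3
        with:
          context: bench/
          push: false
          tags: docker-bench-security
          load: true  # load build result into docker
      # the host mounts and --net/--pid/--userns host are the benchmark's
      # documented invocation: it audits the runner's Docker daemon itself
      - name: Run Docker Bench for Security
        run: >
          docker run --net host --pid host --userns host --cap-add audit_control
          -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST
          -v /var/lib:/var/lib
          -v /var/run/docker.sock:/var/run/docker.sock
          -v /usr/lib/systemd:/usr/lib/systemd
          -v /etc:/etc --label docker_bench_security
          -v ${{ github.workspace }}/bench-logs:/usr/local/bin/log
          docker-bench-security
          -l log/log_file
          -c container_images
          -i intellabs/kafl
      - uses: actions/upload-artifact@v3
        with:
          name: docker-bench-security
          path: bench-logs/
  push-docker-image:
    runs-on: ubuntu-latest
    needs: [docker-image]
    # pull requests (including fork PRs without secrets) never push
    if: ${{ github.event_name == 'push' }}
    steps:
      - uses: actions/checkout@v4
      - name: Set up Docker Buildx
        # NOTE(review): garbled action reference, see the docker-image job
        uses: docker/[email protected]
      - name: Extract metadata (tags, labels) for Docker
        id: meta
        # NOTE(review): garbled action reference, see the docker-image job
        uses: docker/[email protected]
        with:
          images: ${{ env.image_name }}
          flavor: |
            latest=true
      - name: Login to Docker Hub
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Build image
        uses: docker/build-push-action@v3
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
      - name: Update Docker Hub description
        # NOTE(review): third-party action receiving the Docker Hub credentials;
        # pin to a full commit SHA (<dockerhub-description-commit-sha>) rather
        # than a movable tag
        uses: Wenzel/dockerhub-description@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
          repository: ${{ env.image_name }}
          readme-filepath: ./.github/DOCKER.md
  release:
    permissions:
      # required to create the GitHub release; the only write scope in the workflow
      contents: write
    # this job makes an official Github release
    needs: [ansible-lint, check-mode, local, remote, docker-image]
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.get_version.outputs.version }}
      upload_url: ${{ steps.step_upload_url.outputs.upload_url }}
    steps:
      - uses: actions/checkout@v4
      - name: Get the version
        id: get_version
        # strips the refs/tags/ prefix; on non-tag refs this is the branch ref
        run: echo "version=${GITHUB_REF/refs\/tags\//}" >> "$GITHUB_OUTPUT"
      # only create a release if the tag starts with 'v'; the job itself still
      # runs on every event, so upload_url is empty outside tag pushes
      - name: Create a Release
        id: create_release
        uses: softprops/action-gh-release@v1
        with:
          tag_name: ${{ steps.get_version.outputs.version }}
          body_path: ${{ github.workspace }}/.github/RELEASE.md
        if: startsWith(github.ref, 'refs/tags/v')
      - id: step_upload_url
        # pass the action output through the environment instead of expanding the
        # expression inside the shell script, so bash never re-parses its contents
        env:
          UPLOAD_URL: ${{ steps.create_release.outputs.upload_url }}
        run: echo "upload_url=$UPLOAD_URL" >> "$GITHUB_OUTPUT"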