Merge pull request #287 from IntelLabs/dependabot/pip/deploy/jinja2-3… #563

Workflow file for this run

	name: CI
	permissions: {}

	on:
	push:
	branches:
	- 'master'
	tags:
	- '*'
	paths-ignore:
	- '**/README.md'
	- '.github/RELEASE.md'
	- 'docs'
	pull_request:
	paths-ignore:
	- '**/README.md'
	- '.github/RELEASE.md'
	- 'docs'

	env:
	image_name: intellabs/kafl

	jobs:
	ansible-lint:
	runs-on: ubuntu-20.04
	steps:
	- uses: actions/checkout@v4
	- uses: actions/setup-python@v4
	with:
	python-version: '3.9'

	- name: Setup ansible venv
	working-directory: deploy
	run: \|
	make venv

	- name: Install ansible-lint
	working-directory: deploy
	run: \|
	./venv/bin/pip install wheel
	./venv/bin/pip install ansible-lint==6.16.0

	# ignore 'meta-no-info', since we don't need to publish our roles to Ansible Galaxy
	- name: Run ansible-lint
	working-directory: deploy
	run: \|
	./venv/bin/ansible-lint -x 'meta-no-info' -x galaxy -x 'yaml[octal-values]' -x no-changed-when -x risky-file-permissions --exclude venv

	check-mode:
	runs-on: ubuntu-20.04
	steps:
	- uses: actions/checkout@v4

	- uses: actions/setup-python@v4
	with:
	python-version: '3.9'

	- name: Run deployment in check mode (dry-run)
	run: make deploy -- --check

	local:
	strategy:
	matrix:
	os: [ubuntu-20.04, ubuntu-22.04]
	runs-on: ${{ matrix.os }}
	steps:
	- uses: actions/checkout@v4

	- uses: actions/setup-python@v4
	with:
	python-version: '3.9'

	# shallow clone for CI speed
	- name: Setup ansible extra vars in JSON file
	run: \|
	echo '{"git_clone_depth": 1}' >> parameters.json
	working-directory: deploy

	# skip tags related to non-existent hardware/configuration in the CI runner environment
	- name: Test userspace deployment
	run: >
	make deploy --
	--skip-tags "hardware_check,kvm_device"
	--extra-vars "@parameters.json"

	remote:
	runs-on: ubuntu-20.04

	services:
	ssh:
	image: wenzel/sshd:ubuntu22.04
	ports:
	# open SSH
	- 5000:22
	env:
	ROOT_PASSWORD: toor

	steps:
	- uses: actions/checkout@v4

	- uses: actions/setup-python@v4
	with:
	python-version: '3.9'

	# shallow clone for CI speed
	- name: Setup ansible extra vars in JSON file
	run: \|
	echo '{"git_clone_depth": 1}' >> parameters.json
	working-directory: deploy

	- name: Setup ansible
	run: \|
	make venv
	working-directory: deploy

	# the service container runs is accessible on 127.0.0.1:5000
	- name: Setup inventory
	run: \|
	venv/bin/python - << '__HERE__'
	import yaml

	with open("host_vars/localhost.yml", "w") as f:
	data = {
	"ansible_port": 5000,
	"ansible_user": "root",
	"ansible_ssh_pass": "toor",
	"ansible_ssh_common_args": "-o StrictHostKeyChecking=no"
	}
	yaml.dump(data, f)
	__HERE__
	working-directory: deploy

	- name: Install Python3 on service container
	run: \|
	venv/bin/ansible all -i inventory -m raw -a "apt update"
	venv/bin/ansible all -i inventory -m raw -a "apt install -y python3"
	working-directory: deploy

	- name: Upgrade packages
	run: venv/bin/ansible all -i inventory -m ansible.builtin.apt -a "upgrade=dist"
	working-directory: deploy

	# skip tags related to non-existent hardware/configuration in the CI runner environment
	- name: Test userspace deployment
	run: >
	make deploy --
	--skip-tags "hardware_check,kvm_device,update_grub,reboot_kernel"
	--extra-vars "@parameters.json"

	docker-image:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	with:
	path: kafl

	- name: Set up Docker Buildx
	uses: docker/[email protected]

	- name: Extract metadata (tags, labels) for Docker
	id: meta
	uses: docker/[email protected]
	with:
	images: ${{ env.image_name }}
	flavor: \|
	latest=true

	- name: Build image
	uses: docker/build-push-action@v3
	with:
	context: kafl/
	push: false
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	load: true
	cache-from: type=gha
	cache-to: type=gha,mode=max

	# TODO: refactor in a separate in security.yml workflow
	- name: Run Snyk to check Docker image for vulnerabilities
	uses: snyk/actions/docker@master
	env:
	SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
	with:
	command: monitor
	image: ${{ steps.meta.outputs.tags }}
	# TODO: this action seems broken
	# https://github.com/IntelLabs/kAFL/issues/161
	continue-on-error: true

	# - name: Upload result to GitHub Code Scanning
	# uses: github/codeql-action/upload-sarif@v2
	# with:
	# sarif_file: snyk.sarif

	- run: mkdir bench-logs

	- uses: actions/checkout@v4
	with:
	repository: docker/docker-bench-security
	ref: 5a8d6434e6ebd70cb8bb465fce4ae5ed2a572eac
	path: bench

	# build image since dockerhub one is out of date
	- name: Build Docker Bench for Security image
	uses: docker/build-push-action@v3
	with:
	context: bench/
	push: false
	tags: docker-bench-security
	load: true # load build result into docker

	- name: Run Docker Bench for Security
	run: >
	docker run --net host --pid host --userns host --cap-add audit_control
	-e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST
	-v /var/lib:/var/lib
	-v /var/run/docker.sock:/var/run/docker.sock
	-v /usr/lib/systemd:/usr/lib/systemd
	-v /etc:/etc --label docker_bench_security
	-v ${{ github.workspace }}/bench-logs:/usr/local/bin/log
	docker-bench-security
	-l log/log_file
	-c container_images
	-i intellabs/kafl

	- uses: actions/upload-artifact@v3
	with:
	name: docker-bench-security
	path: bench-logs/

	push-docker-image:
	runs-on: ubuntu-latest
	needs: [docker-image]
	if: ${{ github.event_name == 'push' }}
	steps:
	- uses: actions/checkout@v4

	- name: Set up Docker Buildx
	uses: docker/[email protected]

	- name: Extract metadata (tags, labels) for Docker
	id: meta
	uses: docker/[email protected]
	with:
	images: ${{ env.image_name }}
	flavor: \|
	latest=true

	- name: Login to Docker Hub
	uses: docker/login-action@v2
	with:
	username: ${{ secrets.DOCKERHUB_USERNAME }}
	password: ${{ secrets.DOCKERHUB_TOKEN }}

	- name: Build image
	uses: docker/build-push-action@v3
	with:
	context: .
	push: true
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	cache-from: type=gha
	cache-to: type=gha,mode=max

	- name: Update Docker Hub description
	uses: Wenzel/dockerhub-description@v3
	with:
	username: ${{ secrets.DOCKERHUB_USERNAME }}
	password: ${{ secrets.DOCKERHUB_TOKEN }}
	repository: ${{ env.image_name }}
	readme-filepath: ./.github/DOCKER.md

	release:
	permissions:
	# required for releases
	contents: write
	# this job makes an official Github release
	needs: [ansible-lint, check-mode, local, remote, docker-image]
	runs-on: ubuntu-latest
	outputs:
	version: ${{ steps.get_version.outputs.version }}
	upload_url: ${{ steps.step_upload_url.outputs.upload_url }}

	steps:
	- uses: actions/checkout@v4

	- name: Get the version
	id: get_version
	run: echo "version=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_OUTPUT

	# only create release if tag start by 'v*'
	- name: Create a Release
	id: create_release
	uses: softprops/action-gh-release@v1
	with:
	tag_name: ${{ steps.get_version.outputs.version }}
	body_path: ${{ github.workspace }}/.github/RELEASE.md
	if: startsWith(github.ref, 'refs/tags/v')

	- id: step_upload_url
	run: echo "upload_url=${{ steps.create_release.outputs.upload_url }}" >> $GITHUB_OUTPUT

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Merge pull request #287 from IntelLabs/dependabot/pip/deploy/jinja2-3… #563

Workflow file

Merge pull request #287 from IntelLabs/dependabot/pip/deploy/jinja2-3… #563

Jobs

Run details

Workflow file for this run