
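name: CI
on:
  push:
    branches:
      - 'master'
    tags:
      - '*'
    # A bare 'docs' pattern only matches a path literally named "docs"; the
    # recursive glob is needed for changes *inside* the directory to be ignored.
    paths-ignore:
      - '**/README.md'
      - '.github/RELEASE.md'
      - 'docs/**'
  pull_request:
    paths-ignore:
      - '**/README.md'
      - '.github/RELEASE.md'
      - 'docs/**'

# Least-privilege GITHUB_TOKEN: none of the active jobs below write to the
# repository. A job that needs more (e.g. a release job creating GitHub
# releases needs `contents: write`) must request it in its own `permissions:`
# block rather than widening this workflow-level default.
permissions:
  contents: read

env:
  image_name: intellabs/kafl

# NOTE(review): third-party actions are referenced by mutable major-version tags
# (@v3, @v4). Pinning each `uses:` to a full-length commit SHA protects the
# pipeline against a compromised or retagged upstream release.
jobs:
  ansible-lint:
    runs-on: ubuntu-20.04
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
          python-version: '3.9'
      - name: Setup ansible venv
        working-directory: deploy
        run: |
          make venv
      - name: Install ansible-lint
        working-directory: deploy
        run: |
          ./venv/bin/pip install wheel
          ./venv/bin/pip install ansible-lint==6.16.0
      # ignore 'meta-no-info', since we don't need to publish our roles to Ansible Galaxy
      # NOTE(review): 'risky-file-permissions' is also skipped. That rule flags
      # tasks that create files without an explicit mode (so the result depends
      # on the runner's umask); disabling it hides a class of permission bugs in
      # the deploy roles. Consider re-enabling it and fixing the findings.
      - name: Run ansible-lint
        working-directory: deploy
        run: |
          ./venv/bin/ansible-lint -x 'meta-no-info' -x galaxy -x 'yaml[octal-values]' -x no-changed-when -x risky-file-permissions --exclude venv

  my_job:
    name: Verify deploy secret is configured
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      # The secret reaches the shell through the environment, never through
      # `${{ }}` interpolation into the script body: interpolation would both
      # embed the raw value in the rendered command and let any shell
      # metacharacters in it execute. The value is also never echoed - log
      # masking is best-effort and is known to miss multi-line or transformed
      # values (as a multi-line SSH key would be), so only its presence and
      # length are reported.
      - name: Check that the secret is present
        env:
          SSH_KEY: ${{ secrets.ssh_key }}
        run: |
          if [ -z "${SSH_KEY}" ]; then
            # Pull requests from forks do not receive repository secrets, so
            # warn rather than fail to keep fork PR checks usable.
            echo "::warning::secrets.ssh_key is not available in this run"
          else
            echo "secrets.ssh_key is configured (${#SSH_KEY} bytes)"
          fi

  check-mode:
    runs-on: ubuntu-20.04
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
          python-version: '3.9'
      - name: Run deployment in check mode (dry-run)
        run: make deploy -- --check

  local:
    strategy:
      matrix:
        os: [ubuntu-20.04]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
          python-version: '3.9'
      # shallow clone for CI speed
      - name: Setup ansible extra vars in JSON file
        run: |
          echo '{"git_clone_depth": 1}' >> parameters.json
        working-directory: deploy
      # skip tags related to non-existent hardware/configuration in the CI runner environment
      # NOTE(review): parameters.json is written under deploy/ but this step runs
      # from the repository root, so "@parameters.json" resolves only if the
      # root `make deploy` target runs ansible from deploy/ - confirm.
      - name: Test userspace deployment
        run: >
          make deploy --
          --skip-tags "hardware_check,kvm_device"
          --extra-vars "@parameters.json"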
# remote:
# runs-on: ubuntu-20.04
# services:
# ssh:
# image: wenzel/sshd:ubuntu22.04
# ports:
# # open SSH
# - 5000:22
# env:
# ROOT_PASSWORD: toor
# steps:
# - uses: actions/checkout@v3
# - uses: actions/setup-python@v4
# with:
# python-version: '3.9'
# # shallow clone for CI speed
# - name: Setup ansible extra vars in JSON file
# run: |
# echo '{"git_clone_depth": 1}' >> parameters.json
# working-directory: deploy
# - name: Setup ansible
# run: |
# make venv
# working-directory: deploy
# # the service container is reachable from the runner at 127.0.0.1:5000
# - name: Setup inventory
# run: |
# venv/bin/python - << '__HERE__'
# import yaml
# with open("host_vars/localhost.yml", "w") as f:
# data = {
# "ansible_port": 5000,
# "ansible_user": "root",
# "ansible_ssh_pass": "toor",
# # host-key checking is disabled only because the target is the throwaway
# # service container defined above; do not carry this (or the fixed root
# # password) into a real inventory
# "ansible_ssh_common_args": "-o StrictHostKeyChecking=no"
# }
# yaml.dump(data, f)
# __HERE__
# working-directory: deploy
# - name: Install Python3 on service container
# run: |
# venv/bin/ansible all -i inventory -m raw -a "apt update"
# venv/bin/ansible all -i inventory -m raw -a "apt install -y python3"
# working-directory: deploy
# - name: Upgrade packages
# run: venv/bin/ansible all -i inventory -m ansible.builtin.apt -a "upgrade=dist"
# working-directory: deploy
# # skip tags related to non-existent hardware/configuration in the CI runner environment
# - name: Test userspace deployment
# run: >
# make deploy --
# --skip-tags "hardware_check,kvm_device,update_grub,reboot_kernel"
# --extra-vars "@parameters.json"
# docker-image:
# runs-on: ubuntu-latest
# steps:
# - uses: actions/checkout@v3
# with:
# path: kafl
# - name: Set up Docker Buildx
# uses: docker/[email protected]
# - name: Extract metadata (tags, labels) for Docker
# id: meta
# uses: docker/[email protected]
# with:
# images: ${{ env.image_name }}
# flavor: |
# latest=true
# - name: Build image
# uses: docker/build-push-action@v3
# with:
# context: kafl/
# push: false
# tags: ${{ steps.meta.outputs.tags }}
# labels: ${{ steps.meta.outputs.labels }}
# load: true
# cache-from: type=gha
# cache-to: type=gha,mode=max
# # TODO: refactor in a separate in security.yml workflow
# - name: Run Snyk to check Docker image for vulnerabilities
# # NOTE(review): '@master' is a mutable branch reference, so the code this
# # step runs can change without any change to this workflow; pin it to a
# # release tag or commit SHA before re-enabling the job
# uses: snyk/actions/docker@master
# env:
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# with:
# command: monitor
# image: ${{ steps.meta.outputs.tags }}
# # TODO: this action seems broken
# # https://github.com/IntelLabs/kAFL/issues/161
# continue-on-error: true
# # - name: Upload result to GitHub Code Scanning
# # uses: github/codeql-action/upload-sarif@v2
# # with:
# # sarif_file: snyk.sarif
# - run: mkdir bench-logs
# - uses: actions/checkout@v3
# with:
# repository: docker/docker-bench-security
# ref: 5a8d6434e6ebd70cb8bb465fce4ae5ed2a572eac
# path: bench
# # build image since dockerhub one is out of date
# - name: Build Docker Bench for Security image
# uses: docker/build-push-action@v3
# with:
# context: bench/
# push: false
# tags: docker-bench-security
# load: true # load build result into docker
# - name: Run Docker Bench for Security
# run: >
# docker run --net host --pid host --userns host --cap-add audit_control
# -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST
# -v /var/lib:/var/lib
# -v /var/run/docker.sock:/var/run/docker.sock
# -v /usr/lib/systemd:/usr/lib/systemd
# -v /etc:/etc --label docker_bench_security
# -v ${{ github.workspace }}/bench-logs:/usr/local/bin/log
# docker-bench-security
# -l log/log_file
# -c container_images
# -i intellabs/kafl
# - uses: actions/upload-artifact@v3
# with:
# name: docker-bench-security
# path: bench-logs/
# push-docker-image:
# runs-on: ubuntu-latest
# needs: [docker-image]
# if: ${{ github.event_name == 'push' }}
# steps:
# - uses: actions/checkout@v3
# - name: Set up Docker Buildx
# uses: docker/[email protected]
# - name: Extract metadata (tags, labels) for Docker
# id: meta
# uses: docker/[email protected]
# with:
# images: ${{ env.image_name }}
# flavor: |
# latest=true
# - name: Login to Docker Hub
# uses: docker/login-action@v2
# with:
# username: ${{ secrets.DOCKERHUB_USERNAME }}
# password: ${{ secrets.DOCKERHUB_TOKEN }}
# - name: Build image
# uses: docker/build-push-action@v3
# with:
# context: .
# push: true
# tags: ${{ steps.meta.outputs.tags }}
# labels: ${{ steps.meta.outputs.labels }}
# cache-from: type=gha
# cache-to: type=gha,mode=max
# - name: Update Docker Hub description
# uses: Wenzel/dockerhub-description@v3
# with:
# username: ${{ secrets.DOCKERHUB_USERNAME }}
# password: ${{ secrets.DOCKERHUB_TOKEN }}
# repository: ${{ env.image_name }}
# readme-filepath: ./.github/DOCKER.md
# release:
# # this job makes an official Github release
# needs: [ansible-lint, check-mode, local, remote, docker-image]
# runs-on: ubuntu-latest
# outputs:
# version: ${{ steps.get_version.outputs.version }}
# upload_url: ${{ steps.step_upload_url.outputs.upload_url }}
# steps:
# - uses: actions/checkout@v3
# - name: Get the version
# id: get_version
# run: echo "version=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_OUTPUT
# # only create release if tag start by 'v*'
# - name: Create a Release
# id: create_release
# uses: softprops/action-gh-release@v1
# with:
# tag_name: ${{ steps.get_version.outputs.version }}
# body_path: ${{ github.workspace }}/.github/RELEASE.md
# if: startsWith(github.ref, 'refs/tags/v')
# - id: step_upload_url
# run: echo "upload_url=${{ steps.create_release.outputs.upload_url }}" >> $GITHUB_OUTPUT