Skip to content

Make the osquery extension and runner separate rungroups #4548

Make the osquery extension and runner separate rungroups

Make the osquery extension and runner separate rungroups #4548

Workflow file for this run

name: ci
on:
workflow_dispatch:
push:
branches: [main, master]
tags: '*'
pull_request:
branches: '**'
merge_group:
types: [checks_requested]
jobs:
build_and_test:
name: launcher
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false # Consider changing this sometime
matrix:
os:
- ubuntu-20.04
- macos-12
- windows-latest
steps:
- name: Check out code
id: checkout
uses: actions/checkout@v3
with:
fetch-depth: 0 # need a full checkout for `git describe`
- name: Setup Go
uses: actions/setup-go@v3
with:
go-version-file: './go.mod'
check-latest: true
id: go
# use bash, because the powershell syntax is different and this is a cross platform workflow
- id: go-cache-paths
shell: bash
run: |
echo "go-build=$(go env GOCACHE)" >> "$GITHUB_OUTPUT"
echo "go-mod=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"
- name: Go Build Cache
uses: actions/cache@v3
with:
path: ${{ steps.go-cache-paths.outputs.go-build }}
key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.sum') }}
- name: Go Mod Cache
uses: actions/cache@v3
with:
path: ${{ steps.go-cache-paths.outputs.go-mod }}
key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
- name: Get dependencies
run: make deps
- name: Run govulncheck
run: go install golang.org/x/vuln/cmd/[email protected]; govulncheck ./...
- name: Set up zig
if: ${{ contains(matrix.os, 'ubuntu') }}
uses: goto-bus-stop/setup-zig@v2
- name: Build
run: make -j2 github-build
- name: Check macOS build target
if: contains(matrix.os, 'macos')
# this uses grep's exit code
run: otool -l build/launcher | grep -A1 "minos 11"
- name: Lipo
run: make github-lipo
if: ${{ contains(matrix.os, 'macos') }}
- name: App Bundle
run: make github-launcherapp
if: ${{ contains(matrix.os, 'macos') }}
- name: Test
run: make test
- name: Cache build output
uses: actions/cache@v3
with:
path: ./build
key: ${{ runner.os }}-${{ github.run_id }}
enableCrossOsArchive: true
# upload coverage here, because we don't cache it with the build
- name: Upload coverage
uses: actions/upload-artifact@v3
with:
name: ${{ runner.os }}-coverage.out
path: coverage.out
# this job captures the version of launcher on one of the runners then that version is
# compared to the version of all other runners during exec testing. This is to ensure
# that the version of launcher is the same across all runners.
version_baseline:
name: Version Baseline
runs-on: ubuntu-20.04
needs: build_and_test
outputs:
version: ${{ steps.version.outputs.version }}
steps:
- name: cache restore build output
uses: actions/cache/restore@v3
with:
path: ./build
key: ${{ runner.os }}-${{ github.run_id }}
enableCrossOsArchive: true
- id: version
name: Launcher Version
working-directory: build
shell: bash
run: ./launcher --version 2>/dev/null | awk '/version /{print "version="$4}' >> "$GITHUB_OUTPUT"
exec_testing:
name: Exec Test
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os:
# See https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners#supported-software
- ubuntu-20.04
- ubuntu-22.04
- macos-11
- macos-12
- macos-13
- windows-2019
- windows-2022
needs: version_baseline
steps:
- name: cache restore build output
uses: actions/cache/restore@v3
with:
path: ./build
key: ${{ runner.os }}-${{ github.run_id }}
enableCrossOsArchive: true
- name: Launcher Version
working-directory: build
shell: bash
run: |
./launcher --version
thisVersion=$(./launcher --version 2>/dev/null | grep "version" | awk '{print $4}')
baseVersion="${{ needs.version_baseline.outputs.version }}"
if [[ "$thisVersion" != "$baseVersion" ]]; then
printf "launcher version %s does not match baseline version %s" "$thisVersion" "$baseVersion"
exit 1
fi
- name: Download Osquery
working-directory: build
run: ./launcher download-osquery --directory .
- name: Osquery Version
working-directory: build
run: ./osqueryd --version
- name: Launcher Doctor
working-directory: build
run: ./launcher doctor
# If the prior exec tests suceeded, this grabs the cached things, and moves them to artifacts. We ought
# be able to do this entirely on ubuntu, so let's try!
store_artifacts:
name: Store Artifacts
runs-on: ubuntu-20.04
strategy:
fail-fast: false
matrix:
artifactos:
# artifactos needs to match the runner.os set by the builds. (Which is not quite the same as matrix.os)
- linux
- macos
- windows
needs: exec_testing
steps:
- name: cache restore build output
uses: actions/cache/restore@v3
with:
path: ./build
key: ${{ matrix.artifactos }}-${{ github.run_id }}
enableCrossOsArchive: true
- name: Upload Build
uses: actions/upload-artifact@v3
with:
name: ${{ matrix.artifactos }}-build
path: build/
if-no-files-found: error
package_builder_test:
name: package_builder
runs-on: ${{ matrix.os }}
strategy:
fail-fast: true
matrix:
os:
- ubuntu-20.04
- macos-12
- windows-latest
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0 # need a full checkout for `git describe`
- uses: actions/setup-go@v3
with:
go-version-file: './go.mod'
check-latest: true
id: go
- id: go-cache-paths
shell: bash
run: |
echo "go-build=$(go env GOCACHE)" >> "$GITHUB_OUTPUT"
echo "go-mod=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"
- name: Go Build Cache
uses: actions/cache@v3
with:
path: ${{ steps.go-cache-paths.outputs.go-build }}
key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.sum') }}
- name: Go Mod Cache
uses: actions/cache@v3
with:
path: ${{ steps.go-cache-paths.outputs.go-mod }}
key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
- run: make deps
- id: build
run: make package-builder
- name: package
id: run-package-builder
run: ${{ steps.build.outputs.binary }} make --i-am-a-kolide-customer --debug --hostname=localhost --enroll_secret=secret --launcher_version=nightly --osquery_version=nightly --output_dir=./
- name: Test install macOS
if: ${{ contains(matrix.os, 'macos') }}
run: |
# Check that we can install
sudo installer -dumplog -pkg ./launcher.darwin-launchd-pkg.pkg -target /
# Quick check that at least a couple of the files we expect now exist
if [ ! -f /Library/LaunchDaemons/com.launcher.launcher.plist ]; then echo "missing launchd entry" && exit 1; fi
if [ ! -f /usr/local/launcher/osquery.app/Contents/MacOS/osqueryd ]; then echo "missing osqueryd binary" && exit 1; fi
if [ ! -L /usr/local/launcher/bin/osqueryd ]; then echo "missing osquery symlink" && exit 1; fi
if [ ! -e /usr/local/launcher/bin/osqueryd ]; then echo "osquery symlink is present but broken" && exit 1; fi
if [ ! -f /usr/local/launcher/Kolide.app/Contents/MacOS/launcher ]; then echo "missing launcher binary" && exit 1; fi
if [ ! -L /usr/local/launcher/bin/launcher ]; then echo "missing launcher symlink" && exit 1; fi
if [ ! -e /usr/local/launcher/bin/launcher ]; then echo "launcher symlink is present but broken" && exit 1; fi
# This job is here as a github status check -- it allows us to move
# the merge dependency from being on all the jobs to this single
# one.
ci_mergeable:
runs-on: ubuntu-latest
steps:
- run: true
needs:
- build_and_test
- package_builder_test
- exec_testing