From 6ed54ace4c715253c9a058db14777420d55eca6e Mon Sep 17 00:00:00 2001 From: wqian Date: Thu, 6 Jun 2024 13:47:42 +0100 Subject: [PATCH 1/3] Add ubuntu workflow --- .github/workflows/automatus-ubt22.yaml | 179 +++++++++++++++++++++++++ 1 file changed, 179 insertions(+) create mode 100644 .github/workflows/automatus-ubt22.yaml diff --git a/.github/workflows/automatus-ubt22.yaml b/.github/workflows/automatus-ubt22.yaml new file mode 100644 index 00000000000..b05bc2a1be2 --- /dev/null +++ b/.github/workflows/automatus-ubt22.yaml @@ -0,0 +1,179 @@ +name: Automatus UBT22 +on: + pull_request: + branches: [ master, 'stabilization*' ] +concurrency: + group: ${{ github.workflow }}-${{ github.event.number || github.run_id }} + cancel-in-progress: true +env: + DATASTREAM: ssg-ubuntu2204-ds.xml +jobs: + build-content: + name: Build Content + runs-on: ubuntu-latest + container: + image: fedora:latest + steps: + - name: Install Deps + run: dnf install -y cmake make openscap-utils python3-pyyaml python3-jinja2 git python3-deepdiff python3-requests jq python3-pip + - name: Install deps python + run: pip install gitpython xmldiff + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: Checkout (CTF) + uses: actions/checkout@v4 + with: + repository: ComplianceAsCode/content-test-filtering + path: ctf + # https://github.com/actions/checkout/issues/766 + - name: Set git safe directory + run: git config --global --add safe.directory "$GITHUB_WORKSPACE" + - name: Find forking point + env: + BASE_BRANCH: ${{ github.base_ref }} + run: echo "FORK_POINT=$(git merge-base origin/$BASE_BRANCH ${{ github.event.pull_request.head.sha }})" >> $GITHUB_OUTPUT + id: fork_point + - name: Detect content changes in the PR + run: python3 ./ctf/content_test_filtering.py pr --base ${{ steps.fork_point.outputs.FORK_POINT }} --remote_repo ${{ github.server_url }}/${{ github.repository }} --verbose --rule --output json ${{ github.event.pull_request.number }} > output.json + - name: Test if there are no content changes + run: echo "CTF_OUTPUT_SIZE=$(stat --printf="%s" output.json)" >> $GITHUB_OUTPUT + id: ctf + - uses: actions/upload-artifact@v4 + if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} + with: + name: output.json + path: output.json + - name: Print changes to content detected if any + if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} + run: cat output.json + - name: Get product attribute + if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} + id: product + uses: notiz-dev/github-action-json-property@v0.2.0 + with: + path: 'output.json' + prop_path: 'product' + - name: Build product + if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} + run: ./build_product ubuntu2204 --derivatives + - uses: actions/upload-artifact@v4 + if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} + with: + name: ${{ env.DATASTREAM }} + path: build/${{ env.DATASTREAM }} + validate-ubuntu: + name: Run Tests + needs: build-content + runs-on: ubuntu-22.04 + steps: + - name: Install Deps + run: sudo apt update && sudo apt install -y cmake ninja-build libopenscap8 libxml2-utils xsltproc python3-jinja2 python3-yaml ansible-lint podman + - name: Checkout + uses: actions/checkout@v4 + - name: Get cached CTF output + uses: actions/download-artifact@v4 + id: get_ctf_output + with: + name: output.json + # continue even if the file is unavailable that + # means there are no changes detected by CTF in the previous job + continue-on-error: true + - name: Test if there are no content changes + if: ${{ steps.get_ctf_output.outcome == 'success' }} + run: echo "CTF_OUTPUT_SIZE=$(stat --printf="%s" output.json)" >> $GITHUB_OUTPUT + id: ctf + - name: Print changes to content detected if any + if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} + run: cat output.json + - name: Generate id_rsa key + if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} + run: ssh-keygen -N '' -t rsa -f ~/.ssh/id_rsa + - name: Build test suite container + if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} + run: podman build --build-arg "CLIENT_PUBLIC_KEY=$(cat ~/.ssh/id_rsa.pub)" -t ssg_test_suite -f test_suite-ubt22 + working-directory: ./Dockerfiles + - name: Get oscap-ssh + if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} + run: | + wget https://raw.githubusercontent.com/OpenSCAP/openscap/maint-1.3/utils/oscap-ssh + sudo chmod 755 oscap-ssh + sudo mv -v oscap-ssh /usr/local/bin + sudo chown root:root /usr/local/bin/oscap-ssh + rm -f oscap-ssh + - name: Get rule ids to be tested + if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} + id: rules + uses: notiz-dev/github-action-json-property@v0.2.0 + with: + path: 'output.json' + prop_path: 'rules' + - name: Get product attribute + if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} + id: product + uses: notiz-dev/github-action-json-property@v0.2.0 + with: + path: 'output.json' + prop_path: 'product' + - name: Get bash attribute + if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} + id: bash + uses: notiz-dev/github-action-json-property@v0.2.0 + with: + path: 'output.json' + prop_path: 'bash' + - name: Get ansible attribute + if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} + id: ansible + uses: notiz-dev/github-action-json-property@v0.2.0 + with: + path: 'output.json' + prop_path: 'ansible' + - uses: actions/download-artifact@v4 + if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} + with: + name: ${{ env.DATASTREAM }} + - name: Run tests in a container - Bash + if: ${{steps.bash.outputs.prop == 'True' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} + run: tests/test_rule_in_container.sh --no-remove-machine-only --dontclean --logdir logs_bash --remediate-using bash --name ssg_test_suite --datastream $DATASTREAM ${{join(fromJSON(steps.rules.outputs.prop))}} + env: + ADDITIONAL_TEST_OPTIONS: "--duplicate-templates --remove-fips-certified --product rhel8" + - name: Check for ERROR in logs + if: ${{steps.bash.outputs.prop == 'True' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} + run: grep -q "^ERROR" logs_bash/test_suite.log + id: check_results_bash + # when grep returns 1 means it didn't find the ^ERROR string in the test_suite.log file + # and this means tests finished successfully without errors. So the job needs to keep going. + # By using continue-on-error: true the "conclusion" parameter is set to true so it's not possible to use + # it to determine whether the task has failed or succeed. The "outcome" parameter has to be used instead. + # See the step below + continue-on-error: true + - name: Upload logs in case of failure + if: ${{steps.bash.outputs.prop == 'True' && steps.check_results_bash.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} + uses: actions/upload-artifact@v4 + with: + name: logs_bash + path: logs_bash/ + - name: Run tests in a container - Ansible + if: ${{ steps.ansible.outputs.prop == 'True' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} + run: tests/test_rule_in_container.sh --no-remove-machine-only --dontclean --logdir logs_ansible --remediate-using ansible --name ssg_test_suite --datastream $DATASTREAM ${{join(fromJSON(steps.rules.outputs.prop))}} + env: + ADDITIONAL_TEST_OPTIONS: "--duplicate-templates --remove-fips-certified --product ubuntu2204" + - name: Check for ERROR in logs + if: ${{steps.ansible.outputs.prop == 'True' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} + run: grep -q "^ERROR" logs_ansible/test_suite.log + id: check_results_ansible + continue-on-error: true + - name: Upload logs in case of failure + if: ${{ steps.ansible.outputs.prop == 'True' && steps.check_results_ansible.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} + uses: actions/upload-artifact@v4 + with: + name: logs_ansible + path: logs_ansible/ + - name: Fail in case of ERROR present in logs_bash/test_suite.log or logs_ansible/test_suite.log + if: ${{ (steps.check_results_bash.outcome == 'success' || steps.check_results_ansible.outcome == 'success') && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} + run: | + [[ -f logs_bash/test_suite.log ]] && echo "---------Bash Remediation Logs---------" && cat logs_bash/test_suite.log | grep -v "DEBUG - " + [[ -f logs_ansible/test_suite.log ]] && echo "---------Ansible Remediation Logs---------" && cat logs_ansible/test_suite.log | grep -v "DEBUG - " + exit 1 From 04ffcad47eb536c3f848ae314192ebb8837dcad1 Mon Sep 17 00:00:00 2001 From: wqian Date: Tue, 11 Jun 2024 14:46:45 +0100 Subject: [PATCH 2/3] Rename ubuntu workflow Build directly without container --- ...{automatus-ubt22.yaml => automatus-ubuntu2204.yaml} | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) rename .github/workflows/{automatus-ubt22.yaml => automatus-ubuntu2204.yaml} (96%) diff --git a/.github/workflows/automatus-ubt22.yaml b/.github/workflows/automatus-ubuntu2204.yaml similarity index 96% rename from .github/workflows/automatus-ubt22.yaml rename to .github/workflows/automatus-ubuntu2204.yaml index b05bc2a1be2..2dc3d9a995c 100644 --- a/.github/workflows/automatus-ubt22.yaml +++ b/.github/workflows/automatus-ubuntu2204.yaml @@ -1,4 +1,4 @@ -name: Automatus UBT22 +name: Automatus UBUNTU22 on: pull_request: branches: [ master, 'stabilization*' ] @@ -10,14 +10,12 @@ env: jobs: build-content: name: Build Content - runs-on: ubuntu-latest - container: - image: fedora:latest + runs-on: ubuntu-22.04 steps: - name: Install Deps - run: dnf install -y cmake make openscap-utils python3-pyyaml python3-jinja2 git python3-deepdiff python3-requests jq python3-pip + run: sudo apt-get update && sudo apt-get install -y cmake ninja-build libopenscap8 python3-yaml python3-jinja2 git python3-deepdiff python3-requests jq python3-pip - name: Install deps python - run: pip install gitpython xmldiff + run: pip3 install gitpython xmldiff - name: Checkout uses: actions/checkout@v4 with: From 38be00d956fb1a727753cf0a0e4a5cf63530e63d Mon Sep 17 00:00:00 2001 From: wqian Date: Tue, 18 Jun 2024 10:39:04 +0100 Subject: [PATCH 3/3] Remove unnecessary flags/options --- .github/workflows/automatus-ubuntu2204.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/automatus-ubuntu2204.yaml b/.github/workflows/automatus-ubuntu2204.yaml index 2dc3d9a995c..cc0a5abae4f 100644 --- a/.github/workflows/automatus-ubuntu2204.yaml +++ b/.github/workflows/automatus-ubuntu2204.yaml @@ -1,4 +1,4 @@ -name: Automatus UBUNTU22 +name: Automatus Ubuntu 22.04 on: pull_request: branches: [ master, 'stabilization*' ] @@ -55,7 +55,7 @@ jobs: prop_path: 'product' - name: Build product if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - run: ./build_product ubuntu2204 --derivatives + run: ./build_product ubuntu2204 - uses: actions/upload-artifact@v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: @@ -136,7 +136,7 @@ jobs: if: ${{steps.bash.outputs.prop == 'True' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} run: tests/test_rule_in_container.sh --no-remove-machine-only --dontclean --logdir logs_bash --remediate-using bash --name ssg_test_suite --datastream $DATASTREAM ${{join(fromJSON(steps.rules.outputs.prop))}} env: - ADDITIONAL_TEST_OPTIONS: "--duplicate-templates --remove-fips-certified --product rhel8" + ADDITIONAL_TEST_OPTIONS: "--duplicate-templates --remove-fips-certified" - name: Check for ERROR in logs if: ${{steps.bash.outputs.prop == 'True' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} run: grep -q "^ERROR" logs_bash/test_suite.log