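--- /dev/null
+++ b/.github/workflows/compare-ds.yaml
@@ -0,0 +1,92 @@
+name: Compare DS
+on:
+pull_request_target:
+branches: [ master ]
+jobs:
+build-content:
+name: Generate Diff
+runs-on: ubuntu-latest
+container:
+image: fedora:latest
+steps:
+- name: Install Deps
+run: dnf install -y cmake make openscap-utils python3-pyyaml python3-jinja2 git python3-deepdiff python3-requests jq python3-pip
+- name: Install deps python
+run: pip install gitpython xmldiff
+- name: Checkout master
+uses: actions/checkout@v2
+with:
+ref: master
+- name: Checkout (CTF)
+uses: actions/checkout@v2
+with:
+repository: mildas/content-test-filtering
+path: ctf
+- name: Detect content changes in the PR
+run: python3 ./ctf/content_test_filtering.py pr --rule --output json ${{ github.event.pull_request.number }} > output.json
+- name: Test if there are no content changes
+run: echo "::set-output name=CTF_OUTPUT_SIZE::$(stat --printf="%s" output.json)"
+id: ctf
+- name: Print changes to content detected if any
+if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
+run: cat output.json
+- name: Get product attribute
+if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
+id: product
+uses: notiz-dev/github-action-json-property@release
+with:
+path: 'output.json'
+prop_path: 'product'
+- name: Build product (master)
+if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
+run: ./build_product ${{steps.product.outputs.prop}} --datastream-only
+- name: Copy built datastream stream to be compared
+if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
+run: cp build/ssg-${{steps.product.outputs.prop}}-ds.xml ssg-${{steps.product.outputs.prop}}-ds.xml
+- name: Checkout
+if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
+uses: actions/checkout@v2
+with:
+clean: false
+- name: Build product
+if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
+run: ./build_product ${{steps.product.outputs.prop}} --datastream-only
+- name: Compare datastreams
+if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
+run: utils/compare_ds.py ssg-${{steps.product.outputs.prop}}-ds.xml build/ssg-${{steps.product.outputs.prop}}-ds.xml | tee diff.log
+env:
+PYTHONPATH: ${{ github.workspace }}
+- name: Get diff.log
+if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
+id: diff
+run: |
+body=$(cat diff.log)
+body="${body//'%'/'%25'}"
+body="${body//$'\n'/'%0A'}"
+body="${body//$'\r'/'%0D'}"
+echo ::set-output name=log::$body
+- name: Find Comment
+if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
+uses: peter-evans/find-comment@v1
+id: fc
+with:
+issue-number: ${{ github.event.pull_request.number }}
+comment-author: 'github-actions[bot]'
+body-includes: Datastream diff output
+- name: Create or update comment
+if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
+uses: peter-evans/create-or-update-comment@v1
+with:
+comment-id: ${{ steps.fc.outputs.comment-id }}
+issue-number: ${{ github.event.pull_request.number }}
+body: |
+This datastream diff is auto generated by the check `Compare DS/Generate Diff`
+<details>
+<summary>Click here to see the full diff</summary>
+
+```diff
+${{ steps.diff.outputs.log }}
+```
+
+</details>
+edit-mode: replace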
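Review bot: The second `Checkout` step (`clean: false`, no `ref`) checks out the base branch again under `pull_request_target`, so the second `./build_product` run and `utils/compare_ds.py` compare master against master and the comment will always carry an empty diff. Pointing that checkout at the PR head (`ref: ${{ github.event.pull_request.head.sha }}`) would instead execute the PR's own `build_product` and `compare_ds.py` with the write-capable token that `pull_request_target` grants, which is the exposure the `pull_request` producer / `workflow_run` consumer split in ssgts.yaml is there to avoid; the safer shape is to build and diff in an unprivileged `pull_request` workflow, upload `diff.log` as an artifact, and keep only the comment posting in this privileged workflow. Independently, `steps.product.outputs.prop` is expanded straight into the `run:` lines of both `build_product` steps, the `cp` and the compare step; since that value is computed from the PR, pass it through the environment instead, e.g. `env:` / `  PRODUCT: ${{ steps.product.outputs.prop }}` / `run: ./build_product "$PRODUCT" --datastream-only`, so the shell never parses it as code.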
24 changes: 13 additions & 11 deletions .github/workflows/ctf.yaml
@@ -1,4 +1,4 @@
name: Gating
name: CTF
on:
pull_request:
branches: [ master ]
Expand All @@ -11,19 +11,21 @@ jobs:
uses: mstksg/get-package@master
with:
apt-get: git python3-jinja2 python3-yaml python3-deepdiff python3-git python3-github python3-requests xmldiff
# TODO: Use action's checkout along with --local and --repository options of ctf
# See: https://github.community/t/how-to-commit-to-two-branches-from-an-action/17713/4
#- name: Checkout
# uses: actions/checkout@v1
- name: Checkout (CTF)
uses: actions/checkout@v2
with:
repository: mildas/content-test-filtering
path: ctf
- name: Process (see the output for recommended tests)
run: python3 ./ctf/content_test_filtering.py pr --output-format markdown ${{ github.event.pull_request.number }} # > ctf.md
# TODO: We can't do this for now: github.token is incapable of writing to the PR, and we can't provide our own
# for PRs coming from forked repos
# TODO: mshick/add-pr-comment@v1 and alike won't work as well
#- name: Update the PR
# run: python3 ./ctf/utility_scripts/comment_pr.py --token ${{ github.token }} --pr ${{ github.event.pull_request.number }} --comment ctf.md
run: python3 ./ctf/content_test_filtering.py pr --remote_repo https://github.com/ggbecker/content --verbose --rule --output json ${{ github.event.pull_request.number }} > ctf.json
- name: Test if there are no content changes
run: echo "::set-output name=CTF_OUTPUT_SIZE::$(stat --printf="%s" ctf.json)"
id: ctf
- name: Exit if there are no changes detected
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE == '0' }}
run: exit 1
- name: Upload CTF output
uses: actions/upload-artifact@v2
with:
name: ctf.json
path: ctf.json
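Review bot: The new `run:` line of the `Process` step hard-codes `--remote_repo https://github.com/ggbecker/content`, which looks like a personal fork left over from testing, so the filter presumably resolves the PR number against that repository rather than the one the workflow runs in; if the option is required, `--remote_repo ${{ github.server_url }}/${{ github.repository }}` follows the repository the event comes from. The `Exit if there are no changes detected` step turns "nothing to test" into a failed check (`exit 1`) on every PR that touches no content, which reads as a real failure in the PR's checks list; if that conclusion is deliberately what keeps the downstream `workflow_run` job from starting, a comment above the step such as `# a failed conclusion is the signal that stops SSGTS when CTF found no content changes` would spare the next reader the same question. The `jobs:` block this hunk belongs to starts before the hunk.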
87 changes: 30 additions & 57 deletions .github/workflows/ssgts.yaml
@@ -1,57 +1,47 @@
name: SSGTS
on:
pull_request:
branches: [ master ]
workflow_run:
workflows:
- CTF
types:
- completed
- requested
jobs:
build-content:
name: Build Content
runs-on: ubuntu-latest
if: ${{ github.event.workflow_run.conclusion == 'success' }}
container:
image: fedora:latest
steps:
- name: Install Deps
run: dnf install -y cmake make openscap-utils python3-pyyaml python3-jinja2 git python3-deepdiff python3-requests jq python3-pip
- name: Install deps python
run: pip install gitpython xmldiff
run: dnf install -y cmake make openscap-utils python3-pyyaml python3-jinja2
- name: Checkout
uses: actions/checkout@v2
- name: Checkout (CTF)
uses: actions/checkout@v2
with:
repository: mildas/content-test-filtering
path: ctf
- name: Detect content changes in the PR
run: python3 ./ctf/content_test_filtering.py pr --verbose --rule --output json ${{ github.event.pull_request.number }} > output.json
- name: Test if there are no content changes
run: echo "::set-output name=CTF_OUTPUT_SIZE::$(stat --printf="%s" output.json)"
id: ctf
- uses: actions/upload-artifact@v2
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
- name: Get cached CTF output
uses: actions/download-artifact@v2
id: get_ctf_output
with:
name: output.json
path: output.json
- name: Print changes to content detected if any
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
run: cat output.json
name: ctf.json
- name: Print changes to content detected by CTF
run: cat ctf.json
- name: Get product attribute
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
id: product
uses: notiz-dev/github-action-json-property@release
with:
path: 'output.json'
path: 'ctf.json'
prop_path: 'product'
- name: Build product
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
run: ./build_product ${{steps.product.outputs.prop}} --datastream-only
- uses: actions/upload-artifact@v2
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
with:
name: ssg-${{steps.product.outputs.prop}}-ds.xml
path: build/ssg-${{steps.product.outputs.prop}}-ds.xml
validate-ubuntu:
name: Run Tests
needs: build-content
runs-on: ubuntu-20.04
if: ${{ github.event.workflow_run.conclusion == 'success' }}
steps:
- name: Install Deps
uses: mstksg/get-package@master
Expand All @@ -63,71 +53,55 @@ jobs:
uses: actions/download-artifact@v2
id: get_ctf_output
with:
name: output.json
# continue even if the file is unavailable that
# means there are no changes detected by CTF in the previous job
continue-on-error: true
- name: Test if there are no content changes
if: ${{ steps.get_ctf_output.outcome == 'success' }}
run: echo "::set-output name=CTF_OUTPUT_SIZE::$(stat --printf="%s" output.json)"
id: ctf
- name: Print changes to content detected if any
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
run: cat output.json
name: ctf.json
- name: Print changes to content detected by CTF
run: cat ctf.json
- name: Generate id_rsa key
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
run: ssh-keygen -N '' -t rsa -f ~/.ssh/id_rsa
- name: Build test suite container
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
run: podman build --build-arg "CLIENT_PUBLIC_KEY=$(cat ~/.ssh/id_rsa.pub)" -t ssg_test_suite -f test_suite-fedora
working-directory: ./Dockerfiles
- name: Get oscap-ssh
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
run: |
wget https://raw.githubusercontent.com/OpenSCAP/openscap/maint-1.2/utils/oscap-ssh
sudo chmod 755 oscap-ssh
sudo mv -v oscap-ssh /usr/local/bin
sudo chown root:root /usr/local/bin/oscap-ssh
rm -f oscap-ssh
- name: Get rule ids to be tested
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
id: rules
uses: notiz-dev/github-action-json-property@release
with:
path: 'output.json'
path: 'ctf.json'
prop_path: 'rules'
- name: Get product attribute
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
id: product
uses: notiz-dev/github-action-json-property@release
with:
path: 'output.json'
path: 'ctf.json'
prop_path: 'product'
- name: Get bash attribute
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
id: bash
uses: notiz-dev/github-action-json-property@release
with:
path: 'output.json'
path: 'ctf.json'
prop_path: 'bash'
- name: Get ansible attribute
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
id: ansible
uses: notiz-dev/github-action-json-property@release
with:
path: 'output.json'
path: 'ctf.json'
prop_path: 'ansible'
- uses: actions/download-artifact@v2
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
with:
name: ssg-${{steps.product.outputs.prop}}-ds.xml
- name: Run tests in a container - Bash
if: ${{steps.bash.outputs.prop == 'True' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
if: ${{steps.bash.outputs.prop == 'True'}}
run: tests/test_rule_in_container.sh --dontclean --logdir logs_bash --remediate-using bash --name ssg_test_suite --datastream ssg-${{steps.product.outputs.prop}}-ds.xml ${{join(steps.rules.outputs.prop)}}
env:
ADDITIONAL_SSGTS_OPTIONS: "--duplicate-templates --add-product-to-fips-certified fedora"
- name: Check for ERROR in logs
if: ${{steps.bash.outputs.prop == 'True' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
if: ${{steps.bash.outputs.prop == 'True'}}
run: grep -q "^ERROR" logs_bash/test_suite.log
id: check_results_bash
# when grep returns 1 means it didn't find the ^ERROR string in the test_suite.log file
Expand All @@ -137,34 +111,33 @@ jobs:
# See the step below
continue-on-error: true
- name: Upload logs in case of failure
if: ${{steps.bash.outputs.prop == 'True' && steps.check_results_bash.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
if: ${{steps.bash.outputs.prop == 'True' && steps.check_results_bash.outcome == 'success'}}
uses: actions/upload-artifact@v2
with:
name: logs_bash
path: logs_bash/
- name: Run tests in a container - Ansible
if: ${{ steps.ansible.outputs.prop == 'True' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
if: ${{ steps.ansible.outputs.prop == 'True'}}
run: tests/test_rule_in_container.sh --dontclean --logdir logs_ansible --remediate-using ansible --name ssg_test_suite --datastream ssg-${{steps.product.outputs.prop}}-ds.xml ${{join(steps.rules.outputs.prop)}}
env:
ADDITIONAL_SSGTS_OPTIONS: "--duplicate-templates --add-product-to-fips-certified fedora"
- name: Check for ERROR in logs
if: ${{steps.ansible.outputs.prop == 'True' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
if: ${{steps.ansible.outputs.prop == 'True'}}
run: grep -q "^ERROR" logs_ansible/test_suite.log
id: check_results_ansible
continue-on-error: true
- name: Upload logs in case of failure
if: ${{ steps.ansible.outputs.prop == 'True' && steps.check_results_ansible.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
if: ${{ steps.ansible.outputs.prop == 'True' && steps.check_results_ansible.outcome == 'success'}}
uses: actions/upload-artifact@v2
with:
name: logs_ansible
path: logs_ansible/
- name: Delete datastream artifact
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
uses: geekyeggo/delete-artifact@v1
with:
name: ssg-${{steps.product.outputs.prop}}-ds.xml
- name: Fail in case of ERROR present in logs_bash/test_suite.log or logs_ansible/test_suite.log
if: ${{ (steps.check_results_bash.outcome == 'success' || steps.check_results_ansible.outcome == 'success') && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
if: ${{ (steps.check_results_bash.outcome == 'success' || steps.check_results_ansible.outcome == 'success')}}
run: |
[[ -f logs_bash/test_suite.log ]] && echo "---------Bash Remediation Logs---------" && cat logs_bash/test_suite.log | grep -v "DEBUG - "
[[ -f logs_ansible/test_suite.log ]] && echo "---------Ansible Remediation Logs---------" && cat logs_ansible/test_suite.log | grep -v "DEBUG - "
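Review bot: `actions/download-artifact@v2` in the new `Get cached CTF output` step only sees artifacts uploaded by the workflow run it executes in, and under `workflow_run` this job is a separate run from the CTF run that uploaded `ctf.json`, so the download is expected to fail in both jobs; fetching from the triggering run needs the Actions artifacts API keyed on `${{ github.event.workflow_run.id }}` (or an action that wraps it). The same change carries a security consequence: `ctf.json` is produced by an unprivileged `pull_request` run of the PR head, and its `product`, `rules`, `bash` and `ansible` values are expanded straight into `run:` lines of a job that now runs with the default-branch token, so the artifact has to be treated as attacker-influenced — pass the values through `env:` rather than `${{ }}` inside the script, and check `product` against the product directories that actually exist before invoking `./build_product`. Note also that the `Checkout` step in `build-content` has no `ref`, so under `workflow_run` it builds the default branch rather than the PR's content, which is probably not what the test suite is meant to exercise. The `validate-ubuntu` job continues past the last hunk shown here.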
Expand Up @@ -56,4 +56,4 @@ template:
missing_parameter_pass: 'true'
parameter: StrictModes
rule_id: sshd_enable_strictmodes
value: 'yes'
value: 'no'