qemu: pin qemu_revision to a specific tag, not branch #463
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
push: | |
branches: | |
- 'master' | |
tags: | |
- '*' | |
paths-ignore: | |
- '**/README.md' | |
- '.github/RELEASE.md' | |
pull_request: | |
paths-ignore: | |
- '**/README.md' | |
- '.github/RELEASE.md' | |
env: | |
image_name: intellabs/kafl | |
jobs: | |
ansible-lint: | |
runs-on: ubuntu-20.04 | |
steps: | |
- uses: actions/checkout@v3 | |
- uses: actions/setup-python@v4 | |
with: | |
python-version: '3.9' | |
- name: Setup ansible venv | |
working-directory: deploy | |
run: | | |
make venv | |
- name: Install ansible-lint | |
working-directory: deploy | |
run: | | |
./venv/bin/pip install wheel | |
./venv/bin/pip install ansible-lint==6.16.0 | |
# ignore 'meta-no-info', since we don't need to publish our roles to Ansible Galaxy | |
- name: Run ansible-lint | |
working-directory: deploy | |
run: | | |
./venv/bin/ansible-lint -x 'meta-no-info' -x galaxy -x 'yaml[octal-values]' -x no-changed-when -x risky-file-permissions --exclude venv | |
check-mode: | |
runs-on: ubuntu-20.04 | |
steps: | |
- uses: actions/checkout@v3 | |
- uses: actions/setup-python@v4 | |
with: | |
python-version: '3.9' | |
- name: Run deployment in check mode (dry-run) | |
run: make deploy -- --check | |
local: | |
strategy: | |
matrix: | |
os: [ubuntu-20.04, ubuntu-22.04] | |
runs-on: ${{ matrix.os }} | |
steps: | |
- uses: actions/checkout@v3 | |
- uses: actions/setup-python@v4 | |
with: | |
python-version: '3.9' | |
# shallow clone for CI speed | |
- name: Setup ansible extra vars in JSON file | |
run: | | |
echo '{"git_clone_depth": 1}' >> parameters.json | |
working-directory: deploy | |
# skip tags related to non-existent hardware/configuration in the CI runner environment | |
- name: Test userspace deployment | |
run: > | |
make deploy -- | |
--skip-tags "hardware_check,kvm_device" | |
--extra-vars "@parameters.json" | |
remote: | |
runs-on: ubuntu-20.04 | |
services: | |
ssh: | |
image: wenzel/sshd:ubuntu22.04 | |
ports: | |
# open SSH | |
- 5000:22 | |
env: | |
ROOT_PASSWORD: toor | |
steps: | |
- uses: actions/checkout@v3 | |
- uses: actions/setup-python@v4 | |
with: | |
python-version: '3.9' | |
# shallow clone for CI speed | |
- name: Setup ansible extra vars in JSON file | |
run: | | |
echo '{"git_clone_depth": 1}' >> parameters.json | |
working-directory: deploy | |
- name: Setup ansible | |
run: | | |
make venv | |
working-directory: deploy | |
# the service container runs is accessible on 127.0.0.1:5000 | |
- name: Setup inventory | |
run: | | |
venv/bin/python - << '__HERE__' | |
import yaml | |
with open("host_vars/localhost.yml", "w") as f: | |
data = { | |
"ansible_port": 5000, | |
"ansible_user": "root", | |
"ansible_ssh_pass": "toor", | |
"ansible_ssh_common_args": "-o StrictHostKeyChecking=no" | |
} | |
yaml.dump(data, f) | |
__HERE__ | |
working-directory: deploy | |
- name: Install Python3 on service container | |
run: | | |
venv/bin/ansible all -i inventory -m raw -a "apt update" | |
venv/bin/ansible all -i inventory -m raw -a "apt install -y python3" | |
working-directory: deploy | |
- name: Upgrade packages | |
run: venv/bin/ansible all -i inventory -m ansible.builtin.apt -a "upgrade=dist" | |
working-directory: deploy | |
# skip tags related to non-existent hardware/configuration in the CI runner environment | |
- name: Test userspace deployment | |
run: > | |
make deploy -- | |
--skip-tags "hardware_check,kvm_device,update_grub,reboot_kernel" | |
--extra-vars "@parameters.json" | |
docker-image: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
path: kafl | |
- name: Set up Docker Buildx | |
uses: docker/[email protected] | |
- name: Extract metadata (tags, labels) for Docker | |
id: meta | |
uses: docker/[email protected] | |
with: | |
images: ${{ env.image_name }} | |
flavor: | | |
latest=true | |
- name: Build image | |
uses: docker/build-push-action@v3 | |
with: | |
context: kafl/ | |
push: false | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: ${{ steps.meta.outputs.labels }} | |
load: true | |
cache-from: type=gha | |
cache-to: type=gha,mode=max | |
# TODO: refactor in a separate in security.yml workflow | |
- name: Run Snyk to check Docker image for vulnerabilities | |
uses: snyk/actions/docker@master | |
env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
with: | |
command: monitor | |
image: ${{ steps.meta.outputs.tags }} | |
# TODO: this action seems broken | |
# https://github.com/IntelLabs/kAFL/issues/161 | |
continue-on-error: true | |
# - name: Upload result to GitHub Code Scanning | |
# uses: github/codeql-action/upload-sarif@v2 | |
# with: | |
# sarif_file: snyk.sarif | |
- run: mkdir bench-logs | |
- uses: actions/checkout@v3 | |
with: | |
repository: docker/docker-bench-security | |
ref: 5a8d6434e6ebd70cb8bb465fce4ae5ed2a572eac | |
path: bench | |
# build image since dockerhub one is out of date | |
- name: Build Docker Bench for Security image | |
uses: docker/build-push-action@v3 | |
with: | |
context: bench/ | |
push: false | |
tags: docker-bench-security | |
load: true # load build result into docker | |
- name: Run Docker Bench for Security | |
run: > | |
docker run --net host --pid host --userns host --cap-add audit_control | |
-e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST | |
-v /var/lib:/var/lib | |
-v /var/run/docker.sock:/var/run/docker.sock | |
-v /usr/lib/systemd:/usr/lib/systemd | |
-v /etc:/etc --label docker_bench_security | |
-v ${{ github.workspace }}/bench-logs:/usr/local/bin/log | |
docker-bench-security | |
-l log/log_file | |
-c container_images | |
-i intellabs/kafl | |
- uses: actions/upload-artifact@v3 | |
with: | |
name: docker-bench-security | |
path: bench-logs/ | |
push-docker-image: | |
runs-on: ubuntu-latest | |
needs: [docker-image] | |
if: ${{ github.event_name == 'push' }} | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Set up Docker Buildx | |
uses: docker/[email protected] | |
- name: Extract metadata (tags, labels) for Docker | |
id: meta | |
uses: docker/[email protected] | |
with: | |
images: ${{ env.image_name }} | |
flavor: | | |
latest=true | |
- name: Login to Docker Hub | |
uses: docker/login-action@v2 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Build image | |
uses: docker/build-push-action@v3 | |
with: | |
context: . | |
push: true | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: ${{ steps.meta.outputs.labels }} | |
cache-from: type=gha | |
cache-to: type=gha,mode=max | |
- name: Update Docker Hub description | |
uses: Wenzel/dockerhub-description@v3 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
repository: ${{ env.image_name }} | |
readme-filepath: ./.github/DOCKER.md | |
release: | |
# this job makes an official Github release | |
needs: [ansible-lint, check-mode, local, remote, docker-image] | |
runs-on: ubuntu-latest | |
outputs: | |
version: ${{ steps.get_version.outputs.version }} | |
upload_url: ${{ steps.step_upload_url.outputs.upload_url }} | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Get the version | |
id: get_version | |
run: echo "version=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_OUTPUT | |
# only create release if tag start by 'v*' | |
- name: Create a Release | |
id: create_release | |
uses: softprops/action-gh-release@v1 | |
with: | |
tag_name: ${{ steps.get_version.outputs.version }} | |
body_path: ${{ github.workspace }}/.github/RELEASE.md | |
if: startsWith(github.ref, 'refs/tags/v') | |
- id: step_upload_url | |
run: echo "upload_url=${{ steps.create_release.outputs.upload_url }}" >> $GITHUB_OUTPUT |