PRO security isolation: apt_news #2852
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: CI (integration) | |
on: | |
pull_request: | |
# Cancel any in-progress job or run | |
concurrency: | |
group: 'ci-${{ github.workflow }}-${{ github.ref }}' | |
cancel-in-progress: true | |
defaults: | |
run: | |
shell: sh -ex {0} | |
jobs: | |
check-secrets: | |
name: Check secrets | |
uses: ./.github/workflows/check-secrets-available.yaml | |
secrets: | |
SECRET_TO_CHECK: '${{ secrets.PYCLOUDLIB_CONFIG_CONTENTS }}' | |
package-builds: | |
name: Packaging | |
needs: check-secrets | |
if: ${{ needs.check-secrets.outputs.has-secrets == 'true' }} | |
runs-on: ubuntu-22.04 | |
strategy: | |
matrix: | |
release: ['xenial', 'bionic', 'focal', 'jammy', 'lunar', 'mantic'] | |
steps: | |
- name: Prepare build tools | |
env: | |
DEBFULLNAME: GitHub CI Auto Builder | |
DEBEMAIL: [email protected] | |
run: | | |
sudo DEBIAN_FRONTEND=noninteractive apt-get -qy update | |
sudo DEBIAN_FRONTEND=noninteractive apt-get -qy install --no-install-recommends sbuild schroot ubuntu-dev-tools debootstrap git-buildpackage | |
sudo sbuild-adduser $USER | |
cp /usr/share/doc/sbuild/examples/example.sbuildrc /home/$USER/.sbuildrc | |
- name: Git checkout | |
uses: actions/checkout@v3 | |
- name: Build package | |
env: | |
DEBFULLNAME: GitHub CI Auto Builder | |
DEBEMAIL: [email protected] | |
run: | | |
gbp dch --ignore-branch --snapshot --distribution=${{ matrix.release }} | |
dch --local=~${{ matrix.release }} "" | |
sg sbuild -c "mk-sbuild --skip-proposed ${{ matrix.release }}" | |
sg sbuild -c "sbuild --dist='${{ matrix.release }}' --resolve-alternatives --no-clean-source --nolog --verbose --no-run-lintian --build-dir='${{ runner.temp }}'" | |
mv ../*.deb '${{ runner.temp }}' # Workaround for Debbug: #990734, drop in Jammy | |
- name: Archive debs as artifacts | |
uses: actions/upload-artifact@v3 | |
with: | |
name: 'ci-debs-${{ matrix.release }}' | |
path: '${{ runner.temp }}/*.deb' | |
retention-days: 3 | |
integration-tests: | |
name: Integration | |
needs: package-builds | |
runs-on: ${{ matrix.host_os }} | |
strategy: | |
# Disable fail-fast as these jobs are slow, so we want to extract | |
# as much information as possible from them. | |
fail-fast: false | |
matrix: | |
release: ['bionic', 'focal', 'jammy', 'lunar'] | |
platform: ['lxd-container'] | |
host_os: ['ubuntu-22.04'] | |
include: | |
# xenial lxd containers dont work on hosts >20.04 | |
- release: xenial | |
platform: lxd-container | |
host_os: ubuntu-20.04 | |
- release: bionic | |
platform: aws.pro | |
host_os: ubuntu-22.04 | |
- release: bionic | |
platform: gcp.pro | |
host_os: ubuntu-22.04 | |
- release: bionic | |
platform: aws.pro-fips | |
host_os: ubuntu-22.04 | |
steps: | |
- name: Prepare test tools | |
run: | | |
sudo DEBIAN_FRONTEND=noninteractive apt-get -qy update | |
sudo DEBIAN_FRONTEND=noninteractive apt-get -qy install tox distro-info | |
sudo adduser $USER lxd | |
# Jammy GH Action runners have docker installed, which edits iptables | |
# in a way that is incompatible with lxd. | |
# https://linuxcontainers.org/lxd/docs/master/howto/network_bridge_firewalld/#prevent-issues-with-lxd-and-docker | |
sudo iptables -I DOCKER-USER -j ACCEPT | |
- name: Refresh LXD | |
if: matrix.platform == 'lxd-container' || matrix.platform == 'lxd-vm' | |
run: sudo snap refresh --channel latest/stable lxd | |
- name: Initialize LXD | |
if: matrix.platform == 'lxd-container' || matrix.platform == 'lxd-vm' | |
run: sudo lxd init --auto | |
- name: Git checkout | |
uses: actions/checkout@v3 | |
- name: Retrieve debs | |
uses: actions/download-artifact@v3 | |
with: | |
name: 'ci-debs-${{ matrix.release }}' | |
path: '${{ runner.temp }}' | |
- name: Canonicalize deb filenames | |
working-directory: '${{ runner.temp }}' | |
run: | | |
ln -s ubuntu-advantage-tools*.deb ubuntu-advantage-tools-${{ matrix.release }}.deb | |
ln -s ubuntu-advantage-pro*.deb ubuntu-advantage-pro-${{ matrix.release }}.deb | |
- name: Behave | |
env: | |
PYCLOUDLIB_CONFIG_CONTENTS: '${{ secrets.PYCLOUDLIB_CONFIG_CONTENTS }}' | |
GOOGLE_APPLICATION_CREDENTIALS_CONTENTS: '${{ secrets.GOOGLE_APPLICATION_CREDENTIALS_CONTENTS }}' | |
SSH_PRIVATE_KEY: '${{ secrets.SSH_PRIVATE_KEY }}' | |
SSH_PUBLIC_KEY: '${{ secrets.SSH_PUBLIC_KEY }}' | |
UACLIENT_BEHAVE_DEBS_PATH: '${{ runner.temp }}' | |
UACLIENT_BEHAVE_ARTIFACT_DIR: '${{ runner.temp }}/artifacts/behave-${{ matrix.platform }}-${{ matrix.release }}' | |
UACLIENT_BEHAVE_SNAPSHOT_STRATEGY: '1' | |
UACLIENT_BEHAVE_INSTALL_FROM: 'prebuilt' | |
UACLIENT_BEHAVE_CONTRACT_TOKEN: '${{ secrets.UACLIENT_BEHAVE_CONTRACT_TOKEN }}' | |
UACLIENT_BEHAVE_CONTRACT_TOKEN_STAGING: '${{ secrets.UACLIENT_BEHAVE_CONTRACT_TOKEN_STAGING }}' | |
UACLIENT_BEHAVE_CONTRACT_TOKEN_STAGING_EXPIRED: '${{ secrets.UACLIENT_BEHAVE_CONTRACT_TOKEN_STAGING_EXPIRED }}' | |
UACLIENT_BEHAVE_LANDSCAPE_REGISTRATION_KEY: '${{ secrets.UACLIENT_BEHAVE_LANDSCAPE_REGISTRATION_KEY }}' | |
UACLIENT_BEHAVE_LANDSCAPE_API_ACCESS_KEY: '${{ secrets.UACLIENT_BEHAVE_LANDSCAPE_API_ACCESS_KEY }}' | |
UACLIENT_BEHAVE_LANDSCAPE_API_SECRET_KEY: '${{ secrets.UACLIENT_BEHAVE_LANDSCAPE_API_SECRET_KEY }}' | |
run: | | |
PYCLOUDLIB_CONFIG="$(mktemp --tmpdir="${{ runner.temp }}" pycloudlib.toml.XXXXXXXXXX)" | |
GCE_CREDENTIALS_PATH="$(mktemp --tmpdir="${{ runner.temp }}" gcloud.json.XXXXXXXXXX)" | |
export PYCLOUDLIB_CONFIG | |
export GCE_CREDENTIALS_PATH | |
# Dump secrets using a subshell to avoid leaks due to xtrace. | |
# Use printf as dash's echo always interpretes control sequences (e.g. \n). | |
sh -c 'printf "%s\n" "$PYCLOUDLIB_CONFIG_CONTENTS" > "$PYCLOUDLIB_CONFIG"' | |
sh -c 'printf "%s\n" "$GOOGLE_APPLICATION_CREDENTIALS_CONTENTS" > "$GCE_CREDENTIALS_PATH"' | |
# SSH keys (should match what specified in pycloudlib.toml) | |
mkdir -p ~/.ssh | |
touch ~/.ssh/cloudinit_id_rsa | |
chmod 600 ~/.ssh/cloudinit_id_rsa | |
sh -c 'printf "%s\n" "$SSH_PRIVATE_KEY" > ~/.ssh/cloudinit_id_rsa' | |
sh -c 'printf "%s\n" "$SSH_PUBLIC_KEY" > ~/.ssh/cloudinit_id_rsa.pub' | |
sg lxd -c "tox -e behave -- -D machine_types=${{ matrix.platform }} -D releases=${{ matrix.release }} --tags=-slow --tags=-upgrade" | |
- name: Archive test artifacts | |
if: always() | |
uses: actions/upload-artifact@v3 | |
with: | |
name: 'ci-behave-${{ matrix.release }}' | |
path: '${{ runner.temp }}/artifacts/behave*' | |
retention-days: 7 |