devsec.nginx_hardening #482
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: "devsec.nginx_hardening" | |
on: # yamllint disable-line rule:truthy | |
workflow_dispatch: | |
push: | |
branches: [master] | |
paths: | |
- 'roles/nginx_hardening/**' | |
- 'molecule/nginx_hardening/**' | |
- '.github/workflows/nginx_hardening.yml' | |
- 'requirements.txt' | |
pull_request: | |
branches: [master] | |
paths: | |
- 'roles/nginx_hardening/**' | |
- 'molecule/nginx_hardening/**' | |
- '.github/workflows/nginx_hardening.yml' | |
- 'requirements.txt' | |
schedule: | |
- cron: '0 6 * * 1' | |
concurrency: | |
group: >- | |
${{ github.workflow }}-${{ | |
github.event.pull_request.number || github.sha | |
}} | |
cancel-in-progress: true | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
env: | |
PY_COLORS: 1 | |
ANSIBLE_FORCE_COLOR: 1 | |
strategy: | |
fail-fast: false | |
matrix: | |
molecule_distro: | |
- centosstream9 | |
- rocky8 | |
- rocky9 | |
- ubuntu2004 | |
- ubuntu2204 | |
- ubuntu2404 | |
- debian11 | |
- debian12 | |
- amazon2023 | |
# - arch # needs to be fixed | |
# - opensuse_tumbleweed # needs to be fixed | |
# - fedora # no support from geerlingguy role | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 | |
with: | |
path: ansible_collections/devsec/hardening | |
submodules: true | |
- name: Set up Python | |
uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5 | |
with: | |
python-version: 3.12 | |
- name: Install dependencies | |
run: | | |
sudo apt install git | |
python -m pip install --no-cache-dir --upgrade pip | |
pip install -r requirements.txt | |
working-directory: ansible_collections/devsec/hardening | |
- name: Downgrade Ansible for Rocky 8 tests | |
run: | | |
pip install "ansible-core<2.17" | |
working-directory: ansible_collections/devsec/hardening | |
if: matrix.molecule_distro == 'rocky8' | |
# Molecule has problems detecting the proper location for installing roles | |
# https://github.com/ansible/molecule/issues/3806 | |
# we do not set a custom role path, but the automatically determined install path used is not compatible with the location molecule expects the role | |
# see CI logs of this action "INFO Set ANSIBLE_ROLES_PATH" should not be present, since we do not set a custom path | |
# we have to find a proper way to configure this | |
- name: Temporary fix for roles | |
run: | | |
mkdir -p /home/runner/.ansible | |
ln -s /home/runner/work/ansible-collection-hardening/ansible-collection-hardening/ansible_collections/devsec/hardening/roles \ | |
/home/runner/.ansible/roles | |
- name: Test with molecule | |
run: | | |
molecule --version | |
molecule test -s nginx_hardening | |
env: | |
MOLECULE_DISTRO: ${{ matrix.molecule_distro }} | |
working-directory: ansible_collections/devsec/hardening |