feat: support Kubernetes and Azure Container Apps, always deploy all …

…challenges

Signed-off-by: Tom Plant <[email protected]>

.github/challenge-template.jinja2

@@ -1,22 +1,10 @@
-version: "0.1"
 name: {{ name }}
-category: {{ category }}
 author: {{ author }}
-description: |
+category: {{ category }}
+description: >-
   {{ description | indent(width=2) }}
-
-{% if files != '*No response*' %}
-{% set filelist = files.split(',') %}
-files:
-  - {{ filelist | join('\n  - ') }}
-{% endif %}
-
-flags:
-  - type: static
-    content: {{ flag }}
-    data: case_insensitive
-
 type: dynamic
+
 extra:
   initial: 500
   decay: 4
@@ -26,4 +14,17 @@ extra:
 {% if image != '*No response*' %}
 image: {{ image }}
 protocol: {{ 'https' if category == 'web' else 'tcp' }}
+
 {% endif %}
+flags:
+- type: static
+  data: case_insensitive
+  content: {{ flag }}
+
+{% if files != '*No response*' %}
+{% set filelist = files.split(',') %}
+files:
+  - {{ filelist | join('\n  - ') }}
+
+{% endif %}
+version: "0.1"

.github/renovate.json

@@ -1,16 +1,14 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
-    "config:base",
-    ":disableRateLimiting"
+    "config:best-practices"
   ],
   "additionalBranchPrefix": "{{parentDir}}-",
-  "rangeStrategy": "pin",
   "ignoreTests": true,
   "packageRules": [
     {
       "matchManagers": ["github-actions"],
-      "matchUpdateTypes": ["minor", "patch"],
+      "matchUpdateTypes": ["minor", "patch", "pin", "digest"],
       "matchCurrentVersion": "!/^0/",
       "automerge": true
     }

.github/workflows/create-challenge.yml

@@ -1,22 +1,24 @@
-name: Create challenge from issue
+name: Create challenge from issue form
 
 on:
   issues:
     types:
       - opened
 
 jobs:
-  process:
+  main:
     runs-on: ubuntu-latest
     permissions:
       pull-requests: write
       contents: write
       issues: write
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
       - uses: actions/[email protected]
         with:
           python-version: 3.x
+          cache: pip
 
       - uses: zentered/[email protected]
         id: form
@@ -54,7 +56,6 @@ jobs:
           jinja2 .github/challenge-template.jinja2 data.json \
           --outfile "${{ steps.chal.outputs.directory }}/challenge.yml" \
           -D name="${{ github.event.issue.title }}"
-
           rm data.json
 
       - uses: peter-evans/[email protected]

.github/workflows/deploy-challenges.yml

@@ -4,66 +4,32 @@ on:
   push:
     branches:
       - main
-    paths:
-      - "**/challenge.yml"
+    paths-ignore:
+      - .*/**
+      - .*
+      - LICENSE.txt
+      - README.md
+      - pages/**
   workflow_dispatch:
-    filter:
-      type: string
-      description: Glob pattern for target challenges
-      required: true
-      default: '**/challenge.yml'
 
 jobs:
-  get-chals:
+  main:
     runs-on: ubuntu-latest
     permissions:
       contents: read
-    outputs:
-      challenges: ${{ github.event_name == 'workflow_dispatch' && inputs.filter || steps.changed-files.outputs.all_changed_and_modified_files }}
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-        with:
-          fetch-depth: 0
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/[email protected]
-        with:
-          files: "**/challenge.yml"
-
-  deploy:
-    needs: get-chals
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-
-    steps:
-      # https://github.com/actions/checkout/issues/165#issuecomment-1639209867
+      # pending https://github.com/nschloe/action-cached-lfs-checkout/pull/34
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-
-      - name: Create LFS file list
-        run: git lfs ls-files --long | cut -d ' ' -f1 | sort > .lfs-assets-id
-
-      - name: Restore LFS cache
-        uses: actions/[email protected]
-        with:
-          path: .git/lfs/objects
-          key: ${{ runner.os }}-lfs-${{ hashFiles('.lfs-assets-id') }}
-          restore-keys: |
-            ${{ runner.os }}-lfs-
-
-      - run: git lfs pull
+        uses: connorjclark/action-cached-lfs-checkout@main-1
 
       - uses: actions/[email protected]
         with:
           python-version: 3.x
+          cache: pip
 
       - name: Setup ctfcli
-        run: pip install ctfcli==0.1.0
-
-      - name: Load CTFd credentials
         run: |
+          pip install ctfcli==0.1.2
           mkdir .ctf
           cat <<EOF > .ctf/config
           [config]
@@ -79,6 +45,6 @@ jobs:
       - name: Deploy challenges
         run: |
           shopt -s globstar
-          for chal in ${{ needs.get-chals.outputs.challenges }}; do
-            ctf challenge install $chal --force
+          for chal in **/challenge.yml; do
+            ctf challenge install $(dirname $chal) --force
           done

.github/workflows/deploy-containers-azure.yml

@@ -0,0 +1,96 @@
+name: Deploy containers to Azure
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - pwn/**
+      - web/**
+  workflow_dispatch:
+
+jobs:
+  main:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - uses: actions/[email protected]
+        with:
+          python-version: 3.x
+          cache: pip
+
+      - name: Setup ctfcli
+        run: |
+          pip install ctfcli==0.1.2
+          ctf plugins install https://github.com/pl4nty/ctfcli-deploy-azure.git
+
+          mkdir .ctf
+          cat <<EOF > .ctf/config
+          [config]
+          url = https://${{ vars.CTFD_DOMAIN }}
+          access_token = ${{ secrets.CTFD_TOKEN }}
+
+          [cookies]
+          site_password = ${{ secrets.CTFD_SITE_PASSWORD }}
+
+          [challenges]
+          EOF
+
+      # azure-identity doesn't support GitHub WIF
+      - uses: azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1
+        with:
+          tenant-id: ${{ vars.AZURE_TENANT_ID }}
+          client-id: ${{ vars.AZURE_CLIENT_ID }}
+          allow-no-subscriptions: true
+
+      - name: Setup Azure Container Registry
+        run: az acr login --name $REGISTRY
+        env:
+          REGISTRY: ${{ vars.REGISTRY }}
+
+      # TODO add buildx support to ctfcli
+      # https://github.com/jpribyl/action-docker-layer-caching/issues/38
+      - name: Setup Docker cache
+        uses: jpribyl/[email protected]
+        with:
+          key: docker-layer-cache-{hash}
+          restore-keys: |
+            docker-layer-cache-
+            layer-docker-layer-cache-
+
+      # ignore errors in case a challenge isn't deployable
+      - name: Deploy containers
+        run: |
+          shopt -s extglob
+          for chal in ?(pwn|web)/*/; do
+            ctf challenge deploy $chal --skip-login --host "azure://management.azure.com$AZURE_CONTAINER_ENV?registry=$REGISTRY&identity=$AZURE_CONTAINER_IDENTITY&suffix=$AZURE_CONTAINER_SUFFIX" || true
+          done
+        env:
+          REGISTRY: ${{ vars.REGISTRY }}
+          AZURE_CONTAINER_ENV: ${{ vars.AZURE_CONTAINER_ENV }}
+          AZURE_CONTAINER_IDENTITY: ${{ vars.AZURE_CONTAINER_IDENTITY }}
+          AZURE_CONTAINER_SUFFIX: ${{ vars.AZURE_CONTAINER_SUFFIX }}
+
+      - name: Setup GitHub container registry
+        uses: docker/[email protected]
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ github.token }}
+
+      - name: Push container images to GitHub
+        run: |-
+          images=$(docker images $REGISTRY/*:latest --format "{{.Repository}}")
+          for image in $images; do
+            lowercase=${GITHUB_REPOSITORY_OWNER,,}
+            newtag=${image//$REGISTRY/ghcr\.io\/$lowercase}:latest
+            docker tag $image:latest $newtag
+            docker push $newtag
+          done
+        env:
+          REGISTRY: ${{ vars.REGISTRY }}

.github/workflows/deploy-containers-ctfd.yml

@@ -0,0 +1,77 @@
+name: Deploy containers to Hosted CTFd
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - pwn/**
+      - web/**
+  workflow_dispatch:
+
+jobs:
+  main:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - uses: actions/[email protected]
+        with:
+          python-version: 3.x
+          cache: pip
+
+      - name: Setup ctfcli
+        run: |
+          pip install ctfcli==0.1.2
+
+          mkdir .ctf
+          cat <<EOF > .ctf/config
+          [config]
+          url = https://${{ vars.CTFD_DOMAIN }}
+          access_token = ${{ secrets.CTFD_TOKEN }}
+
+          [cookies]
+          site_password = ${{ secrets.CTFD_SITE_PASSWORD }}
+
+          [challenges]
+          EOF
+
+      # TODO add buildx support to ctfcli
+      # https://github.com/jpribyl/action-docker-layer-caching/issues/38
+      - name: Setup Docker cache
+        uses: jpribyl/[email protected]
+        with:
+          key: docker-layer-cache-{hash}
+          restore-keys: |
+            docker-layer-cache-
+            layer-docker-layer-cache-
+
+      # ignore errors in case a challenge isn't deployable
+      - name: Deploy containers
+        run: |
+          shopt -s extglob
+          for chal in ?(pwn|web)/*/; do
+            ctf challenge deploy $chal || true
+          done
+
+      - name: Setup GitHub container registry
+        uses: docker/[email protected]
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ github.token }}
+
+      - name: Push container images to GitHub
+        run: |-
+          images=$(docker images $REGISTRY/*:latest --format "{{.Repository}}")
+          for image in $images; do
+            lowercase=${GITHUB_REPOSITORY_OWNER,,}
+            newtag=${image//$REGISTRY/ghcr\.io\/$lowercase}:latest
+            docker tag $image:latest $newtag
+            docker push $newtag
+          done
+        env:
+          REGISTRY: ${{ vars.REGISTRY }}