Disable IMDSv1 #333

Workflow file for this run

.github/workflows/continuous-build.yml at fc23ca5

	name: Continuous Build and Publish
	on:
	push:
	branches:
	- master
	pull_request:
	branches:
	- master
	workflow_dispatch:
	inputs:
	region:
	description: The region to test the daemon binaries in.
	required: true
	default: us-west-2
	permissions:
	id-token: write
	contents: read
	jobs:
	build:
	name: Build on ${{ matrix.os }}
	strategy:
	matrix:
	os:
	- macos-latest
	- ubuntu-latest
	- windows-latest
	runs-on: ${{ matrix.os }}
	steps:
	- name: Checkout Repository
	uses: actions/checkout@v2

	- name: Setup Go
	uses: actions/setup-go@v2
	with:
	go-version: '^1.21.5'

	- uses: actions/cache@v2
	with:
	path: ~/go/pkg/mod
	key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
	restore-keys: \|
	${{ runner.os }}-go-

	- name: Build archives and test
	run: make build test
	env:
	VERSION: 0.${{ github.sha }} # debian package requires version to start with a digit

	- name: Build linux archives
	if: ${{ runner.os == 'Linux' }}
	run: make packaging
	env:
	VERSION: 0.${{ github.sha }} # debian package requires version to start with a digit

	- name: Configure AWS Credentials
	if: ${{ runner.os == 'Linux' && github.event_name == 'push' }}
	uses: aws-actions/configure-aws-credentials@v1
	with:
	role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN_RELEASE }}
	aws-region: us-east-1

	- name: Verify Daemon binary
	if: ${{ runner.os == 'Linux' && github.event_name == 'push' }}
	run: \|
	build/xray-linux-amd64/xray -o -l dev &
	sleep 10
	echo -e '{"format":"json","version":1}\nx' \| nc -w 1 -u 127.0.0.1 2000
	sleep 10
	ProcNumber=$(ps -ef \|grep -w xray\|grep -v grep\|wc -l)
	echo $ProcNumber
	if [[ $ProcNumber == 0 ]]; then
	exit 1
	fi

	- name: Download package signing GPG secret key
	if: ${{ runner.os == 'Linux' && github.event_name == 'push' }}
	run: \|
	aws secretsmanager get-secret-value --region us-east-1 --secret-id "XRayDaemonSecrets" \| jq -r ".SecretString" > aws-xray-secret.gpg
	md5sum aws-xray-secret.gpg

	- name: Import signing GPG key
	if: ${{ runner.os == 'Linux' && github.event_name == 'push' }}
	run: \|
	gpg --import aws-xray-secret.gpg
	gpg --list-keys
	gpg --armor --export -a "[email protected]" > aws-xray-public.gpg
	rpm --import aws-xray-public.gpg
	shred -fuvz aws-xray-secret.gpg
	shred -fuvz aws-xray-public.gpg

	- name: Sign daemon packages
	if: ${{ runner.os == 'Linux' && github.event_name == 'push' }}
	run: ./Tool/src/packaging/sign-packages.sh

	- name: Remove Package Signing GPG Key from local GPG Key Ring
	if: ${{ runner.os == 'Linux' && github.event_name == 'push' }}
	run: \|
	gpg --fingerprint --with-colons [email protected] \| grep -m 1 "fpr" \| sed -n 's/^fpr:::::::::$[[:alnum:]]\+$:/\1/p' \| xargs gpg --batch --yes --delete-secret-keys
	gpg --list-secret-keys

	- name: Upload archives as actions artifact
	if: ${{ runner.os == 'Linux' }}
	uses: actions/upload-artifact@v2
	with:
	name: distributions
	path: build/dist/

	- name: Login to Public ECR
	if: ${{ runner.os == 'Linux' && github.event_name == 'push' }}
	run: aws ecr-public get-login-password \| docker login --username AWS --password-stdin public.ecr.aws

	- name: Login to DockerHub
	if: ${{ runner.os == 'Linux' && github.event_name == 'push' }}
	uses: docker/login-action@v1
	with:
	username: ${{ secrets.DOCKER_USER }}
	password: ${{ secrets.DOCKER_PASS }}

	- name: Set up Docker Buildx
	if: ${{ runner.os == 'Linux' }}
	uses: docker/setup-buildx-action@v1

	- name: Cache Docker layers
	uses: actions/cache@v2
	with:
	path: /tmp/.buildx-cache
	key: ${{ runner.os }}-buildx-${{ github.sha }}
	restore-keys: \|
	${{ runner.os }}-buildx-

	- name: Build docker image for public ECR
	if: ${{ runner.os == 'Linux' }}
	uses: docker/build-push-action@v2
	with:
	context: .
	file: ./Dockerfile
	push: ${{ github.event_name == 'push' }}
	platforms: linux/amd64,linux/arm64
	tags: \|
	public.ecr.aws/xray/aws-xray-daemon:alpha
	cache-from: type=local,src=/tmp/.buildx-cache
	cache-to: type=local,dest=/tmp/.buildx-cache

	- name: Build docker image for DockerHub
	if: ${{ runner.os == 'Linux' }}
	uses: docker/build-push-action@v2
	with:
	context: .
	file: ./Dockerfile.amazonlinux
	push: ${{ github.event_name == 'push' }}
	platforms: linux/amd64,linux/arm64
	tags: \|
	amazon/aws-xray-daemon:alpha
	cache-from: type=local,src=/tmp/.buildx-cache
	cache-to: type=local,dest=/tmp/.buildx-cache

	test:
	name: Integration testing
	if: ${{ github.event_name != 'pull_request' }} #Cannot run integration tests on PR as there is no access to the IAM Role via GH secrets.
	needs: [build]
	runs-on: ubuntu-latest
	strategy:
	fail-fast: false
	matrix:
	testcases:
	- linux_deb
	- linux_rpm
	- linux_zip
	- linux_zip_cn
	- linux_zip_us_gov

	steps:
	- name: Checkout repo
	uses: actions/checkout@v2

	- name: Download build artifacts
	uses: actions/download-artifact@v3
	with:
	name: distributions
	path: distributions

	- name: Display structure of downloaded files
	run: ls -R

	- name: Set up terraform
	uses: hashicorp/setup-terraform@v2

	# workaround for handling input value for auto-triggered workflows
	# https://dev.to/mrmike/github-action-handling-input-default-value-5f2g
	- name: Set AWS region and partition values
	id: setRegion
	run: \|
	if [[ ${{ matrix.testcases }} == "linux_zip_cn" ]]; then
	echo "::set-output name=region::cn-north-1"
	echo "::set-output name=partition::aws-cn"
	elif [[ ${{ matrix.testcases }} == "linux_zip_us_gov" ]]; then
	echo "::set-output name=region::us-gov-west-1"
	echo "::set-output name=partition::aws-us-gov"
	else
	USER_INPUT=${{ github.event.inputs.region }}
	# Use user input region or fall back to "us-west-2"
	REGION=${USER_INPUT:-"us-west-2"}
	echo "::set-output name=region::$REGION"
	echo "::set-output name=partition::aws"
	fi

	- name: Configure AWS Credentials
	if: ${{ steps.setRegion.outputs.partition == 'aws' }}
	uses: aws-actions/configure-aws-credentials@v1
	with:
	role-to-assume: ${{ secrets.TESTING_ROLE_ARN }}
	aws-region: ${{ steps.setRegion.outputs.region }}

	- name: Configure AWS Credentials - China
	if: ${{ steps.setRegion.outputs.partition == 'aws-cn' }}
	uses: aws-actions/configure-aws-credentials@v1
	with:
	role-to-assume: ${{ secrets.TESTING_ROLE_ARN_CN }}
	aws-region: cn-north-1

	- name: Configure AWS Credentials - US Gov
	if: ${{ steps.setRegion.outputs.partition == 'aws-us-gov' }}
	uses: aws-actions/configure-aws-credentials@v1
	with:
	role-to-assume: ${{ secrets.TESTING_ROLE_ARN_US_GOV }}
	aws-region: us-gov-west-1

	- name: Generate trace data
	id: traceData
	run: \|
	sudo chmod +x ./testing/generate_trace_data.sh
	./testing/generate_trace_data.sh

	- name: Run terraform and send trace data
	id: terraformSendData
	run: \|
	cd testing/terraform
	terraform init
	terraform validate
	terraform apply -auto-approve -var-file=./testcases/${{ matrix.testcases }}.tfvars -var=aws_region=${{ steps.setRegion.outputs.region }}

	- name: Validate trace data
	if: steps.terraformSendData.outcome == 'success'
	run: \|
	echo "trace-id: ${{ env.TRACE_ID }}"
	echo "sleeping for 60 seconds"
	for i in {1..60}; do echo 'Sleeping...'$i && sleep 1; done
	var=$(aws xray batch-get-traces --trace-ids ${{ env.TRACE_ID }} --region ${{ steps.setRegion.outputs.region }} \| jq -r '.Traces[0].Id')

	if [[ $var == ${{ env.TRACE_ID }} ]]; then
	echo "Found matching trace."
	else
	echo "Trace not found"
	exit 1
	fi

	- name: Terraform destroy
	if: always()
	run: \|
	cd testing/terraform
	terraform destroy -auto-approve -var=aws_region=${{ steps.setRegion.outputs.region }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Disable IMDSv1 #333

Workflow file

Disable IMDSv1 #333

Jobs

Run details

Workflow file for this run