Update docs for cis hardening #3717
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Integration Tests | |
on: | |
push: | |
paths-ignore: | |
- 'docs/**' | |
branches: | |
- main | |
- autoupdate/strict | |
- autoupdate/moonray | |
- 'release-[0-9]+.[0-9]+' | |
- 'autoupdate/release-[0-9]+.[0-9]+-strict' | |
- 'autoupdate/sync/**' | |
pull_request: | |
paths-ignore: | |
- 'docs/**' | |
permissions: | |
contents: read | |
jobs: | |
build: | |
name: Build | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@v2 | |
with: | |
egress-policy: audit | |
- name: Checking out repo | |
uses: actions/checkout@v4 | |
- name: Install lxd | |
run: | | |
sudo snap refresh lxd --channel 5.21/stable | |
sudo lxd init --auto | |
sudo usermod --append --groups lxd $USER | |
sg lxd -c 'lxc version' | |
- name: Install snapcraft | |
run: | | |
sudo snap install snapcraft --classic | |
- name: Build snap | |
run: | | |
sg lxd -c 'snapcraft --use-lxd' | |
mv k8s_*.snap k8s.snap | |
- name: Uploading snap | |
uses: actions/upload-artifact@v4 | |
with: | |
name: k8s.snap | |
path: k8s.snap | |
test-branches: | |
name: Test Branch Management | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Setup Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: '3.8' | |
- name: Install tox | |
run: pip install tox | |
- name: Run branch_management tests | |
run: | | |
tox -c tests/branch_management -e test | |
test-integration: | |
name: Test ${{ matrix.os }} | |
strategy: | |
fail-fast: false | |
matrix: | |
os: ["ubuntu:20.04", "ubuntu:22.04", "ubuntu:24.04"] | |
runs-on: ["self-hosted", "Linux", "AMD64", "jammy", "large"] | |
needs: build | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
- name: Setup Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: '3.10' | |
- name: Install tox | |
run: pip install tox | |
- name: Install lxd | |
run: | | |
sudo snap refresh lxd --channel 5.21/stable | |
sudo lxd init --auto | |
sudo usermod --append --groups lxd $USER | |
sg lxd -c 'lxc version' | |
sudo iptables -I DOCKER-USER -i lxdbr0 -j ACCEPT | |
sudo iptables -I DOCKER-USER -o lxdbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |
- name: Download snap | |
uses: actions/download-artifact@v4 | |
with: | |
name: k8s.snap | |
path: ${{ github.workspace }}/build | |
- name: Run end to end tests | |
env: | |
TEST_SNAP: ${{ github.workspace }}/build/k8s.snap | |
TEST_SUBSTRATE: lxd | |
TEST_LXD_IMAGE: ${{ matrix.os }} | |
TEST_INSPECTION_REPORTS_DIR: ${{ github.workspace }}/inspection-reports | |
# Test the latest (up to) 6 releases for the flavour | |
# TODO(ben): upgrade nightly to run all flavours | |
TEST_VERSION_UPGRADE_CHANNELS: "recent 6 classic" | |
# Upgrading from 1.30 is not supported. | |
TEST_VERSION_UPGRADE_MIN_RELEASE: "1.31" | |
TEST_MIRROR_LIST: '[{"name": "ghcr.io", "port": 5000, "remote": "https://ghcr.io", "username": "${{ github.actor }}", "password": "${{ secrets.GITHUB_TOKEN }}"}, {"name": "docker.io", "port": 5001, "remote": "https://registry-1.docker.io", "username": "", "password": ""}]' | |
run: | | |
cd tests/integration && sg lxd -c 'tox -e integration' | |
- name: Prepare inspection reports | |
if: failure() | |
run: | | |
tar -czvf inspection-reports.tar.gz -C ${{ github.workspace }} inspection-reports | |
echo "artifact_name=inspection-reports-${{ matrix.os }}" | sed 's/:/-/g' >> $GITHUB_ENV | |
- name: Upload inspection report artifact | |
if: failure() | |
uses: actions/upload-artifact@v4 | |
with: | |
name: ${{ env.artifact_name }} | |
path: ${{ github.workspace }}/inspection-reports.tar.gz | |
security-scan: | |
permissions: | |
contents: read # for actions/checkout to fetch code | |
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | |
name: Security scan | |
runs-on: ubuntu-20.04 | |
needs: build | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@v2 | |
with: | |
egress-policy: audit | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v3 | |
with: | |
# We run into rate limiting issues if we don't authenticate | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Checking out repo | |
uses: actions/checkout@v4 | |
- name: Fetch snap | |
uses: actions/download-artifact@v4 | |
with: | |
name: k8s.snap | |
path: build | |
- name: Setup Trivy vulnerability scanner | |
run: | | |
mkdir -p manual-trivy/sarifs | |
pushd manual-trivy | |
VER=$(curl --silent -qI https://github.com/aquasecurity/trivy/releases/latest | awk -F '/' '/^location/ {print substr($NF, 1, length($NF)-1)}'); | |
wget https://github.com/aquasecurity/trivy/releases/download/${VER}/trivy_${VER#v}_Linux-64bit.tar.gz | |
tar -zxvf ./trivy_${VER#v}_Linux-64bit.tar.gz | |
popd | |
- name: Run Trivy vulnerability scanner in repo mode | |
uses: aquasecurity/trivy-action@master | |
with: | |
scan-type: "fs" | |
ignore-unfixed: true | |
format: "sarif" | |
output: "trivy-k8s-repo-scan--results.sarif" | |
severity: "MEDIUM,HIGH,CRITICAL" | |
env: | |
TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db" | |
- name: Gather Trivy repo scan results | |
run: | | |
cp trivy-k8s-repo-scan--results.sarif ./manual-trivy/sarifs/ | |
- name: Run Trivy vulnerability scanner on the snap | |
run: | | |
for var in $(env | grep -o '^TRIVY_[^=]*'); do | |
unset "$var" | |
done | |
cp build/k8s.snap . | |
unsquashfs k8s.snap | |
./manual-trivy/trivy --db-repository public.ecr.aws/aquasecurity/trivy-db rootfs ./squashfs-root/ --format sarif > ./manual-trivy/sarifs/snap.sarif | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: "./manual-trivy/sarifs" |