feat: Implements CIS Benchmark - 2.1.2 Ensure chrony is configured #2
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Run integration tests in Testing Farm | |
on: | |
issue_comment: | |
types: | |
- created | |
permissions: | |
contents: read | |
# This is required for the ability to create/update the Pull request status | |
statuses: write | |
# The concurrency key is used to prevent multiple workflows from running at the same time | |
concurrency: | |
# group name contains reponame-pr_num to allow simualteneous runs in different PRs | |
group: testing-farm-${{ github.event.repository.name }}-${{ github.event.issue.number }} | |
cancel-in-progress: true | |
jobs: | |
prepare_vars: | |
name: Get info from role and PR to determine if and how to test | |
# Let's schedule tests only on user request. NOT automatically. | |
# Only repository owner or member can schedule tests | |
if: | | |
github.event.issue.pull_request | |
&& (contains(github.event.comment.body, '[citest]') || contains(github.event.comment.body, '[citest-all]')) | |
runs-on: ubuntu-latest | |
outputs: | |
supported_platforms: ${{ steps.supported_platforms.outputs.supported_platforms }} | |
head_sha: ${{ steps.head_sha.outputs.head_sha }} | |
datetime: ${{ steps.datetime.outputs.datetime }} | |
memory: ${{ steps.memory.outputs.memory }} | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@v4 | |
- name: Get head sha of the PR | |
id: head_sha | |
run: | | |
head_sha=$(gh api "repos/$REPO/pulls/$PR_NO" --jq '.head.sha') | |
echo "head_sha=$head_sha" >> $GITHUB_OUTPUT | |
env: | |
REPO: ${{ github.repository }} | |
PR_NO: ${{ github.event.issue.number }} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Get cuurent datetime | |
id: datetime | |
run: | | |
printf -v datetime '%(%Y%m%d-%H%M%S)T' -1 | |
echo "datetime=$datetime" >> $GITHUB_OUTPUT | |
- name: Get memory | |
id: memory | |
run: | | |
if [ -d tests/provision.fmf ]; then | |
memory=$(grep -rPo ' m: \K(.*)' tests/provision.fmf) | |
fi | |
if [ -n "$memory" ]; then | |
echo "memory=$memory" >> $GITHUB_OUTPUT | |
else | |
echo "memory=2048" >> $GITHUB_OUTPUT | |
fi | |
- name: Get supported platforms | |
id: supported_platforms | |
run: | | |
supported_platforms="" | |
meta_main=meta/main.yml | |
# All Fedora are supported, add latest Fedora versions to supported_platforms | |
if yq '.galaxy_info.galaxy_tags[]' "$meta_main" | grep -qi fedora$; then | |
supported_platforms+=" Fedora-39" | |
supported_platforms+=" Fedora-40" | |
fi | |
# Specific Fedora versions supported | |
if yq '.galaxy_info.galaxy_tags[]' "$meta_main" | grep -qiP 'fedora\d+$'; then | |
for fedora_ver in $(yq '.galaxy_info.galaxy_tags[]' "$meta_main" | grep -iPo 'fedora\K(\d+$)'); do | |
supported_platforms+=" Fedora-$fedora_ver" | |
done | |
fi | |
if yq '.galaxy_info.galaxy_tags[]' "$meta_main" | grep -qi el7; then | |
supported_platforms+=" CentOS-7-latest" | |
fi | |
for ver in 8 9 10; do | |
if yq '.galaxy_info.galaxy_tags[]' "$meta_main" | grep -qi el"$ver"; then | |
supported_platforms+=" CentOS-Stream-$ver" | |
fi | |
done | |
echo "supported_platforms=$supported_platforms" >> $GITHUB_OUTPUT | |
testing-farm: | |
name: ${{ matrix.platform }}/ansible-${{ matrix.ansible_version }} | |
needs: prepare_vars | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- platform: Fedora-39 | |
ansible_version: 2.17 | |
- platform: Fedora-40 | |
ansible_version: 2.17 | |
- platform: CentOS-7-latest | |
ansible_version: 2.9 | |
- platform: CentOS-Stream-8 | |
ansible_version: 2.9 | |
# On CentOS-Stream-8, latest supported Ansible is 2.16 | |
- platform: CentOS-Stream-8 | |
ansible_version: 2.16 | |
- platform: CentOS-Stream-9 | |
ansible_version: 2.17 | |
- platform: CentOS-Stream-10 | |
ansible_version: 2.17 | |
runs-on: ubuntu-latest | |
env: | |
ARTIFACTS_DIR_NAME: "tf_${{ github.event.repository.name }}-${{ github.event.issue.number }}_\ | |
${{ matrix.platform }}-${{ matrix.ansible_version }}_\ | |
${{ needs.prepare_vars.outputs.datetime }}/artifacts" | |
ARTIFACT_TARGET_DIR: /srv/pub/alt/linuxsystemroles/logs | |
steps: | |
- name: Set commit status as pending | |
if: contains(needs.prepare_vars.outputs.supported_platforms, matrix.platform) | |
uses: myrotvorets/set-commit-status-action@master | |
with: | |
sha: ${{ needs.prepare_vars.outputs.head_sha }} | |
status: pending | |
context: ${{ matrix.platform }}|ansible-${{ matrix.ansible_version }} | |
description: Test started | |
targetUrl: "" | |
- name: Set commit status as success with a description that platform is skipped | |
if: "!contains(needs.prepare_vars.outputs.supported_platforms, matrix.platform)" | |
uses: myrotvorets/set-commit-status-action@master | |
with: | |
sha: ${{ needs.prepare_vars.outputs.head_sha }} | |
status: success | |
context: ${{ matrix.platform }}|ansible-${{ matrix.ansible_version }} | |
description: The role does not support this platform. Skipping. | |
targetUrl: "" | |
- name: Run test in testing farm | |
uses: sclorg/testing-farm-as-github-action@v3 | |
if: contains(needs.prepare_vars.outputs.supported_platforms, matrix.platform) | |
env: | |
ARTIFACTS_DIR: ${{ env.ARTIFACT_TARGET_DIR }}/${{ env.ARTIFACTS_DIR_NAME }} | |
ARTIFACTS_URL: https://dl.fedoraproject.org/pub/alt/linuxsystemroles/logs/${{ env.ARTIFACTS_DIR_NAME }} | |
with: | |
git_url: ${{ github.server_url }}/${{ github.repository }} | |
git_ref: ${{ needs.prepare_vars.outputs.head_sha }} | |
pipeline_settings: '{ "type": "tmt-multihost" }' | |
variables: "ANSIBLE_VER=${{ matrix.ansible_version }};\ | |
REPO_NAME=${{ github.event.repository.name }};\ | |
GITHUB_ORG=linux-system-roles;\ | |
PR_NUM=${{ github.event.issue.number }};\ | |
ARTIFACTS_DIR=${{ env.ARTIFACTS_DIR }};\ | |
ARTIFACTS_URL=${{ env.ARTIFACTS_URL }};\ | |
TEST_LOCAL_CHANGES=false" | |
# Note that LINUXSYSTEMROLES_SSH_KEY must be single-line, TF doesn't read multi-line variables fine. | |
secrets: "LINUXSYSTEMROLES_USER=${{ secrets.LINUXSYSTEMROLES_USER }};\ | |
LINUXSYSTEMROLES_DOMAIN=${{ secrets.LINUXSYSTEMROLES_DOMAIN }};\ | |
LINUXSYSTEMROLES_SSH_KEY=${{ secrets.LINUXSYSTEMROLES_SSH_KEY }}" | |
compose: ${{ matrix.platform }} | |
# There are two blockers for using public ranch: | |
# 1. multihost is not supported in public https://github.com/teemtee/tmt/issues/2620 | |
# 2. Security issue that leaks long secrets - Jira TFT-2698 | |
tf_scope: private | |
api_key: ${{ secrets.TF_API_KEY_RH }} | |
update_pull_request_status: false | |
tmt_hardware: '{ "memory": ">= ${{ needs.prepare_vars.outputs.memory }} MB" }' | |
- name: Set final commit status | |
uses: myrotvorets/set-commit-status-action@master | |
if: always() && contains(needs.prepare_vars.outputs.supported_platforms, matrix.platform) | |
env: | |
ARTIFACTS_URL: https://dl.fedoraproject.org/pub/alt/linuxsystemroles/logs/${{ env.ARTIFACTS_DIR_NAME }} | |
with: | |
sha: ${{ needs.prepare_vars.outputs.head_sha }} | |
status: ${{ job.status }} | |
context: ${{ matrix.platform }}|ansible-${{ matrix.ansible_version }} | |
description: Test finished | |
targetUrl: ${{ env.ARTIFACTS_URL }} |