Skip to content

Harden StdinService configs #1872

Harden StdinService configs

Harden StdinService configs #1872

Workflow file for this run

name: Build installers
on: [push, pull_request]
jobs:
build-test-linux:
runs-on: ubuntu-latest
timeout-minutes: 30
env:
MYSQL_TEST_USER: root
MYSQL_TEST_PASS: root
MYSQL_TEST_ADDR: 127.0.0.1:3306
MYSQL_TEST_E2E_DB: e2e_test_db
steps:
- uses: actions/checkout@v3
- name: Set up MySQL
run: |
sudo /etc/init.d/mysql start
mysql -e 'CREATE DATABASE ${{ env.MYSQL_TEST_E2E_DB }};' -u${{ env.MYSQL_TEST_USER }} -p${{ env.MYSQL_TEST_PASS }}
- uses: actions/setup-go@v3
with:
go-version: '1.22'
- name: Set up Go
run: |
go get -u golang.org/x/lint/golint
go install google.golang.org/protobuf/cmd/[email protected]
go install google.golang.org/grpc/cmd/[email protected]
- uses: actions/setup-python@v4
with:
python-version: '3.11'
- uses: actions/cache@v3
with:
path: ~/.cache/pip
key: ${{ runner.os }}-pip-${{ hashFiles('*_python/**') }}
restore-keys: |
${{ runner.os }}-pip-
- name: Set up Python
run: |
pip install wheel pytest
pip install -e ./fleetspeak_python[test]
pip install -e ./frr_python
- name: Lint
# We want to address all golint warnings, except for
# https://github.com/golang/go/wiki/CodeReviewComments#doc-comments
# TODO(mbushkov): make golint and go vet checks actionable.
run: |
golint ./... | grep -v 'should have comment or be unexported' || true
go vet ./... || true
- name: Check generated protos
run: |
fleetspeak/generate_go_py_protos.sh
if [[ "$(git status --porcelain | grep .pb.go)" != "" ]]; then
echo "At least one generated proto file is not in sync with the committed generated proto files."
echo "Please run \`PATH=~/go/bin:\$PATH fleetspeak/generate_go_py_protos.sh\`."
echo "pip packages:"
pip freeze
echo "git diff:"
git diff
exit 1;
fi;
echo "git status is clean; generated protos are consistent"
- name: Build
run: |
CGO_ENABLED=0 go build ./cmd/...
- name: Test
run: |
fleetspeak/test.sh
- name: Check DEB installation
# Install the built package and check that the fleetspeak-config program
# doesn't error out.
timeout-minutes: 10
run: |
mysql -e 'DROP DATABASE ${{ env.MYSQL_TEST_E2E_DB }}; CREATE DATABASE ${{ env.MYSQL_TEST_E2E_DB }};' -u${{ env.MYSQL_TEST_USER }} -p${{ env.MYSQL_TEST_PASS }}
sudo apt-get update
sudo apt install debhelper devscripts fakeroot libparse-debcontrol-perl
cd fleetspeak
./build-pkgs.sh
# Pass through MySQL config environment variables to sudo.
sudo -E ./test-package.sh ./fleetspeak-server_$(cat ../VERSION)_amd64.deb ./fleetspeak-client_$(cat ../VERSION)_amd64.deb
- name: Build installers
run: |
DEPLOY_PATH=$GITHUB_WORKSPACE/deploy/
mkdir -p $DEPLOY_PATH
cd fleetspeak
cp ./fleetspeak-client_$(cat ../VERSION)_amd64.deb $DEPLOY_PATH
cp ./fleetspeak-server_$(cat ../VERSION)_amd64.deb $DEPLOY_PATH
# pypi doesn't support linux_x86_64, which is the plafrom name targeted by default.
# We generate manylinux1_x86_64 manylinux2010_x86_64 packages, which are supported.
# Create client wheel
dpkg --extract ./fleetspeak-client_$(cat ../VERSION)_amd64.deb client-package-root
python client-wheel/setup.py --package-root=client-package-root --version=$(cat ../VERSION) -- bdist_wheel --platform-name=manylinux1_x86_64
python client-wheel/setup.py --package-root=client-package-root --version=$(cat ../VERSION) -- bdist_wheel --platform-name=manylinux2010_x86_64
# Create server wheel
dpkg --extract ./fleetspeak-server_$(cat ../VERSION)_amd64.deb server-package-root
python server-wheel/setup.py --package-root=server-package-root --version=$(cat ../VERSION) -- bdist_wheel --platform-name=manylinux1_x86_64
python server-wheel/setup.py --package-root=server-package-root --version=$(cat ../VERSION) -- bdist_wheel --platform-name=manylinux2010_x86_64
# Copy wheels
cp dist/*.whl $DEPLOY_PATH
- if: ${{ github.event_name == 'push' }}
name: Upload installers to GitHub artifacts
uses: actions/upload-artifact@v4
with:
name: linux-installers
path: deploy/
retention-days: 1
build-windows:
runs-on: windows-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v3
with:
go-version: '1.22'
- uses: actions/setup-python@v4
with:
python-version: '3.11'
- name: Install dependencies
run: |
powershell Install-WindowsFeature Net-Framework-Core
pip install wheel
- name: Build installers
shell: bash
run: |
go build -v -x -o fleetspeak-client.exe ./cmd/fleetspeak_client/fleetspeak_client.go
cd fleetspeak/client-win
powershell -ExecutionPolicy Bypass -File ./build.ps1
cd ../..
DEPLOY_PATH=$GITHUB_WORKSPACE/deploy/
mkdir -p $DEPLOY_PATH
cp ${TMP}/fleetspeak-build-*/fleetspeak-pkg/fleetspeak-client-*.msi $DEPLOY_PATH
# Build client wheel
mkdir pkg-root
cp fleetspeak-client.exe pkg-root
cp fleetspeak/client-win/fleetspeak_lib.wxs pkg-root
python fleetspeak/client-wheel/setup.py --package-root pkg-root --version=$(cat VERSION) bdist_wheel
cp dist/*.whl $DEPLOY_PATH
ls -la $DEPLOY_PATH
- if: ${{ github.event_name == 'push' }}
name: Upload installers to GitHub artifacts
uses: actions/upload-artifact@v4
with:
name: windows-installers
path: deploy/
retention-days: 1
build-osx:
runs-on: macos-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v3
with:
go-version: '1.22'
- uses: actions/setup-python@v4
with:
python-version: '3.11'
- name: Install dependencies
run: |
pip install wheel
- name: Build installers
run: |
go build -o fleetspeak-client ./cmd/fleetspeak_client/fleetspeak_client.go
DEPLOY_PATH=$GITHUB_WORKSPACE/deploy/
mkdir -p $DEPLOY_PATH
cd fleetspeak/client-mac
./build.sh ../../fleetspeak-client
sudo installer -pkg ./work/fleetspeak-client-*.pkg -target / -verbose
cd ../..
cp ./fleetspeak/client-mac/work/fleetspeak-client-*.pkg $DEPLOY_PATH
# Build client wheel
python fleetspeak/client-wheel/setup.py --package-root=fleetspeak/client-mac/work/pkg_root --version=$(cat VERSION) bdist_wheel
cp dist/*.whl $DEPLOY_PATH
ls -la $DEPLOY_PATH
- if: ${{ github.event_name == 'push' }}
name: Upload installers to GitHub artifacts
uses: actions/upload-artifact@v4
with:
name: osx-installers
path: deploy/
retention-days: 1
test-osx:
runs-on: macos-latest
env:
MYSQL_TEST_USER: root
MYSQL_TEST_ADDR: 127.0.0.1:3306
MYSQL_TEST_E2E_DB: e2e_test_db
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v3
with:
go-version: '1.22'
- uses: actions/setup-python@v4
with:
python-version: '3.11'
- name: Install dependencies
run: |
pip install wheel pytest
- name: Build Python
run: |
pip install -e ./fleetspeak_python[test]
pip install -e ./frr_python
- name: Build Go
run: |
CGO_ENABLED=0 go build ./cmd/...
- uses: ankane/setup-mysql@v1
with:
database: ${{ env.MYSQL_TEST_E2E_DB }}
- name: Test
run: |
cd fleetspeak
./test.sh
test-windows:
runs-on: windows-latest
defaults:
run:
working-directory: ${{ github.workspace }}/src/github.com/google/fleetspeak
steps:
- uses: actions/setup-go@v3
with:
go-version: '1.22'
- uses: actions/checkout@v3
with:
path: ${{ github.workspace }}/src/github.com/google/fleetspeak
- uses: actions/setup-python@v4
with:
python-version: '3.11'
- name: Install dependencies
shell: bash
run: |
# TODO: The dependency installation fails, but good enough to make the tests pass.
# Ideally, required dependencies should be installed in a non-hacky, proper way.
# go get -v -t ./... || echo "Dependency installation failed, continuing anyway ¯\_(ツ)_/¯"
pip install wheel
- name: Build
shell: bash
run: |
go build -o fleetspeak/src/client/socketservice/testclient/testclient.exe github.com/google/fleetspeak/fleetspeak/src/client/socketservice/testclient
go build -o fleetspeak/src/client/daemonservice/testclient/testclient.exe github.com/google/fleetspeak/fleetspeak/src/client/daemonservice/testclient
pip install -e ./fleetspeak_python
- name: Test
shell: bash
run: |
go test -race github.com/google/fleetspeak/fleetspeak/src/common/... --timeout 180s
go test -race github.com/google/fleetspeak/fleetspeak/src/client/... --timeout 180s
# TODO: Move src/windows to src/client.
go test -race github.com/google/fleetspeak/fleetspeak/src/windows/... --timeout 180s
upload-installers:
if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
runs-on: ubuntu-latest
env:
GCS_BUCKET: autobuilds-fleetspeak
needs:
- build-test-linux
- build-windows
- build-osx
- test-osx
- test-windows
steps:
- uses: actions/checkout@v3
- name: Download installers from GitHub artifacts
id: download
uses: actions/download-artifact@v3
with:
path: ~/_artifacts
- name: Merge artifacts
run: |
BUILD_TIMESTAMP=$(git show -s --format=%ci ${GITHUB_SHA} | sed -e "s/[ :\\+]/_/g")
DEPLOY_PATH=$HOME/deploy/${BUILD_TIMESTAMP}_${GITHUB_SHA}/
echo "DEPLOY_PATH=$DEPLOY_PATH" >> $GITHUB_ENV
mkdir -p $DEPLOY_PATH
ls -la ${{ steps.download.outputs.download-path }}/*
mv -v ${{ steps.download.outputs.download-path }}/*/* $DEPLOY_PATH
ls -la $DEPLOY_PATH
echo "BUILD_TIMESTAMP=${BUILD_TIMESTAMP}" >> $GITHUB_ENV
- name: Authenticate
uses: 'google-github-actions/auth@v1'
with:
credentials_json: ${{ secrets.GCP_SA_KEY }}
export_environment_variables: true
- name: Upload installers to GCS
uses: google-github-actions/[email protected]
with:
path: ${{ env.DEPLOY_PATH }}
destination: ${{ env.GCS_BUCKET }}/${{ env.BUILD_TIMESTAMP }}_${{ github.sha }}
# Omit `path` (e.g. /home/runner/deploy/) in final GCS path.
parent: false
build-push-docker:
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Login to GitHub Container registry
if: ${{ github.event_name == 'push' }}
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata (tags, labels) for Docker
if: ${{ github.event_name == 'push' }}
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
- name: Build and push Docker image
if: ${{ github.event_name == 'push' }}
uses: docker/build-push-action@v5
with:
context: .
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}