Merge branch 'ComplianceAsCode:master' into sys-1-1
sluetze authored Jan 27, 2025
2 parents ffb555d + 02af5e0 commit acaf313
Showing 1,534 changed files with 60,232 additions and 3,590 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/automatus-sanity.yaml
Expand Up @@ -55,7 +55,7 @@ jobs:
- name: Check One Rule
run: ./tests/automatus.py rule --remove-platforms --make-applicable-in-containers --logdir log_rule --datastream ssg-fedora-ds.xml --container ssg_test_suite package_sudo_installed
- name: Check One Rule - Ansible
run: ./tests/automatus.py rule --remove-platforms --make-applicable-in-containers --logdir log_rule_ansible --remediate-using ansible --datastream ssg-fedora-ds.xml --container ssg_test_suite package_sudo_installed
run: ./tests/automatus.py rule --remove-platforms --make-applicable-in-containers --logdir log_rule_ansible --remediate-using ansible --datastream ssg-fedora-ds.xml --container ssg_test_suite file_owner_etc_passwd
- name: Check Profile Mode
run: ./tests/automatus.py profile --remove-platforms --make-applicable-in-containers --logdir log_profile --datastream ssg-fedora-ds.xml --container ssg_test_suite test
- name: Check Combined Mode
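--- a/.github/workflows/automatus-ubuntu2404.yml
+++ b/.github/workflows/automatus-ubuntu2404.yml
@@ -0,0 +1,171 @@
+name: Automatus Ubuntu 24.04
+on:
+pull_request:
+branches: [ master, 'stabilization*' ]
+concurrency:
+group: ${{ github.workflow }}-${{ github.event.number || github.run_id }}
+cancel-in-progress: true
+env:
+DATASTREAM: ssg-ubuntu2404-ds.xml
+jobs:
+build-content:
+name: Build Content
+runs-on: ubuntu-24.04
+steps:
+- name: Install build deps
+run: sudo apt-get update && sudo apt-get install -y cmake ninja-build xsltproc libxml2-utils python3-yaml python3-jinja2 openscap-utils
+- name: Install workflow deps
+run: sudo apt install -y git python3-deepdiff python3-requests jq python3-pip
+- name: Install deps python
+run: pip3 install gitpython xmldiff
+- name: Checkout
+uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+with:
+fetch-depth: 0
+- name: Checkout (CTF)
+uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+with:
+repository: ComplianceAsCode/content-test-filtering
+path: ctf
+# https://github.com/actions/checkout/issues/766
+- name: Set git safe directory
+run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
+- name: Find forking point
+env:
+BASE_BRANCH: ${{ github.base_ref }}
+run: echo "FORK_POINT=$(git merge-base origin/$BASE_BRANCH ${{ github.event.pull_request.head.sha }})" >> $GITHUB_OUTPUT
+id: fork_point
+- name: Detect content changes in the PR
+run: python3 ./ctf/content_test_filtering.py pr --base ${{ steps.fork_point.outputs.FORK_POINT }} --remote_repo ${{ github.server_url }}/${{ github.repository }} --verbose --rule --output json ${{ github.event.pull_request.number }} > output.json
+- name: Test if there are no content changes
+run: echo "CTF_OUTPUT_SIZE=$(stat --printf="%s" output.json)" >> $GITHUB_OUTPUT
+id: ctf
+- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4
+if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
+with:
+name: output.json
+path: output.json
+- name: Print changes to content detected if any
+if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
+run: cat output.json
+- name: Get product attribute
+if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
+id: product
+uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0
+with:
+path: 'output.json'
+prop_path: 'product'
+- name: Build product
+if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
+run: ./build_product ubuntu2404 --datastream-only
+- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4
+if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
+with:
+name: ${{ env.DATASTREAM }}
+path: build/${{ env.DATASTREAM }}
+validate-ubuntu:
+name: Run Tests
+needs: build-content
+runs-on: ubuntu-24.04
+steps:
+- name: Install test deps
+run: sudo apt-get update && sudo apt-get install -y cmake ninja-build xsltproc libxml2-utils python3-yaml python3-jinja2 openscap-utils podman
+- name: Checkout
+uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+- name: Get cached CTF output
+uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4
+id: get_ctf_output
+with:
+name: output.json
+# continue even if the file is unavailable that
+# means there are no changes detected by CTF in the previous job
+continue-on-error: true
+- name: Test if there are no content changes
+if: ${{ steps.get_ctf_output.outcome == 'success' }}
+run: echo "CTF_OUTPUT_SIZE=$(stat --printf="%s" output.json)" >> $GITHUB_OUTPUT
+id: ctf
+- name: Print changes to content detected if any
+if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
+run: cat output.json
+- name: Generate id_rsa key
+if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
+run: ssh-keygen -N '' -t rsa -f ~/.ssh/id_rsa
+- name: Build test suite container
+if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
+run: podman build --build-arg "CLIENT_PUBLIC_KEY=$(cat ~/.ssh/id_rsa.pub)" -t ssg_test_suite -f test_suite-ubuntu2404
+working-directory: ./Dockerfiles
+- name: Get rule ids to be tested
+if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
+id: rules
+uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0
+with:
+path: 'output.json'
+prop_path: 'rules'
+- name: Get product attribute
+if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
+id: product
+uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0
+with:
+path: 'output.json'
+prop_path: 'product'
+- name: Get bash attribute
+if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
+id: bash
+uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0
+with:
+path: 'output.json'
+prop_path: 'bash'
+- name: Get ansible attribute
+if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
+id: ansible
+uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0
+with:
+path: 'output.json'
+prop_path: 'ansible'
+- uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4
+if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
+with:
+name: ${{ env.DATASTREAM }}
+- name: Run tests in a container - Bash
+if: ${{steps.bash.outputs.prop == 'True' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
+run: tests/test_rule_in_container.sh --no-make-applicable-in-containers --dontclean --logdir logs_bash --remediate-using bash --name ssg_test_suite --datastream ${{ env.DATASTREAM }} ${{join(fromJSON(steps.rules.outputs.prop))}}
+env:
+ADDITIONAL_TEST_OPTIONS: "--duplicate-templates --remove-fips-certified"
+- name: Check for ERROR in logs
+if: ${{steps.bash.outputs.prop == 'True' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
+run: grep -q "^ERROR" logs_bash/test_suite.log
+id: check_results_bash
+# when grep returns 1 means it didn't find the ^ERROR string in the test_suite.log file
+# and this means tests finished successfully without errors. So the job needs to keep going.
+# By using continue-on-error: true the "conclusion" parameter is set to true so it's not possible to use
+# it to determine whether the task has failed or succeed. The "outcome" parameter has to be used instead.
+# See the step below
+continue-on-error: true
+- name: Upload logs in case of failure
+if: ${{steps.bash.outputs.prop == 'True' && steps.check_results_bash.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
+uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4
+with:
+name: logs_bash
+path: logs_bash/
+- name: Run tests in a container - Ansible
+if: ${{ steps.ansible.outputs.prop == 'True' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
+run: tests/test_rule_in_container.sh --no-make-applicable-in-containers --dontclean --logdir logs_ansible --remediate-using ansible --name ssg_test_suite --datastream ${{ env.DATASTREAM }} ${{join(fromJSON(steps.rules.outputs.prop))}}
+env:
+ADDITIONAL_TEST_OPTIONS: "--duplicate-templates --remove-fips-certified"
+- name: Check for ERROR in logs
+if: ${{steps.ansible.outputs.prop == 'True' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
+run: grep -q "^ERROR" logs_ansible/test_suite.log
+id: check_results_ansible
+continue-on-error: true
+- name: Upload logs in case of failure
+if: ${{ steps.ansible.outputs.prop == 'True' && steps.check_results_ansible.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
+uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4
+with:
+name: logs_ansible
+path: logs_ansible/
+- name: Fail in case of ERROR present in logs_bash/test_suite.log or logs_ansible/test_suite.log
+if: ${{ (steps.check_results_bash.outcome == 'success' || steps.check_results_ansible.outcome == 'success') && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
+run: |
+[[ -f logs_bash/test_suite.log ]] && echo "---------Bash Remediation Logs---------" && cat logs_bash/test_suite.log | grep -v "DEBUG - "
+[[ -f logs_ansible/test_suite.log ]] && echo "---------Ansible Remediation Logs---------" && cat logs_ansible/test_suite.log | grep -v "DEBUG - "
+exit 1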
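Review bot: The new workflow has no top-level `permissions:` key anywhere between `name:` and `jobs:`, so both jobs inherit whatever default GITHUB_TOKEN scope the repository is configured with; neither job pushes, comments or publishes, so add `permissions:` / `  contents: read` right after `name:` to make the least-privilege intent explicit and robust to a later settings change. In both "Run tests in a container" steps the rule list is spliced straight into the shell command as `${{join(fromJSON(steps.rules.outputs.prop))}}`; those ids come from the CTF output, which is presumably derived from the paths changed in the PR, so a crafted rule directory name in a fork PR could reach the runner's shell unquoted — move the value into the step's `env:` (e.g. `RULES: ${{ join(fromJSON(steps.rules.outputs.prop)) }}`) and reference `$RULES` in `run:`, as "Find forking point" already does for `BASE_BRANCH`. The same `env:` treatment would suit `${{ github.event.pull_request.head.sha }}` on that step for consistency, even though a SHA carries no shell metacharacters. `pip3 install gitpython xmldiff` is unpinned, unlike the `pcre2==0.4.0` pin this same commit adds to gate_fedora.yml and gate_thin_ds.yml; pin both packages so the build job's inputs are reproducible.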
42 changes: 0 additions & 42 deletions .github/workflows/ctf.yaml
Expand Up @@ -47,45 +47,3 @@ jobs:
with:
path: 'output.json'
prop_path: 'product'
- name: Find Comment
uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3
id: fc
with:
issue-number: ${{ github.event.pull_request.number }}
comment-author: 'github-actions[bot]'
body-includes: Start a new ephemeral environment with changes proposed in this pull request
- name: Create or update comment
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4
with:
comment-id: ${{ steps.fc.outputs.comment-id }}
issue-number: ${{ github.event.pull_request.number }}
body: |
Start a new ephemeral environment with changes proposed in this pull request:
${{steps.product.outputs.prop}} (from CTF) Environment (using Fedora as testing environment)
[![Open in Gitpod](https://gitpod.io/button/open-in-gitpod.svg)](https://gitpod.io/#PRODUCT=${{steps.product.outputs.prop}},CONTAINER=fedora/${{ github.server_url }}/${{ github.repository }}/pull/${{ github.event.pull_request.number }})
Fedora Testing Environment
[![Open in Gitpod](https://gitpod.io/button/open-in-gitpod.svg)](https://gitpod.io/#${{ github.server_url }}/${{ github.repository }}/pull/${{ github.event.pull_request.number }})
Oracle Linux 8 Environment
[![Open in Gitpod](https://gitpod.io/button/open-in-gitpod.svg)](https://gitpod.io/#PRODUCT=ol8/${{ github.server_url }}/${{ github.repository }}/pull/${{ github.event.pull_request.number }})
edit-mode: replace
- name: Create or update a trimmed comment
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE == '0' }}
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4
with:
comment-id: ${{ steps.fc.outputs.comment-id }}
issue-number: ${{ github.event.pull_request.number }}
body: |
Start a new ephemeral environment with changes proposed in this pull request:
Fedora Environment
[![Open in Gitpod](https://gitpod.io/button/open-in-gitpod.svg)](https://gitpod.io/#${{ github.server_url }}/${{ github.repository }}/pull/${{ github.event.pull_request.number }})
Oracle Linux 8 Environment
[![Open in Gitpod](https://gitpod.io/button/open-in-gitpod.svg)](https://gitpod.io/#PRODUCT=ol8/${{ github.server_url }}/${{ github.repository }}/pull/${{ github.event.pull_request.number }})
edit-mode: replace
29 changes: 24 additions & 5 deletions .github/workflows/gate.yaml
Expand Up @@ -88,7 +88,7 @@ jobs:
runs-on: ubuntu-20.04
steps:
- name: Install Deps
run: sudo apt-get update && sudo apt-get install cmake ninja-build libopenscap8 libxml2-utils xsltproc ansible-lint bats python3-github python3-jinja2 python3-pip python3-pytest python3-pytest-cov python3-setuptools python3-yaml shellcheck
run: sudo apt-get update && sudo apt-get install -y cmake ninja-build libopenscap8 libxml2-utils xsltproc ansible-lint bats python3-github python3-jinja2 python3-pip python3-pytest python3-pytest-cov python3-setuptools python3-yaml shellcheck
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
- name: Install deps python
Expand All @@ -97,7 +97,7 @@ jobs:
env:
ADDITIONAL_CMAKE_OPTIONS: "-DSSG_OVAL_SCHEMATRON_VALIDATION_ENABLED=OFF"
run: |-
./build_product ubuntu1604 ubuntu1804 ubuntu2004
./build_product ubuntu1604 ubuntu1804 ubuntu2004 ubuntu2404
- name: Test
run: ctest -j2 --output-on-failure -E unique-stigids
working-directory: ./build
Expand All @@ -107,7 +107,7 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Install Deps
run: sudo apt-get update && sudo apt-get install cmake ninja-build libopenscap8 libxml2-utils xsltproc ansible-lint bats python3-github python3-jinja2 python3-pip python3-pytest python3-pytest-cov python3-setuptools python3-yaml shellcheck
run: sudo apt-get update && sudo apt-get install -y cmake ninja-build libopenscap8 libxml2-utils xsltproc ansible-lint bats python3-github python3-jinja2 python3-pip python3-pytest python3-pytest-cov python3-setuptools python3-yaml shellcheck
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
- name: Install deps python
Expand All @@ -121,6 +121,25 @@ jobs:
run: ctest -j2 --output-on-failure -E unique-stigids
working-directory: ./build

validate-ubuntu-24-04:
name: Build, Test on Ubuntu 24.04
runs-on: ubuntu-24.04
steps:
- name: Install Deps
run: sudo apt-get update && sudo apt-get install -y cmake ninja-build openscap-utils libxml2-utils xsltproc ansible-lint bats python3-github python3-jinja2 python3-pip python3-pytest python3-pytest-cov python3-setuptools python3-yaml shellcheck
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
- name: Install deps python
run: pip3 install -r requirements.txt -r test-requirements.txt
- name: Build
env:
ADDITIONAL_CMAKE_OPTIONS: "-DSSG_OVAL_SCHEMATRON_VALIDATION_ENABLED=OFF"
run: |-
./build_product ubuntu2404
- name: Test
run: ctest -j2 --output-on-failure -E unique-stigids
working-directory: ./build

validate-fedora-rawhide:
name: Build, Test on Fedora Rawhide (Container)
runs-on: ubuntu-latest
Expand Down Expand Up @@ -161,8 +180,8 @@ jobs:
name: Build on Windows
runs-on: windows-latest
env:
OPENSCAP_VERSION: "1.4.1"
OPENSCAP_ROOT_DIR: "C:\\Program Files\\OpenSCAP 1.4.1"
OPENSCAP_VERSION: "1.4.2"
OPENSCAP_ROOT_DIR: "C:\\Program Files\\OpenSCAP 1.4.2"
steps:
- name: Install Deps
run: choco install xsltproc
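Review bot: The new `validate-ubuntu-24-04` job (wholly inside the `@@ -121,6 +121,25 @@` hunk) repeats the preceding 22.04 job step for step; the only differences are `runs-on: ubuntu-24.04` and `openscap-utils` in place of `libopenscap8` in the apt-get line. A `strategy.matrix` with entries like `- {os: ubuntu-22.04, openscap: libopenscap8}` and `- {os: ubuntu-24.04, openscap: openscap-utils}`, referenced as `runs-on: ${{ matrix.os }}` and `${{ matrix.openscap }}` in the install step, would keep a single step list so future dependency or pin changes land once instead of in three near-identical jobs. The `-y` added to the two existing `apt-get install` lines is the right fix for non-interactive runners, and the 24.04 job already carries it.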
3 changes: 2 additions & 1 deletion .github/workflows/gate_fedora.yml
Expand Up @@ -21,13 +21,14 @@ jobs:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
- name: Install deps python
run: pip install pcre2 -r requirements.txt -r test-requirements.txt
run: pip install pcre2==0.4.0 -r requirements.txt -r test-requirements.txt
- name: Build
run: |-
./build_product -j2 \
al2023 \
alinux2 \
alinux3 \
almalinux9 \
anolis23 \
anolis8 \
chromium \
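Review bot: The `pcre2==0.4.0` pin on the "Install deps python" line carries no comment saying why it exists, so the next dependency refresh cannot tell whether it is a compatibility workaround for a newer release or a deliberate freeze; add a YAML comment above the step such as `# pcre2 pinned to 0.4.0: newer releases break this job (see <issue>) — re-check before bumping`, with the real reason filled in. The identical pin is added to gate_thin_ds.yml in this same commit; carrying it in test-requirements.txt (ideally with a `--hash=` entry) would keep the two workflows from drifting apart and give the install a supply-chain check that a bare version pin does not.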
30 changes: 0 additions & 30 deletions .github/workflows/gate_ol7.yml

This file was deleted.

2 changes: 1 addition & 1 deletion .github/workflows/gate_thin_ds.yml
Expand Up @@ -22,7 +22,7 @@ jobs:
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
- name: Install deps python
# pytest-xdist is used for parallel execution of thin ds test
run: pip install pcre2 pytest-xdist -r requirements.txt -r test-requirements.txt
run: pip install pcre2==0.4.0 pytest-xdist -r requirements.txt -r test-requirements.txt
- name: Build
run: ./build_product rhel9 --thin
- name: Test
2 changes: 1 addition & 1 deletion .github/workflows/gh-pages.yaml
Expand Up @@ -50,7 +50,7 @@ jobs:
git config --global --add safe.directory "$GITHUB_WORKSPACE"
- name: Deploy
if: ${{ github.event_name == 'push' && github.repository == 'ComplianceAsCode/content' && github.ref == 'refs/heads/master' }}
uses: JamesIves/github-pages-deploy-action@881db5376404c5c8d621010bcbec0310b58d5e29 # v4.6.8
uses: JamesIves/github-pages-deploy-action@15de0f09300eea763baee31dff6c6184995c5f6a # v4.7.2
with:
branch: main # The branch the action should deploy to.
folder: ${{ env.PAGES_DIR }} # The folder the action should deploy.
2 changes: 1 addition & 1 deletion .github/workflows/k8s-content-pr-test.yaml
Expand Up @@ -43,7 +43,7 @@ jobs:
id: save-go-version
run: |
echo "go-version=$(cat compliance-operator/go-version)" > compliance-operator/go-version
- uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5
- uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5
with:
go-version: ${{ steps.save-go-version.outputs.go-version }}
- name: Run ginkgo tests and check if each XCCDF file is parsed correctly