Union #818 #821 #822 #1031
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Universal NRP Test | |
on: | |
workflow_dispatch: | |
inputs: | |
policy_packages: | |
description: 'List of policy packages to test' | |
required: true | |
default: '[]' | |
pull_request: | |
schedule: | |
- cron: '0 20 * * *' # Every day at 12pm PST (UTC-8) | |
jobs: | |
package: | |
name: Package | |
if: ${{ inputs.policy_packages == '[]' || inputs.policy_packages == '' }} | |
uses: ./.github/workflows/package-build.yml | |
needs: [setup-matrix] | |
with: | |
target: ubuntu-14.04 | |
arch: amd64 | |
artifact: nrp-test | |
package-type: DEB | |
test: true | |
machine-config: true | |
release: ${{ github.event_name == 'pull_request' && false || true }} | |
setup-matrix: | |
name: Setup Matrix | |
runs-on: ubuntu-latest | |
outputs: | |
targets: ${{ steps.matrix.outputs.targets }} | |
custom_download: ${{ steps.matrix.outputs.custom_download }} | |
policy_packages: ${{ steps.matrix.outputs.policy_packages }} | |
steps: | |
- name: Generate Matrix | |
id: matrix | |
env: | |
DEFAULT_POLICYPACKAGES: | | |
[ | |
{ "name": "LinuxSshServerSecurityBaseline", "short-name": "SSH", "resource-count": 20 }, | |
{ "name": "AzureLinuxBaseline", "short-name": "ASB", "resource-count": 168 } | |
] | |
TARGETS: | | |
[ | |
{ "os": "centos", "version": "8" }, | |
{ "os": "debian", "version": "10" }, | |
{ "os": "debian", "version": "11" }, | |
{ "os": "debian", "version": "12" }, | |
{ "os": "mariner", "version": "2" }, | |
{ "os": "oraclelinux", "version": "8" }, | |
{ "os": "rhel", "version": "8" }, | |
{ "os": "rhel", "version": "9" }, | |
{ "os": "rockylinux", "version": "9" }, | |
{ "os": "sles", "version": "15" }, | |
{ "os": "ubuntu", "version": "20.04" }, | |
{ "os": "ubuntu", "version": "22.04" } | |
] | |
# { "os": "almalinux", "version": "9" }, | |
# { "os": "amazonlinux", "version": "2" }, | |
# { "os": "centos", "version": "7" }, | |
# { "os": "oraclelinux", "version": "7" }, | |
# { "os": "rhel", "version": "7" }, | |
# { "os": "sles", "version": "12" }, | |
# { "os": "ubuntu", "version": "16.04" }, | |
# { "os": "ubuntu", "version": "18.04" }, | |
run: | | |
# If no explicit packages defined, use the default packages | |
if [[ '${{ inputs.policy_packages }}' == '[]' || '${{ inputs.policy_packages }}' == '' ]]; then | |
custom_download="false" | |
policy_packages="$DEFAULT_POLICYPACKAGES" | |
else | |
custom_download="true" | |
policy_packages="${{ inputs.policy_packages }}" | |
fi | |
echo $custom_download | |
echo $policy_packages | |
echo targets=$(echo $TARGETS | jq -r 'tostring') >> $GITHUB_OUTPUT | |
echo custom_download=$custom_download >> $GITHUB_OUTPUT | |
echo policy_packages=$(echo $policy_packages | jq -r 'tostring') >> $GITHUB_OUTPUT | |
mc-test: | |
name: MC Test | |
needs: [setup-matrix, package] | |
runs-on: [self-hosted, 1ES.Pool=ci-pool, '1ES.ImageOverride=${{ matrix.target.os }}-${{ matrix.target.version }}'] | |
strategy: | |
fail-fast: false | |
matrix: | |
target: ${{ fromJSON(needs.setup-matrix.outputs.targets) }} | |
arch: [amd64] | |
mode: [Audit, Remediate] | |
policy-package: ${{ fromJSON(needs.setup-matrix.outputs.policy_packages) }} | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/download-artifact@v4 | |
if: ${{ needs.setup-matrix.outputs.custom_download == 'false' }} | |
id: download | |
with: | |
name: nrp-test | |
- name: Custom Download | |
if: ${{ needs.setup-matrix.outputs.custom_download == 'true' }} | |
id: custom-download | |
run: | | |
wget -O PolicyPackage.zip ${{ matrix.policy-package.policy-package-url }} | |
echo path=$(pwd)/PolicyPackage.zip >> $GITHUB_OUTPUT | |
- name: Normalize variables | |
id: normalize | |
run: | | |
echo name="${{ matrix.target.os }}-${{ matrix.target.version }}_${{ matrix.policy-package.short-name }}-${{ matrix.mode }}" >> $GITHUB_OUTPUT | |
if [[ ${{ needs.setup-matrix.outputs.custom_download }} == 'true' ]]; then | |
echo dir=$(pwd) >> $GITHUB_OUTPUT | |
echo path=$(pwd)/PolicyPackage.zip >> $GITHUB_OUTPUT | |
else | |
echo dir="${{ steps.download.outputs.download-path }}" >> $GITHUB_OUTPUT | |
echo path="${{ steps.download.outputs.download-path }}/${{ matrix.policy-package.name }}.zip" >> $GITHUB_OUTPUT | |
fi | |
- name: Run Guest Configuration Test | |
working-directory: ${{ steps.normalize.outputs.PolicyPackageDir }} | |
run: | | |
script="./universalNRPTest.ps1" | |
cat >$script <<EOL | |
Install-Module -Name GuestConfiguration -Force | |
Install-Module Pester -Force -SkipPublisherCheck | |
Import-Module Pester -Passthru | |
\$params = @{ | |
PolicyPackage = '${{ steps.normalize.outputs.path }}' | |
SkipRemediation = if ('${{ matrix.mode }}' -eq 'Audit') { \$true } else { \$false } | |
ResourceCount = ${{ matrix.policy-package.resource-count }} | |
} | |
\$container = New-PesterContainer -Path ./src/tests/universal-nrp-e2e/UniversalNRP.Tests.ps1 -Data \$params | |
\$pesterConfig = [PesterConfiguration]@{ | |
Run = @{ | |
Exit = \$true | |
Container = \$container | |
} | |
Output = @{ | |
Verbosity = 'Detailed' | |
} | |
TestResult = @{ | |
Enabled = \$true | |
OutputFormat = 'JUnitXml' | |
OutputPath = '${{ steps.normalize.outputs.name }}-testResults.xml' | |
} | |
Should = @{ | |
ErrorAction = 'Continue' | |
} | |
}; | |
Invoke-Pester -Configuration \$pesterConfig | |
EOL | |
sudo LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/omi/lib/ pwsh -Command $script | |
ls -l | |
# if command -v lsb_release &>/dev/null; then | |
# [[ $(lsb_release -is) == "Ubuntu" ]] && sudo chmod 644 *testResults.xml | |
# else | |
# echo "lsb_release not found" | |
# fi | |
stat *testResults.xml | |
- name: Stage OSConfig Logs | |
if: success() || failure() | |
run: | | |
mkdir osconfig-logs | |
stat /var/log/osconfig_nrp.log | |
cp -r /var/log/osconfig* osconfig-logs/ | |
- uses: actions/upload-artifact@v4 | |
if: success() || failure() | |
with: | |
name: ${{ steps.normalize.outputs.name }}_report | |
path: '${{ steps.normalize.outputs.dir }}/*testResults.xml' | |
- uses: actions/upload-artifact@v4 | |
if: success() || failure() | |
with: | |
name: ${{ steps.normalize.outputs.name }}_logs | |
path: osconfig-logs/osconfig* | |
module-test: | |
name: Module Test | |
needs: [setup-matrix, package] | |
runs-on: [self-hosted, 1ES.Pool=ci-pool, '1ES.ImageOverride=${{ matrix.target.os }}-${{ matrix.target.version }}'] | |
strategy: | |
fail-fast: false | |
matrix: | |
target: ${{ fromJSON(needs.setup-matrix.outputs.targets) }} | |
arch: [amd64] | |
steps: | |
- uses: actions/checkout@v4 | |
- run: ldd --version | |
- uses: actions/download-artifact@v4 | |
id: download | |
with: | |
name: nrp-test | |
- name: Create osconfig.json | |
run: | | |
sudo mkdir -p /etc/osconfig | |
sudo cp -r ${{ steps.download.outputs.download-path }}/modules/test/osconfig.json /etc/osconfig/osconfig.json | |
- name: Run moduletest | |
working-directory: ${{ steps.download.outputs.download-path }}/modules/test | |
run: | | |
sudo chmod +x ./moduletest | |
result=0 | |
recipe="./recipes/SecurityBaselineTests.json" | |
name=$(basename $recipe | tr '[:upper:]' '[:lower:]' | sed 's/\.[^.]*$//' | sed 's/\(test\|tests\)$//') | |
echo -n "testing $name ... " | |
if output=$(sudo ./moduletest $recipe --bin ../bin); then | |
echo passed | |
else | |
echo failed | |
result=1 | |
echo "::warning file=$name.log::Error(s) in module-test for '$name'" | |
fi | |
echo "$output" | |
echo "$output" > ../../$name.log | |
exit $result | |
- uses: actions/upload-artifact@v4 | |
if: success() || failure() | |
with: | |
name: ${{ matrix.target.os }}-${{ matrix.target.version }}_logs | |
path: '*.log' | |
# See for more details: https://github.com/marketplace/actions/publish-test-results | |
report: | |
name: Report | |
needs: mc-test | |
runs-on: ubuntu-latest | |
permissions: | |
checks: write | |
pull-requests: write | |
if: always() | |
steps: | |
- name: Download Test Report Artifacts | |
uses: actions/download-artifact@v4 | |
with: | |
path: universal-nrp-test | |
pattern: '*_report' | |
merge-multiple: true | |
- name: Publish Test Results | |
uses: EnricoMi/publish-unit-test-result-action@v2 | |
with: | |
files: 'universal-nrp-test/*testResults.xml' |