[#52] Fix CVE-2023-40217. #288
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# | |
# GitHub actions for building and testing on bare hardware. | |
# Typically, Windows and macOS builds are done this way. | |
# Look for the Linux builds in the "docker" workflow. | |
name: Bare | |
on: | |
push: | |
branches: [ master ] | |
pull_request: | |
concurrency: | |
group: bare-${{ github.ref }} | |
cancel-in-progress: true | |
# Set to 'yes' to open a tunnel to GitHub's VMs through ngrok/tmate on failures. | |
# Also increase timeout-minutes for the relevant OS when debugging remotely. | |
# Version 3 of mxschmitt/action-tmate should also work on Windows. | |
env: | |
TMATE_DEBUG: 'no' | |
NGROK_DEBUG: 'no' | |
jobs: | |
windows: | |
# The type of runner that the job will run on | |
runs-on: windows-latest | |
timeout-minutes: 15 | |
# Steps represent a sequence of tasks that will be executed as part of the job | |
steps: | |
# Checks-out the repository under $GITHUB_WORKSPACE, so the job can access it | |
- uses: actions/checkout@v2 | |
with: | |
fetch-depth: 2 | |
# Explicitly run our scripts with Bash, not PowerShell (GitHub's default). | |
- name: Build Pythia | |
run: bash ./build.sh build | |
- name: Test Pythia | |
run: bash ./build.sh test | |
# To use an RSA key with SFTPPlus, install upstream OpenSSH package, | |
# which is more finicky in regards to file permissions. | |
# Beware the commands in this step run under PowerShell. | |
- name: Prepare SFTP upload | |
run: | | |
mkdir -p ~/.ssh/ | |
touch priv_key | |
icacls .\priv_key /inheritance:r | |
icacls .\priv_key /grant:r runneradmin:"(F)" | |
echo "${{ secrets.SFTPPLUS_BIN_PRIV_KEY }}" > priv_key | |
echo "${{ secrets.SFTPPLUS_BIN_HOST_KEY }}" > ~/.ssh/known_hosts | |
choco install --yes --no-progress openssh | |
# Upload using a (per-OS selected) sftp command, then show final links. | |
# Remove key in same step to avoid leaving it on disk if publishing fails. | |
- name: Upload testing package | |
run: bash -c './publish_dist.sh ; rm priv_key' | |
# Command line debugging through Tmate. v3 works on Windows too. | |
- name: Tmate debug on failure | |
if: failure() && env.TMATE_DEBUG == 'yes' | |
uses: chevah/action-tmate@v3 | |
with: | |
limit-access-to-actor: true | |
# To access the Windows desktop for advanced debugging, as per | |
# https://github.com/nelsonjchen/reverse-rdp-windows-github-actions, | |
# but using the ngrok token as password for the runnneradmin user. | |
# Basically use the ngrok token and the ngrok URL (from ngrok's dashboard). | |
- name: Ngrok debugging on failure | |
if: failure() && env.NGROK_DEBUG == 'yes' | |
env: | |
NGROK_TOKEN: ${{ secrets.NGROK_AUTH_TOKEN }} | |
run: | | |
choco install --yes --no-progress ngrok | |
ngrok.exe authtoken $env:NGROK_TOKEN | |
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server'-name "fDenyTSConnections" -Value 0 | |
Enable-NetFirewallRule -DisplayGroup "Remote Desktop" | |
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "UserAuthentication" -Value 1 | |
Set-LocalUser -Name "runneradmin" -Password (ConvertTo-SecureString -AsPlainText "$env:NGROK_TOKEN" -Force) | |
ngrok.exe tcp 3389 | |
macos: | |
runs-on: macos-latest | |
timeout-minutes: 30 | |
steps: | |
- uses: actions/checkout@v2 | |
with: | |
fetch-depth: 2 | |
# Some Homebrew libs pollute the build. | |
# Also make sure binaries depending on these libs are out of the way. | |
- name: Hack Homebrew | |
run: | | |
sudo mv -v /usr/local/bin/git{,.saved} | |
sudo chmod -v a-r /usr/local/include/libintl.h | |
sudo chmod -v a-r /usr/local/opt/gettext/lib/libintl.* | |
- name: Build Pythia | |
run: ./build.sh build | |
# Fix back Homebrew, for working Shellcheck tests and tmate debugging. | |
- name: Unhack Homebrew | |
run: | | |
sudo chmod -v a+r /usr/local/opt/gettext/lib/libintl* | |
sudo chmod -v a+r /usr/local/include/libintl.h | |
sudo mv -v /usr/local/bin/git{.saved,} | |
- name: Test Pythia | |
run: ./build.sh test | |
- name: Upload testing package | |
run: | | |
mkdir -pv ~/.ssh/ | |
touch priv_key | |
chmod 600 priv_key | |
echo "${{ secrets.SFTPPLUS_BIN_PRIV_KEY }}" > priv_key | |
echo "${{ secrets.SFTPPLUS_BIN_HOST_KEY }}" > ~/.ssh/known_hosts | |
./publish_dist.sh ; rm priv_key | |
- name: Tmate debug on failure | |
if: failure() && env.TMATE_DEBUG == 'yes' | |
uses: chevah/action-tmate@v3 | |
with: | |
limit-access-to-actor: true | |
macos-m1: | |
runs-on: m1 | |
timeout-minutes: 30 | |
steps: | |
- uses: actions/checkout@v2 | |
with: | |
fetch-depth: 2 | |
- name: Build Pythia | |
run: ./build.sh build | |
- name: Test Pythia | |
run: ./build.sh test | |
- name: Upload testing package | |
run: | | |
mkdir -pv ~/.ssh/ | |
touch priv_key | |
chmod 600 priv_key | |
echo "${{ secrets.SFTPPLUS_BIN_PRIV_KEY }}" > priv_key | |
echo "${{ secrets.SFTPPLUS_BIN_HOST_KEY }}" > ~/.ssh/known_hosts | |
./publish_dist.sh ; rm priv_key |