Skip to content

chore(deps): bump the gha-minor-patch group with 2 updates #382

chore(deps): bump the gha-minor-patch group with 2 updates

chore(deps): bump the gha-minor-patch group with 2 updates #382

Workflow file for this run

name: Build, test and release
on:
push:
branches:
- main
pull_request:
branches:
- main
permissions:
contents: read
jobs:
check-diff:
runs-on: ubuntu-22.04
outputs:
diff: ${{ steps.changes.outputs.src }}
steps:
- name: Enable egress filtering
uses: bullfrogsec/bullfrog@1472c28724ef13ea0adc54d0a42c2853d42786b1
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: fallard84/paths-filter@dfb4213208eb30382ee3e27b8a810fc3fb8cc911 # v3.0.3
id: changes
with:
predicate-quantifier: "every"
filters: |
src:
- '**/*'
- '!**/*.md'
build:
runs-on: ubuntu-22.04
timeout-minutes: 5
needs: check-diff
if: ${{ needs.check-diff.outputs.diff == 'true' }}
steps:
- name: Enable egress filtering
uses: bullfrogsec/bullfrog@1472c28724ef13ea0adc54d0a42c2853d42786b1
with:
egress-policy: block
allowed-domains: |
*.blob.core.windows.net
*.docker.io
*.golang.org
*.github.com
deb.debian.org
production.cloudflare.docker.com
registry.npmjs.org
storage.googleapis.com
- name: Checkout
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- name: Build
run: |
make bootstrap
make build
- name: Run Unit Tests
run: |
make test.unit
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: build-artifacts
path: |
agent/agent
action/dist
check-artifacts:
needs: build
runs-on: ubuntu-22.04
timeout-minutes: 5
steps:
- name: Enable egress filtering
uses: bullfrogsec/bullfrog@1472c28724ef13ea0adc54d0a42c2853d42786b1
with:
egress-policy: block
allowed-domains: |
*.github.com
- name: Checkout
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: build-artifacts
- name: Check Artifact Build
run: |
make test.artifacts
test-audit:
needs: build
runs-on: ubuntu-22.04
timeout-minutes: 5
steps:
- name: Checkout
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: build-artifacts
- name: Enable egress filtering
uses: ./
env:
_LOCAL_AGENT: true
with:
allowed-domains: |
*.google.com
- name: Make HTTP requests
run: |
timeout 5 curl https://www.google.com --output /dev/null
timeout 5 curl https://www.bing.com --output /dev/null
test-block:
needs: build
runs-on: ${{ matrix.os }}
timeout-minutes: 5
strategy:
fail-fast: false
matrix:
os: [ubuntu-22.04, ubuntu-24.04]
steps:
- name: Checkout
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: build-artifacts
- name: Enable egress filtering
uses: ./
env:
_LOCAL_AGENT: true
with:
allowed-domains: |
*.google.com
egress-policy: block
enable-sudo: false
- name: Make HTTP requests
run: source test/make_http_requests.sh
- name: Make DNS requests
run: source test/make_dns_requests.sh
- name: Run sudo commands
run: source test/run_sudo_commands.sh
test-block-but-allow-any-dns-requests:
needs: build
runs-on: ubuntu-22.04
timeout-minutes: 5
steps:
- name: Checkout
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: build-artifacts
- name: Enable egress filtering
uses: ./
env:
_LOCAL_AGENT: true
with:
allowed-domains: |
*.google.com
dns-policy: any
egress-policy: block
- name: Make HTTP requests
run: source test/make_http_requests.sh
- name: Make DNS requests
run: |
timeout 5 dig example.com
timeout 5 dig www.wikipedia.org
test-docker:
needs: build
runs-on: ubuntu-22.04
timeout-minutes: 5
steps:
- name: Checkout
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: build-artifacts
- name: Enable egress filtering
uses: ./
env:
_LOCAL_AGENT: true
with:
allowed-ips: |
172.17.0.0/16
allowed-domains: |
*.docker.io
production.cloudflare.docker.com
www.google.com
egress-policy: block
- name: Test curl calls within Docker
run: |
docker run --rm --entrypoint sh alpine/curl:8.7.1 -c "
if ! timeout 5 curl https://www.google.com --output /dev/null; then
echo 'Expected curl to www.google.com to succeed, but it failed';
exit 1;
fi;
if timeout 5 curl https://www.bing.com --output /dev/null; then
echo 'Expected curl to www.bing.com to fail, but it succeeded';
exit 1;
fi;
"
- name: Nginx
run: source test/docker_nginx.sh
- name: Nginx with port forwarding
run: source test/docker_nginx_port_forwarding.sh
test-integration:
needs: build
runs-on: ubuntu-24.04
timeout-minutes: 10
steps:
- name: Enable egress filtering
uses: bullfrogsec/bullfrog@1472c28724ef13ea0adc54d0a42c2853d42786b1
with:
egress-policy: block
allowed-domains: |
*.canonical.com
*.github.com
*.ubuntu.com
archivist.vagrantup.com
deb.nodesource.com
dl.google.com
download.docker.com
go.dev
objects.githubusercontent.com
packages.microsoft.com
vagrantcloud-files-production.s3-accelerate.amazonaws.com
vagrantcloud.com
www.google.com
*.hashicorp.com
- name: Checkout
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: build-artifacts
- name: Install Dependencies
run: |
wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt-get update
sudo apt-get install --yes vagrant virtualbox
- name: Start VM
run: make vagrant.up
- name: Run Tests
run: make test.integration
# TODO: Rename to something else since it runs test.lint and test.types
test-lint:
runs-on: ubuntu-22.04
timeout-minutes: 5
steps:
- name: Enable egress filtering
uses: bullfrogsec/bullfrog@1472c28724ef13ea0adc54d0a42c2853d42786b1
with:
egress-policy: block
allowed-domains: |
*.golang.org
registry.npmjs.org
storage.googleapis.com
- name: Checkout
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- name: Bootstrap
run: |
make bootstrap
- name: Lint
run: |
make test.lint
- name: Types
run: |
make test.types
pre-release:
if: github.ref == 'refs/heads/main'
runs-on: ubuntu-22.04
permissions:
contents: write
pull-requests: write
needs:
[
build,
check-artifacts,
test-audit,
test-block,
test-block-but-allow-any-dns-requests,
test-docker,
test-integration,
test-lint,
]
outputs:
release_created: ${{ steps.release.outputs.release_created }}
tag_name: ${{ steps.release.outputs.tag_name }}
major: ${{ steps.release.outputs.major }}
minor: ${{ steps.release.outputs.minor }}
steps:
- name: Enable egress filtering
uses: bullfrogsec/bullfrog@1472c28724ef13ea0adc54d0a42c2853d42786b1
with:
egress-policy: block
allowed-domains: |
uploads.github.com
- name: Checkout
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: build-artifacts
- uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4.1.3
if: github.event_name == 'push'
id: release
with:
config-file: release-please-config.json
manifest-file: .release-please-manifest.json
token: ${{ secrets.BULLFROG_BOT_PAT }}
- name: Upload Release Artifact
if: ${{ steps.release.outputs.release_created }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
echo "Upload"
tar -czf agent.tar.gz agent/agent
gh release upload ${{ steps.release.outputs.tag_name }} agent.tar.gz
pre-release-validation:
needs: pre-release
if: ${{ needs.pre-release.outputs.release_created }}
runs-on: ubuntu-22.04
timeout-minutes: 2
steps:
# This job intentionally skips `actions/checkout` to simulate bullfrog's action as if it were called from another workflow. Refer to https://github.com/bullfrogsec/bullfrog/commit/3a3e5e03112ef726b3079d402415760c9021fa39 for details.
- uses: jenseng/dynamic-uses@02f544690a931f3967153cd5f14679cfeb61f830
with:
uses: ${{ github.repository }}@${{ needs.pre-release.outputs.tag_name }}
with: '{"allowed-domains": "www.google.com", "egress-policy": "block", "agent-download-base-url": "https://github.com/${{ github.repository }}/releases/download/"}'
- name: Make HTTP requests
run: |
if ! curl https://www.google.com --output /dev/null; then
echo 'Expected curl to www.google.com to succeed, but it failed';
exit 1;
fi;
if curl https://www.bing.com --max-time 5 --output /dev/null; then
echo 'Expected curl to www.bing.com to fail, but it succeeded';
exit 1;
fi;
release:
runs-on: ubuntu-22.04
permissions:
contents: write
needs: [pre-release, pre-release-validation]
steps:
- name: Enable egress filtering
uses: bullfrogsec/bullfrog@1472c28724ef13ea0adc54d0a42c2853d42786b1
with:
egress-policy: block
- name: Checkout
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- name: Promote to a release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh release edit ${{ needs.pre-release.outputs.tag_name }} --prerelease=false --latest
git config user.name github-actions[bot]
git config user.email 41898282+github-actions[bot]@users.noreply.github.com
git remote add gh-token "https://${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git"
git tag -d v${{ needs.pre-release.outputs.major }} || true
git tag -d v${{ needs.pre-release.outputs.major }}.${{ needs.pre-release.outputs.minor }} || true
git push origin :v${{ needs.pre-release.outputs.major }} || true
git push origin :v${{ needs.pre-release.outputs.major }}.${{ needs.pre-release.outputs.minor }} || true
git tag -a v${{ needs.pre-release.outputs.major }} -m "Release v${{ needs.pre-release.outputs.major }}"
git tag -a v${{ needs.pre-release.outputs.major }}.${{ needs.pre-release.outputs.minor }} -m "Release v${{ needs.pre-release.outputs.major }}.${{ needs.pre-release.outputs.minor }}"
git push origin v${{ needs.pre-release.outputs.major }}
git push origin v${{ needs.pre-release.outputs.major }}.${{ needs.pre-release.outputs.minor }}