chore(deps): bump the gha-minor-patch group with 2 updates #382
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build, test and release | |
on: | |
push: | |
branches: | |
- main | |
pull_request: | |
branches: | |
- main | |
permissions: | |
contents: read | |
jobs: | |
check-diff: | |
runs-on: ubuntu-22.04 | |
outputs: | |
diff: ${{ steps.changes.outputs.src }} | |
steps: | |
- name: Enable egress filtering | |
uses: bullfrogsec/bullfrog@1472c28724ef13ea0adc54d0a42c2853d42786b1 | |
with: | |
egress-policy: audit | |
- name: Checkout | |
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 | |
- uses: fallard84/paths-filter@dfb4213208eb30382ee3e27b8a810fc3fb8cc911 # v3.0.3 | |
id: changes | |
with: | |
predicate-quantifier: "every" | |
filters: | | |
src: | |
- '**/*' | |
- '!**/*.md' | |
build: | |
runs-on: ubuntu-22.04 | |
timeout-minutes: 5 | |
needs: check-diff | |
if: ${{ needs.check-diff.outputs.diff == 'true' }} | |
steps: | |
- name: Enable egress filtering | |
uses: bullfrogsec/bullfrog@1472c28724ef13ea0adc54d0a42c2853d42786b1 | |
with: | |
egress-policy: block | |
allowed-domains: | | |
*.blob.core.windows.net | |
*.docker.io | |
*.golang.org | |
*.github.com | |
deb.debian.org | |
production.cloudflare.docker.com | |
registry.npmjs.org | |
storage.googleapis.com | |
- name: Checkout | |
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 | |
- name: Build | |
run: | | |
make bootstrap | |
make build | |
- name: Run Unit Tests | |
run: | | |
make test.unit | |
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
with: | |
name: build-artifacts | |
path: | | |
agent/agent | |
action/dist | |
check-artifacts: | |
needs: build | |
runs-on: ubuntu-22.04 | |
timeout-minutes: 5 | |
steps: | |
- name: Enable egress filtering | |
uses: bullfrogsec/bullfrog@1472c28724ef13ea0adc54d0a42c2853d42786b1 | |
with: | |
egress-policy: block | |
allowed-domains: | | |
*.github.com | |
- name: Checkout | |
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 | |
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: build-artifacts | |
- name: Check Artifact Build | |
run: | | |
make test.artifacts | |
test-audit: | |
needs: build | |
runs-on: ubuntu-22.04 | |
timeout-minutes: 5 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 | |
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: build-artifacts | |
- name: Enable egress filtering | |
uses: ./ | |
env: | |
_LOCAL_AGENT: true | |
with: | |
allowed-domains: | | |
*.google.com | |
- name: Make HTTP requests | |
run: | | |
timeout 5 curl https://www.google.com --output /dev/null | |
timeout 5 curl https://www.bing.com --output /dev/null | |
test-block: | |
needs: build | |
runs-on: ${{ matrix.os }} | |
timeout-minutes: 5 | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ubuntu-22.04, ubuntu-24.04] | |
steps: | |
- name: Checkout | |
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 | |
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: build-artifacts | |
- name: Enable egress filtering | |
uses: ./ | |
env: | |
_LOCAL_AGENT: true | |
with: | |
allowed-domains: | | |
*.google.com | |
egress-policy: block | |
enable-sudo: false | |
- name: Make HTTP requests | |
run: source test/make_http_requests.sh | |
- name: Make DNS requests | |
run: source test/make_dns_requests.sh | |
- name: Run sudo commands | |
run: source test/run_sudo_commands.sh | |
test-block-but-allow-any-dns-requests: | |
needs: build | |
runs-on: ubuntu-22.04 | |
timeout-minutes: 5 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 | |
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: build-artifacts | |
- name: Enable egress filtering | |
uses: ./ | |
env: | |
_LOCAL_AGENT: true | |
with: | |
allowed-domains: | | |
*.google.com | |
dns-policy: any | |
egress-policy: block | |
- name: Make HTTP requests | |
run: source test/make_http_requests.sh | |
- name: Make DNS requests | |
run: | | |
timeout 5 dig example.com | |
timeout 5 dig www.wikipedia.org | |
test-docker: | |
needs: build | |
runs-on: ubuntu-22.04 | |
timeout-minutes: 5 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 | |
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: build-artifacts | |
- name: Enable egress filtering | |
uses: ./ | |
env: | |
_LOCAL_AGENT: true | |
with: | |
allowed-ips: | | |
172.17.0.0/16 | |
allowed-domains: | | |
*.docker.io | |
production.cloudflare.docker.com | |
www.google.com | |
egress-policy: block | |
- name: Test curl calls within Docker | |
run: | | |
docker run --rm --entrypoint sh alpine/curl:8.7.1 -c " | |
if ! timeout 5 curl https://www.google.com --output /dev/null; then | |
echo 'Expected curl to www.google.com to succeed, but it failed'; | |
exit 1; | |
fi; | |
if timeout 5 curl https://www.bing.com --output /dev/null; then | |
echo 'Expected curl to www.bing.com to fail, but it succeeded'; | |
exit 1; | |
fi; | |
" | |
- name: Nginx | |
run: source test/docker_nginx.sh | |
- name: Nginx with port forwarding | |
run: source test/docker_nginx_port_forwarding.sh | |
test-integration: | |
needs: build | |
runs-on: ubuntu-24.04 | |
timeout-minutes: 10 | |
steps: | |
- name: Enable egress filtering | |
uses: bullfrogsec/bullfrog@1472c28724ef13ea0adc54d0a42c2853d42786b1 | |
with: | |
egress-policy: block | |
allowed-domains: | | |
*.canonical.com | |
*.github.com | |
*.ubuntu.com | |
archivist.vagrantup.com | |
deb.nodesource.com | |
dl.google.com | |
download.docker.com | |
go.dev | |
objects.githubusercontent.com | |
packages.microsoft.com | |
vagrantcloud-files-production.s3-accelerate.amazonaws.com | |
vagrantcloud.com | |
www.google.com | |
*.hashicorp.com | |
- name: Checkout | |
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 | |
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: build-artifacts | |
- name: Install Dependencies | |
run: | | |
wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg | |
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list | |
sudo apt-get update | |
sudo apt-get install --yes vagrant virtualbox | |
- name: Start VM | |
run: make vagrant.up | |
- name: Run Tests | |
run: make test.integration | |
# TODO: Rename to something else since it runs test.lint and test.types | |
test-lint: | |
runs-on: ubuntu-22.04 | |
timeout-minutes: 5 | |
steps: | |
- name: Enable egress filtering | |
uses: bullfrogsec/bullfrog@1472c28724ef13ea0adc54d0a42c2853d42786b1 | |
with: | |
egress-policy: block | |
allowed-domains: | | |
*.golang.org | |
registry.npmjs.org | |
storage.googleapis.com | |
- name: Checkout | |
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 | |
- name: Bootstrap | |
run: | | |
make bootstrap | |
- name: Lint | |
run: | | |
make test.lint | |
- name: Types | |
run: | | |
make test.types | |
pre-release: | |
if: github.ref == 'refs/heads/main' | |
runs-on: ubuntu-22.04 | |
permissions: | |
contents: write | |
pull-requests: write | |
needs: | |
[ | |
build, | |
check-artifacts, | |
test-audit, | |
test-block, | |
test-block-but-allow-any-dns-requests, | |
test-docker, | |
test-integration, | |
test-lint, | |
] | |
outputs: | |
release_created: ${{ steps.release.outputs.release_created }} | |
tag_name: ${{ steps.release.outputs.tag_name }} | |
major: ${{ steps.release.outputs.major }} | |
minor: ${{ steps.release.outputs.minor }} | |
steps: | |
- name: Enable egress filtering | |
uses: bullfrogsec/bullfrog@1472c28724ef13ea0adc54d0a42c2853d42786b1 | |
with: | |
egress-policy: block | |
allowed-domains: | | |
uploads.github.com | |
- name: Checkout | |
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 | |
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: build-artifacts | |
- uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4.1.3 | |
if: github.event_name == 'push' | |
id: release | |
with: | |
config-file: release-please-config.json | |
manifest-file: .release-please-manifest.json | |
token: ${{ secrets.BULLFROG_BOT_PAT }} | |
- name: Upload Release Artifact | |
if: ${{ steps.release.outputs.release_created }} | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: | | |
echo "Upload" | |
tar -czf agent.tar.gz agent/agent | |
gh release upload ${{ steps.release.outputs.tag_name }} agent.tar.gz | |
pre-release-validation: | |
needs: pre-release | |
if: ${{ needs.pre-release.outputs.release_created }} | |
runs-on: ubuntu-22.04 | |
timeout-minutes: 2 | |
steps: | |
# This job intentionally skips `actions/checkout` to simulate bullfrog's action as if it were called from another workflow. Refer to https://github.com/bullfrogsec/bullfrog/commit/3a3e5e03112ef726b3079d402415760c9021fa39 for details. | |
- uses: jenseng/dynamic-uses@02f544690a931f3967153cd5f14679cfeb61f830 | |
with: | |
uses: ${{ github.repository }}@${{ needs.pre-release.outputs.tag_name }} | |
with: '{"allowed-domains": "www.google.com", "egress-policy": "block", "agent-download-base-url": "https://github.com/${{ github.repository }}/releases/download/"}' | |
- name: Make HTTP requests | |
run: | | |
if ! curl https://www.google.com --output /dev/null; then | |
echo 'Expected curl to www.google.com to succeed, but it failed'; | |
exit 1; | |
fi; | |
if curl https://www.bing.com --max-time 5 --output /dev/null; then | |
echo 'Expected curl to www.bing.com to fail, but it succeeded'; | |
exit 1; | |
fi; | |
release: | |
runs-on: ubuntu-22.04 | |
permissions: | |
contents: write | |
needs: [pre-release, pre-release-validation] | |
steps: | |
- name: Enable egress filtering | |
uses: bullfrogsec/bullfrog@1472c28724ef13ea0adc54d0a42c2853d42786b1 | |
with: | |
egress-policy: block | |
- name: Checkout | |
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 | |
- name: Promote to a release | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: | | |
gh release edit ${{ needs.pre-release.outputs.tag_name }} --prerelease=false --latest | |
git config user.name github-actions[bot] | |
git config user.email 41898282+github-actions[bot]@users.noreply.github.com | |
git remote add gh-token "https://${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git" | |
git tag -d v${{ needs.pre-release.outputs.major }} || true | |
git tag -d v${{ needs.pre-release.outputs.major }}.${{ needs.pre-release.outputs.minor }} || true | |
git push origin :v${{ needs.pre-release.outputs.major }} || true | |
git push origin :v${{ needs.pre-release.outputs.major }}.${{ needs.pre-release.outputs.minor }} || true | |
git tag -a v${{ needs.pre-release.outputs.major }} -m "Release v${{ needs.pre-release.outputs.major }}" | |
git tag -a v${{ needs.pre-release.outputs.major }}.${{ needs.pre-release.outputs.minor }} -m "Release v${{ needs.pre-release.outputs.major }}.${{ needs.pre-release.outputs.minor }}" | |
git push origin v${{ needs.pre-release.outputs.major }} | |
git push origin v${{ needs.pre-release.outputs.major }}.${{ needs.pre-release.outputs.minor }} |