-
Notifications
You must be signed in to change notification settings - Fork 0
146 lines (143 loc) · 5.54 KB
/
release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
---
name: release
on:
release:
types: [released]
env:
AWS_DEFAULT_REGION: us-east-1
# Do not copy the AMI to other regions until we have figured out a
# workable mechanism for creating and managing AMI KMS keys in other
# regions.
# See https://github.com/cisagov/cool-system/issues/18 for details.
# COPY_REGIONS_KMS_MAP: "us-east-2:alias/cool-amis,
# us-west-1:alias/cool-amis,
# us-west-2:alias/cool-amis"
PIP_CACHE_DIR: ~/.cache/pip
RUN_TMATE: ${{ secrets.RUN_TMATE }}
jobs:
diagnostics:
name: Run diagnostics
# This job does not need any permissions
permissions: {}
runs-on: ubuntu-latest
steps:
# Note that a duplicate of this step must be added at the top of
# each job.
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
with:
# Uses the organization variable unless overridden
config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
# Note that a duplicate of this step must be added at the top of
# each job.
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- id: github-status
name: Check GitHub status
uses: crazy-max/ghaction-github-status@v4
- id: dump-context
name: Dump context
uses: crazy-max/ghaction-dump-context@v2
release:
needs:
- diagnostics
permissions:
# actions/checkout needs this to fetch code
contents: read
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
architecture:
# The CDM Nessus Agent does not support ARM64 on Fedora.
# - arm64
- x86_64
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
with:
# Uses the organization variable unless overridden
config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- id: setup-env
uses: cisagov/setup-env-github-action@develop
- uses: actions/checkout@v4
- id: setup-python
uses: actions/setup-python@v5
with:
python-version: ${{ steps.setup-env.outputs.python-version }}
- uses: actions/cache@v4
env:
BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\
py${{ steps.setup-python.outputs.python-version }}-\
packer${{ steps.setup-env.outputs.packer-version }}-\
tf-${{ steps.setup-env.outputs.terraform-version }}-"
with:
path: |
${{ env.PIP_CACHE_DIR }}
key: "${{ env.BASE_CACHE_KEY }}\
${{ hashFiles('**/requirements.txt') }}"
restore-keys: |
${{ env.BASE_CACHE_KEY }}
- uses: hashicorp/setup-packer@v3
with:
version: ${{ steps.setup-env.outputs.packer-version }}
- uses: hashicorp/setup-terraform@v3
with:
terraform_version: ${{ steps.setup-env.outputs.terraform-version }}
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install --upgrade \
--requirement requirements.txt
- name: Install ansible roles
run: ansible-galaxy install --force --role-file ansible/requirements.yml
# Do not copy the AMI to other regions until we have figured out a
# workable mechanism for creating and managing AMI KMS keys in other
# regions.
# See https://github.com/cisagov/cool-system/issues/18 for details.
# - name: Add copy regions to packer configuration
# run: |
# echo $COPY_REGIONS_KMS_MAP | \
# ./patch_packer_config.py variables.pkr.hcl
- name: Assume AWS build role
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.AWS_DEFAULT_REGION }}
role-to-assume: ${{ secrets.BUILD_ROLE_TO_ASSUME_PRODUCTION }}
role-duration-seconds: 3600
# When called by Packer, Ansible will find /usr/bin/python3 and
# use it; therefore, we must ensure that /usr/bin/python3 points
# to the version of Python that we installed in the
# actions/setup-python step above. This can hose other tasks
# that are expecting to find the system Python at that location,
# though, so we undo this change after running Packer.
- name: Create a /usr/bin/python3 symlink to the installed python
run: |
sudo mv /usr/bin/python3 /usr/bin/python3-default
sudo ln -s ${{ env.pythonLocation }}/bin/python3 \
/usr/bin/python3
- name: Install Packer plugins
run: packer init .
- name: Create machine image
run: |
packer build -only amazon-ebs.${{ matrix.architecture }} \
-timestamp-ui \
-var build_bucket=${{ secrets.THIRD_PARTY_BUCKET_PRODUCTION }} \
-var is_prerelease=${{ github.event.release.prerelease }} \
-var release_tag=${{ github.event.release.tag_name }} \
-var release_url=${{ github.event.release.html_url }} \
.
- name: Remove /usr/bin/python3 symlink to the installed python
run: |
sudo mv /usr/bin/python3-default /usr/bin/python3
- name: Setup tmate debug session
uses: mxschmitt/action-tmate@v3
if: env.RUN_TMATE