Update docs for cis hardening #1806
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Informing Integration Tests | |
| on: | |
| push: | |
| paths-ignore: | |
| - 'docs/**' | |
| branches: | |
| - main | |
| - 'release-[0-9]+.[0-9]+' | |
| - 'autoupdate/sync/**' | |
| pull_request: | |
| paths-ignore: | |
| - 'docs/**' | |
| permissions: | |
| contents: read | |
| jobs: | |
| build: | |
| name: Build ${{ matrix.patch }} | |
| runs-on: ubuntu-20.04 | |
| strategy: | |
| matrix: | |
| patch: ["moonray"] | |
| fail-fast: false | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@v2 | |
| with: | |
| egress-policy: audit | |
| - name: Checking out repo | |
| uses: actions/checkout@v4 | |
| - name: Install lxd | |
| run: | | |
| sudo snap refresh lxd --channel 5.21/stable | |
| sudo lxd init --auto | |
| sudo usermod --append --groups lxd $USER | |
| sg lxd -c 'lxc version' | |
| - name: Install snapcraft | |
| run: | | |
| sudo snap install snapcraft --classic | |
| - name: Apply ${{ matrix.patch }} patch | |
| run: | | |
| ./build-scripts/patches/${{ matrix.patch }}/apply | |
| - name: Build snap | |
| run: | | |
| sg lxd -c 'snapcraft --use-lxd' | |
| mv k8s_*.snap k8s-${{ matrix.patch }}.snap | |
| - name: Uploading snap | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: k8s-${{ matrix.patch }}.snap | |
| path: k8s-${{ matrix.patch }}.snap | |
| test-integration: | |
| needs: [ build ] | |
| name: Test ${{ matrix.patch }} ${{ matrix.os }} | |
| strategy: | |
| matrix: | |
| os: ["ubuntu:20.04"] | |
| patch: ["moonray"] | |
| fail-fast: false | |
| runs-on: ["self-hosted", "Linux", "AMD64", "jammy", "large"] | |
| steps: | |
| - name: Check out code | |
| uses: actions/checkout@v4 | |
| - name: Setup Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.10' | |
| - name: Install tox | |
| run: pip install tox | |
| - name: Install lxd | |
| run: | | |
| sudo snap refresh lxd --channel 5.21/stable | |
| sudo lxd init --auto | |
| sudo usermod --append --groups lxd $USER | |
| sg lxd -c 'lxc version' | |
| sudo iptables -I DOCKER-USER -i lxdbr0 -j ACCEPT | |
| sudo iptables -I DOCKER-USER -o lxdbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |
| - name: Download snap | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: k8s-${{ matrix.patch }}.snap | |
| path: ${{ github.workspace }}/build | |
| - name: Apply ${{ matrix.patch }} patch | |
| run: | | |
| ./build-scripts/patches/${{ matrix.patch }}/apply | |
| - name: Run end to end tests | |
| env: | |
| TEST_SNAP: ${{ github.workspace }}/build/k8s-${{ matrix.patch }}.snap | |
| TEST_SUBSTRATE: lxd | |
| TEST_LXD_IMAGE: ${{ matrix.os }} | |
| TEST_FLAVOR: ${{ matrix.patch }} | |
| TEST_INSPECTION_REPORTS_DIR: ${{ github.workspace }}/inspection-reports | |
| run: | | |
| cd tests/integration && sg lxd -c 'tox -e integration' | |
| - name: Prepare inspection reports | |
| if: failure() | |
| run: | | |
| tar -czvf inspection-reports.tar.gz -C ${{ github.workspace }} inspection-reports | |
| echo "artifact_name=inspection-reports-${{ matrix.os }}-${{ matrix.patch }}" | sed 's/:/-/g' >> $GITHUB_ENV | |
| - name: Upload inspection report artifact | |
| if: failure() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ env.artifact_name }} | |
| path: ${{ github.workspace }}/inspection-reports.tar.gz |