-
Notifications
You must be signed in to change notification settings - Fork 6
156 lines (153 loc) · 6 KB
/
release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
---
name: release
on:
release:
types: [released]
env:
AWS_DEFAULT_REGION: us-east-1
# Do not copy the AMI to other regions until we have figured out a
# workable mechanism for creating and managing AMI KMS keys in other
# regions.
# See https://github.com/cisagov/cool-system/issues/18 for details.
# COPY_REGIONS_KMS_MAP: "us-east-2:alias/cool-amis,
# us-west-1:alias/cool-amis,
# us-west-2:alias/cool-amis"
PIP_CACHE_DIR: ~/.cache/pip
RUN_TMATE: ${{ secrets.RUN_TMATE }}
jobs:
diagnostics:
name: Run diagnostics
# This job does not need any permissions
permissions: {}
runs-on: ubuntu-latest
steps:
# Note that a duplicate of this step must be added at the top of
# each job.
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
with:
# Uses the organization variable unless overridden
config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
# Note that a duplicate of this step must be added at the top of
# each job.
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- id: github-status
name: Check GitHub status
uses: crazy-max/ghaction-github-status@v4
- id: dump-context
name: Dump context
uses: crazy-max/ghaction-dump-context@v2
release:
needs:
- diagnostics
permissions:
# actions/checkout needs this to fetch code
contents: read
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
architecture:
# There is no ARM-based official Kali AMI in the AWS AMI
# Catalog.
# - arm64
- x86_64
steps:
# If we use this proxy then the calls to the AWS API on
# localhost fail.
# - uses: GitHubSecurityLab/actions-permissions/monitor@v1
# with:
# # Uses the organization variable unless overridden
# config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- id: setup-env
uses: cisagov/setup-env-github-action@develop
- uses: actions/checkout@v4
- id: setup-python
uses: actions/setup-python@v5
with:
python-version: ${{ steps.setup-env.outputs.python-version }}
- uses: actions/cache@v4
env:
BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\
py${{ steps.setup-python.outputs.python-version }}-\
packer${{ steps.setup-env.outputs.packer-version }}-\
tf-${{ steps.setup-env.outputs.terraform-version }}-"
with:
path: |
${{ env.PIP_CACHE_DIR }}
key: "${{ env.BASE_CACHE_KEY }}\
${{ hashFiles('**/requirements.txt') }}"
restore-keys: |
${{ env.BASE_CACHE_KEY }}
- uses: hashicorp/setup-packer@v3
with:
version: ${{ steps.setup-env.outputs.packer-version }}
- uses: hashicorp/setup-terraform@v3
with:
terraform_version: ${{ steps.setup-env.outputs.terraform-version }}
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install --upgrade \
--requirement requirements.txt
- name: Install ansible roles
run: ansible-galaxy install --force --role-file ansible/requirements.yml
# Do not copy the AMI to other regions until we have figured out a
# workable mechanism for creating and managing AMI KMS keys in other
# regions.
# See https://github.com/cisagov/cool-system/issues/18 for details.
# - name: Add copy regions to packer configuration
# run: |
# echo $COPY_REGIONS_KMS_MAP | \
# ./patch_packer_config.py variables.pkr.hcl
- name: Assume AWS build role
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.AWS_DEFAULT_REGION }}
role-to-assume: ${{ secrets.BUILD_ROLE_TO_ASSUME_PRODUCTION }}
role-duration-seconds: 7200 # 2 hours
# When called by Packer, Ansible will find /usr/bin/python3 and
# use it; therefore, we must ensure that /usr/bin/python3 points
# to the version of Python that we installed in the
# actions/setup-python step above. This can hose other tasks
# that are expecting to find the system Python at that location,
# though, so we undo this change after running Packer.
- name: Create a /usr/bin/python3 symlink to the installed python
run: |
sudo mv /usr/bin/python3 /usr/bin/python3-default
sudo ln -s ${{ env.pythonLocation }}/bin/python3 \
/usr/bin/python3
- name: Install Packer plugins
run: packer init .
- name: Create machine image
env:
# Since we are using the default value of 15 seconds for
# AWS_POLL_DELAY_SECONDS, this corresponds to a timeout of
# two hours. We need such a long timeout because it can
# take well over an hour to copy this AMI from one region to
# another.
AWS_MAX_ATTEMPTS: 480
run: |
packer build -only amazon-ebs.${{ matrix.architecture }} \
-timestamp-ui \
-var build_bucket=${{ secrets.THIRD_PARTY_BUCKET_PRODUCTION }} \
-var is_prerelease=${{ github.event.release.prerelease }} \
-var release_tag=${{ github.event.release.tag_name }} \
-var release_url=${{ github.event.release.html_url }} \
.
- name: Remove /usr/bin/python3 symlink to the installed python
run: |
sudo mv /usr/bin/python3-default /usr/bin/python3
- name: Setup tmate debug session
uses: mxschmitt/action-tmate@v3
if: env.RUN_TMATE