sad/firehol
1
0
Fork 0
mirror of https://github.com/firehol/firehol.git synced 2024-06-20 14:08:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #445 from philwhineray/master

Browse Source 
Replace Travis with Github actions
This commit is contained in:
philwhineray 2020-12-31 17:15:13 +00:00 committed by GitHub
commit 5059a1316a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 226 additions and 239 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

169
.github/workflows/publish.yml vendored Normal file
View File

@ -0,0 +1,169 @@
on: [ push, pull_request, workflow_dispatch ]
jobs:
prep:
runs-on: ubuntu-latest
name: Prepare build
steps:
- name: Extract tag/branch variables
shell: bash
run: |
echo "##[set-output name=tag;]$(echo ${GITHUB_REF#refs/tags/}|grep -v '/')"
echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/}|grep -v '/')"
id: extract
outputs:
tag: ${{ steps.extract.outputs.tag }}
branch: ${{ steps.extract.outputs.branch }}
build:
runs-on: ubuntu-latest
name: Build package
needs: prep
steps:
- uses: actions/checkout@v2
- name: Set up build tools
run: ./.github/workflows/setup.sh
- name: Server-side run of commit hooks in case developer skipped them
run: git diff 4b825dc642cb6eb9a060e54bf8d69288fbee4904 | ./packaging/check-files -
env:
TRAVIS_TAG: ${{ needs.prep.outputs.tag }}
- name: Obtain GPG keys to validate tag signature
if: ${{ needs.prep.outputs.tag != '' }}
run: |
./packaging/gpg-recv-key phil@firehol.org "0762 9FF7 89EA 6156 012F 9F50 C406 9602 1359 9237"
./packaging/gpg-recv-key costa@tsaousis.gr "4DFF 624A E564 3B51 2872 1F40 29CA 3358 89B9 A863"
git fetch --tags -f
env:
KEYSERVER: pool.sks-keyservers.net
- name: Run build
run: |
fakeroot ./packaging/git-build
test -f firehol*.tar.gz && mkdir -p build && tar xfzC firehol*.tar.gz build && cd build/firehol* && mkdir out-of-tree && cd out-of-tree && ../configure && make check
env:
TRAVIS_TAG: ${{ needs.prep.outputs.tag }}
- name: Create checksums
run: |
for i in *.tar.*
do
md5sum -b $i > $i.md5
sha512sum -b $i > $i.sha
done
- name: Upload build artifacts
uses: actions/upload-artifact@v2
with:
name: build-artifacts
path: |
*.tar.*
publish_branch:
runs-on: ubuntu-latest
name: Publish to website if branch
needs: [ prep, build ]
env:
DEPLOY_ARTIFACTS: "*.tar.*"
DEPLOY_SERVER: travis@firehol.org
DEPLOY_DIR: uploads/firehol/${{needs.prep.outputs.branch}}
SERVER_DEPLOY_LOG: https://firehol.org/travis-project.log
SERVER_DEPLOY_TIMEOUT: 300
if: >-
${{ ( needs.prep.outputs.branch == 'main'
|| needs.prep.outputs.branch == 'master'
|| startsWith( needs.prep.outputs.branch, 'stable-' ) ) }}
steps:
- name: Download artifacts
uses: actions/download-artifact@v2
with:
name: build-artifacts
- name: Setup SSH
id: ssh
run: |
echo "$FIREHOL_ORG_PUBLISH_SSH" > firehol_org_publish_key
chmod 600 firehol_org_publish_key
eval "$(ssh-agent)"
if ssh-add firehol_org_publish_key; then
echo "Key added: setting agent environment"
echo "##[set-output name=ssh_agent_pid;]$SSH_AGENT_PID"
echo "##[set-output name=ssh_auth_sock;]$SSH_AUTH_SOCK"
mkdir -p $HOME/.ssh
chmod 700 $HOME/.ssh
echo PasswordAuthentication=no >> $HOME/.ssh/config
chmod 644 $HOME/.ssh/config
else
echo "Key not added: skipping ssh-agent environment"
fi
rm -f firehol_org_publish_key
env:
FIREHOL_ORG_PUBLISH_SSH: ${{secrets.FIREHOL_ORG_PUBLISH_SSH}}
- name: Prepare deployment check
if: ${{ steps.ssh.outputs.ssh_agent_pid != '' }}
run: curl -s -oresult.orig $SERVER_DEPLOY_LOG
- name: Deploy to website ${{needs.prep.outputs.branch}}
if: ${{ steps.ssh.outputs.ssh_agent_pid != '' }}
run: |
ssh-keyscan -H firehol.org >> ~/.ssh/known_hosts
ssh $DEPLOY_SERVER mkdir -p "$DEPLOY_DIR"
rsync -a $DEPLOY_ARTIFACTS "$DEPLOY_SERVER:$DEPLOY_DIR/"
ssh $DEPLOY_SERVER touch "$DEPLOY_DIR/complete.txt"
env:
SSH_AGENT_PID: ${{ steps.ssh.outputs.ssh_agent_pid }}
SSH_AUTH_SOCK: ${{ steps.ssh.outputs.ssh_auth_sock }}
- name: Check deployment
if: ${{ steps.ssh.outputs.ssh_agent_pid != '' }}
run: |
pause=10
attempts=$(( $SERVER_DEPLOY_TIMEOUT / $pause ))
while [ $attempts -gt 0 ]
do
sleep $pause
attempts=$((attempts - 1))
curl -s -o result $SERVER_DEPLOY_LOG
if ! cmp -s result result.orig
then
cat result
if grep -q "not deploying" result
then
exit 2
else
exit 0
fi
fi
done
exit 1
publish_tag:
runs-on: ubuntu-latest
name: Publish to github if tag
needs: [ prep, build ]
if: ${{ needs.prep.outputs.tag != '' }}
steps:
- name: Download artifacts
uses: actions/download-artifact@v2
with:
name: build-artifacts
- name: Create Release
id: create_release
uses: actions/create-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
tag_name: ${{ github.ref }}
release_name: Release ${{ github.ref }}
draft: true
- name: Upload
uses: actions/github-script@v3
with:
github-token: ${{secrets.GITHUB_TOKEN}}
script: |
const path = require('path');
const fs = require('fs');
const release_id = '${{ steps.create_release.outputs.id }}';
for (let file of await fs.readdirSync('./')) {
console.log('uploadReleaseAsset', file);
await github.repos.uploadReleaseAsset({
owner: context.repo.owner,
repo: context.repo.repo,
release_id: release_id,
name: file,
data: await fs.readFileSync(`./${file}`)
});
}

53
.github/workflows/setup.sh vendored Executable file
View File

@ -0,0 +1,53 @@
#!/bin/sh
set -e
set -x
sudo apt install gnupg pandoc fakeroot
sudo apt install texlive-base texlive-latex-base texlive-latex-extra texlive-fonts-recommended texlive-latex-recommended
sudo apt install lmodern libxml2-utils traceroute ipset
#
# Set up to ensure tests run:
# - Ensure unprivileged user namespaces enabled
# - Install required kernel modules
# - Get latest version of iprange from firehol project
sudo sysctl kernel.unprivileged_userns_clone=1
sudo modprobe iptable_mangle
sudo modprobe ip6table_mangle
sudo modprobe iptable_raw
sudo modprobe ip6table_raw
sudo modprobe iptable_nat
sudo modprobe ip6table_nat
sudo modprobe iptable_filter
sudo modprobe ip6table_filter
orig=`pwd`
mkdir iprange
cd iprange
curl -s -o json https://api.github.com/repos/firehol/iprange/releases/latest
dl=$(sed -ne '/"browser_download_url":.*.tar.gz"/{s/.*"browser_download_url": *//;s/{.*//;s/",*//g;p;q}' json)
if [ "$dl" = "" ]
then
echo "Could not find download for latest iprange"
exit 1
fi
curl -s -L -o iprange.tar.gz "$dl"
if [ $? -ne 0 ]
then
echo "Could not download $dl"
exit 1
else
echo "Building $dl"
fi
mkdir build
tar xfzC iprange.tar.gz build
cd build/iprange*
./configure --disable-man
sudo make install
cd $orig
rm -rf iprange

74
.travis.yml
View File

@ -1,74 +0,0 @@
# Use trusty (for recent pandoc)
# https://docs.travis-ci.com/user/trusty-ci-environment/
dist: trusty
#
# Use full virtualisation to allow use of user namespaces
sudo: true
#
# C includes autotools and make by default
language: c
#
# Extra packages
addons:
apt:
packages:
- gnupg
- pandoc
- texlive-base
- texlive-latex-base
- texlive-latex-extra
- texlive-fonts-recommended
- texlive-latex-recommended
- lmodern
- libxml2-utils
- traceroute
- ipset
- fakeroot
#
# Setup environment
before_install:
# Decrypt our private files for CI use only
- eval "$(ssh-agent -s)"
- ./.travis/decrypt-if-have-key 45263037bf08
- export KEYSERVER=pool.sks-keyservers.net
#
# Set up to ensure tests run:
# - Ensure unprivileged user namespaces enabled
# - Get latest version of iprange from firehol project
# - Get a version of util-linux which has the user namespace options
# - Install required kernel modules
- sudo sysctl kernel.unprivileged_userns_clone=1
- sudo .travis/install-iprange
- sudo .travis/replace-unshare
- sudo modprobe iptable_mangle
- sudo modprobe ip6table_mangle
- sudo modprobe iptable_raw
- sudo modprobe ip6table_raw
- sudo modprobe ip6table_nat
#
# Run
before_script:
# Download keys - builds of tags check for a recognised signature
- ./packaging/gpg-recv-key phil@firehol.org "0762 9FF7 89EA 6156 012F 9F50 C406 9602 1359 9237"
- ./packaging/gpg-recv-key costa@tsaousis.gr "4DFF 624A E564 3B51 2872 1F40 29CA 3358 89B9 A863"
# Run the commit hooks in case the developer didn't
- git diff 4b825dc642cb6eb9a060e54bf8d69288fbee4904 | ./packaging/check-files -
script:
- fakeroot ./packaging/git-build
- (test -f firehol*.tar.gz && mkdir -p build && tar xfzC firehol*.tar.gz build && cd build/firehol* && mkdir out-of-tree && cd out-of-tree && ../configure && make check)
#
# Deploy as required
after_success:
- for i in *.tar.*; do md5sum -b $i > $i.md5; sha512sum -b $i > $i.sha; done
- ./.travis/deploy-if-have-key firehol
deploy:
# Upload results to GitHub (tag only)
- provider: releases
api_key:
secure: S5EMYcFY70JpCBgZHqWbcwAXg5jbKd+X1rdA8FMX3c0+mJQ0LaHgqjyIrjZVV3AMdFToZDMD9VmIJARXUU9UY7SH7kp0Txf1g7WetLLN4X53InTFdx4O2Khtnj8osM51R3lyrZw2FPB6af4/ZhNkv/mZgHUg7jQ3Gags6L2NzeGyEZzUVoZEz+qxLXQACKDgEWL1v7D+5vn+v2JjtW1i5LlbWS37u+SXufxvlVcAXSTNWGf3Q1pv2vnjxUkjZcz9A2Zk+DADE9RpdKyUN2279Kx5rpUc4qzET3HZP79Lwp8Cj6Gfd1GOsagM2TXHo5fg38K/mTCUrJ97wdg2uzgvsOZBhLysZVwkikGWnkuM2xQW3NpYmWGpeDRhUnEotZeQ4N1R4dpbQ79oxVEb0wkFAXUUU0qCDPpjA0YUb1c9pRuomCsB7a/SxwNrldCK8XvNFyiCF28yetnjp5O2dytRMQPn7+SU9YdoKe+3k78J/YSdmAFFKvfEwwtz/jAlFjwt6NmV2byAUWOt4k5FTyEsz+Y+P7lkbOJGYpAz7nNvLtp4AcdS30QT7+qW6Hl2y2XeQkTMQS5/k5opVNOrn9oSfRV863tJDFplujtPbYC89Y16vD9MjzYpY7oCJ8njU5vaIx3PcGNeVDO68cqddE/YqqsuHOP8fBdKGbOrLIKZgys=
skip_cleanup: true
file_glob: true
file: "firehol*.tar.*"
on:
repo: firehol/firehol
tags: true

33
.travis/decrypt-if-have-key
View File

@ -1,33 +0,0 @@
#!/bin/bash
set -e
# Decrypt our private files; changes to this file should be inspected
# closely to ensure they do not create information leaks
eval key="\${encrypted_${1}_key}"
eval iv="\${encrypted_${1}_iv}"
if [ ! "$key" ]
then
echo "No aes key present - skipping decryption"
exit 0
fi
for i in .travis/*.enc
do
u=$(echo $i | sed -e 's/.enc$//')
openssl aes-256-cbc -K "$key" -iv "$iv" -in $i -out $u -d
done
if [ -f .travis/travis_rsa ]
then
echo "ssh key present - loading to agent"
# add key, then remove to prevent leaks
chmod 600 .travis/travis_rsa
ssh-add .travis/travis_rsa
rm -f .travis/travis_rsa
touch /tmp/ssh-key-loaded
else
echo "No ssh key present - skipping agent start"
fi

39
.travis/deploy-if-have-key
View File

@ -1,39 +0,0 @@
#!/bin/bash
set -e
# Deploy tar-files and checksums to the firehol website
if [ ! -f /tmp/ssh-key-loaded ]
then
echo "No ssh key decrypted - skipping deployment to website"
exit 0
fi
case "$TRAVIS_BRANCH" in
master|stable-*)
:
;;
*)
echo "Not on master or stable-* branch - skipping deployment to website"
exit 0
;;
esac
if [ "$TRAVIS_PULL_REQUEST" = "true" ]
then
echo "Building pull request - skipping deployment to website"
exit 0
fi
if [ "$TRAVIS_TAG" != "" ]
then
echo "Building tag - skipping deployment to website"
exit 0
fi
ssh-keyscan -H firehol.org >> ~/.ssh/known_hosts
ssh travis@firehol.org mkdir -p uploads/$1/$TRAVIS_BRANCH/
scp -p *.tar.* travis@firehol.org:uploads/$1/$TRAVIS_BRANCH/
ssh travis@firehol.org touch uploads/$1/$TRAVIS_BRANCH/complete.txt
echo "Visit https://firehol.org/travis-project.log check deployment"

53
.travis/install-iprange
View File

@ -1,53 +0,0 @@
#!/bin/sh
if ! MYTMP="`mktemp -d -t install-iprange-XXXXXX`"
then
echo >&2
echo >&2
echo >&2 "Cannot create temporary directory."
echo >&2
exit 1
fi
export MYTMP
myexit() {
rm -rf $MYTMP
exit 0
}
trap myexit INT
trap myexit HUP
trap myexit 0
DIR=`pwd`/
export DIR
cd $MYTMP
set -e
curl -s -o json https://api.github.com/repos/firehol/iprange/releases/latest
dl=$(sed -ne '/"browser_download_url":.*.tar.gz"/{s/.*"browser_download_url": *//;s/{.*//;s/",*//g;p;q}' json)
dl=https://github.com/firehol/iprange/releases/download/v1.0.4/iprange-1.0.4.tar.gz
if [ "$dl" = "" ]
then
echo "Could not find download for latest iprange"
exit 1
fi
curl -s -L -o iprange.tar.gz "$dl"
if [ $? -ne 0 ]
then
echo "Could not download $dl"
exit 1
else
echo "Building $dl"
fi
mkdir build
tar xfzC iprange.tar.gz build
cd build/iprange*
./configure --disable-man
make install

40
.travis/replace-unshare
View File

@ -1,40 +0,0 @@
#!/bin/sh
if ! MYTMP="`mktemp -d -t replace-unshare-XXXXXX`"
then
echo >&2
echo >&2
echo >&2 "Cannot create temporary directory."
echo >&2
exit 1
fi
export MYTMP
myexit() {
rm -rf $MYTMP
exit 0
}
trap myexit INT
trap myexit HUP
trap myexit 0
DIR=`pwd`/
export DIR
cd $MYTMP
set -e
dl=https://launchpad.net/ubuntu/+archive/primary/+files/util-linux_2.27.1.orig.tar.xz
echo $dl
curl -s -L -o util-linux.tar.xz "$dl"
mkdir build
tar xfJC util-linux.tar.xz build
cd build/util-*
./configure --disable-all-programs --enable-unshare
make
make install

BIN
.travis/travis_rsa.enc
View File

Binary file not shown.

1
packaging/tar-compare
View File

@ -39,6 +39,7 @@ diff -r "$1" $MYTMP/unpack/* | grep "^Only" | sed \
-e '/: \.deps$/d' \
-e '/: \.git$/d' \
-e '/: \.gitattributes$/d' \
-e '/: \.github$/d' \
-e '/: \.gitignore$/d' \
-e '/: \.travis$/d' \
-e '/: \.travis.yml$/d' \

1
tests/tools/clean-qdisc
View File

@ -4,6 +4,7 @@ my @lines;
while (<>) {
s/ memory_limit [^ ]*//g;
s/ default 32768 / default 8000 /g;
s/ default 0x8000 / default 8000 /g;
push @lines, $_;
}

2
tests/unittest
View File

@ -308,6 +308,8 @@ do
if [ $verbose -eq 1 ]
then
echo "$conf: setup"
else
echo "Test: $conf"
fi
if [ -x "$pre_sh" ]
then