Merge pull request #445 from philwhineray/master
Replace Travis with GitHub Actions
commit
5059a1316a
169
.github/workflows/publish.yml
vendored
Normal file
169
.github/workflows/publish.yml
vendored
Normal file
@ -0,0 +1,169 @@
|
||||
on: [ push, pull_request, workflow_dispatch ]
|
||||
|
||||
jobs:
|
||||
prep:
|
||||
runs-on: ubuntu-latest
|
||||
name: Prepare build
|
||||
steps:
|
||||
- name: Extract tag/branch variables
|
||||
shell: bash
|
||||
run: |
|
||||
echo "##[set-output name=tag;]$(echo ${GITHUB_REF#refs/tags/}|grep -v '/')"
|
||||
echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/}|grep -v '/')"
|
||||
id: extract
|
||||
outputs:
|
||||
tag: ${{ steps.extract.outputs.tag }}
|
||||
branch: ${{ steps.extract.outputs.branch }}
|
||||
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
name: Build package
|
||||
needs: prep
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- name: Set up build tools
|
||||
run: ./.github/workflows/setup.sh
|
||||
- name: Server-side run of commit hooks in case developer skipped them
|
||||
run: git diff 4b825dc642cb6eb9a060e54bf8d69288fbee4904 | ./packaging/check-files -
|
||||
env:
|
||||
TRAVIS_TAG: ${{ needs.prep.outputs.tag }}
|
||||
- name: Obtain GPG keys to validate tag signature
|
||||
if: ${{ needs.prep.outputs.tag != '' }}
|
||||
run: |
|
||||
./packaging/gpg-recv-key phil@firehol.org "0762 9FF7 89EA 6156 012F 9F50 C406 9602 1359 9237"
|
||||
./packaging/gpg-recv-key costa@tsaousis.gr "4DFF 624A E564 3B51 2872 1F40 29CA 3358 89B9 A863"
|
||||
git fetch --tags -f
|
||||
env:
|
||||
KEYSERVER: pool.sks-keyservers.net
|
||||
- name: Run build
|
||||
run: |
|
||||
fakeroot ./packaging/git-build
|
||||
test -f firehol*.tar.gz && mkdir -p build && tar xfzC firehol*.tar.gz build && cd build/firehol* && mkdir out-of-tree && cd out-of-tree && ../configure && make check
|
||||
env:
|
||||
TRAVIS_TAG: ${{ needs.prep.outputs.tag }}
|
||||
- name: Create checksums
|
||||
run: |
|
||||
for i in *.tar.*
|
||||
do
|
||||
md5sum -b $i > $i.md5
|
||||
sha512sum -b $i > $i.sha
|
||||
done
|
||||
- name: Upload build artifacts
|
||||
uses: actions/upload-artifact@v2
|
||||
with:
|
||||
name: build-artifacts
|
||||
path: |
|
||||
*.tar.*
|
||||
|
||||
publish_branch:
|
||||
runs-on: ubuntu-latest
|
||||
name: Publish to website if branch
|
||||
needs: [ prep, build ]
|
||||
env:
|
||||
DEPLOY_ARTIFACTS: "*.tar.*"
|
||||
DEPLOY_SERVER: travis@firehol.org
|
||||
DEPLOY_DIR: uploads/firehol/${{needs.prep.outputs.branch}}
|
||||
SERVER_DEPLOY_LOG: https://firehol.org/travis-project.log
|
||||
SERVER_DEPLOY_TIMEOUT: 300
|
||||
if: >-
|
||||
${{ ( needs.prep.outputs.branch == 'main'
|
||||
|| needs.prep.outputs.branch == 'master'
|
||||
|| startsWith( needs.prep.outputs.branch, 'stable-' ) ) }}
|
||||
steps:
|
||||
- name: Download artifacts
|
||||
uses: actions/download-artifact@v2
|
||||
with:
|
||||
name: build-artifacts
|
||||
- name: Setup SSH
|
||||
id: ssh
|
||||
run: |
|
||||
echo "$FIREHOL_ORG_PUBLISH_SSH" > firehol_org_publish_key
|
||||
chmod 600 firehol_org_publish_key
|
||||
eval "$(ssh-agent)"
|
||||
if ssh-add firehol_org_publish_key; then
|
||||
echo "Key added: setting agent environment"
|
||||
echo "##[set-output name=ssh_agent_pid;]$SSH_AGENT_PID"
|
||||
echo "##[set-output name=ssh_auth_sock;]$SSH_AUTH_SOCK"
|
||||
mkdir -p $HOME/.ssh
|
||||
chmod 700 $HOME/.ssh
|
||||
echo PasswordAuthentication=no >> $HOME/.ssh/config
|
||||
chmod 644 $HOME/.ssh/config
|
||||
else
|
||||
echo "Key not added: skipping ssh-agent environment"
|
||||
fi
|
||||
rm -f firehol_org_publish_key
|
||||
env:
|
||||
FIREHOL_ORG_PUBLISH_SSH: ${{secrets.FIREHOL_ORG_PUBLISH_SSH}}
|
||||
- name: Prepare deployment check
|
||||
if: ${{ steps.ssh.outputs.ssh_agent_pid != '' }}
|
||||
run: curl -s -oresult.orig $SERVER_DEPLOY_LOG
|
||||
- name: Deploy to website ${{needs.prep.outputs.branch}}
|
||||
if: ${{ steps.ssh.outputs.ssh_agent_pid != '' }}
|
||||
run: |
|
||||
ssh-keyscan -H firehol.org >> ~/.ssh/known_hosts
|
||||
ssh $DEPLOY_SERVER mkdir -p "$DEPLOY_DIR"
|
||||
rsync -a $DEPLOY_ARTIFACTS "$DEPLOY_SERVER:$DEPLOY_DIR/"
|
||||
ssh $DEPLOY_SERVER touch "$DEPLOY_DIR/complete.txt"
|
||||
env:
|
||||
SSH_AGENT_PID: ${{ steps.ssh.outputs.ssh_agent_pid }}
|
||||
SSH_AUTH_SOCK: ${{ steps.ssh.outputs.ssh_auth_sock }}
|
||||
- name: Check deployment
|
||||
if: ${{ steps.ssh.outputs.ssh_agent_pid != '' }}
|
||||
run: |
|
||||
pause=10
|
||||
attempts=$(( $SERVER_DEPLOY_TIMEOUT / $pause ))
|
||||
while [ $attempts -gt 0 ]
|
||||
do
|
||||
sleep $pause
|
||||
attempts=$((attempts - 1))
|
||||
curl -s -o result $SERVER_DEPLOY_LOG
|
||||
if ! cmp -s result result.orig
|
||||
then
|
||||
cat result
|
||||
if grep -q "not deploying" result
|
||||
then
|
||||
exit 2
|
||||
else
|
||||
exit 0
|
||||
fi
|
||||
fi
|
||||
done
|
||||
exit 1
|
||||
|
||||
publish_tag:
|
||||
runs-on: ubuntu-latest
|
||||
name: Publish to github if tag
|
||||
needs: [ prep, build ]
|
||||
if: ${{ needs.prep.outputs.tag != '' }}
|
||||
steps:
|
||||
- name: Download artifacts
|
||||
uses: actions/download-artifact@v2
|
||||
with:
|
||||
name: build-artifacts
|
||||
- name: Create Release
|
||||
id: create_release
|
||||
uses: actions/create-release@v1
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
with:
|
||||
tag_name: ${{ github.ref }}
|
||||
release_name: Release ${{ github.ref }}
|
||||
draft: true
|
||||
- name: Upload
|
||||
uses: actions/github-script@v3
|
||||
with:
|
||||
github-token: ${{secrets.GITHUB_TOKEN}}
|
||||
script: |
|
||||
const path = require('path');
|
||||
const fs = require('fs');
|
||||
const release_id = '${{ steps.create_release.outputs.id }}';
|
||||
for (let file of await fs.readdirSync('./')) {
|
||||
console.log('uploadReleaseAsset', file);
|
||||
await github.repos.uploadReleaseAsset({
|
||||
owner: context.repo.owner,
|
||||
repo: context.repo.repo,
|
||||
release_id: release_id,
|
||||
name: file,
|
||||
data: await fs.readFileSync(`./${file}`)
|
||||
});
|
||||
}
|
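Review bot: The `Deploy to website` step in `publish_branch` learns the server's host key with `ssh-keyscan -H firehol.org >> ~/.ssh/known_hosts` immediately before connecting, so whatever host answers on the network at that moment is trusted and the deploy key and release artifacts are presented to it; pin the host key instead, e.g. keep the server's public key in the repository or a secret and append it with `echo "$FIREHOL_ORG_HOST_KEY" >> ~/.ssh/known_hosts` (secret name is a placeholder), together with `StrictHostKeyChecking=yes` in the ssh config the `Setup SSH` step already writes. The tag-signature check in `build` fetches maintainer keys from `KEYSERVER: pool.sks-keyservers.net`, which as far as I know has since been taken offline; shipping the two public keys in the repository and importing them locally would remove that dependency. The `prep` and `Setup SSH` steps use the legacy `##[set-output name=…]` command syntax, which GitHub has deprecated in favour of writing `name=value` to `$GITHUB_OUTPUT`. The actions are also referenced by mutable tags (`actions/checkout@v2`, `actions/create-release@v1`, …); pinning them to a full commit SHA limits supply-chain exposure, and `actions/create-release` appears to be archived upstream.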
53
.github/workflows/setup.sh
vendored
Executable file
53
.github/workflows/setup.sh
vendored
Executable file
@ -0,0 +1,53 @@
|
||||
#!/bin/sh
|
||||
|
||||
set -e
|
||||
set -x
|
||||
|
||||
sudo apt install gnupg pandoc fakeroot
|
||||
sudo apt install texlive-base texlive-latex-base texlive-latex-extra texlive-fonts-recommended texlive-latex-recommended
|
||||
sudo apt install lmodern libxml2-utils traceroute ipset
|
||||
|
||||
#
|
||||
# Set up to ensure tests run:
|
||||
# - Ensure unprivileged user namespaces enabled
|
||||
# - Install required kernel modules
|
||||
# - Get latest version of iprange from firehol project
|
||||
sudo sysctl kernel.unprivileged_userns_clone=1
|
||||
sudo modprobe iptable_mangle
|
||||
sudo modprobe ip6table_mangle
|
||||
sudo modprobe iptable_raw
|
||||
sudo modprobe ip6table_raw
|
||||
sudo modprobe iptable_nat
|
||||
sudo modprobe ip6table_nat
|
||||
sudo modprobe iptable_filter
|
||||
sudo modprobe ip6table_filter
|
||||
|
||||
orig=`pwd`
|
||||
mkdir iprange
|
||||
cd iprange
|
||||
curl -s -o json https://api.github.com/repos/firehol/iprange/releases/latest
|
||||
dl=$(sed -ne '/"browser_download_url":.*.tar.gz"/{s/.*"browser_download_url": *//;s/{.*//;s/",*//g;p;q}' json)
|
||||
|
||||
if [ "$dl" = "" ]
|
||||
then
|
||||
echo "Could not find download for latest iprange"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
curl -s -L -o iprange.tar.gz "$dl"
|
||||
if [ $? -ne 0 ]
|
||||
then
|
||||
echo "Could not download $dl"
|
||||
exit 1
|
||||
else
|
||||
echo "Building $dl"
|
||||
fi
|
||||
|
||||
mkdir build
|
||||
tar xfzC iprange.tar.gz build
|
||||
|
||||
cd build/iprange*
|
||||
./configure --disable-man
|
||||
sudo make install
|
||||
cd $orig
|
||||
rm -rf iprange
|
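Review bot: The download check after `curl -s -L -o iprange.tar.gz "$dl"` cannot fire: with `set -e` at the top of the script a non-zero curl exit aborts before `if [ $? -ne 0 ]` runs, and without `-f` an HTTP error such as a 404 exits 0 and leaves the error page in `iprange.tar.gz`, so the failure only surfaces later in `tar`. Use `if ! curl -sSfL -o iprange.tar.gz "$dl"; then` and drop the separate status test (the same applies to the `curl -s -o json …` fetch, where an error body is what later produces the "Could not find download" message). The `sudo apt install` lines have no `-y`; on a non-interactive runner the confirmation prompt may abort the install, so `sudo apt-get install -y …` is safer. The tarball is built and installed with `sudo make install` straight from whatever `releases/latest` points at, with no checksum or signature check; pinning a release version and verifying a recorded checksum before `tar xfzC` would make the build environment reproducible and harder to tamper with.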
74
.travis.yml
74
.travis.yml
@ -1,74 +0,0 @@
|
||||
# Use trusty (for recent pandoc)
|
||||
# https://docs.travis-ci.com/user/trusty-ci-environment/
|
||||
dist: trusty
|
||||
#
|
||||
# Use full virtualisation to allow use of user namespaces
|
||||
sudo: true
|
||||
#
|
||||
# C includes autotools and make by default
|
||||
language: c
|
||||
#
|
||||
# Extra packages
|
||||
addons:
|
||||
apt:
|
||||
packages:
|
||||
- gnupg
|
||||
- pandoc
|
||||
- texlive-base
|
||||
- texlive-latex-base
|
||||
- texlive-latex-extra
|
||||
- texlive-fonts-recommended
|
||||
- texlive-latex-recommended
|
||||
- lmodern
|
||||
- libxml2-utils
|
||||
- traceroute
|
||||
- ipset
|
||||
- fakeroot
|
||||
#
|
||||
# Setup environment
|
||||
before_install:
|
||||
# Decrypt our private files for CI use only
|
||||
- eval "$(ssh-agent -s)"
|
||||
- ./.travis/decrypt-if-have-key 45263037bf08
|
||||
- export KEYSERVER=pool.sks-keyservers.net
|
||||
#
|
||||
# Set up to ensure tests run:
|
||||
# - Ensure unprivileged user namespaces enabled
|
||||
# - Get latest version of iprange from firehol project
|
||||
# - Get a version of util-linux which has the user namespace options
|
||||
# - Install required kernel modules
|
||||
- sudo sysctl kernel.unprivileged_userns_clone=1
|
||||
- sudo .travis/install-iprange
|
||||
- sudo .travis/replace-unshare
|
||||
- sudo modprobe iptable_mangle
|
||||
- sudo modprobe ip6table_mangle
|
||||
- sudo modprobe iptable_raw
|
||||
- sudo modprobe ip6table_raw
|
||||
- sudo modprobe ip6table_nat
|
||||
#
|
||||
# Run
|
||||
before_script:
|
||||
# Download keys - builds of tags check for a recognised signature
|
||||
- ./packaging/gpg-recv-key phil@firehol.org "0762 9FF7 89EA 6156 012F 9F50 C406 9602 1359 9237"
|
||||
- ./packaging/gpg-recv-key costa@tsaousis.gr "4DFF 624A E564 3B51 2872 1F40 29CA 3358 89B9 A863"
|
||||
# Run the commit hooks in case the developer didn't
|
||||
- git diff 4b825dc642cb6eb9a060e54bf8d69288fbee4904 | ./packaging/check-files -
|
||||
script:
|
||||
- fakeroot ./packaging/git-build
|
||||
- (test -f firehol*.tar.gz && mkdir -p build && tar xfzC firehol*.tar.gz build && cd build/firehol* && mkdir out-of-tree && cd out-of-tree && ../configure && make check)
|
||||
#
|
||||
# Deploy as required
|
||||
after_success:
|
||||
- for i in *.tar.*; do md5sum -b $i > $i.md5; sha512sum -b $i > $i.sha; done
|
||||
- ./.travis/deploy-if-have-key firehol
|
||||
deploy:
|
||||
# Upload results to GitHub (tag only)
|
||||
- provider: releases
|
||||
api_key:
|
||||
secure: S5EMYcFY70JpCBgZHqWbcwAXg5jbKd+X1rdA8FMX3c0+mJQ0LaHgqjyIrjZVV3AMdFToZDMD9VmIJARXUU9UY7SH7kp0Txf1g7WetLLN4X53InTFdx4O2Khtnj8osM51R3lyrZw2FPB6af4/ZhNkv/mZgHUg7jQ3Gags6L2NzeGyEZzUVoZEz+qxLXQACKDgEWL1v7D+5vn+v2JjtW1i5LlbWS37u+SXufxvlVcAXSTNWGf3Q1pv2vnjxUkjZcz9A2Zk+DADE9RpdKyUN2279Kx5rpUc4qzET3HZP79Lwp8Cj6Gfd1GOsagM2TXHo5fg38K/mTCUrJ97wdg2uzgvsOZBhLysZVwkikGWnkuM2xQW3NpYmWGpeDRhUnEotZeQ4N1R4dpbQ79oxVEb0wkFAXUUU0qCDPpjA0YUb1c9pRuomCsB7a/SxwNrldCK8XvNFyiCF28yetnjp5O2dytRMQPn7+SU9YdoKe+3k78J/YSdmAFFKvfEwwtz/jAlFjwt6NmV2byAUWOt4k5FTyEsz+Y+P7lkbOJGYpAz7nNvLtp4AcdS30QT7+qW6Hl2y2XeQkTMQS5/k5opVNOrn9oSfRV863tJDFplujtPbYC89Y16vD9MjzYpY7oCJ8njU5vaIx3PcGNeVDO68cqddE/YqqsuHOP8fBdKGbOrLIKZgys=
|
||||
skip_cleanup: true
|
||||
file_glob: true
|
||||
file: "firehol*.tar.*"
|
||||
on:
|
||||
repo: firehol/firehol
|
||||
tags: true
|
@ -1,33 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
set -e
|
||||
|
||||
# Decrypt our private files; changes to this file should be inspected
|
||||
# closely to ensure they do not create information leaks
|
||||
|
||||
eval key="\${encrypted_${1}_key}"
|
||||
eval iv="\${encrypted_${1}_iv}"
|
||||
|
||||
if [ ! "$key" ]
|
||||
then
|
||||
echo "No aes key present - skipping decryption"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
for i in .travis/*.enc
|
||||
do
|
||||
u=$(echo $i | sed -e 's/.enc$//')
|
||||
openssl aes-256-cbc -K "$key" -iv "$iv" -in $i -out $u -d
|
||||
done
|
||||
|
||||
if [ -f .travis/travis_rsa ]
|
||||
then
|
||||
echo "ssh key present - loading to agent"
|
||||
# add key, then remove to prevent leaks
|
||||
chmod 600 .travis/travis_rsa
|
||||
ssh-add .travis/travis_rsa
|
||||
rm -f .travis/travis_rsa
|
||||
touch /tmp/ssh-key-loaded
|
||||
else
|
||||
echo "No ssh key present - skipping agent start"
|
||||
fi
|
@ -1,39 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
set -e
|
||||
|
||||
# Deploy tar-files and checksums to the firehol website
|
||||
|
||||
if [ ! -f /tmp/ssh-key-loaded ]
|
||||
then
|
||||
echo "No ssh key decrypted - skipping deployment to website"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
case "$TRAVIS_BRANCH" in
|
||||
master|stable-*)
|
||||
:
|
||||
;;
|
||||
*)
|
||||
echo "Not on master or stable-* branch - skipping deployment to website"
|
||||
exit 0
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ "$TRAVIS_PULL_REQUEST" = "true" ]
|
||||
then
|
||||
echo "Building pull request - skipping deployment to website"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ "$TRAVIS_TAG" != "" ]
|
||||
then
|
||||
echo "Building tag - skipping deployment to website"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
ssh-keyscan -H firehol.org >> ~/.ssh/known_hosts
|
||||
ssh travis@firehol.org mkdir -p uploads/$1/$TRAVIS_BRANCH/
|
||||
scp -p *.tar.* travis@firehol.org:uploads/$1/$TRAVIS_BRANCH/
|
||||
ssh travis@firehol.org touch uploads/$1/$TRAVIS_BRANCH/complete.txt
|
||||
echo "Visit https://firehol.org/travis-project.log check deployment"
|
@ -1,53 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
if ! MYTMP="`mktemp -d -t install-iprange-XXXXXX`"
|
||||
then
|
||||
echo >&2
|
||||
echo >&2
|
||||
echo >&2 "Cannot create temporary directory."
|
||||
echo >&2
|
||||
exit 1
|
||||
fi
|
||||
export MYTMP
|
||||
|
||||
myexit() {
|
||||
rm -rf $MYTMP
|
||||
exit 0
|
||||
}
|
||||
|
||||
trap myexit INT
|
||||
trap myexit HUP
|
||||
trap myexit 0
|
||||
|
||||
DIR=`pwd`/
|
||||
export DIR
|
||||
|
||||
cd $MYTMP
|
||||
|
||||
set -e
|
||||
|
||||
curl -s -o json https://api.github.com/repos/firehol/iprange/releases/latest
|
||||
dl=$(sed -ne '/"browser_download_url":.*.tar.gz"/{s/.*"browser_download_url": *//;s/{.*//;s/",*//g;p;q}' json)
|
||||
dl=https://github.com/firehol/iprange/releases/download/v1.0.4/iprange-1.0.4.tar.gz
|
||||
|
||||
if [ "$dl" = "" ]
|
||||
then
|
||||
echo "Could not find download for latest iprange"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
curl -s -L -o iprange.tar.gz "$dl"
|
||||
if [ $? -ne 0 ]
|
||||
then
|
||||
echo "Could not download $dl"
|
||||
exit 1
|
||||
else
|
||||
echo "Building $dl"
|
||||
fi
|
||||
|
||||
mkdir build
|
||||
tar xfzC iprange.tar.gz build
|
||||
|
||||
cd build/iprange*
|
||||
./configure --disable-man
|
||||
make install
|
@ -1,40 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
if ! MYTMP="`mktemp -d -t replace-unshare-XXXXXX`"
|
||||
then
|
||||
echo >&2
|
||||
echo >&2
|
||||
echo >&2 "Cannot create temporary directory."
|
||||
echo >&2
|
||||
exit 1
|
||||
fi
|
||||
export MYTMP
|
||||
|
||||
myexit() {
|
||||
rm -rf $MYTMP
|
||||
exit 0
|
||||
}
|
||||
|
||||
trap myexit INT
|
||||
trap myexit HUP
|
||||
trap myexit 0
|
||||
|
||||
DIR=`pwd`/
|
||||
export DIR
|
||||
|
||||
cd $MYTMP
|
||||
|
||||
set -e
|
||||
|
||||
dl=https://launchpad.net/ubuntu/+archive/primary/+files/util-linux_2.27.1.orig.tar.xz
|
||||
|
||||
echo $dl
|
||||
curl -s -L -o util-linux.tar.xz "$dl"
|
||||
|
||||
mkdir build
|
||||
tar xfJC util-linux.tar.xz build
|
||||
|
||||
cd build/util-*
|
||||
./configure --disable-all-programs --enable-unshare
|
||||
make
|
||||
make install
|
Binary file not shown.
@ -39,6 +39,7 @@ diff -r "$1" $MYTMP/unpack/* | grep "^Only" | sed \
|
||||
-e '/: \.deps$/d' \
|
||||
-e '/: \.git$/d' \
|
||||
-e '/: \.gitattributes$/d' \
|
||||
-e '/: \.github$/d' \
|
||||
-e '/: \.gitignore$/d' \
|
||||
-e '/: \.travis$/d' \
|
||||
-e '/: \.travis.yml$/d' \
|
||||
|
@ -4,6 +4,7 @@ my @lines;
|
||||
while (<>) {
|
||||
s/ memory_limit [^ ]*//g;
|
||||
s/ default 32768 / default 8000 /g;
|
||||
s/ default 0x8000 / default 8000 /g;
|
||||
push @lines, $_;
|
||||
}
|
||||
|
||||
|
@ -308,6 +308,8 @@ do
|
||||
if [ $verbose -eq 1 ]
|
||||
then
|
||||
echo "$conf: setup"
|
||||
else
|
||||
echo "Test: $conf"
|
||||
fi
|
||||
if [ -x "$pre_sh" ]
|
||||
then
|
||||
|