From 65d6f6e4ee070283fc8739e8d8295eb6c554029a Mon Sep 17 00:00:00 2001
From: Varun Sharma
Date: Sat, 15 Feb 2025 12:11:05 -0800
Subject: [PATCH] Add workflows
---
.../workflows/publish-immutable-actions.yml | 28 +++
.github/workflows/runs-on.yml | 176 ++++++++++++++++++
2 files changed, 204 insertions(+)
create mode 100644 .github/workflows/publish-immutable-actions.yml
create mode 100644 .github/workflows/runs-on.yml
diff --git a/.github/workflows/publish-immutable-actions.yml b/.github/workflows/publish-immutable-actions.yml
new file mode 100644
index 0000000..a863ff8
--- /dev/null
+++ b/.github/workflows/publish-immutable-actions.yml
@@ -0,0 +1,28 @@
+name: 'Publish Immutable Action Version'
+
+on:
+ release:
+ types: [published]
+
+permissions:
+ contents: read
+
+jobs:
+ publish:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ id-token: write
+ packages: write
+
+ steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+ with:
+ egress-policy: audit
+
+ - name: Checking out
+ uses: actions/checkout@v4
+ - name: Publish
+ id: publish
+ uses: actions/publish-immutable-action@0.0.4
\ No newline at end of file
diff --git a/.github/workflows/runs-on.yml b/.github/workflows/runs-on.yml
new file mode 100644
index 0000000..0aa984d
--- /dev/null
+++ b/.github/workflows/runs-on.yml
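Review bot: `actions/checkout@v4` and `actions/publish-immutable-action@0.0.4` in the `publish` job are referenced by mutable tags while `harden-runner` a few lines above is pinned to a full commit SHA with a version comment; a job that holds `id-token: write` and `packages: write` is exactly where a retagged action matters, so pin both the same way, e.g. `uses: actions/checkout@<full-commit-sha> # v4`. The harden-runner step runs with `egress-policy: audit`, which only logs outbound traffic; once the endpoints the publish step needs are known from audit runs, switch to `egress-policy: block` with an `allowed-endpoints` list, as the test jobs in the other workflow of this commit already do. The file also lacks a trailing newline.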
@@ -0,0 +1,176 @@
+name: RunsOn Tests
+
+on:
+ workflow_dispatch:
+
+jobs:
+ test-host-outbound:
+ runs-on:
+ - runs-on=${{ github.run_id }}
+ - runner=2cpu-linux-x64
+ - image=ubuntu22-stepsecurity-x64
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@rc
+ with:
+ egress-policy: audit
+ allowed-endpoints: >
+ github.com:443
+ goreleaser.com:443
+
+
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Run outbound calls from host
+ run: |
+ start_time=$(date +%s)
+ end_time=$((start_time + 90)) # 5 minutes = 300 seconds
+
+ while [ $(date +%s) -lt $end_time ]; do
+ curl -I https://www.google.com
+ curl -I https://goreleaser.com
+ sleep 10 # wait 10 seconds between calls
+ done
+
+ test-docker-outbound:
+ runs-on:
+ - runs-on=${{ github.run_id }}
+ - runner=2cpu-linux-x64
+ - image=ubuntu22-stepsecurity-x64
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@rc
+ with:
+ egress-policy: block
+ allowed-endpoints: >
+ archive.ubuntu.com:80
+ github.com:443
+ goreleaser.com:443
+ production.cloudflare.docker.com:443
+ docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com:443
+ *.docker.io:443
+ security.ubuntu.com:80
+
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Run outbound calls from within Docker container
+ continue-on-error: true
+ run: |
+ # Start the container
+ docker run --rm -d --name test-container ubuntu:latest sleep 90
+
+ # Install curl in the container
+ docker exec test-container apt-get update
+ docker exec test-container apt-get install -y curl
+
+ # Print /etc/resolv.conf from the container
+ docker exec test-container cat /etc/resolv.conf
+
+ # Make outbound calls
+ for i in {1..9}; do
+ docker exec test-container curl -I https://www.google.com
+ docker exec test-container curl -I https://goreleaser.com
+ sleep 10 # wait 10 seconds between calls
+ done
+
+ # Stop the container
+ docker stop test-container
+
+
+ test-docker-build-outbound:
+ runs-on:
+ -
runs-on=${{ github.run_id }}
+ - runner=2cpu-linux-x64
+ - image=ubuntu22-stepsecurity-x64
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@rc
+ with:
+ egress-policy: audit
+ allowed-endpoints: >
+ archive.ubuntu.com:80
+ auth.docker.io:443
+ github.com:443
+ goreleaser.com:443
+ production.cloudflare.docker.com:443
+ docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com:443
+ registry-1.docker.io:443
+ security.ubuntu.com:80
+
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Build Docker image and test outbound calls during build
+ continue-on-error: true
+ run: |
+ # Create a Dockerfile that installs curl and makes outbound calls
+ cat < Dockerfile
+ FROM ubuntu:latest
+ RUN apt-get update && apt-get install -y curl
+ RUN for i in {1..9}; do curl -I https://www.google.com && curl -I https://goreleaser.com; sleep 10; done
+ EOF
+
+ # Build the Docker image
+ docker build -t test-image .
+
+ # Print /etc/resolv.conf from the build container (temporary container used during build)
+ container_id=$(docker create test-image)
+ docker start $container_id
+ docker exec $container_id cat /etc/resolv.conf
+ docker stop $container_id
+ docker rm $container_id
+
+ - name: Print Docker logs with journalctl
+ run: |
+ sudo journalctl -u docker.service --no-pager
+ shell: bash
+
+ test-long-running-docker:
+ runs-on:
+ - runs-on=${{ github.run_id }}
+ - runner=2cpu-linux-x64
+ - image=ubuntu22-stepsecurity-x64
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@rc
+ with:
+ egress-policy: block
+ allowed-endpoints: >
+ archive.ubuntu.com:80
+ auth.docker.io:443
+ github.com:443
+ goreleaser.com:443
+ production.cloudflare.docker.com:443
+ registry-1.docker.io:443
+ docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com:443
+ security.ubuntu.com:80
+
+
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Run long-running Docker container with outbound calls
+
continue-on-error: true
+ run: |
+ # Start the long-running container
+ docker run --rm -d --name long-running-container ubuntu:latest bash -c "
+ apt-get update && apt-get install -y curl &&
+ while true; do
+ curl -I https://www.google.com;
+ curl -I https://goreleaser.com;
+ sleep 10;
+ done
+ "
+
+ # Print /etc/resolv.conf from the container
+ docker exec long-running-container cat /etc/resolv.conf
+
+ # Let the container run for 5 minutes
+ sleep 90
+
+ # Stop the container
+ docker stop long-running-container
+
+
\ No newline at end of file
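Review bot: In `test-docker-build-outbound`, the Dockerfile line `RUN for i in {1..9}; do ...; done` runs under Docker's default `/bin/sh -c`, which on Ubuntu is dash and performs no brace expansion, so the loop body executes once with `i` set to the literal `{1..9}` instead of nine times; write `RUN for i in 1 2 3 4 5 6 7 8 9; do curl -I https://www.google.com && curl -I https://goreleaser.com; sleep 10; done` (or put `SHELL ["/bin/bash", "-c"]` above it). As rendered here the heredoc reads `cat < Dockerfile` with a bare `EOF` terminator; if that is not an extraction artifact, the Dockerfile is never written and `docker build` fails before any outbound call is made, so confirm the committed line is `cat <<EOF > Dockerfile`. In `test-host-outbound` the comment `# 5 minutes = 300 seconds` contradicts `end_time=$((start_time + 90))`, and `# Let the container run for 5 minutes` in `test-long-running-docker` sits above `sleep 90`; change both comments to say 90 seconds. The workflow has no top-level `permissions:` block, so every job runs with the repository's default token permissions although no step needs more than read access; add `permissions:` / `contents: read` after `on:` as the sibling workflow in this commit does. `actions/checkout@v3` is also older than the `@v4` used in the other file, and `harden-runner@rc` is a floating ref, which is fine if this workflow deliberately exercises the release candidate but deserves a comment saying so.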