From f1a5bb7fd3bfbfb5eb44820e47deeb9d9e3c6165 Mon Sep 17 00:00:00 2001 From: iadgovuser58 <124906646+iadgovuser58@users.noreply.github.com> Date: Tue, 15 Aug 2023 17:10:34 -0400 Subject: [PATCH] updated github actions unit test yml, added Rocky 8.8 Dockerfile --- .ci/docker/Dockerfile.rocky88ci | 63 ++++++++ .github/workflows/hirs_unit_tests.yml | 209 ++++++++++---------------- 2 files changed, 143 insertions(+), 129 deletions(-) create mode 100644 .ci/docker/Dockerfile.rocky88ci diff --git a/.ci/docker/Dockerfile.rocky88ci b/.ci/docker/Dockerfile.rocky88ci new file mode 100644 index 000000000..23ed08a8f --- /dev/null +++ b/.ci/docker/Dockerfile.rocky88ci 
@@ -0,0 +1,63 @@
+FROM rockylinux:8.8
+
+# Purpose: This image is designed for HIRS ci testing on Rocky Linux
+# Date Modified: 8/10/23
+# Notes:
+# * This image installs java, installs project dependencies, and runs gradlew to download gradlew
+# dependencies. This saves time during a docker run. This also means the image should be
+# re-built and re-posted to github each time the following occurs:
+# 1) add/update a dependency
+# 2) update gradle
+# If not re-built, the docker run will still work, but will take longer as it downloads updates
+# * Steps to login to registry, build image, tag image with ghcr.io registry, and push to registry:
+# $ cat pat.txt | docker login ghcr.io -u iadgovuser## --password-stdin
+# Note: pat requires permissions "upload packages from GitHub Package Registry" and possibly "repo"
+# $ docker build . -f Dockerfile.rocky88ci -t hirs-rocky8-ci:latest
+# Note: may need to use --no-cache when building, if 'git clone HIRS' or 'gradlew' is cached
+# (bc need any updated dependencies)
+# $ docker image tag hirs-rocky8-ci:latest ghcr.io/nsacyber/hirs/hirs-rocky8-ci:latest
+# $ docker push ghcr.io/nsacyber/hirs/hirs-rocky8-ci:latest
+
+# Update package installer
+RUN dnf -y update
+
+# Install Java 17
+RUN dnf -y install java-17-openjdk-devel
+
+# Set Environment Variables
+#ENV JAVA_HOME=/usr/lib/jvm/java-17-openjdk
+#ENV PATH="$JAVA_HOME/bin:$PATH"
+
+# Ports needed for system-level tests
+EXPOSE 8080
+EXPOSE 8443
+
+# Install HIRS dependencies
+RUN dnf -y install mariadb-server initscripts firewalld policycoreutils net-tools git && dnf clean all
+# maybe: libtool cmake make gcc-c++ sudo vim wget openssl openssl-devel protobuf tpm2-tools libcurl-devel libssh-devel
+# prob not: rpmdevtools tpm2-tss-devel tpm2-abrmd protobuf-compiler protobuf-devel python36 log4cplus-devel re2-devel tpm2-tss-devel tpm2-abrmd-devel
+
+# Install PACCOR for Device Info Gathering
+# RUN mkdir paccor && pushd paccor && wget 
https://github.com/nsacyber/paccor/releases/download/v1.1.4r6/paccor-1.1.4-6.noarch.rpm && yum -y install paccor-*.rpm && popd
+
+# Install TPM Emulator for Provisioning
+# RUN mkdir ibmtpm && pushd ibmtpm && wget --no-check-certificate https://downloads.sourceforge.net/project/ibmswtpm2/ibmtpm1332.tar.gz && tar -zxvf ibmtpm1332.tar.gz && cd src && make -j5 && popd
+
+# Install Microsoft dotnet and rpm package tool
+# RUN wget https://dot.net/v1/dotnet-install.sh
+# RUN sh dotnet-install.sh --os linux --channel LTS
+# ENV PATH="/root/.dotnet:${PATH}"
+# RUN wget https://packages.microsoft.com/rhel/8/prod/packages-microsoft-prod.rpm
+# RUN dnf -y install packages-microsoft-prod.rpm
+# RUN dnf makecache
+# RUN dnf -y install dotnet-sdk-6.0
+# RUN dotnet tool install --global dotnet-rpm
+# ?? need this?: RUN PATH="~/.dotnet/tools:${PATH}"
+
+# Checkout HIRS main branch and run gradlew to install gradlew dependencies, then delete HIRS
+# Use '--depth=1' so as to not download the history of all commits
+RUN git clone -b main --depth=1 https://github.com/nsacyber/HIRS.git /hirsTemp
+WORKDIR "/hirsTemp"
+RUN /bin/bash -c './gradlew clean build'
+WORKDIR "/"
+RUN rm -rf /hirsTemp
diff --git a/.github/workflows/hirs_unit_tests.yml b/.github/workflows/hirs_unit_tests.yml
index 0c59ff429..88f047fed 100644
--- a/.github/workflows/hirs_unit_tests.yml
+++ b/.github/workflows/hirs_unit_tests.yml
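Review bot: The dependency cache this image exists to provide is built from `git clone -b main --depth=1 …` and published only as `hirs-rocky8-ci:latest`, so neither the image contents nor the tag the CI later pulls is reproducible — whatever `main` and the registry hold at build time is what the unit tests run under. Add `ARG HIRS_REF=main` before the clone and use `RUN git clone -b "${HIRS_REF}" --depth=1 https://github.com/nsacyber/HIRS.git /hirsTemp`, and record the pushed image digest in the header so the workflow can pin `@sha256:…` instead of `:latest`; `FROM rockylinux:8.8` followed by `dnf -y update` likewise drifts between builds unless the base is digest-pinned. The commented-out TPM-emulator line carries `wget --no-check-certificate`, which disables TLS verification of the sourceforge download; if it is ever re-enabled, drop that flag and verify the tarball with `sha256sum -c` against a recorded checksum. Nothing here sets `USER`, so gradle runs as root and — with the runner workspace bind-mounted at `/HIRS` — presumably leaves root-owned files under `artifacts/`; a short note in the header comment stating that this is intended for a CI-only image would help.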
@@ -1,147 +1,98 @@ # This workflow will build HIRS, run unit tests, and create HIRS artifacts +# Updated: 8/15/23 name: HIRS Build and Unit Test on: + # Runs this workflow whenever there is a push to main from a branch annotated with "v3" push: branches: - - '*v2*' - - 'master' - # allows you to run this workflow manually from the Actions tab + - '*v3*' + - 'main' + # Allows you to run this workflow manually from the Actions tab workflow_dispatch: jobs: - # run the unit tests and package HIRS ACA, provisoner, and tools - ACA_Provisioner_unit_tests: - runs-on: ubuntu-latest - permissions: - contents: read - packages: write - + # Run the unit tests and package HIRS ACA, provisoner, and tools + ACA_Provisioner_Unit_Tests: + runs-on: ubuntu-latest # Configures the job to run on the latest version of an Ubuntu Linux runner steps: - - uses: actions/checkout@v2 - - name: Set up JDK 11 - uses: actions/setup-java@v2 - with: - java-version: '8' - distribution: 'adopt' - server-id: github # Value of the distributionManagement/repository/id field of the pom.xml - settings-path: ${{ github.workspace }} # location for the settings.xml file - # Build will either archive war files if the build is successful, otherwise a set of build report will be archived - - name: directory setup + - uses: actions/checkout@v3 # run v3 of actions/checkout action, which checks out your repository onto the runner + # Build will archive build reports and will create a failedFile if build is not successful + - name: Directory setup run: | - mkdir -p artifacts/wars - mkdir -p artifacts/reports/HIRS_AttestationCA - mkdir -p artifacts/reports/HIRS_AttestationCAPortal - mkdir -p artifacts/reports/HIRS_Provisioner - mkdir -p artifacts/reports/HIRS_ProvisionerTPM2 - mkdir -p artifacts/reports/HIRS_Structs - mkdir -p artifacts/reports/HIRS_Utils - mkdir -p artifacts/reports/tcg_rim_tool - mkdir -p artifacts/reports/tcg_eventlog_tool - # Run the provisioner and ACA unit tests via gradle build in an Centos 7 
Docker container - - name: Build HIRS and run Unit tests + mkdir -p artifacts/githubActionsResults + mkdir -p artifacts/reports/HIRS_AttestationCA + mkdir -p artifacts/reports/HIRS_AttestationCAPortal + mkdir -p artifacts/reports/HIRS_Provisioner + mkdir -p artifacts/reports/HIRS_ProvisionerTPM2 + mkdir -p artifacts/reports/HIRS_Structs + mkdir -p artifacts/reports/HIRS_Utils + mkdir -p artifacts/reports/tcg_rim_tool + mkdir -p artifacts/reports/tcg_eventlog_tool + # Run the provisioner and ACA unit tests via gradle build in a Rocky Docker container + - name: Build HIRS and run unit tests run: | - echo ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} | docker login -u ${{ secrets.DOCKER_HUB_USERNAME }} --password-stdin - docker run --rm \ - -v $(pwd):/HIRS hirs/hirs-ci:centos7 /bin/bash \ - -c 'pushd /HIRS; \ - gradle_status=0; \ - - ./gradlew :HIRS_AttestationCA:clean :HIRS_AttestationCA:build :HIRS_AttestationCA:test; \ - if (( $? != "0" )) ; then gradle_status=1; fi; \ - cp -r /HIRS/HIRS_AttestationCA/build/reports/ /HIRS/artifacts/reports/HIRS_AttestationCA/.; \ - ./gradlew :HIRS_AttestationCAPortal:clean :HIRS_AttestationCAPortal:build :HIRS_AttestationCAPortal:test; \ - if (( $? != "0" )) ; then gradle_status=1; fi; \ - cp -r /HIRS/HIRS_AttestationCAPortal/build/reports/ /HIRS/artifacts/reports/HIRS_AttestationCAPortal/.; \ - ./gradlew :HIRS_Provisioner:clean :HIRS_Provisioner:build :HIRS_Provisioner:test; \ - if (( $? != "0" )) ; then gradle_status=1; fi; \ - cp -r /HIRS/HIRS_Provisioner/build/reports/ /HIRS/artifacts/reports/HIRS_Provisioner/.; \ - ./gradlew :HIRS_ProvisionerTPM2:clean :HIRS_ProvisionerTPM2:build :HIRS_ProvisionerTPM2:test; \ - if (( $? != "0" )) ; then gradle_status=1; fi; \ - cp -r /HIRS/HIRS_ProvisionerTPM2/docs/ /HIRS/artifacts/reports/HIRS_ProvisionerTPM2/.; \ - ./gradlew :HIRS_Structs:clean :HIRS_Structs:build :HIRS_Structs:test; \ - if (( $? 
!= "0" )) ; then gradle_status=1; fi; \ - cp -r /HIRS/HIRS_Structs/build/reports/ /HIRS/artifacts/reports/HIRS_Structs/.; \ - ./gradlew :HIRS_Utils:clean :HIRS_Utils:build :HIRS_Utils:test; \ - if (( $? != "0" )) ; then gradle_status=1; fi; \ - cp -r /HIRS/HIRS_Utils/build/reports/ /HIRS/artifacts/reports/HIRS_Utils/.; \ - ./gradlew :TPM_Utils:clean :TPM_Utils:build :TPM_Utils:test; \ - if (( $? != "0" )) ; then gradle_status=1; fi; \ - - # Use the war file archive to fail the Build ACA tests by not placing them in the artifacts folder - if (( $gradle_status == "0" )) ; then \ - cp /HIRS/HIRS_AttestationCA/build/libs/HIRS_AttestationCA.war /HIRS/artifacts/wars/.; \ - cp /HIRS/HIRS_AttestationCAPortal/build/libs/HIRS_AttestationCAPortal.war /HIRS/artifacts/wars/.; \ - echo "Build Worked"; \ - else \ - echo "Build Failed"; \ - fi; popd;' \ - - name: Archive Report files - uses: actions/upload-artifact@v2 + + # log into and run docker (note: must set up secrets in github for ghcr username and access_token) + echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u $ --password-stdin + + # docker run options: + # create a mount between curr directory on the runner and the HIRS folder created by the cloning of HIRS repo + # -v $(pwd):/HIRS + # image used for the container, given by : + # rocky8: ghcr.io/nsacyber/hirs/hirs-rocky8-ci:latest [repo: https://github.com/orgs/nsacyber/packages] + # bash commands to clean/build/test each subproject + # /bin/bash -c '' + docker run --rm \ + -v $(pwd):/HIRS \ + ghcr.io/nsacyber/hirs/hirs-rocky8-ci:latest /bin/bash -c \ + 'pushd /HIRS + gradle_status=0 + + # git added a feature that gives error if user is not owner of the top-level directory; need to override this + git config --global --add safe.directory /HIRS + + # clean, build and run unit tests on all sub-projects; copy build reports to an artifacts directory + ./gradlew :HIRS_AttestationCA:clean :HIRS_AttestationCA:build :HIRS_AttestationCA:test + if (( $? 
!= "0" )) ; then gradle_status=1; fi + #cp -r /HIRS/HIRS_AttestationCA/build/reports/ /HIRS/artifacts/reports/HIRS_AttestationCA/. + ./gradlew :HIRS_AttestationCAPortal:clean :HIRS_AttestationCAPortal:build :HIRS_AttestationCAPortal:test + if (( $? != "0" )) ; then gradle_status=1; fi + #cp -r /HIRS/HIRS_AttestationCAPortal/build/reports/ /HIRS/artifacts/reports/HIRS_AttestationCAPortal/. + #./gradlew :HIRS_Provisioner:clean :HIRS_Provisioner:build :HIRS_Provisioner:test + #if (( $? != "0" )) ; then gradle_status=1; fi + #cp -r /HIRS/HIRS_Provisioner/build/reports/ /HIRS/artifacts/reports/HIRS_Provisioner/. + #./gradlew :HIRS_ProvisionerTPM2:clean :HIRS_ProvisionerTPM2:build :HIRS_ProvisionerTPM2:test + #if (( $? != "0" )) ; then gradle_status=1; fi + #cp -r /HIRS/HIRS_ProvisionerTPM2/docs/ /HIRS/artifacts/reports/HIRS_ProvisionerTPM2/. + #./gradlew :HIRS_Structs:clean :HIRS_Structs:build :HIRS_Structs:test + #if (( $? != "0" )) ; then gradle_status=1; fi + #cp -r /HIRS/HIRS_Structs/build/reports/ /HIRS/artifacts/reports/HIRS_Structs/. + ./gradlew :HIRS_Utils:clean :HIRS_Utils:build :HIRS_Utils:test + if (( $? != "0" )) ; then gradle_status=1; fi + cp -r /HIRS/HIRS_Utils/build/reports/ /HIRS/artifacts/reports/HIRS_Utils/. + #./gradlew :TPM_Utils:clean :TPM_Utils:build :TPM_Utils:test + #if (( $? 
!= "0" )) ; then gradle_status=1; fi + + # Create "fail file" to fail the Build ACA tests if gradle exited with anything other than 0 + if (( $gradle_status == "0" )) ; then + echo "In docker: Build Passed" + else + echo "In docker: Build Failed" + touch /HIRS/artifacts/githubActionsResults/buildFailed.txt + fi; popd;' + # Upload build report files + - name: Archive report files + uses: actions/upload-artifact@v3 with: name: HIRS_Build_Reports path: artifacts/reports/* if-no-files-found: ignore - # if-no-files-found used to fail the ACA unti tests - - name: Archive WAR files - uses: actions/upload-artifact@v2 + # If buildFailed file exists, use that to fail the ACA unit tests + - name: Fail if build or unit test failed + if: ${{ hashFiles('artifacts/githubActionsResults/buildFailed.txt') != '' }} + uses: actions/github-script@v6 with: - name: WAR_Files - path: artifacts/wars/* - if-no-files-found: error - # Process eventlog and rim tool seperately to save time building - tcg_eventlog_tool_tests: - runs-on: ubuntu-latest - permissions: - contents: read - packages: write - steps: - - uses: actions/checkout@v2 - - name: Set up JDK 8 - uses: actions/setup-java@v2 - with: - java-version: '8' - distribution: 'adopt' - server-id: github # Value of the distributionManagement/repository/id field of the pom.xml - settings-path: ${{ github.workspace }} # location for the settings.xml file - - name: build and test event log tool - run: | - mkdir -p artifacts/reports/tcg_eventlog_tool; - ./gradlew :tools/tcg_eventlog_tool:build :tools/tcg_eventlog_tool:test; - if (( $? 
!= "0" )) ; then - cp -r tools/tcg_eventlog_tool/build/reports/ artifacts/reports/tcg_eventlog_tool/.; - fi - - name: Archive Report files - uses: actions/upload-artifact@v2 - with: - name: tcg_eventlog_tool_reports - path: artifacts/reports/* - if-no-files-found: ignore - tcg_rim_tool_tests: - runs-on: ubuntu-latest - permissions: - contents: read - packages: write - steps: - - uses: actions/checkout@v2 - - name: Set up JDK 8 - uses: actions/setup-java@v2 - with: - java-version: '8' - distribution: 'adopt' - server-id: github # Value of the distributionManagement/repository/id field of the pom.xml - settings-path: ${{ github.workspace }} # location for the settings.xml file - - name: build and test event log tool - run: | - mkdir -p artifacts/reports/tcg_rim_tool; - ./gradlew :tools/tcg_rim_tool:build :tools/tcg_rim_tool:test; - if (( $? != "0" )) ; then - cp -r tools/tcg_rim_tool/build/reports/ artifacts/reports/tcg_rim_tool/.; - fi - - name: Archive Report files - uses: actions/upload-artifact@v2 - with: - name: tcg_rim_tool_reports - path: artifacts/reports/* - if-no-files-found: ignore + script: | + core.setFailed('Build or Unit Test Failed') \ No newline at end of file
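Review bot: The rewritten `ACA_Provisioner_Unit_Tests` job drops the explicit `permissions:` block the old job had, so the `secrets.GITHUB_TOKEN` piped into `docker login ghcr.io` now carries the repository's default token scope rather than a least-privilege one; restore `permissions:` / `contents: read` / `packages: read` under `runs-on:` (pulling an image needs only `packages: read`, not the `write` the old job granted). The login's user is the bare `$`, which the shell expands to a literal dollar sign; if the workflow actor is intended this should read `-u ${{ github.actor }}`, and if the package is public the login line can be removed altogether. The image is pulled by the mutable `:latest` tag, so a re-pushed image silently changes what the tests run under — pin it as `ghcr.io/nsacyber/hirs/hirs-rocky8-ci@sha256:<digest>`, and consider commit-SHA pins for the `actions/*@vN` references for the same reason. The comment above the login still says "must set up secrets in github for ghcr username and access_token", which no longer matches the code now that the built-in token is used.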