feat: profiles and integration tests improvments. #2142
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Ubuntu | |
| on: [push, pull_request, workflow_dispatch] | |
| jobs: | |
| check: | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Check out repository code | |
| uses: actions/checkout@v4 | |
| - name: Run basic profile linter check | |
| run: | | |
| make check | |
| build: | |
| runs-on: ${{ matrix.os }} | |
| needs: check | |
| strategy: | |
| matrix: | |
| os: | |
| - ubuntu-24.04 | |
| - ubuntu-22.04 | |
| mode: | |
| - default | |
| - full-system-policy | |
| steps: | |
| - name: Check out repository code | |
| uses: actions/checkout@v4 | |
| - name: Install Build dependencies | |
| run: | | |
| sudo apt-get update -q | |
| sudo apt-get install -y \ | |
| devscripts debhelper config-package-dev \ | |
| auditd apparmor-profiles apparmor-utils | |
| sudo rm /etc/apparmor.d/usr.lib.snapd.snap-confine.real | |
| - name: Build the apparmor.d package | |
| run: | | |
| if [[ ${{ matrix.mode }} == full-system-policy ]]; then | |
| echo -e "\noverride_dh_auto_build:\n\tmake full" >> debian/rules | |
| fi | |
| bash dists/build.sh dpkg | |
| - name: Install apparmor.d | |
| run: sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true | |
| - name: Reload AppArmor | |
| run: | | |
| sudo systemctl restart apparmor.service || true | |
| sudo systemctl status apparmor.service | |
| - name: Ensure compatibility with some AppArmor userspace tools | |
| if: matrix.os != 'ubuntu-24.04' | |
| run: | | |
| sudo aa-enforce /etc/apparmor.d/aa-notify | |
| - name: Show AppArmor log and rules | |
| run: | | |
| sudo aa-log | |
| sudo aa-log -s | |
| sudo aa-log -r | |
| - name: Show Number of loaded profile | |
| run: sudo aa-status --profiled | |
| - name: Cache the build package | |
| if: matrix.mode == 'default' && matrix.os == 'ubuntu-24.04' | |
| uses: actions/cache/save@v4 | |
| with: | |
| path: .pkg/apparmor.d_*_amd64.deb | |
| key: ${{ matrix.os }}-${{ matrix.mode }}-${{ hashFiles('.pkg/apparmor.d_*_amd64.deb') }} | |
| tests: | |
| runs-on: ubuntu-24.04 | |
| needs: build | |
| steps: | |
| - name: Check out repository code | |
| uses: actions/checkout@v4 | |
| - name: Restore the cached build package | |
| uses: actions/cache/restore@v4 | |
| with: | |
| fail-on-cache-miss: true | |
| path: .pkg/apparmor.d_*_amd64.deb | |
| key: ubuntu-24.04-default-${{ hashFiles('.pkg/apparmor.d_*_amd64.deb') }} | |
| restore-keys: | | |
| ubuntu-24.04-default- | |
| - name: Install Tests dependencies | |
| run: | | |
| sudo apt-get update -q | |
| sudo apt-get install -y \ | |
| apparmor-profiles apparmor-utils \ | |
| bats bats-support | |
| - name: Install apparmor.d | |
| run: | | |
| sudo install -Dm0644 tests/github.local /etc/apparmor.d/tunables/global.d/github.local | |
| sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true | |
| sudo systemctl restart apparmor.service | |
| - name: Github Action specific requirements | |
| run: | | |
| bash tests/requirements.sh | |
| sudo systemctl restart snapd | |
| sudo systemctl restart systemd-hostnamed | |
| sudo systemctl restart systemd-logind | |
| - name: Run the bats integration tests | |
| run: | | |
| make bats | |
| - name: Show final AppArmor logs | |
| if: always() | |
| run: | | |
| sudo aa-log -s --raw |