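# CI for the apparmor.d Debian package: lint the profiles, build the .deb on
# several Ubuntu releases, then run the bats integration suite against the
# package that was built in this very run.
name: Ubuntu

on: [push, pull_request, workflow_dispatch]

# Least-privilege token: nothing here writes to the repository, so the
# GITHUB_TOKEN only needs to read the checkout. Artifact upload/download
# inside a single run does not depend on these permissions.
permissions:
  contents: read

jobs:
  check:
    runs-on: ubuntu-24.04
    steps:
      - name: Check out repository code
        # NOTE(review): "@v4" is a mutable tag; pin every action in this file
        # to a full commit SHA for supply-chain hardening.
        uses: actions/checkout@v4
      - name: Run basic profile linter check
        run: |
          make check

  build:
    runs-on: ${{ matrix.os }}
    needs: check
    strategy:
      matrix:
        os:
          - ubuntu-24.04
          - ubuntu-22.04
        mode:
          - default
          - full-system-policy
    steps:
      - name: Check out repository code
        uses: actions/checkout@v4
      - name: Install Build dependencies
        run: |
          sudo apt-get update -q
          sudo apt-get install -y \
            devscripts debhelper config-package-dev \
            auditd apparmor-profiles apparmor-utils
          # Drop the runner's stock snap-confine profile — presumably it
          # collides with the one shipped by apparmor.d (confirm against the
          # package contents).
          sudo rm /etc/apparmor.d/usr.lib.snapd.snap-confine.real
      - name: Build the apparmor.d package
        # Hand the matrix value to the script through the environment rather
        # than expanding ${{ }} inside it: the value then reaches bash as a
        # plain variable and can never alter the script's syntax. Matrix
        # values are workflow-controlled today, but this keeps the step safe
        # if the matrix is ever fed from an expression.
        env:
          BUILD_MODE: ${{ matrix.mode }}
        run: |
          if [[ "$BUILD_MODE" == full-system-policy ]]; then
            echo -e "\noverride_dh_auto_build:\n\tmake full" >> debian/rules
          fi
          bash dists/build.sh dpkg
      - name: Install apparmor.d
        # Best-effort on purpose: a failing postinst must not abort the job,
        # because the AppArmor log steps below are the diagnostics we want.
        run: sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true
      - name: Reload AppArmor
        run: |
          sudo systemctl restart apparmor.service || true
          sudo systemctl status apparmor.service
      - name: Ensure compatibility with some AppArmor userspace tools
        # Only needed on the older release — presumably its apparmor-utils
        # ship a profile layout that the package does not enforce by itself.
        if: matrix.os != 'ubuntu-24.04'
        run: |
          sudo aa-enforce /etc/apparmor.d/aa-notify
      - name: Show AppArmor log and rules
        run: |
          sudo aa-log
          sudo aa-log -s
          sudo aa-log -r
      - name: Show Number of loaded profile
        run: sudo aa-status --profiled
      - name: Upload the build package
        if: matrix.mode == 'default' && matrix.os == 'ubuntu-24.04'
        # An artifact is scoped to this workflow run, so the tests job is
        # guaranteed to receive the .deb built from this commit. The previous
        # cache-based hand-off computed hashFiles() on a path that does not
        # exist at restore time and fell back to a key-prefix match, which can
        # return a package built by a different run.
        uses: actions/upload-artifact@v4
        with:
          name: apparmor.d-deb
          path: .pkg/apparmor.d_*_amd64.deb
          # Fail loudly here rather than with an obscure dpkg error later.
          if-no-files-found: error

  tests:
    runs-on: ubuntu-24.04
    needs: build
    steps:
      - name: Check out repository code
        uses: actions/checkout@v4
      - name: Download the build package
        # Restores the single .deb uploaded above into .pkg/; the step fails
        # if the artifact is missing, so the tests never run against a stale
        # or absent package.
        uses: actions/download-artifact@v4
        with:
          name: apparmor.d-deb
          path: .pkg
      - name: Install Tests dependencies
        run: |
          sudo apt-get update -q
          sudo apt-get install -y \
            apparmor-profiles apparmor-utils \
            bats bats-support
      - name: Install apparmor.d
        run: |
          # Runner-specific tunables (e.g. paths that differ on a GitHub
          # runner) are layered in before the package is installed.
          sudo install -Dm0644 tests/github.local /etc/apparmor.d/tunables/global.d/github.local
          # Best-effort install, same rationale as in the build job; the
          # unconditional restart below still surfaces a broken policy set.
          sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true
          sudo systemctl restart apparmor.service
      - name: Github Action specific requirements
        run: |
          bash tests/requirements.sh
          sudo systemctl restart systemd-hostnamed
          sudo systemctl restart snapd
      - name: Run the bats integration tests
        run: |
          make bats
      - name: Show final AppArmor logs
        # Always collect the raw denials, especially when the tests failed.
        if: always()
        run: |
          sudo aa-log -s --raw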