diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000..98ee80a --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,5 @@ +# CODEOWNERS file for falcon-scripts repository +# See: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners + +# Default owners for everything in the repo +* @CrowdStrike/falcon-scripts-cs-maintainers diff --git a/.github/workflows/bash_install.yml b/.github/workflows/bash_install.yml index 03294f0..bb9c36c 100644 --- a/.github/workflows/bash_install.yml +++ b/.github/workflows/bash_install.yml 
@@ -9,150 +9,47 @@ on: - 'bash/install/**' - '.github/workflows/bash_install.yml' - pull_request_target: - types: [ labeled ] + pull_request: paths: - 'molecule/bash_install/**' - 'bash/install/**' - '.github/workflows/bash_install.yml' +permissions: + contents: read + jobs: - molecule: - if: | - github.event_name == 'push' || - github.event_name == 'schedule' || - (github.event_name == 'pull_request_target' && - github.event.label.name == 'ok-to-test') - name: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} + validate: + name: Validate runs-on: ubuntu-latest - env: - PY_COLORS: 1 - ANSIBLE_FORCE_COLOR: 1 - FALCON_CLIENT_ID: ${{ secrets.FALCON_CLIENT_ID }} - FALCON_CLIENT_SECRET: ${{ secrets.FALCON_CLIENT_SECRET }} - AWS_REGION: "us-west-1" - MOLECULE_VPC_SUBNET_ID: ${{ secrets.MOLECULE_VPC_SUBNET_ID }} - permissions: - contents: read - id-token: write - strategy: - fail-fast: false - matrix: - molecule: - - distro: ubuntu-20.04 - image_owner: '099720109477' - image_arch: x86_64 - image_name: ubuntu/images/hvm-ssd/ubuntu-focal-20.04* - instance_type: t2.micro - - distro: ubuntu-22.04 - image_owner: '099720109477' - image_arch: x86_64 - image_name: ubuntu/images/hvm-ssd/ubuntu-jammy-22.04* - instance_type: t2.micro - - distro: amazon-2023 - image_owner: '137112412989' - image_arch: x86_64 - image_name: al2023-ami-2023* - instance_type: t2.micro - - distro: amazon-2 - image_owner: '137112412989' - image_arch: x86_64 - image_name: amzn2-ami-hvm-2.0*gp2 - instance_type: t2.micro - - distro: sles-15-sp5 - image_owner: '013907871322' - image_arch: x86_64 - image_name: suse-sles-15-sp5-v????????-hvm* - instance_type: t2.micro - - distro: almalinux-8 - image_owner: '679593333241' - image_arch: x86_64 - image_name: AlmaLinux OS 8* - instance_type: t2.micro - - distro: rhel-9 - image_owner: '309956199498' - image_arch: x86_64 - image_name: RHEL-9.?.?_HVM-* - instance_type: t2.micro - - distro: rhel-9-arm - image_owner: '309956199498' - image_arch: arm64 - 
image_name: RHEL-9.?.?_HVM-* - instance_type: t4g.micro - collection_role: - - bash_install - steps: - name: Check out code - uses: actions/checkout@v4 - if: github.event_name != 'pull_request_target' - - - name: Check out code - uses: actions/checkout@v4 - with: - ref: ${{github.event.pull_request.head.sha}} - if: github.event_name == 'pull_request_target' - - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: ${{ secrets.AWS_OIDC_ROLE }} - role-session-name: github-actions-molecule-ansible - aws-region: ${{ env.AWS_REGION }} - - - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: - python-version: '3.11' - cache: 'pip' - cache-dependency-path: '.github/workflows/bash_install.yml' + persist-credentials: false - - name: Install dependencies + - name: Shellcheck run: | - sudo apt install apt-transport-https ca-certificates curl software-properties-common libssl-dev - python -m pip install --upgrade pip - pip install molecule "molecule-plugins[ec2]" ansible ansible-core==2.16.7 ansible-lint boto3 botocore - - - name: Run role tests - id: molecule-role-test - uses: nick-fields/retry@v3 - env: - MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} - MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} - MOLECULE_IMAGE_ARCH: ${{ matrix.molecule.image_arch }} - MOLECULE_IMAGE_NAME: '${{ matrix.molecule.image_name }}' - MOLECULE_INSTANCE_TYPE: ${{ matrix.molecule.instance_type }} - MOLECULE_REGION: ${{ env.AWS_REGION}} - with: - timeout_minutes: 30 - max_attempts: 3 - retry_on: error - command: >- - molecule --version && - ansible --version && - molecule --debug test --destroy never -s ${{ matrix.collection_role }} - continue-on-error: true - - - name: Ensure instances are destroyed - uses: nick-fields/retry@v3 - env: - MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role 
}} - MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} - MOLECULE_IMAGE_ARCH: ${{ matrix.molecule.image_arch }} - MOLECULE_IMAGE_NAME: '${{ matrix.molecule.image_name }}' - MOLECULE_INSTANCE_TYPE: ${{ matrix.molecule.instance_type }} - MOLECULE_REGION: ${{ env.AWS_REGION}} - with: - timeout_minutes: 10 - max_attempts: 3 - retry_on: error - command: >- - molecule --version && - ansible --version && - molecule --debug destroy -s ${{ matrix.collection_role }} - - - name: Assert molecule tests passed - uses: nick-fields/assert-action@v2 - with: - expected: success - actual: ${{ steps.molecule-role-test.outcome }} + shellcheck --version + shellcheck bash/install/falcon-linux-install.sh + + molecule-test: + name: Molecule Test + needs: validate + uses: ./.github/workflows/reusable-molecule-test-linux.yml + with: + distros: | + [ + {"name": "ubuntu-20.04", "image_owner": "099720109477", "image_arch": "x86_64", "image_name": "ubuntu/images/hvm-ssd/ubuntu-focal-20.04*", "instance_type": "t2.micro"}, + {"name": "ubuntu-22.04", "image_owner": "099720109477", "image_arch": "x86_64", "image_name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04*", "instance_type": "t2.micro"}, + {"name": "amazon-2023", "image_owner": "137112412989", "image_arch": "x86_64", "image_name": "al2023-ami-2023*", "instance_type": "t2.micro"}, + {"name": "amazon-2", "image_owner": "137112412989", "image_arch": "x86_64", "image_name": "amzn2-ami-hvm-2.0*gp2", "instance_type": "t2.micro"}, + {"name": "sles-15-sp5", "image_owner": "013907871322", "image_arch": "x86_64", "image_name": "suse-sles-15-sp5-v????????-hvm*", "instance_type": "t2.micro"}, + {"name": "almalinux-8", "image_owner": "679593333241", "image_arch": "x86_64", "image_name": "AlmaLinux OS 8*", "instance_type": "t2.micro"}, + {"name": "rhel-9", "image_owner": "309956199498", "image_arch": "x86_64", "image_name": "RHEL-9.?.?_HVM-*", "instance_type": "t2.micro"}, + {"name": "rhel-9-arm", "image_owner": "309956199498", "image_arch": "arm64", 
"image_name": "RHEL-9.?.?_HVM-*", "instance_type": "t4g.micro"} + ] + collection_role: bash_install + pr_sha: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || '' }} + pr_repo: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || '' }} + secrets: inherit diff --git a/.github/workflows/bash_install_decrement.yml b/.github/workflows/bash_install_decrement.yml index 3accdc7..7fb4d1f 100644 --- a/.github/workflows/bash_install_decrement.yml +++ b/.github/workflows/bash_install_decrement.yml 
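Review bot: The new `molecule-test` job at the end of the hunk calls the reusable workflow under the workflow-level `permissions: contents: read` and sets no job-level permissions, while the job it replaces granted `id-token: write` and assumed `secrets.AWS_OIDC_ROLE` through aws-actions/configure-aws-credentials. A called workflow can only downgrade the caller's GITHUB_TOKEN permissions, so if `reusable-molecule-test-linux.yml` (not in this diff) still performs that OIDC role assumption, the token request will be refused. Grant it explicitly on the calling job while keeping everything else read-only: `permissions:` / `  contents: read` / `  id-token: write` under `molecule-test`. The same gap is in the `molecule-test` jobs of bash_install_decrement.yml, bash_install_only.yml, bash_install_policy.yml and bash_migrate.yml.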
@@ -9,150 +9,47 @@ on: - 'bash/install/**' - '.github/workflows/bash_install_decrement.yml' - pull_request_target: - types: [ labeled ] + pull_request: paths: - 'molecule/bash_install_decrement/**' - 'bash/install/**' - '.github/workflows/bash_install_decrement.yml' +permissions: + contents: read + jobs: - molecule: - if: | - github.event_name == 'push' || - github.event_name == 'schedule' || - (github.event_name == 'pull_request_target' && - github.event.label.name == 'ok-to-test') - name: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} + validate: + name: Validate runs-on: ubuntu-latest - env: - PY_COLORS: 1 - ANSIBLE_FORCE_COLOR: 1 - FALCON_CLIENT_ID: ${{ secrets.FALCON_CLIENT_ID }} - FALCON_CLIENT_SECRET: ${{ secrets.FALCON_CLIENT_SECRET }} - AWS_REGION: "us-west-1" - MOLECULE_VPC_SUBNET_ID: ${{ secrets.MOLECULE_VPC_SUBNET_ID }} - permissions: - contents: read - id-token: write - strategy: - fail-fast: false - matrix: - molecule: - - distro: ubuntu-20.04 - image_owner: '099720109477' - image_arch: x86_64 - image_name: ubuntu/images/hvm-ssd/ubuntu-focal-20.04* - instance_type: t2.micro - - distro: ubuntu-22.04 - image_owner: '099720109477' - image_arch: x86_64 - image_name: ubuntu/images/hvm-ssd/ubuntu-jammy-22.04* - instance_type: t2.micro - - distro: amazon-2023 - image_owner: '137112412989' - image_arch: x86_64 - image_name: al2023-ami-2023* - instance_type: t2.micro - - distro: amazon-2 - image_owner: '137112412989' - image_arch: x86_64 - image_name: amzn2-ami-hvm-2.0*gp2 - instance_type: t2.micro - - distro: sles-15-sp5 - image_owner: '013907871322' - image_arch: x86_64 - image_name: suse-sles-15-sp5-v????????-hvm* - instance_type: t2.micro - - distro: almalinux-8 - image_owner: '679593333241' - image_arch: x86_64 - image_name: AlmaLinux OS 8* - instance_type: t2.micro - - distro: rhel-9 - image_owner: '309956199498' - image_arch: x86_64 - image_name: RHEL-9.?.?_HVM-* - instance_type: t2.micro - - distro: rhel-9-arm - image_owner: '309956199498' 
- image_arch: arm64 - image_name: RHEL-9.?.?_HVM-* - instance_type: t4g.micro - collection_role: - - bash_install_decrement - steps: - name: Check out code - uses: actions/checkout@v4 - if: github.event_name != 'pull_request_target' - - - name: Check out code - uses: actions/checkout@v4 - with: - ref: ${{github.event.pull_request.head.sha}} - if: github.event_name == 'pull_request_target' - - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: ${{ secrets.AWS_OIDC_ROLE }} - role-session-name: github-actions-molecule-ansible - aws-region: ${{ env.AWS_REGION }} - - - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: - python-version: '3.11' - cache: 'pip' - cache-dependency-path: '.github/workflows/bash_install_decrement.yml' + persist-credentials: false - - name: Install dependencies + - name: Shellcheck run: | - sudo apt install apt-transport-https ca-certificates curl software-properties-common libssl-dev - python -m pip install --upgrade pip - pip install molecule "molecule-plugins[ec2]" ansible ansible-core==2.16.7 ansible-lint boto3 botocore - - - name: Run role tests - id: molecule-role-test - uses: nick-fields/retry@v3 - env: - MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} - MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} - MOLECULE_IMAGE_ARCH: ${{ matrix.molecule.image_arch }} - MOLECULE_IMAGE_NAME: '${{ matrix.molecule.image_name }}' - MOLECULE_INSTANCE_TYPE: ${{ matrix.molecule.instance_type }} - MOLECULE_REGION: ${{ env.AWS_REGION}} - with: - timeout_minutes: 30 - max_attempts: 3 - retry_on: error - command: >- - molecule --version && - ansible --version && - molecule --debug test --destroy never -s ${{ matrix.collection_role }} - continue-on-error: true - - - name: Ensure instances are destroyed - uses: nick-fields/retry@v3 - env: - MOLECULE_INSTANCE_NAME: ${{ 
matrix.molecule.distro }}-${{ matrix.collection_role }} - MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} - MOLECULE_IMAGE_ARCH: ${{ matrix.molecule.image_arch }} - MOLECULE_IMAGE_NAME: '${{ matrix.molecule.image_name }}' - MOLECULE_INSTANCE_TYPE: ${{ matrix.molecule.instance_type }} - MOLECULE_REGION: ${{ env.AWS_REGION}} - with: - timeout_minutes: 10 - max_attempts: 3 - retry_on: error - command: >- - molecule --version && - ansible --version && - molecule --debug destroy -s ${{ matrix.collection_role }} - - - name: Assert molecule tests passed - uses: nick-fields/assert-action@v2 - with: - expected: success - actual: ${{ steps.molecule-role-test.outcome }} + shellcheck --version + shellcheck bash/install/falcon-linux-install.sh + + molecule-test: + name: Molecule Test + needs: validate + uses: ./.github/workflows/reusable-molecule-test-linux.yml + with: + distros: | + [ + {"name": "ubuntu-20.04", "image_owner": "099720109477", "image_arch": "x86_64", "image_name": "ubuntu/images/hvm-ssd/ubuntu-focal-20.04*", "instance_type": "t2.micro"}, + {"name": "ubuntu-22.04", "image_owner": "099720109477", "image_arch": "x86_64", "image_name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04*", "instance_type": "t2.micro"}, + {"name": "amazon-2023", "image_owner": "137112412989", "image_arch": "x86_64", "image_name": "al2023-ami-2023*", "instance_type": "t2.micro"}, + {"name": "amazon-2", "image_owner": "137112412989", "image_arch": "x86_64", "image_name": "amzn2-ami-hvm-2.0*gp2", "instance_type": "t2.micro"}, + {"name": "sles-15-sp5", "image_owner": "013907871322", "image_arch": "x86_64", "image_name": "suse-sles-15-sp5-v????????-hvm*", "instance_type": "t2.micro"}, + {"name": "almalinux-8", "image_owner": "679593333241", "image_arch": "x86_64", "image_name": "AlmaLinux OS 8*", "instance_type": "t2.micro"}, + {"name": "rhel-9", "image_owner": "309956199498", "image_arch": "x86_64", "image_name": "RHEL-9.?.?_HVM-*", "instance_type": "t2.micro"}, + {"name": "rhel-9-arm", 
"image_owner": "309956199498", "image_arch": "arm64", "image_name": "RHEL-9.?.?_HVM-*", "instance_type": "t4g.micro"} + ] + collection_role: bash_install_decrement + pr_sha: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || '' }} + pr_repo: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || '' }} + secrets: inherit diff --git a/.github/workflows/bash_install_only.yml b/.github/workflows/bash_install_only.yml index 6206c83..42142a9 100644 --- a/.github/workflows/bash_install_only.yml +++ b/.github/workflows/bash_install_only.yml 
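Review bot: Switching the trigger to `pull_request` and dropping the `ok-to-test` label gate means `molecule-test` now runs for every pull request, but GitHub withholds repository secrets from fork PRs on that event, so `secrets: inherit` hands the reusable workflow empty `FALCON_CLIENT_ID`/`FALCON_CLIENT_SECRET` and no `AWS_OIDC_ROLE`, and the run fails rather than being skipped. If that is not intended, gate the job on same-repository PRs, e.g. `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`, and state in a comment above the job that fork PRs only get the `validate` shellcheck job. The `pr_repo` input forwarded below is the fork's name in that case; the consuming reusable workflow is outside this diff, so how it treats that value and the `''` fallback is not visible here. The same trigger change is made in bash_install.yml, bash_install_only.yml, bash_install_policy.yml and bash_migrate.yml.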
@@ -9,150 +9,47 @@ on: - 'bash/install/**' - '.github/workflows/bash_install_only.yml' - pull_request_target: - types: [ labeled ] + pull_request: paths: - 'molecule/bash_install_only/**' - 'bash/install/**' - '.github/workflows/bash_install_only.yml' +permissions: + contents: read + jobs: - molecule: - if: | - github.event_name == 'push' || - github.event_name == 'schedule' || - (github.event_name == 'pull_request_target' && - github.event.label.name == 'ok-to-test') - name: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} + validate: + name: Validate runs-on: ubuntu-latest - env: - PY_COLORS: 1 - ANSIBLE_FORCE_COLOR: 1 - FALCON_CLIENT_ID: ${{ secrets.FALCON_CLIENT_ID }} - FALCON_CLIENT_SECRET: ${{ secrets.FALCON_CLIENT_SECRET }} - AWS_REGION: "us-west-1" - MOLECULE_VPC_SUBNET_ID: ${{ secrets.MOLECULE_VPC_SUBNET_ID }} - permissions: - contents: read - id-token: write - strategy: - fail-fast: false - matrix: - molecule: - - distro: ubuntu-20.04 - image_owner: '099720109477' - image_arch: x86_64 - image_name: ubuntu/images/hvm-ssd/ubuntu-focal-20.04* - instance_type: t2.micro - - distro: ubuntu-22.04 - image_owner: '099720109477' - image_arch: x86_64 - image_name: ubuntu/images/hvm-ssd/ubuntu-jammy-22.04* - instance_type: t2.micro - - distro: amazon-2023 - image_owner: '137112412989' - image_arch: x86_64 - image_name: al2023-ami-2023* - instance_type: t2.micro - - distro: amazon-2 - image_owner: '137112412989' - image_arch: x86_64 - image_name: amzn2-ami-hvm-2.0*gp2 - instance_type: t2.micro - - distro: sles-15-sp5 - image_owner: '013907871322' - image_arch: x86_64 - image_name: suse-sles-15-sp5-v????????-hvm* - instance_type: t2.micro - - distro: almalinux-8 - image_owner: '679593333241' - image_arch: x86_64 - image_name: AlmaLinux OS 8* - instance_type: t2.micro - - distro: rhel-9 - image_owner: '309956199498' - image_arch: x86_64 - image_name: RHEL-9.?.?_HVM-* - instance_type: t2.micro - - distro: rhel-9-arm - image_owner: '309956199498' - image_arch: 
arm64 - image_name: RHEL-9.?.?_HVM-* - instance_type: t4g.micro - collection_role: - - bash_install_only - steps: - name: Check out code - uses: actions/checkout@v4 - if: github.event_name != 'pull_request_target' - - - name: Check out code - uses: actions/checkout@v4 - with: - ref: ${{github.event.pull_request.head.sha}} - if: github.event_name == 'pull_request_target' - - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: ${{ secrets.AWS_OIDC_ROLE }} - role-session-name: github-actions-molecule-ansible - aws-region: ${{ env.AWS_REGION }} - - - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: - python-version: '3.11' - cache: 'pip' - cache-dependency-path: '.github/workflows/bash_install_only.yml' + persist-credentials: false - - name: Install dependencies + - name: Shellcheck run: | - sudo apt install apt-transport-https ca-certificates curl software-properties-common libssl-dev - python -m pip install --upgrade pip - pip install molecule "molecule-plugins[ec2]" ansible ansible-core==2.16.7 ansible-lint boto3 botocore - - - name: Run role tests - id: molecule-role-test - uses: nick-fields/retry@v3 - env: - MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} - MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} - MOLECULE_IMAGE_ARCH: ${{ matrix.molecule.image_arch }} - MOLECULE_IMAGE_NAME: '${{ matrix.molecule.image_name }}' - MOLECULE_INSTANCE_TYPE: ${{ matrix.molecule.instance_type }} - MOLECULE_REGION: ${{ env.AWS_REGION}} - with: - timeout_minutes: 30 - max_attempts: 3 - retry_on: error - command: >- - molecule --version && - ansible --version && - molecule --debug test --destroy never -s ${{ matrix.collection_role }} - continue-on-error: true - - - name: Ensure instances are destroyed - uses: nick-fields/retry@v3 - env: - MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ 
matrix.collection_role }} - MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} - MOLECULE_IMAGE_ARCH: ${{ matrix.molecule.image_arch }} - MOLECULE_IMAGE_NAME: '${{ matrix.molecule.image_name }}' - MOLECULE_INSTANCE_TYPE: ${{ matrix.molecule.instance_type }} - MOLECULE_REGION: ${{ env.AWS_REGION}} - with: - timeout_minutes: 10 - max_attempts: 3 - retry_on: error - command: >- - molecule --version && - ansible --version && - molecule --debug destroy -s ${{ matrix.collection_role }} - - - name: Assert molecule tests passed - uses: nick-fields/assert-action@v2 - with: - expected: success - actual: ${{ steps.molecule-role-test.outcome }} + shellcheck --version + shellcheck bash/install/falcon-linux-install.sh + + molecule-test: + name: Molecule Test + needs: validate + uses: ./.github/workflows/reusable-molecule-test-linux.yml + with: + distros: | + [ + {"name": "ubuntu-20.04", "image_owner": "099720109477", "image_arch": "x86_64", "image_name": "ubuntu/images/hvm-ssd/ubuntu-focal-20.04*", "instance_type": "t2.micro"}, + {"name": "ubuntu-22.04", "image_owner": "099720109477", "image_arch": "x86_64", "image_name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04*", "instance_type": "t2.micro"}, + {"name": "amazon-2023", "image_owner": "137112412989", "image_arch": "x86_64", "image_name": "al2023-ami-2023*", "instance_type": "t2.micro"}, + {"name": "amazon-2", "image_owner": "137112412989", "image_arch": "x86_64", "image_name": "amzn2-ami-hvm-2.0*gp2", "instance_type": "t2.micro"}, + {"name": "sles-15-sp5", "image_owner": "013907871322", "image_arch": "x86_64", "image_name": "suse-sles-15-sp5-v????????-hvm*", "instance_type": "t2.micro"}, + {"name": "almalinux-8", "image_owner": "679593333241", "image_arch": "x86_64", "image_name": "AlmaLinux OS 8*", "instance_type": "t2.micro"}, + {"name": "rhel-9", "image_owner": "309956199498", "image_arch": "x86_64", "image_name": "RHEL-9.?.?_HVM-*", "instance_type": "t2.micro"}, + {"name": "rhel-9-arm", "image_owner": "309956199498", 
"image_arch": "arm64", "image_name": "RHEL-9.?.?_HVM-*", "instance_type": "t4g.micro"} + ] + collection_role: bash_install_only + pr_sha: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || '' }} + pr_repo: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || '' }} + secrets: inherit diff --git a/.github/workflows/bash_install_policy.yml b/.github/workflows/bash_install_policy.yml index 67acb65..c3a4257 100644 --- a/.github/workflows/bash_install_policy.yml +++ b/.github/workflows/bash_install_policy.yml 
@@ -9,150 +9,47 @@ on: - 'bash/install/**' - '.github/workflows/bash_install_policy.yml' - pull_request_target: - types: [ labeled ] + pull_request: paths: - 'molecule/bash_install_policy/**' - 'bash/install/**' - '.github/workflows/bash_install_policy.yml' +permissions: + contents: read + jobs: - molecule: - if: | - github.event_name == 'push' || - github.event_name == 'schedule' || - (github.event_name == 'pull_request_target' && - github.event.label.name == 'ok-to-test') - name: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} + validate: + name: Validate runs-on: ubuntu-latest - env: - PY_COLORS: 1 - ANSIBLE_FORCE_COLOR: 1 - FALCON_CLIENT_ID: ${{ secrets.FALCON_CLIENT_ID }} - FALCON_CLIENT_SECRET: ${{ secrets.FALCON_CLIENT_SECRET }} - AWS_REGION: "us-west-1" - MOLECULE_VPC_SUBNET_ID: ${{ secrets.MOLECULE_VPC_SUBNET_ID }} - permissions: - contents: read - id-token: write - strategy: - fail-fast: false - matrix: - molecule: - - distro: ubuntu-20.04 - image_owner: '099720109477' - image_arch: x86_64 - image_name: ubuntu/images/hvm-ssd/ubuntu-focal-20.04* - instance_type: t2.micro - - distro: ubuntu-22.04 - image_owner: '099720109477' - image_arch: x86_64 - image_name: ubuntu/images/hvm-ssd/ubuntu-jammy-22.04* - instance_type: t2.micro - - distro: amazon-2023 - image_owner: '137112412989' - image_arch: x86_64 - image_name: al2023-ami-2023* - instance_type: t2.micro - - distro: amazon-2 - image_owner: '137112412989' - image_arch: x86_64 - image_name: amzn2-ami-hvm-2.0*gp2 - instance_type: t2.micro - - distro: sles-15-sp5 - image_owner: '013907871322' - image_arch: x86_64 - image_name: suse-sles-15-sp5-v????????-hvm* - instance_type: t2.micro - - distro: almalinux-8 - image_owner: '679593333241' - image_arch: x86_64 - image_name: AlmaLinux OS 8* - instance_type: t2.micro - - distro: rhel-9 - image_owner: '309956199498' - image_arch: x86_64 - image_name: RHEL-9.?.?_HVM-* - instance_type: t2.micro - - distro: rhel-9-arm - image_owner: '309956199498' - 
image_arch: arm64 - image_name: RHEL-9.?.?_HVM-* - instance_type: t4g.micro - collection_role: - - bash_install_policy - steps: - name: Check out code - uses: actions/checkout@v4 - if: github.event_name != 'pull_request_target' - - - name: Check out code - uses: actions/checkout@v4 - with: - ref: ${{github.event.pull_request.head.sha}} - if: github.event_name == 'pull_request_target' - - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: ${{ secrets.AWS_OIDC_ROLE }} - role-session-name: github-actions-molecule-ansible - aws-region: ${{ env.AWS_REGION }} - - - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: - python-version: '3.11' - cache: 'pip' - cache-dependency-path: '.github/workflows/bash_install_policy.yml' + persist-credentials: false - - name: Install dependencies + - name: Shellcheck run: | - sudo apt install apt-transport-https ca-certificates curl software-properties-common libssl-dev - python -m pip install --upgrade pip - pip install molecule "molecule-plugins[ec2]" ansible ansible-core==2.16.7 ansible-lint boto3 botocore - - - name: Run role tests - id: molecule-role-test - uses: nick-fields/retry@v3 - env: - MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} - MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} - MOLECULE_IMAGE_ARCH: ${{ matrix.molecule.image_arch }} - MOLECULE_IMAGE_NAME: '${{ matrix.molecule.image_name }}' - MOLECULE_INSTANCE_TYPE: ${{ matrix.molecule.instance_type }} - MOLECULE_REGION: ${{ env.AWS_REGION}} - with: - timeout_minutes: 30 - max_attempts: 3 - retry_on: error - command: >- - molecule --version && - ansible --version && - molecule --debug test --destroy never -s ${{ matrix.collection_role }} - continue-on-error: true - - - name: Ensure instances are destroyed - uses: nick-fields/retry@v3 - env: - MOLECULE_INSTANCE_NAME: ${{ 
matrix.molecule.distro }}-${{ matrix.collection_role }} - MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} - MOLECULE_IMAGE_ARCH: ${{ matrix.molecule.image_arch }} - MOLECULE_IMAGE_NAME: '${{ matrix.molecule.image_name }}' - MOLECULE_INSTANCE_TYPE: ${{ matrix.molecule.instance_type }} - MOLECULE_REGION: ${{ env.AWS_REGION}} - with: - timeout_minutes: 10 - max_attempts: 3 - retry_on: error - command: >- - molecule --version && - ansible --version && - molecule --debug destroy -s ${{ matrix.collection_role }} - - - name: Assert molecule tests passed - uses: nick-fields/assert-action@v2 - with: - expected: success - actual: ${{ steps.molecule-role-test.outcome }} + shellcheck --version + shellcheck bash/install/falcon-linux-install.sh + + molecule-test: + name: Molecule Test + needs: validate + uses: ./.github/workflows/reusable-molecule-test-linux.yml + with: + distros: | + [ + {"name": "ubuntu-20.04", "image_owner": "099720109477", "image_arch": "x86_64", "image_name": "ubuntu/images/hvm-ssd/ubuntu-focal-20.04*", "instance_type": "t2.micro"}, + {"name": "ubuntu-22.04", "image_owner": "099720109477", "image_arch": "x86_64", "image_name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04*", "instance_type": "t2.micro"}, + {"name": "amazon-2023", "image_owner": "137112412989", "image_arch": "x86_64", "image_name": "al2023-ami-2023*", "instance_type": "t2.micro"}, + {"name": "amazon-2", "image_owner": "137112412989", "image_arch": "x86_64", "image_name": "amzn2-ami-hvm-2.0*gp2", "instance_type": "t2.micro"}, + {"name": "sles-15-sp5", "image_owner": "013907871322", "image_arch": "x86_64", "image_name": "suse-sles-15-sp5-v????????-hvm*", "instance_type": "t2.micro"}, + {"name": "almalinux-8", "image_owner": "679593333241", "image_arch": "x86_64", "image_name": "AlmaLinux OS 8*", "instance_type": "t2.micro"}, + {"name": "rhel-9", "image_owner": "309956199498", "image_arch": "x86_64", "image_name": "RHEL-9.?.?_HVM-*", "instance_type": "t2.micro"}, + {"name": "rhel-9-arm", 
"image_owner": "309956199498", "image_arch": "arm64", "image_name": "RHEL-9.?.?_HVM-*", "instance_type": "t4g.micro"} + ] + collection_role: bash_install_policy + pr_sha: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || '' }} + pr_repo: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || '' }} + secrets: inherit diff --git a/.github/workflows/bash_migrate.yml b/.github/workflows/bash_migrate.yml index 7fb18c5..bb01084 100644 --- a/.github/workflows/bash_migrate.yml +++ b/.github/workflows/bash_migrate.yml 
@@ -9,150 +9,47 @@ on: - 'bash/migrate/**.sh' - '.github/workflows/bash_migrate.yml' - pull_request_target: - types: [ labeled ] + pull_request: paths: - 'molecule/bash_migrate/**' - 'bash/migrate/**.sh' - '.github/workflows/bash_migrate.yml' +permissions: + contents: read + jobs: - molecule: - if: | - github.event_name == 'push' || - github.event_name == 'schedule' || - (github.event_name == 'pull_request_target' && - github.event.label.name == 'ok-to-test') - name: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} + validate: + name: Validate runs-on: ubuntu-latest - env: - PY_COLORS: 1 - ANSIBLE_FORCE_COLOR: 1 - FALCON_CLIENT_ID: ${{ secrets.FALCON_CLIENT_ID }} - FALCON_CLIENT_SECRET: ${{ secrets.FALCON_CLIENT_SECRET }} - AWS_REGION: "us-west-1" - MOLECULE_VPC_SUBNET_ID: ${{ secrets.MOLECULE_VPC_SUBNET_ID }} - permissions: - contents: read - id-token: write - strategy: - fail-fast: false - matrix: - molecule: - - distro: ubuntu-20.04 - image_owner: '099720109477' - image_arch: x86_64 - image_name: ubuntu/images/hvm-ssd/ubuntu-focal-20.04* - instance_type: t2.micro - - distro: ubuntu-22.04 - image_owner: '099720109477' - image_arch: x86_64 - image_name: ubuntu/images/hvm-ssd/ubuntu-jammy-22.04* - instance_type: t2.micro - - distro: amazon-2023 - image_owner: '137112412989' - image_arch: x86_64 - image_name: al2023-ami-2023* - instance_type: t2.micro - - distro: amazon-2 - image_owner: '137112412989' - image_arch: x86_64 - image_name: amzn2-ami-hvm-2.0*gp2 - instance_type: t2.micro - - distro: sles-15-sp5 - image_owner: '013907871322' - image_arch: x86_64 - image_name: suse-sles-15-sp5-v????????-hvm* - instance_type: t2.micro - - distro: almalinux-8 - image_owner: '679593333241' - image_arch: x86_64 - image_name: AlmaLinux OS 8* - instance_type: t2.micro - - distro: rhel-9 - image_owner: '309956199498' - image_arch: x86_64 - image_name: RHEL-9.?.?_HVM-* - instance_type: t2.micro - - distro: rhel-9-arm - image_owner: '309956199498' - image_arch: arm64 - 
image_name: RHEL-9.?.?_HVM-* - instance_type: t4g.micro - collection_role: - - bash_migrate - steps: - name: Check out code - uses: actions/checkout@v4 - if: github.event_name != 'pull_request_target' - - - name: Check out code - uses: actions/checkout@v4 - with: - ref: ${{github.event.pull_request.head.sha}} - if: github.event_name == 'pull_request_target' - - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: ${{ secrets.AWS_OIDC_ROLE }} - role-session-name: github-actions-molecule-ansible - aws-region: ${{ env.AWS_REGION }} - - - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: - python-version: '3.11' - cache: 'pip' - cache-dependency-path: '.github/workflows/bash_install.yml' + persist-credentials: false - - name: Install dependencies + - name: Shellcheck run: | - sudo apt install apt-transport-https ca-certificates curl software-properties-common libssl-dev - python -m pip install --upgrade pip - pip install molecule "molecule-plugins[ec2]" ansible ansible-core==2.16.7 ansible-lint boto3 botocore - - - name: Run role tests - id: molecule-role-test - uses: nick-fields/retry@v3 - env: - MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} - MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} - MOLECULE_IMAGE_ARCH: ${{ matrix.molecule.image_arch }} - MOLECULE_IMAGE_NAME: '${{ matrix.molecule.image_name }}' - MOLECULE_INSTANCE_TYPE: ${{ matrix.molecule.instance_type }} - MOLECULE_REGION: ${{ env.AWS_REGION}} - with: - timeout_minutes: 30 - max_attempts: 3 - retry_on: error - command: >- - molecule --version && - ansible --version && - molecule --debug test --destroy never -s ${{ matrix.collection_role }} - continue-on-error: true - - - name: Ensure instances are destroyed - uses: nick-fields/retry@v3 - env: - MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role 
}} - MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} - MOLECULE_IMAGE_ARCH: ${{ matrix.molecule.image_arch }} - MOLECULE_IMAGE_NAME: '${{ matrix.molecule.image_name }}' - MOLECULE_INSTANCE_TYPE: ${{ matrix.molecule.instance_type }} - MOLECULE_REGION: ${{ env.AWS_REGION}} - with: - timeout_minutes: 10 - max_attempts: 3 - retry_on: error - command: >- - molecule --version && - ansible --version && - molecule --debug destroy -s ${{ matrix.collection_role }} - - - name: Assert molecule tests passed - uses: nick-fields/assert-action@v2 - with: - expected: success - actual: ${{ steps.molecule-role-test.outcome }} + shellcheck --version + shellcheck bash/migrate/cs-migrate.sh + + molecule-test: + name: Molecule Test + needs: validate + uses: ./.github/workflows/reusable-molecule-test-linux.yml + with: + distros: | + [ + {"name": "ubuntu-20.04", "image_owner": "099720109477", "image_arch": "x86_64", "image_name": "ubuntu/images/hvm-ssd/ubuntu-focal-20.04*", "instance_type": "t2.micro"}, + {"name": "ubuntu-22.04", "image_owner": "099720109477", "image_arch": "x86_64", "image_name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04*", "instance_type": "t2.micro"}, + {"name": "amazon-2023", "image_owner": "137112412989", "image_arch": "x86_64", "image_name": "al2023-ami-2023*", "instance_type": "t2.micro"}, + {"name": "amazon-2", "image_owner": "137112412989", "image_arch": "x86_64", "image_name": "amzn2-ami-hvm-2.0*gp2", "instance_type": "t2.micro"}, + {"name": "sles-15-sp5", "image_owner": "013907871322", "image_arch": "x86_64", "image_name": "suse-sles-15-sp5-v????????-hvm*", "instance_type": "t2.micro"}, + {"name": "almalinux-8", "image_owner": "679593333241", "image_arch": "x86_64", "image_name": "AlmaLinux OS 8*", "instance_type": "t2.micro"}, + {"name": "rhel-9", "image_owner": "309956199498", "image_arch": "x86_64", "image_name": "RHEL-9.?.?_HVM-*", "instance_type": "t2.micro"}, + {"name": "rhel-9-arm", "image_owner": "309956199498", "image_arch": "arm64", 
"image_name": "RHEL-9.?.?_HVM-*", "instance_type": "t4g.micro"} + ] + collection_role: bash_migrate + pr_sha: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || '' }} + pr_repo: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || '' }} + secrets: inherit diff --git a/.github/workflows/container_sensor_pull.yml b/.github/workflows/container_sensor_pull.yml index 662156b..7ec5b36 100644 --- a/.github/workflows/container_sensor_pull.yml +++ b/.github/workflows/container_sensor_pull.yml 
@@ -8,49 +8,40 @@ on: - 'bash/containers/falcon-container-sensor-pull/**' - '.github/workflows/container_sensor_pull.yml' - pull_request_target: - types: [ labeled ] + pull_request: paths: - 'bash/containers/falcon-container-sensor-pull/**' - '.github/workflows/container_sensor_pull.yml' +permissions: + contents: read + jobs: - container_sensor_pull: - if: | - github.event_name == 'push' || - github.event_name == 'schedule' || - (github.event_name == 'pull_request_target' && - github.event.label.name == 'ok-to-test') - name: ${{ matrix.sensortype.type }} + validate: + name: Validate runs-on: ubuntu-latest - env: - FALCON_CLIENT_ID: ${{ secrets.FALCON_CLIENT_ID }} - FALCON_CLIENT_SECRET: ${{ secrets.FALCON_CLIENT_SECRET }} - permissions: - contents: read - id-token: write - strategy: - fail-fast: false - matrix: - sensortype: - - type: falcon-container - cli_arg: '' - - type: falcon-sensor - cli_arg: '-n' - - type: falcon-kac - cli_arg: '--kubernetes-admission-controller' - steps: - name: Check out code - uses: actions/checkout@v4 - if: github.event_name != 'pull_request_target' - - - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: - ref: ${{github.event.pull_request.head.sha}} - if: github.event_name == 'pull_request_target' + persist-credentials: false - - name: Run script to pull ${{ matrix.sensortype.type }} image + - name: Shellcheck run: | - bash bash/containers/falcon-container-sensor-pull/falcon-container-sensor-pull.sh ${{ matrix.sensortype.cli_arg }} + shellcheck --version + shellcheck bash/containers/falcon-container-sensor-pull/falcon-container-sensor-pull.sh + + container-test: + name: Container Test + needs: validate + uses: ./.github/workflows/reusable-container-sensor-pull.yml + with: + sensor_types: | + [ + {"type": "falcon-container", "cli_arg": ""}, + {"type": "falcon-sensor", "cli_arg": "-n"}, + {"type": "falcon-kac", "cli_arg": "--kubernetes-admission-controller"} 
+ ] + pr_sha: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || '' }} + pr_repo: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || '' }} + secrets: inherit diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index dd00426..4e8f347 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -7,17 +7,22 @@ on: branches: [ main ] paths: - '**.md' + +permissions: + contents: read + jobs: markdown-link-check: name: Broken Links runs-on: ubuntu-latest + timeout-minutes: 15 steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: submodules: recursive - name: Run link check - uses: gaurav-nelson/github-action-markdown-link-check@v1 + uses: gaurav-nelson/github-action-markdown-link-check@4a1af151f4d7cf4d8f8ac5780597672a3671b88b # 1.0.17 with: use-quiet-mode: 'no' use-verbose-mode: 'yes' diff --git a/.github/workflows/psscriptanalyzer.yml b/.github/workflows/psscriptanalyzer.yml index 64bef30..0689ae9 100644 --- a/.github/workflows/psscriptanalyzer.yml +++ b/.github/workflows/psscriptanalyzer.yml @@ -11,20 +11,25 @@ on: - 'powershell/**' - '.github/workflows/psscriptanalyzer.yml' +permissions: + contents: read + security-events: write + jobs: powershell: runs-on: windows-latest + timeout-minutes: 15 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - name: Run PSScriptAnalyzer - uses: microsoft/psscriptanalyzer-action@main + uses: microsoft/psscriptanalyzer-action@6b2948b1944407914a58661c49941824d149734f # v1.1 with: path: .\powershell recurse: true excludeRule: '"PSUseShouldProcessForStateChangingFunctions"' output: 'results.sarif' - name: Upload SARIF results file - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@fbcef3fba75224ed6476919775448de80b23cb15 # v3.32.0 with: sarif_file: results.sarif 
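Review bot: The `validate` job and the `container-test` job run against different commits on pull_request events: `validate` checks out the default ref, which for `pull_request` is the `refs/pull/N/merge` merge commit, while the reusable workflow is handed `pr_sha: ${{ ... head.sha }}` plus `pr_repo` and so tests the unmerged PR head from the head repository. A PR that only breaks once combined with the base branch therefore passes the container test, and shellcheck never sees the exact tree the test ran. If the head SHA is the intended target (it is also what drives the `molecule-testing` environment gate in the called workflow), give the validate checkout the same view, `ref: ${{ github.event.pull_request.head.sha || github.sha }}` and `repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}`, so both jobs agree on what was validated.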
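Review bot: The checkout in psscriptanalyzer.yml is the only one in this change that does not set `persist-credentials: false`, and this workflow now carries `security-events: write` at the workflow level, so the GITHUB_TOKEN that checkout writes into `.git/config` stays available to the two third-party actions that run afterwards. Add `with:` / `persist-credentials: false` to the `actions/checkout` step; as far as I can tell `upload-sarif` takes the token from its own `token` input (defaulting to `github.token`), not from git credentials, so nothing should break. Moving `security-events: write` down onto the `powershell` job would also keep that grant scoped to the one job that uploads SARIF.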
diff --git a/.github/workflows/pwsh_install_ccid.yml b/.github/workflows/pwsh_install_ccid.yml index f40fbf6..02799a2 100644 --- a/.github/workflows/pwsh_install_ccid.yml +++ b/.github/workflows/pwsh_install_ccid.yml 
@@ -9,116 +9,49 @@ on: - 'powershell/install/**' - '.github/workflows/pwsh_install_ccid.yml' - pull_request_target: - types: [ labeled ] + pull_request: paths: - 'molecule/pwsh_install_ccid/**' - 'powershell/install/**' - '.github/workflows/pwsh_install_ccid.yml' + +permissions: + contents: read + jobs: - molecule: - if: | - github.event_name == 'push' || - github.event_name == 'schedule' || - (github.event_name == 'pull_request_target' && - github.event.label.name == 'ok-to-test') - name: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} + validate: + name: Validate runs-on: ubuntu-latest - env: - PY_COLORS: 1 - ANSIBLE_FORCE_COLOR: 1 - FALCON_CLIENT_ID: ${{ secrets.FALCON_CLIENT_ID }} - FALCON_CLIENT_SECRET: ${{ secrets.FALCON_CLIENT_SECRET }} - FALCON_CLOUD: ${{ secrets.FALCON_CLOUD }} - FALCON_CID: ${{ secrets.FALCON_CID }} - FALCON_PROV_TOKEN: ${{ secrets.FALCON_PROV_TOKEN }} - AWS_REGION: "us-west-1" - MOLECULE_VPC_SUBNET_ID: ${{ secrets.MOLECULE_VPC_SUBNET_ID }} - permissions: - contents: read - id-token: write - strategy: - fail-fast: false - matrix: - molecule: - - distro: WindowsServer2022 - image_owner: 801119661308 - image_arch: x86_64 - image_name: Windows_Server-2022-English-Full-Base-* - instance_type: t3a.medium - collection_role: - - pwsh_install_ccid steps: - name: Check out code - uses: actions/checkout@v4 - if: github.event_name != 'pull_request_target' - - - name: Check out code - uses: actions/checkout@v4 - with: - ref: ${{github.event.pull_request.head.sha}} - if: github.event_name == 'pull_request_target' - - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: ${{ secrets.AWS_OIDC_ROLE }} - role-session-name: github-actions-molecule-ansible - aws-region: ${{ env.AWS_REGION }} - - - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: - python-version: '3.11' - cache: 'pip' - cache-dependency-path: 
'.github/workflows/pwsh_install_ccid.yml' + persist-credentials: false - - name: Install dependencies + - name: Validate PowerShell syntax + shell: pwsh run: | - sudo apt install apt-transport-https ca-certificates curl software-properties-common libssl-dev - python -m pip install --upgrade pip - pip install molecule "molecule-plugins[ec2]" ansible ansible-core==2.16.7 ansible-lint boto3 botocore pywinrm - - - name: Run role tests - id: molecule-role-test - uses: nick-fields/retry@v3 - env: - MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} - MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} - MOLECULE_IMAGE_ARCH: ${{ matrix.molecule.image_arch }} - MOLECULE_IMAGE_NAME: '${{ matrix.molecule.image_name }}' - MOLECULE_INSTANCE_TYPE: ${{ matrix.molecule.instance_type }} - MOLECULE_REGION: ${{ env.AWS_REGION}} - with: - timeout_minutes: 30 - max_attempts: 3 - retry_on: error - command: >- - molecule --version && - ansible --version && - molecule --debug test --destroy never -s ${{ matrix.collection_role }} - continue-on-error: true - - - name: Ensure instances are destroyed - uses: nick-fields/retry@v3 - env: - MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} - MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} - MOLECULE_IMAGE_ARCH: ${{ matrix.molecule.image_arch }} - MOLECULE_IMAGE_NAME: '${{ matrix.molecule.image_name }}' - MOLECULE_INSTANCE_TYPE: ${{ matrix.molecule.instance_type }} - MOLECULE_REGION: ${{ env.AWS_REGION}} - with: - timeout_minutes: 10 - max_attempts: 3 - retry_on: error - command: >- - molecule --version && - ansible --version && - molecule --debug destroy -s ${{ matrix.collection_role }} - - - name: Assert molecule tests passed - uses: nick-fields/assert-action@v2 - with: - expected: success - actual: ${{ steps.molecule-role-test.outcome }} + $scripts = Get-ChildItem -Path powershell/install -Filter *.ps1 -Recurse + foreach ($script in $scripts) { + $null = 
[System.Management.Automation.Language.Parser]::ParseFile($script.FullName, [ref]$null, [ref]$errors) + if ($errors.Count -gt 0) { + Write-Error "Syntax errors in $($script.FullName):" + $errors | ForEach-Object { Write-Error $_.ToString() } + exit 1 + } + } + Write-Host "All PowerShell scripts passed syntax validation" + + molecule-test: + name: Molecule Test + needs: validate + uses: ./.github/workflows/reusable-molecule-test-windows.yml + with: + distros: | + [ + {"name": "WindowsServer2022", "image_owner": "801119661308", "image_arch": "x86_64", "image_name": "Windows_Server-2022-English-Full-Base-*", "instance_type": "t3a.medium"} + ] + collection_role: pwsh_install_ccid + pr_sha: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || '' }} + pr_repo: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || '' }} + secrets: inherit diff --git a/.github/workflows/pwsh_install_policy.yml b/.github/workflows/pwsh_install_policy.yml index 0803323..7713f90 100644 --- a/.github/workflows/pwsh_install_policy.yml +++ b/.github/workflows/pwsh_install_policy.yml 
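Review bot: The `molecule-test` job calls a reusable workflow whose `molecule` job asks for `id-token: write` to run `aws-actions/configure-aws-credentials` with `role-to-assume`, but this caller now sets `permissions: contents: read` at the workflow level and gives the calling job no `permissions` of its own. A called workflow can only downgrade the caller's GITHUB_TOKEN permissions, never elevate them, so with the caller's ceiling at `contents: read` the OIDC request should fail and the Windows molecule run gets no AWS credentials; the job-level block this hunk removes carried `id-token: write` for exactly that reason. Grant it on the calling job, `molecule-test:` / `permissions:` / `contents: read` + `id-token: write`, which leaves the environment gate in the called workflow untouched. On pull_request events from forks no OIDC token is issued regardless, so this only matters for push, schedule and same-repository PRs.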
@@ -9,116 +9,49 @@ on: - 'powershell/install/**' - '.github/workflows/pwsh_install_policy.yml' - pull_request_target: - types: [ labeled ] + pull_request: paths: - 'molecule/pwsh_install_policy/**' - 'powershell/install/**' - '.github/workflows/pwsh_install_policy.yml' + +permissions: + contents: read + jobs: - molecule: - if: | - github.event_name == 'push' || - github.event_name == 'schedule' || - (github.event_name == 'pull_request_target' && - github.event.label.name == 'ok-to-test') - name: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} + validate: + name: Validate runs-on: ubuntu-latest - env: - PY_COLORS: 1 - ANSIBLE_FORCE_COLOR: 1 - FALCON_CLIENT_ID: ${{ secrets.FALCON_CLIENT_ID }} - FALCON_CLIENT_SECRET: ${{ secrets.FALCON_CLIENT_SECRET }} - FALCON_CLOUD: ${{ secrets.FALCON_CLOUD }} - FALCON_CID: ${{ secrets.FALCON_CID }} - FALCON_PROV_TOKEN: ${{ secrets.FALCON_PROV_TOKEN }} - AWS_REGION: "us-west-1" - MOLECULE_VPC_SUBNET_ID: ${{ secrets.MOLECULE_VPC_SUBNET_ID }} - permissions: - contents: read - id-token: write - strategy: - fail-fast: false - matrix: - molecule: - - distro: WindowsServer2022 - image_owner: 801119661308 - image_arch: x86_64 - image_name: Windows_Server-2022-English-Full-Base-* - instance_type: t3a.medium - collection_role: - - pwsh_install_policy steps: - name: Check out code - uses: actions/checkout@v4 - if: github.event_name != 'pull_request_target' - - - name: Check out code - uses: actions/checkout@v4 - with: - ref: ${{github.event.pull_request.head.sha}} - if: github.event_name == 'pull_request_target' - - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: ${{ secrets.AWS_OIDC_ROLE }} - role-session-name: github-actions-molecule-ansible - aws-region: ${{ env.AWS_REGION }} - - - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: - python-version: '3.11' - cache: 'pip' - 
cache-dependency-path: '.github/workflows/pwsh_install_policy.yml' + persist-credentials: false - - name: Install dependencies + - name: Validate PowerShell syntax + shell: pwsh run: | - sudo apt install apt-transport-https ca-certificates curl software-properties-common libssl-dev - python -m pip install --upgrade pip - pip install molecule "molecule-plugins[ec2]" ansible ansible-core==2.16.7 ansible-lint boto3 botocore pywinrm - - - name: Run role tests - id: molecule-role-test - uses: nick-fields/retry@v3 - env: - MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} - MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} - MOLECULE_IMAGE_ARCH: ${{ matrix.molecule.image_arch }} - MOLECULE_IMAGE_NAME: '${{ matrix.molecule.image_name }}' - MOLECULE_INSTANCE_TYPE: ${{ matrix.molecule.instance_type }} - MOLECULE_REGION: ${{ env.AWS_REGION}} - with: - timeout_minutes: 30 - max_attempts: 3 - retry_on: error - command: >- - molecule --version && - ansible --version && - molecule --debug test --destroy never -s ${{ matrix.collection_role }} - continue-on-error: true - - - name: Ensure instances are destroyed - uses: nick-fields/retry@v3 - env: - MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} - MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} - MOLECULE_IMAGE_ARCH: ${{ matrix.molecule.image_arch }} - MOLECULE_IMAGE_NAME: '${{ matrix.molecule.image_name }}' - MOLECULE_INSTANCE_TYPE: ${{ matrix.molecule.instance_type }} - MOLECULE_REGION: ${{ env.AWS_REGION}} - with: - timeout_minutes: 10 - max_attempts: 3 - retry_on: error - command: >- - molecule --version && - ansible --version && - molecule --debug destroy -s ${{ matrix.collection_role }} - - - name: Assert molecule tests passed - uses: nick-fields/assert-action@v2 - with: - expected: success - actual: ${{ steps.molecule-role-test.outcome }} + $scripts = Get-ChildItem -Path powershell/install -Filter *.ps1 -Recurse + foreach ($script in 
$scripts) { + $null = [System.Management.Automation.Language.Parser]::ParseFile($script.FullName, [ref]$null, [ref]$errors) + if ($errors.Count -gt 0) { + Write-Error "Syntax errors in $($script.FullName):" + $errors | ForEach-Object { Write-Error $_.ToString() } + exit 1 + } + } + Write-Host "All PowerShell scripts passed syntax validation" + + molecule-test: + name: Molecule Test + needs: validate + uses: ./.github/workflows/reusable-molecule-test-windows.yml + with: + distros: | + [ + {"name": "WindowsServer2022", "image_owner": "801119661308", "image_arch": "x86_64", "image_name": "Windows_Server-2022-English-Full-Base-*", "instance_type": "t3a.medium"} + ] + collection_role: pwsh_install_policy + pr_sha: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || '' }} + pr_repo: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || '' }} + secrets: inherit diff --git a/.github/workflows/pwsh_migrate.yml b/.github/workflows/pwsh_migrate.yml index 7bb260e..a432484 100644 --- a/.github/workflows/pwsh_migrate.yml +++ b/.github/workflows/pwsh_migrate.yml 
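Review bot: The `Validate PowerShell syntax` step stops at its first `Write-Error` and never prints the individual parse errors or reaches `exit 1`: for `shell: pwsh` the runner prepends `$ErrorActionPreference = 'stop'` to the script, which makes `Write-Error` a terminating error. The step still fails, which is what matters, but the log then shows only the "Syntax errors in ..." line and none of the `$errors` detail. Report through the workflow error command and keep the explicit exit: `Write-Host "::error file=$($script.FullName)::Syntax errors in $($script.FullName)"`, `$errors | ForEach-Object { Write-Host "::error::$($_.ToString())" }`, `exit 1`. The identical steps in the other pwsh_* workflows of this change have the same behaviour.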
@@ -9,116 +9,49 @@ on: - 'powershell/migrate/**' - '.github/workflows/pwsh_migrate.yml' - pull_request_target: - types: [ labeled ] + pull_request: paths: - 'molecule/pwsh_migrate/**' - 'powershell/migrate/**' - '.github/workflows/pwsh_migrate.yml' + +permissions: + contents: read + jobs: - molecule: - if: | - github.event_name == 'push' || - github.event_name == 'schedule' || - (github.event_name == 'pull_request_target' && - github.event.label.name == 'ok-to-test') - name: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} + validate: + name: Validate runs-on: ubuntu-latest - env: - PY_COLORS: 1 - ANSIBLE_FORCE_COLOR: 1 - FALCON_CLIENT_ID: ${{ secrets.FALCON_CLIENT_ID }} - FALCON_CLIENT_SECRET: ${{ secrets.FALCON_CLIENT_SECRET }} - FALCON_CLOUD: ${{ secrets.FALCON_CLOUD }} - FALCON_CID: ${{ secrets.FALCON_CID }} - FALCON_PROV_TOKEN: ${{ secrets.FALCON_PROV_TOKEN }} - AWS_REGION: "us-west-1" - MOLECULE_VPC_SUBNET_ID: ${{ secrets.MOLECULE_VPC_SUBNET_ID }} - permissions: - contents: read - id-token: write - strategy: - fail-fast: false - matrix: - molecule: - - distro: WindowsServer2022 - image_owner: 801119661308 - image_arch: x86_64 - image_name: Windows_Server-2022-English-Full-Base-* - instance_type: t3a.medium - collection_role: - - pwsh_migrate steps: - name: Check out code - uses: actions/checkout@v4 - if: github.event_name != 'pull_request_target' - - - name: Check out code - uses: actions/checkout@v4 - with: - ref: ${{github.event.pull_request.head.sha}} - if: github.event_name == 'pull_request_target' - - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: ${{ secrets.AWS_OIDC_ROLE }} - role-session-name: github-actions-molecule-ansible - aws-region: ${{ env.AWS_REGION }} - - - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: - python-version: '3.11' - cache: 'pip' - cache-dependency-path: 
'.github/workflows/pwsh_migrate.yml' + persist-credentials: false - - name: Install dependencies + - name: Validate PowerShell syntax + shell: pwsh run: | - sudo apt install apt-transport-https ca-certificates curl software-properties-common libssl-dev - python -m pip install --upgrade pip - pip install molecule "molecule-plugins[ec2]" ansible ansible-core==2.16.7 ansible-lint boto3 botocore pywinrm - - - name: Run role tests - id: molecule-role-test - uses: nick-fields/retry@v3 - env: - MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} - MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} - MOLECULE_IMAGE_ARCH: ${{ matrix.molecule.image_arch }} - MOLECULE_IMAGE_NAME: '${{ matrix.molecule.image_name }}' - MOLECULE_INSTANCE_TYPE: ${{ matrix.molecule.instance_type }} - MOLECULE_REGION: ${{ env.AWS_REGION}} - with: - timeout_minutes: 30 - max_attempts: 3 - retry_on: error - command: >- - molecule --version && - ansible --version && - molecule --debug test --destroy never -s ${{ matrix.collection_role }} - continue-on-error: true - - - name: Ensure instances are destroyed - uses: nick-fields/retry@v3 - env: - MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} - MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} - MOLECULE_IMAGE_ARCH: ${{ matrix.molecule.image_arch }} - MOLECULE_IMAGE_NAME: '${{ matrix.molecule.image_name }}' - MOLECULE_INSTANCE_TYPE: ${{ matrix.molecule.instance_type }} - MOLECULE_REGION: ${{ env.AWS_REGION}} - with: - timeout_minutes: 10 - max_attempts: 3 - retry_on: error - command: >- - molecule --version && - ansible --version && - molecule --debug destroy -s ${{ matrix.collection_role }} - - - name: Assert molecule tests passed - uses: nick-fields/assert-action@v2 - with: - expected: success - actual: ${{ steps.molecule-role-test.outcome }} + $scripts = Get-ChildItem -Path powershell/migrate -Filter *.ps1 -Recurse + foreach ($script in $scripts) { + $null = 
[System.Management.Automation.Language.Parser]::ParseFile($script.FullName, [ref]$null, [ref]$errors) + if ($errors.Count -gt 0) { + Write-Error "Syntax errors in $($script.FullName):" + $errors | ForEach-Object { Write-Error $_.ToString() } + exit 1 + } + } + Write-Host "All PowerShell scripts passed syntax validation" + + molecule-test: + name: Molecule Test + needs: validate + uses: ./.github/workflows/reusable-molecule-test-windows.yml + with: + distros: | + [ + {"name": "WindowsServer2022", "image_owner": "801119661308", "image_arch": "x86_64", "image_name": "Windows_Server-2022-English-Full-Base-*", "instance_type": "t3a.medium"} + ] + collection_role: pwsh_migrate + pr_sha: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || '' }} + pr_repo: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || '' }} + secrets: inherit diff --git a/.github/workflows/pwsh_uninstall.yml b/.github/workflows/pwsh_uninstall.yml index 15e8cfc..a3a1189 100644 --- a/.github/workflows/pwsh_uninstall.yml +++ b/.github/workflows/pwsh_uninstall.yml 
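Review bot: `exit 1` sits inside the `foreach` of the `Validate PowerShell syntax` step, so a PR that breaks two scripts under `powershell/migrate` reports only the first one and the contributor finds the second on the next run. Collecting failures is a small change: set `$failed = $false` before the loop, replace the inner `exit 1` with `$failed = $true`, and add `if ($failed) { exit 1 }` after the loop, ahead of the "All PowerShell scripts passed" message so that line is only printed on the clean path. The rest of this job (checkout with `persist-credentials: false`, then the reusable molecule call) is fine as written.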
@@ -9,116 +9,49 @@ on: - 'powershell/install/**' - '.github/workflows/pwsh_uninstall.yml' - pull_request_target: - types: [ labeled ] + pull_request: paths: - 'molecule/pwsh_uninstall/**' - 'powershell/install/**' - '.github/workflows/pwsh_uninstall.yml' + +permissions: + contents: read + jobs: - molecule: - if: | - github.event_name == 'push' || - github.event_name == 'schedule' || - (github.event_name == 'pull_request_target' && - github.event.label.name == 'ok-to-test') - name: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} + validate: + name: Validate runs-on: ubuntu-latest - env: - PY_COLORS: 1 - ANSIBLE_FORCE_COLOR: 1 - FALCON_CLIENT_ID: ${{ secrets.FALCON_CLIENT_ID }} - FALCON_CLIENT_SECRET: ${{ secrets.FALCON_CLIENT_SECRET }} - FALCON_CLOUD: ${{ secrets.FALCON_CLOUD }} - FALCON_CID: ${{ secrets.FALCON_CID }} - FALCON_PROV_TOKEN: ${{ secrets.FALCON_PROV_TOKEN }} - AWS_REGION: "us-west-1" - MOLECULE_VPC_SUBNET_ID: ${{ secrets.MOLECULE_VPC_SUBNET_ID }} - permissions: - contents: read - id-token: write - strategy: - fail-fast: false - matrix: - molecule: - - distro: WindowsServer2022 - image_owner: 801119661308 - image_arch: x86_64 - image_name: Windows_Server-2022-English-Full-Base-* - instance_type: t3a.medium - collection_role: - - pwsh_uninstall steps: - name: Check out code - uses: actions/checkout@v4 - if: github.event_name != 'pull_request_target' - - - name: Check out code - uses: actions/checkout@v4 - with: - ref: ${{github.event.pull_request.head.sha}} - if: github.event_name == 'pull_request_target' - - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: ${{ secrets.AWS_OIDC_ROLE }} - role-session-name: github-actions-molecule-ansible - aws-region: ${{ env.AWS_REGION }} - - - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: - python-version: '3.11' - cache: 'pip' - cache-dependency-path: 
'.github/workflows/pwsh_uninstall.yml' + persist-credentials: false - - name: Install dependencies + - name: Validate PowerShell syntax + shell: pwsh run: | - sudo apt install apt-transport-https ca-certificates curl software-properties-common libssl-dev - python -m pip install --upgrade pip - pip install molecule "molecule-plugins[ec2]" ansible ansible-core==2.16.7 ansible-lint boto3 botocore pywinrm - - - name: Run role tests - id: molecule-role-test - uses: nick-fields/retry@v3 - env: - MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} - MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} - MOLECULE_IMAGE_ARCH: ${{ matrix.molecule.image_arch }} - MOLECULE_IMAGE_NAME: '${{ matrix.molecule.image_name }}' - MOLECULE_INSTANCE_TYPE: ${{ matrix.molecule.instance_type }} - MOLECULE_REGION: ${{ env.AWS_REGION}} - with: - timeout_minutes: 30 - max_attempts: 3 - retry_on: error - command: >- - molecule --version && - ansible --version && - molecule --debug test --destroy never -s ${{ matrix.collection_role }} - continue-on-error: true - - - name: Ensure instances are destroyed - uses: nick-fields/retry@v3 - env: - MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} - MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} - MOLECULE_IMAGE_ARCH: ${{ matrix.molecule.image_arch }} - MOLECULE_IMAGE_NAME: '${{ matrix.molecule.image_name }}' - MOLECULE_INSTANCE_TYPE: ${{ matrix.molecule.instance_type }} - MOLECULE_REGION: ${{ env.AWS_REGION}} - with: - timeout_minutes: 10 - max_attempts: 3 - retry_on: error - command: >- - molecule --version && - ansible --version && - molecule --debug destroy -s ${{ matrix.collection_role }} - - - name: Assert molecule tests passed - uses: nick-fields/assert-action@v2 - with: - expected: success - actual: ${{ steps.molecule-role-test.outcome }} + $scripts = Get-ChildItem -Path powershell/install -Filter *.ps1 -Recurse + foreach ($script in $scripts) { + $null = 
[System.Management.Automation.Language.Parser]::ParseFile($script.FullName, [ref]$null, [ref]$errors) + if ($errors.Count -gt 0) { + Write-Error "Syntax errors in $($script.FullName):" + $errors | ForEach-Object { Write-Error $_.ToString() } + exit 1 + } + } + Write-Host "All PowerShell scripts passed syntax validation" + + molecule-test: + name: Molecule Test + needs: validate + uses: ./.github/workflows/reusable-molecule-test-windows.yml + with: + distros: | + [ + {"name": "WindowsServer2022", "image_owner": "801119661308", "image_arch": "x86_64", "image_name": "Windows_Server-2022-English-Full-Base-*", "instance_type": "t3a.medium"} + ] + collection_role: pwsh_uninstall + pr_sha: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || '' }} + pr_repo: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || '' }} + secrets: inherit diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 603076a..75a16dc 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,14 +5,16 @@ on: types: - created +permissions: + contents: write + jobs: release: runs-on: ubuntu-latest - permissions: - contents: write + timeout-minutes: 15 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - name: Release artifacts to GitHub run: | # Create powershell install zip diff --git a/.github/workflows/reusable-container-sensor-pull.yml b/.github/workflows/reusable-container-sensor-pull.yml new file mode 100644 index 0000000..f3be8e4 --- /dev/null +++ b/.github/workflows/reusable-container-sensor-pull.yml 
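Review bot: The `Validate PowerShell syntax` step here is a byte-for-byte copy of the one in pwsh_install_ccid.yml, pwsh_install_policy.yml and pwsh_migrate.yml, differing only in the `-Path` argument, and this same change already factors the expensive molecule part into reusable workflows. Move the parser loop into a local composite action (for example `.github/actions/pwsh-syntax-check` with a `path` input) or a single `validate-pwsh.ps1` invoked with the directory, so a fix to error reporting or exit handling lands once instead of four times. Validating `powershell/install` from the pwsh_uninstall workflow is consistent with its `paths` filter, so nothing to change there.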
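Review bot: release.yml is the one workflow in this change whose checkout keeps the default `persist-credentials`, and it now runs with `contents: write` at the workflow level, which leaves a write-capable GITHUB_TOKEN in `.git/config` for the rest of the job. If the `Release artifacts to GitHub` step uploads through the `gh` CLI or the REST API with the token in an environment variable (its body is outside this hunk, so I cannot confirm), git credentials are not needed and `persist-credentials: false` can be added exactly as the other workflows do. Keeping `permissions: contents: write` on the `release` job instead of hoisting it to the workflow would also match the least-privilege shape the rest of the diff adopts.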
@@ -0,0 +1,58 @@ +# Reusable workflow for container sensor pull tests +# Centralizes test logic with environment-based secret protection +# +# SECURITY: This workflow requires secrets to be configured in the 'molecule-testing' +# GitHub Environment with required reviewers enabled. For push/schedule events, +# secrets are accessed from repository level. For pull_request events (including +# forks), the environment protection gates secret access pending approval. +name: "Reusable: Container Sensor Pull Test" + +on: + workflow_call: + inputs: + sensor_types: + description: 'JSON array of sensor type configurations' + required: true + type: string + pr_sha: + description: 'PR head SHA for checkout (empty for push/schedule)' + required: false + type: string + default: '' + pr_repo: + description: 'PR head repo for checkout (empty for push/schedule)' + required: false + type: string + default: '' + +permissions: + contents: read + +jobs: + container_sensor_pull: + name: ${{ matrix.sensortype.type }} + runs-on: ubuntu-latest + timeout-minutes: 30 + environment: ${{ inputs.pr_sha != '' && 'molecule-testing' || '' }} + env: + FALCON_CLIENT_ID: ${{ secrets.FALCON_CLIENT_ID }} + FALCON_CLIENT_SECRET: ${{ secrets.FALCON_CLIENT_SECRET }} + permissions: + contents: read + id-token: write + strategy: + fail-fast: false + matrix: + sensortype: ${{ fromJSON(inputs.sensor_types) }} + + steps: + - name: Check out code + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + ref: ${{ inputs.pr_sha || github.sha }} + repository: ${{ inputs.pr_repo || github.repository }} + persist-credentials: false + + - name: Run script to pull ${{ matrix.sensortype.type }} image + run: | + bash bash/containers/falcon-container-sensor-pull/falcon-container-sensor-pull.sh "${{ matrix.sensortype.cli_arg }}" diff --git a/.github/workflows/reusable-molecule-test-linux.yml b/.github/workflows/reusable-molecule-test-linux.yml new file mode 100644 index 0000000..bdd3556 
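Review bot: Quoting `"${{ matrix.sensortype.cli_arg }}"` in the final `run:` step changes the call for the `falcon-container` entry, whose `cli_arg` is `""`: the old unquoted form passed no arguments, the new one passes an empty string as `$1`, and how the pull script treats an empty positional is not visible here, so a matrix entry that meant "defaults" may now trip the script's argument handling. Interpolating `${{ }}` straight into a shell line is also the pattern the script-injection advisories warn about; the values are hardcoded in the caller today, but this reusable workflow has no way to enforce that. Pass it via the environment and forward it only when non-empty: `env:` / `CLI_ARG: ${{ matrix.sensortype.cli_arg }}` and `run: bash bash/containers/falcon-container-sensor-pull/falcon-container-sensor-pull.sh ${CLI_ARG:+"$CLI_ARG"}`. Separately, this job requests `id-token: write` but no step in it uses OIDC (there is no `configure-aws-credentials` here, unlike the molecule workflows), so that grant can be dropped.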
--- /dev/null +++ b/.github/workflows/reusable-molecule-test-linux.yml 
@@ -0,0 +1,126 @@ +# Reusable workflow for Linux Molecule tests +# Centralizes all Molecule test logic with environment-based secret protection +# +# SECURITY: This workflow requires secrets to be configured in the 'molecule-testing' +# GitHub Environment with required reviewers enabled. For push/schedule events, +# secrets are accessed from repository level. For pull_request events (including +# forks), the environment protection gates secret access pending approval. +name: "Reusable: Molecule Test (Linux)" + +on: + workflow_call: + inputs: + distros: + description: 'JSON array of distro configurations' + required: true + type: string + collection_role: + description: 'The Molecule collection role to test' + required: true + type: string + pr_sha: + description: 'PR head SHA for checkout (empty for push/schedule)' + required: false + type: string + default: '' + pr_repo: + description: 'PR head repo for checkout (empty for push/schedule)' + required: false + type: string + default: '' + +permissions: + contents: read + +jobs: + molecule: + name: ${{ matrix.distro.name }}-${{ inputs.collection_role }} + runs-on: ubuntu-latest + timeout-minutes: 60 + environment: ${{ inputs.pr_sha != '' && 'molecule-testing' || '' }} + env: + PY_COLORS: 1 + ANSIBLE_FORCE_COLOR: 1 + FALCON_CLIENT_ID: ${{ secrets.FALCON_CLIENT_ID }} + FALCON_CLIENT_SECRET: ${{ secrets.FALCON_CLIENT_SECRET }} + AWS_REGION: "us-west-1" + MOLECULE_VPC_SUBNET_ID: ${{ secrets.MOLECULE_VPC_SUBNET_ID }} + permissions: + contents: read + id-token: write + strategy: + fail-fast: false + matrix: + distro: ${{ fromJSON(inputs.distros) }} + + steps: + - name: Check out code + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + ref: ${{ inputs.pr_sha || github.sha }} + repository: ${{ inputs.pr_repo || github.repository }} + persist-credentials: false + + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 
+ with: + role-to-assume: ${{ secrets.AWS_OIDC_ROLE }} + role-session-name: github-actions-molecule-ansible + aws-region: ${{ env.AWS_REGION }} + + - name: Set up Python + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 + with: + python-version: '3.11' + cache: 'pip' + cache-dependency-path: '.github/workflows/reusable-molecule-test-linux.yml' + + - name: Install dependencies + run: | + sudo apt install apt-transport-https ca-certificates curl software-properties-common libssl-dev + python -m pip install --upgrade pip + pip install molecule "molecule-plugins[ec2]" ansible ansible-core==2.16.7 ansible-lint boto3 botocore + + - name: Run role tests + id: molecule-role-test + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 + env: + MOLECULE_INSTANCE_NAME: ${{ matrix.distro.name }}-${{ inputs.collection_role }} + MOLECULE_IMAGE_OWNER: ${{ matrix.distro.image_owner }} + MOLECULE_IMAGE_ARCH: ${{ matrix.distro.image_arch }} + MOLECULE_IMAGE_NAME: ${{ matrix.distro.image_name }} + MOLECULE_INSTANCE_TYPE: ${{ matrix.distro.instance_type }} + MOLECULE_REGION: ${{ env.AWS_REGION }} + with: + timeout_minutes: 30 + max_attempts: 3 + retry_on: error + command: >- + molecule --version && + ansible --version && + molecule --debug test --destroy never -s "${{ inputs.collection_role }}" + continue-on-error: true + + - name: Ensure instances are destroyed + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 + env: + MOLECULE_INSTANCE_NAME: ${{ matrix.distro.name }}-${{ inputs.collection_role }} + MOLECULE_IMAGE_OWNER: ${{ matrix.distro.image_owner }} + MOLECULE_IMAGE_ARCH: ${{ matrix.distro.image_arch }} + MOLECULE_IMAGE_NAME: ${{ matrix.distro.image_name }} + MOLECULE_INSTANCE_TYPE: ${{ matrix.distro.instance_type }} + MOLECULE_REGION: ${{ env.AWS_REGION }} + with: + timeout_minutes: 10 + max_attempts: 3 + retry_on: error + command: >- + molecule --version && + ansible --version && + molecule --debug 
destroy -s "${{ inputs.collection_role }}" + + - name: Assert molecule tests passed + uses: nick-fields/assert-action@aa0067e01f0f6545c31755d6ca128c5a3a14f6bf # v2.0.0 + with: + expected: success + actual: ${{ steps.molecule-role-test.outcome }} diff --git a/.github/workflows/reusable-molecule-test-windows.yml b/.github/workflows/reusable-molecule-test-windows.yml new file mode 100644 index 0000000..177103e --- /dev/null +++ b/.github/workflows/reusable-molecule-test-windows.yml 
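Review bot: The SECURITY header states that for pull_request events "including forks" the `molecule-testing` environment gates secret access pending approval, but the callers in this change trigger on `pull_request` rather than `pull_request_target`, and a `pull_request` run from a fork receives no repository or environment secrets (only a read-only GITHUB_TOKEN) and, as far as I know, no OIDC token; approving the deployment therefore lets the job start, after which `Configure AWS Credentials` fails on an empty `AWS_OIDC_ROLE`. The gate is effective for same-repository branches only, so reword the comment to say that and state how fork contributions get tested (for example a maintainer pushes the branch into this repository), otherwise reviewers will approve runs that cannot succeed. Second, `Install dependencies` pins only `ansible-core==2.16.7` while `molecule`, `molecule-plugins[ec2]`, `ansible`, `ansible-lint`, `boto3` and `botocore` float, in a job that holds Falcon API credentials and an assumable AWS role; pinning them in a `requirements.txt` (ideally installed with `--require-hashes`) and pointing `cache-dependency-path` at that file would make this job's supply chain as deterministic as the SHA-pinned actions around it.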
@@ -0,0 +1,129 @@
+# Reusable workflow for Windows Molecule tests
+# Centralizes all Molecule test logic with environment-based secret protection
+#
+# SECURITY: This workflow requires secrets to be configured in the 'molecule-testing'
+# GitHub Environment with required reviewers enabled. For push/schedule events,
+# secrets are accessed from repository level. For pull_request events (including
+# forks), the environment protection gates secret access pending approval.
+name: "Reusable: Molecule Test (Windows)"
+
+on:
+ workflow_call:
+ inputs:
+ distros:
+ description: 'JSON array of distro configurations'
+ required: true
+ type: string
+ collection_role:
+ description: 'The Molecule collection role to test'
+ required: true
+ type: string
+ pr_sha:
+ description: 'PR head SHA for checkout (empty for push/schedule)'
+ required: false
+ type: string
+ default: ''
+ pr_repo:
+ description: 'PR head repo for checkout (empty for push/schedule)'
+ required: false
+ type: string
+ default: ''
+
+permissions:
+ contents: read
+
+jobs:
+ molecule:
+ name: ${{ matrix.distro.name }}-${{ inputs.collection_role }}
+ runs-on: ubuntu-latest
+ timeout-minutes: 60
+ environment: ${{ inputs.pr_sha != '' && 'molecule-testing' || '' }}
+ env:
+ PY_COLORS: 1
+ ANSIBLE_FORCE_COLOR: 1
+ FALCON_CLIENT_ID: ${{ secrets.FALCON_CLIENT_ID }}
+ FALCON_CLIENT_SECRET: ${{ secrets.FALCON_CLIENT_SECRET }}
+ FALCON_CLOUD: ${{ secrets.FALCON_CLOUD }}
+ FALCON_CID: ${{ secrets.FALCON_CID }}
+ FALCON_PROV_TOKEN: ${{ secrets.FALCON_PROV_TOKEN }}
+ AWS_REGION: "us-west-1"
+ MOLECULE_VPC_SUBNET_ID: ${{ secrets.MOLECULE_VPC_SUBNET_ID }}
+ permissions:
+ contents: read
+ id-token: write
+ strategy:
+ fail-fast: false
+ matrix:
+ distro: ${{ fromJSON(inputs.distros) }}
+
+ steps:
+ - name: Check out code
+ uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+ with:
+ ref: ${{ inputs.pr_sha || github.sha }}
+ repository: ${{ inputs.pr_repo || github.repository }}
+ persist-credentials: false
+
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+ with:
+ role-to-assume: ${{ secrets.AWS_OIDC_ROLE }}
+ role-session-name: github-actions-molecule-ansible
+ aws-region: ${{ env.AWS_REGION }}
+
+ - name: Set up Python
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+ with:
+ python-version: '3.11'
+ cache: 'pip'
+ cache-dependency-path: '.github/workflows/reusable-molecule-test-windows.yml'
+
+ - name: Install dependencies
+ run: |
+ sudo apt install apt-transport-https ca-certificates curl software-properties-common libssl-dev
+ python -m pip install --upgrade pip
+ pip install molecule "molecule-plugins[ec2]" ansible ansible-core==2.16.7 ansible-lint boto3 botocore pywinrm
+
+ - name: Run role tests
+ id: molecule-role-test
+ uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
+ env:
+ MOLECULE_INSTANCE_NAME: ${{ matrix.distro.name }}-${{ inputs.collection_role }}
+ MOLECULE_IMAGE_OWNER: ${{ matrix.distro.image_owner }}
+ MOLECULE_IMAGE_ARCH: ${{ matrix.distro.image_arch }}
+ MOLECULE_IMAGE_NAME: ${{ matrix.distro.image_name }}
+ MOLECULE_INSTANCE_TYPE: ${{ matrix.distro.instance_type }}
+ MOLECULE_REGION: ${{ env.AWS_REGION }}
+ with:
+ timeout_minutes: 30
+ max_attempts: 3
+ retry_on: error
+ command: >-
+ molecule --version &&
+ ansible --version &&
+ molecule --debug test --destroy never -s "${{ inputs.collection_role }}"
+ continue-on-error: true
+
+ - name: Ensure instances are destroyed
+ uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
+ env:
+ MOLECULE_INSTANCE_NAME: ${{ matrix.distro.name }}-${{ inputs.collection_role }}
+ MOLECULE_IMAGE_OWNER: ${{ matrix.distro.image_owner }}
+ MOLECULE_IMAGE_ARCH: ${{ matrix.distro.image_arch }}
+ MOLECULE_IMAGE_NAME: ${{ matrix.distro.image_name }}
+ MOLECULE_INSTANCE_TYPE: ${{ matrix.distro.instance_type }}
+ MOLECULE_REGION: ${{ env.AWS_REGION }}
+ with:
+ timeout_minutes: 10
+ max_attempts: 3
+ retry_on: error
+ command: >-
+ molecule --version &&
+ ansible --version &&
+ molecule --debug destroy -s "${{ inputs.collection_role }}"
+
+ - name: Assert molecule tests passed
+ uses: nick-fields/assert-action@aa0067e01f0f6545c31755d6ca128c5a3a14f6bf # v2.0.0
+ with:
+ expected: success
+ actual: ${{ steps.molecule-role-test.outcome }}
diff --git a/.github/workflows/shell_format.yml b/.github/workflows/shell_format.yml
index f7ed7e5..5784db5 100644
--- a/.github/workflows/shell_format.yml
+++ b/.github/workflows/shell_format.yml
@@ -1,18 +1,25 @@
+name: Shell Format Check
+
 on:
 pull_request:
 paths:
 - 'bash/**'
 - '.github/workflows/shell_format.yml'
+permissions:
+ contents: read
+
 jobs:
 shfmt:
 runs-on: ubuntu-latest
+ timeout-minutes: 10
 permissions:
+ contents: read
 pull-requests: write
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
 - name: Run shfmt with reviewdog
- uses: reviewdog/action-shfmt@v1.0.4
+ uses: reviewdog/action-shfmt@650566520dd8dfd3ac8f4129754a0aa342fdda4d # v1.0.4
 with:
 fail_on_error: true
 workdir: 'bash'
diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
index 27e2795..7b779b9 100644
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@@ -1,3 +1,5 @@
+name: ShellCheck Linting
+
 on:
 push:
 paths:
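Review bot: The `FALCON_*` secrets and `MOLECULE_VPC_SUBNET_ID` sit in the job-level `env:` of the `molecule` job, so they are present in every step, including `Install dependencies`, which runs `sudo apt install` and a `pip install` whose packages other than `ansible-core` are unpinned, and which runs after `Configure AWS Credentials` has already exported the OIDC session into the environment. Both molecule steps already carry a step-level `env:` for the `MOLECULE_*` matrix values, so the secrets can move there, and installing dependencies before assuming the AWS role keeps both credential sets out of the package-installation step without changing what the molecule steps see. `Ensure instances are destroyed` also has no `if: always()`, while `Run role tests` may run 3 × 30 minutes against a job `timeout-minutes: 60`, so a job timeout or cancellation skips cleanup of instances created with `--destroy never`. The `environment:` gate is keyed on `inputs.pr_sha != ''` rather than on the triggering event, so the protection described in the header comment holds only if every caller passes `pr_sha` for PR runs; `environment: ${{ github.event_name == 'pull_request' && 'molecule-testing' || '' }}` would tie it to the event instead. The Linux reusable workflow hunk above, whose start is outside this view, has the same layout.
```yaml
    steps:
      # … unchanged: Check out code, Set up Python …

      # Runs before the AWS role is assumed so package installation
      # has no cloud or Falcon credentials in its environment.
      - name: Install dependencies
        # … unchanged: apt/pip install …

      - name: Configure AWS Credentials
        # … unchanged: OIDC role assumption …

      - name: Run role tests
        id: molecule-role-test
        uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
        env:
          FALCON_CLIENT_ID: ${{ secrets.FALCON_CLIENT_ID }}
          FALCON_CLIENT_SECRET: ${{ secrets.FALCON_CLIENT_SECRET }}
          FALCON_CLOUD: ${{ secrets.FALCON_CLOUD }}
          FALCON_CID: ${{ secrets.FALCON_CID }}
          FALCON_PROV_TOKEN: ${{ secrets.FALCON_PROV_TOKEN }}
          MOLECULE_VPC_SUBNET_ID: ${{ secrets.MOLECULE_VPC_SUBNET_ID }}
          # … unchanged: MOLECULE_* matrix values …
        # … unchanged: with/command, continue-on-error …

      - name: Ensure instances are destroyed
        if: always()
        # … same step-level secrets as above (destroy may need only a subset); rest unchanged …
```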
@@ -9,23 +11,28 @@ on:
 - 'bash/**'
 - '.github/workflows/shellcheck.yml'
+permissions:
+ contents: read
+
 jobs:
 bash:
 runs-on: ubuntu-latest
+ timeout-minutes: 10
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
 - name: Run ShellCheck
- uses: ludeeus/action-shellcheck@master
+ uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # 2.0.0
 with:
 format: tty
 scandir: './bash'
 dash:
 runs-on: ubuntu-latest
+ timeout-minutes: 10
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
 - name: Run ShellCheck to check against dash shells
- uses: ludeeus/action-shellcheck@master
+ uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # 2.0.0
 with:
 format: tty
 scandir: './bash'
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index ac0f002..4b35252 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -9,16 +9,20 @@ on:
 schedule:
 - cron: '18 23 * * *'
+permissions:
+ contents: read
+
 jobs:
 stale:
 runs-on: ubuntu-latest
+ timeout-minutes: 10
 permissions:
 issues: write
 pull-requests: write
 steps:
- - uses: actions/stale@v9
+ - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 days-before-stale: 14
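Review bot: The `dash` job is, as far as this hunk shows, identical to the `bash` job — both pass only `format: tty` and `scandir: './bash'` to the same pinned action — so nothing in the file selects the dash dialect for the second run despite its name; unless the dialect is fixed elsewhere (a `.shellcheckrc` or the scripts' shebangs), the job repeats the first one. ShellCheck reads extra flags from the `SHELLCHECK_OPTS` environment variable, so adding `env:` / `SHELLCHECK_OPTS: -s dash` to the `dash` job's ShellCheck step would make the intent explicit and the result distinct. The `with:` lines are context rather than part of this change; the move from `@master` to a commit hash is the change and is the right call for an action that runs on every push.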