From 9ae4f2553dfd64f8c4e913c52dba9b4c76acab96 Mon Sep 17 00:00:00 2001 From: Carlos Matos Date: Thu, 29 Jan 2026 15:18:05 -0500 Subject: [PATCH 1/2] ci: initial hardening steps --- .github/workflows/bash_install.yml | 17 ++++++++++------- .github/workflows/bash_install_decrement.yml | 17 ++++++++++------- .github/workflows/bash_install_only.yml | 17 ++++++++++------- .github/workflows/bash_install_policy.yml | 17 ++++++++++------- .github/workflows/bash_migrate.yml | 17 ++++++++++------- .github/workflows/container_sensor_pull.yml | 8 ++++++-- .github/workflows/docs.yml | 9 +++++++-- .github/workflows/psscriptanalyzer.yml | 11 ++++++++--- .github/workflows/pwsh_install_ccid.yml | 18 +++++++++++------- .github/workflows/pwsh_install_policy.yml | 18 +++++++++++------- .github/workflows/pwsh_migrate.yml | 18 +++++++++++------- .github/workflows/pwsh_uninstall.yml | 18 +++++++++++------- .github/workflows/release.yml | 8 +++++--- .github/workflows/shell_format.yml | 11 +++++++++-- .github/workflows/shellcheck.yml | 15 +++++++++++---- .github/workflows/stale.yml | 6 +++++- 16 files changed, 145 insertions(+), 80 deletions(-) diff --git a/.github/workflows/bash_install.yml b/.github/workflows/bash_install.yml index 03294f0c..976924ad 100644 --- a/.github/workflows/bash_install.yml +++ b/.github/workflows/bash_install.yml @@ -16,6 +16,9 @@ on: - 'bash/install/**' - '.github/workflows/bash_install.yml' +permissions: + contents: read + jobs: molecule: if: | 
@@ -84,24 +87,24 @@ jobs: steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 if: github.event_name != 'pull_request_target' - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: ref: ${{github.event.pull_request.head.sha}} if: github.event_name == 'pull_request_target' - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: role-to-assume: ${{ secrets.AWS_OIDC_ROLE }} role-session-name: github-actions-molecule-ansible aws-region: ${{ env.AWS_REGION }} - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: '3.11' cache: 'pip' @@ -115,7 +118,7 @@ jobs: - name: Run role tests id: molecule-role-test - uses: nick-fields/retry@v3 + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 env: MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} @@ -134,7 +137,7 @@ jobs: continue-on-error: true - name: Ensure instances are destroyed - uses: nick-fields/retry@v3 + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 env: MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} @@ -152,7 +155,7 @@ jobs: molecule --debug destroy -s ${{ matrix.collection_role }} - name: Assert molecule tests passed - uses: nick-fields/assert-action@v2 + uses: nick-fields/assert-action@aa0067e01f0f6545c31755d6ca128c5a3a14f6bf # v2.0.0 with: expected: success actual: ${{ steps.molecule-role-test.outcome }} 
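Review bot: The SHA pins introduced here (`actions/checkout@93cb6efe… # v5.0.1`, `nick-fields/retry@ce71cc2a… # v3.0.2`, `aws-actions/configure-aws-credentials@7474bc46… # v4.3.1`, and the rest) are only as good as the one-time check that each hash really is the commit behind the quoted tag, and they will age silently unless something bumps them. Nothing in this series adds a `.github/dependabot.yml` entry for the `github-actions` ecosystem (or a Renovate config), so if the repository does not already have one, add `- package-ecosystem: "github-actions"` with `directory: "/"` so the hashes are refreshed and the `# vX.Y.Z` comments stay in sync with them. Until that exists, treat the version comments as documentation only — the hash is what runs, and a stale comment next to a moved hash is worse than no comment.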
diff --git a/.github/workflows/bash_install_decrement.yml b/.github/workflows/bash_install_decrement.yml index 3accdc70..a42ef2b2 100644 --- a/.github/workflows/bash_install_decrement.yml +++ b/.github/workflows/bash_install_decrement.yml @@ -16,6 +16,9 @@ on: - 'bash/install/**' - '.github/workflows/bash_install_decrement.yml' +permissions: + contents: read + jobs: molecule: if: | @@ -84,24 +87,24 @@ jobs: steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 if: github.event_name != 'pull_request_target' - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: ref: ${{github.event.pull_request.head.sha}} if: github.event_name == 'pull_request_target' - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: role-to-assume: ${{ secrets.AWS_OIDC_ROLE }} role-session-name: github-actions-molecule-ansible aws-region: ${{ env.AWS_REGION }} - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: '3.11' cache: 'pip' @@ -115,7 +118,7 @@ jobs: - name: Run role tests id: molecule-role-test - uses: nick-fields/retry@v3 + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 env: MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} @@ -134,7 +137,7 @@ jobs: continue-on-error: true - name: Ensure instances are destroyed - uses: nick-fields/retry@v3 + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 env: MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} 
@@ -152,7 +155,7 @@ jobs: molecule --debug destroy -s ${{ matrix.collection_role }} - name: Assert molecule tests passed - uses: nick-fields/assert-action@v2 + uses: nick-fields/assert-action@aa0067e01f0f6545c31755d6ca128c5a3a14f6bf # v2.0.0 with: expected: success actual: ${{ steps.molecule-role-test.outcome }} diff --git a/.github/workflows/bash_install_only.yml b/.github/workflows/bash_install_only.yml index 6206c83f..17060ec7 100644 --- a/.github/workflows/bash_install_only.yml +++ b/.github/workflows/bash_install_only.yml @@ -16,6 +16,9 @@ on: - 'bash/install/**' - '.github/workflows/bash_install_only.yml' +permissions: + contents: read + jobs: molecule: if: | @@ -84,24 +87,24 @@ jobs: steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 if: github.event_name != 'pull_request_target' - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: ref: ${{github.event.pull_request.head.sha}} if: github.event_name == 'pull_request_target' - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: role-to-assume: ${{ secrets.AWS_OIDC_ROLE }} role-session-name: github-actions-molecule-ansible aws-region: ${{ env.AWS_REGION }} - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: '3.11' cache: 'pip' @@ -115,7 +118,7 @@ jobs: - name: Run role tests id: molecule-role-test - uses: nick-fields/retry@v3 + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 env: MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} 
@@ -134,7 +137,7 @@ jobs: continue-on-error: true - name: Ensure instances are destroyed - uses: nick-fields/retry@v3 + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 env: MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} @@ -152,7 +155,7 @@ jobs: molecule --debug destroy -s ${{ matrix.collection_role }} - name: Assert molecule tests passed - uses: nick-fields/assert-action@v2 + uses: nick-fields/assert-action@aa0067e01f0f6545c31755d6ca128c5a3a14f6bf # v2.0.0 with: expected: success actual: ${{ steps.molecule-role-test.outcome }} diff --git a/.github/workflows/bash_install_policy.yml b/.github/workflows/bash_install_policy.yml index 67acb658..8d99caa1 100644 --- a/.github/workflows/bash_install_policy.yml +++ b/.github/workflows/bash_install_policy.yml @@ -16,6 +16,9 @@ on: - 'bash/install/**' - '.github/workflows/bash_install_policy.yml' +permissions: + contents: read + jobs: molecule: if: | @@ -84,24 +87,24 @@ jobs: steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 if: github.event_name != 'pull_request_target' - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: ref: ${{github.event.pull_request.head.sha}} if: github.event_name == 'pull_request_target' - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: role-to-assume: ${{ secrets.AWS_OIDC_ROLE }} role-session-name: github-actions-molecule-ansible aws-region: ${{ env.AWS_REGION }} - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: '3.11' cache: 'pip' 
@@ -115,7 +118,7 @@ jobs: - name: Run role tests id: molecule-role-test - uses: nick-fields/retry@v3 + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 env: MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} @@ -134,7 +137,7 @@ jobs: continue-on-error: true - name: Ensure instances are destroyed - uses: nick-fields/retry@v3 + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 env: MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} @@ -152,7 +155,7 @@ jobs: molecule --debug destroy -s ${{ matrix.collection_role }} - name: Assert molecule tests passed - uses: nick-fields/assert-action@v2 + uses: nick-fields/assert-action@aa0067e01f0f6545c31755d6ca128c5a3a14f6bf # v2.0.0 with: expected: success actual: ${{ steps.molecule-role-test.outcome }} diff --git a/.github/workflows/bash_migrate.yml b/.github/workflows/bash_migrate.yml index 7fb18c51..d71b2d62 100644 --- a/.github/workflows/bash_migrate.yml +++ b/.github/workflows/bash_migrate.yml @@ -16,6 +16,9 @@ on: - 'bash/migrate/**.sh' - '.github/workflows/bash_migrate.yml' +permissions: + contents: read + jobs: molecule: if: | 
@@ -84,24 +87,24 @@ jobs: steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 if: github.event_name != 'pull_request_target' - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: ref: ${{github.event.pull_request.head.sha}} if: github.event_name == 'pull_request_target' - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: role-to-assume: ${{ secrets.AWS_OIDC_ROLE }} role-session-name: github-actions-molecule-ansible aws-region: ${{ env.AWS_REGION }} - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: '3.11' cache: 'pip' @@ -115,7 +118,7 @@ jobs: - name: Run role tests id: molecule-role-test - uses: nick-fields/retry@v3 + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 env: MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} @@ -134,7 +137,7 @@ jobs: continue-on-error: true - name: Ensure instances are destroyed - uses: nick-fields/retry@v3 + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 env: MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} @@ -152,7 +155,7 @@ jobs: molecule --debug destroy -s ${{ matrix.collection_role }} - name: Assert molecule tests passed - uses: nick-fields/assert-action@v2 + uses: nick-fields/assert-action@aa0067e01f0f6545c31755d6ca128c5a3a14f6bf # v2.0.0 with: expected: success actual: ${{ steps.molecule-role-test.outcome }} 
diff --git a/.github/workflows/container_sensor_pull.yml b/.github/workflows/container_sensor_pull.yml index 662156ba..e75a26d4 100644 --- a/.github/workflows/container_sensor_pull.yml +++ b/.github/workflows/container_sensor_pull.yml @@ -14,6 +14,9 @@ on: - 'bash/containers/falcon-container-sensor-pull/**' - '.github/workflows/container_sensor_pull.yml' +permissions: + contents: read + jobs: container_sensor_pull: if: | @@ -23,6 +26,7 @@ jobs: github.event.label.name == 'ok-to-test') name: ${{ matrix.sensortype.type }} runs-on: ubuntu-latest + timeout-minutes: 30 env: FALCON_CLIENT_ID: ${{ secrets.FALCON_CLIENT_ID }} FALCON_CLIENT_SECRET: ${{ secrets.FALCON_CLIENT_SECRET }} @@ -42,11 +46,11 @@ jobs: steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 if: github.event_name != 'pull_request_target' - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: ref: ${{github.event.pull_request.head.sha}} if: github.event_name == 'pull_request_target' diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index dd00426e..4e8f347d 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -7,17 +7,22 @@ on: branches: [ main ] paths: - '**.md' + +permissions: + contents: read + jobs: markdown-link-check: name: Broken Links runs-on: ubuntu-latest + timeout-minutes: 15 steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: submodules: recursive - name: Run link check - uses: gaurav-nelson/github-action-markdown-link-check@v1 + uses: gaurav-nelson/github-action-markdown-link-check@4a1af151f4d7cf4d8f8ac5780597672a3671b88b # 1.0.17 with: use-quiet-mode: 'no' use-verbose-mode: 'yes' diff --git a/.github/workflows/psscriptanalyzer.yml b/.github/workflows/psscriptanalyzer.yml index 64bef30c..49bca7de 100644 
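Review bot: `FALCON_CLIENT_ID` and `FALCON_CLIENT_SECRET` remain in the job-level `env:` of `container_sensor_pull`, so every step in the job — including both `actions/checkout` steps and any third-party action the matrix runs — receives them in its process environment; the hardening pass only inserted `timeout-minutes: 30` above them. Scoping the two secrets to the single step that invokes the pull script (an `env:` block on that step) limits which code can read them. The second patch reworks this file into a reusable workflow according to its diffstat, which is not visible here, so confirm the secrets end up step-scoped there as well. The rest of the job body lies outside this hunk.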
--- a/.github/workflows/psscriptanalyzer.yml +++ b/.github/workflows/psscriptanalyzer.yml @@ -11,20 +11,25 @@ on: - 'powershell/**' - '.github/workflows/psscriptanalyzer.yml' +permissions: + contents: read + security-events: write + jobs: powershell: runs-on: windows-latest + timeout-minutes: 15 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - name: Run PSScriptAnalyzer - uses: microsoft/psscriptanalyzer-action@main + uses: microsoft/psscriptanalyzer-action@7a0da25f33985767f15f93140306528900744195 # main with: path: .\powershell recurse: true excludeRule: '"PSUseShouldProcessForStateChangingFunctions"' output: 'results.sarif' - name: Upload SARIF results file - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@fbcef3fba75224ed6476919775448de80b23cb15 # v3.32.0 with: sarif_file: results.sarif diff --git a/.github/workflows/pwsh_install_ccid.yml b/.github/workflows/pwsh_install_ccid.yml index f40fbf68..b006c341 100644 --- a/.github/workflows/pwsh_install_ccid.yml +++ b/.github/workflows/pwsh_install_ccid.yml @@ -15,6 +15,10 @@ on: - 'molecule/pwsh_install_ccid/**' - 'powershell/install/**' - '.github/workflows/pwsh_install_ccid.yml' + +permissions: + contents: read + jobs: molecule: if: | 
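Review bot: `security-events: write` is granted at the workflow level here, so it applies to every job in the file rather than only to the `powershell` job whose `upload-sarif` step needs it; the workflow has one job today, but a top-level write grant is exactly the pattern that leaks when a second job is added later. Keep `permissions: contents: read` at the top and move `security-events: write` (together with `contents: read`) into a `permissions:` block under the `powershell` job, mirroring what `shell_format.yml` and `stale.yml` do in this same commit. The second patch touches only two lines of this file per its diffstat, so this scoping will not be fixed there.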
@@ -50,24 +54,24 @@ jobs: - pwsh_install_ccid steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 if: github.event_name != 'pull_request_target' - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: ref: ${{github.event.pull_request.head.sha}} if: github.event_name == 'pull_request_target' - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: role-to-assume: ${{ secrets.AWS_OIDC_ROLE }} role-session-name: github-actions-molecule-ansible aws-region: ${{ env.AWS_REGION }} - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: '3.11' cache: 'pip' @@ -81,7 +85,7 @@ jobs: - name: Run role tests id: molecule-role-test - uses: nick-fields/retry@v3 + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 env: MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} @@ -100,7 +104,7 @@ jobs: continue-on-error: true - name: Ensure instances are destroyed - uses: nick-fields/retry@v3 + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 env: MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} @@ -118,7 +122,7 @@ jobs: molecule --debug destroy -s ${{ matrix.collection_role }} - name: Assert molecule tests passed - uses: nick-fields/assert-action@v2 + uses: nick-fields/assert-action@aa0067e01f0f6545c31755d6ca128c5a3a14f6bf # v2.0.0 with: expected: success actual: ${{ steps.molecule-role-test.outcome }} 
diff --git a/.github/workflows/pwsh_install_policy.yml b/.github/workflows/pwsh_install_policy.yml index 08033233..bbb89f90 100644 --- a/.github/workflows/pwsh_install_policy.yml +++ b/.github/workflows/pwsh_install_policy.yml @@ -15,6 +15,10 @@ on: - 'molecule/pwsh_install_policy/**' - 'powershell/install/**' - '.github/workflows/pwsh_install_policy.yml' + +permissions: + contents: read + jobs: molecule: if: | @@ -50,24 +54,24 @@ jobs: - pwsh_install_policy steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 if: github.event_name != 'pull_request_target' - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: ref: ${{github.event.pull_request.head.sha}} if: github.event_name == 'pull_request_target' - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: role-to-assume: ${{ secrets.AWS_OIDC_ROLE }} role-session-name: github-actions-molecule-ansible aws-region: ${{ env.AWS_REGION }} - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: '3.11' cache: 'pip' @@ -81,7 +85,7 @@ jobs: - name: Run role tests id: molecule-role-test - uses: nick-fields/retry@v3 + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 env: MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} 
@@ -100,7 +104,7 @@ jobs: continue-on-error: true - name: Ensure instances are destroyed - uses: nick-fields/retry@v3 + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 env: MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} @@ -118,7 +122,7 @@ jobs: molecule --debug destroy -s ${{ matrix.collection_role }} - name: Assert molecule tests passed - uses: nick-fields/assert-action@v2 + uses: nick-fields/assert-action@aa0067e01f0f6545c31755d6ca128c5a3a14f6bf # v2.0.0 with: expected: success actual: ${{ steps.molecule-role-test.outcome }} diff --git a/.github/workflows/pwsh_migrate.yml b/.github/workflows/pwsh_migrate.yml index 7bb260e1..a9143e71 100644 --- a/.github/workflows/pwsh_migrate.yml +++ b/.github/workflows/pwsh_migrate.yml @@ -15,6 +15,10 @@ on: - 'molecule/pwsh_migrate/**' - 'powershell/migrate/**' - '.github/workflows/pwsh_migrate.yml' + +permissions: + contents: read + jobs: molecule: if: | @@ -50,24 +54,24 @@ jobs: - pwsh_migrate steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 if: github.event_name != 'pull_request_target' - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: ref: ${{github.event.pull_request.head.sha}} if: github.event_name == 'pull_request_target' - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: role-to-assume: ${{ secrets.AWS_OIDC_ROLE }} role-session-name: github-actions-molecule-ansible aws-region: ${{ env.AWS_REGION }} - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: '3.11' cache: 'pip' 
@@ -81,7 +85,7 @@ jobs: - name: Run role tests id: molecule-role-test - uses: nick-fields/retry@v3 + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 env: MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} @@ -100,7 +104,7 @@ jobs: continue-on-error: true - name: Ensure instances are destroyed - uses: nick-fields/retry@v3 + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 env: MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} @@ -118,7 +122,7 @@ jobs: molecule --debug destroy -s ${{ matrix.collection_role }} - name: Assert molecule tests passed - uses: nick-fields/assert-action@v2 + uses: nick-fields/assert-action@aa0067e01f0f6545c31755d6ca128c5a3a14f6bf # v2.0.0 with: expected: success actual: ${{ steps.molecule-role-test.outcome }} diff --git a/.github/workflows/pwsh_uninstall.yml b/.github/workflows/pwsh_uninstall.yml index 15e8cfcc..65b45b43 100644 --- a/.github/workflows/pwsh_uninstall.yml +++ b/.github/workflows/pwsh_uninstall.yml @@ -15,6 +15,10 @@ on: - 'molecule/pwsh_uninstall/**' - 'powershell/install/**' - '.github/workflows/pwsh_uninstall.yml' + +permissions: + contents: read + jobs: molecule: if: | 
@@ -50,24 +54,24 @@ jobs: - pwsh_uninstall steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 if: github.event_name != 'pull_request_target' - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: ref: ${{github.event.pull_request.head.sha}} if: github.event_name == 'pull_request_target' - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: role-to-assume: ${{ secrets.AWS_OIDC_ROLE }} role-session-name: github-actions-molecule-ansible aws-region: ${{ env.AWS_REGION }} - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: '3.11' cache: 'pip' @@ -81,7 +85,7 @@ jobs: - name: Run role tests id: molecule-role-test - uses: nick-fields/retry@v3 + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 env: MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} @@ -100,7 +104,7 @@ jobs: continue-on-error: true - name: Ensure instances are destroyed - uses: nick-fields/retry@v3 + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 env: MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} @@ -118,7 +122,7 @@ jobs: molecule --debug destroy -s ${{ matrix.collection_role }} - name: Assert molecule tests passed - uses: nick-fields/assert-action@v2 + uses: nick-fields/assert-action@aa0067e01f0f6545c31755d6ca128c5a3a14f6bf # v2.0.0 with: expected: success actual: ${{ steps.molecule-role-test.outcome }} 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 603076af..75a16dc4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,14 +5,16 @@ on: types: - created +permissions: + contents: write + jobs: release: runs-on: ubuntu-latest - permissions: - contents: write + timeout-minutes: 15 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - name: Release artifacts to GitHub run: | # Create powershell install zip diff --git a/.github/workflows/shell_format.yml b/.github/workflows/shell_format.yml index f7ed7e57..5784db5b 100644 --- a/.github/workflows/shell_format.yml +++ b/.github/workflows/shell_format.yml @@ -1,18 +1,25 @@ +name: Shell Format Check + on: pull_request: paths: - 'bash/**' - '.github/workflows/shell_format.yml' +permissions: + contents: read + jobs: shfmt: runs-on: ubuntu-latest + timeout-minutes: 10 permissions: + contents: read pull-requests: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - name: Run shfmt with reviewdog - uses: reviewdog/action-shfmt@v1.0.4 + uses: reviewdog/action-shfmt@650566520dd8dfd3ac8f4129754a0aa342fdda4d # v1.0.4 with: fail_on_error: true workdir: 'bash' diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml index 27e27955..7b779b96 100644 --- a/.github/workflows/shellcheck.yml +++ b/.github/workflows/shellcheck.yml @@ -1,3 +1,5 @@ +name: ShellCheck Linting + on: push: paths: 
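Review bot: Moving `permissions: contents: write` from the `release` job to the workflow level widens the grant rather than narrowing it: the job-level block that was removed was already least-privilege, and a top-level write now applies to any job added to this file later. Keep the workflow default at `contents: read` (as every other workflow in this commit does) and restore `contents: write` in the `release` job's own `permissions:` block next to the new `timeout-minutes: 15`. The checkout also keeps the default `persist-credentials: true`, so the write-capable token is written into `.git/config` before the `run:` script executes; unless that script pushes with git (it appears to only build zips, but its body is outside this hunk), add `persist-credentials: false` to the checkout.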
@@ -9,23 +11,28 @@ on: - 'bash/**' - '.github/workflows/shellcheck.yml' +permissions: + contents: read + jobs: bash: runs-on: ubuntu-latest + timeout-minutes: 10 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - name: Run ShellCheck - uses: ludeeus/action-shellcheck@master + uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # 2.0.0 with: format: tty scandir: './bash' dash: runs-on: ubuntu-latest + timeout-minutes: 10 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - name: Run ShellCheck to check against dash shells - uses: ludeeus/action-shellcheck@master + uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # 2.0.0 with: format: tty scandir: './bash' diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index ac0f0028..4b352527 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -9,16 +9,20 @@ on: schedule: - cron: '18 23 * * *' +permissions: + contents: read + jobs: stale: runs-on: ubuntu-latest + timeout-minutes: 10 permissions: issues: write pull-requests: write steps: - - uses: actions/stale@v9 + - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} days-before-stale: 14 From 543db18e867eac413166378e596f97026b3285a1 Mon Sep 17 00:00:00 2001 
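Review bot: Both `actions/checkout` steps in this hunk (the `bash` and `dash` jobs) keep the default `persist-credentials: true`, so the `GITHUB_TOKEN` is stored in `.git/config` before the third-party `ludeeus/action-shellcheck` step runs over the tree; under the new `contents: read` the token is read-only, but a linter has no need for it at all. Add `persist-credentials: false` under a `with:` block on each checkout here, and consider the same for the other lint-only workflows (`shell_format.yml`, `docs.yml`) since the second patch does not touch them. A one-line comment such as `# lint only: no git credentials needed in the workspace` above the checkout would make the intent survive future edits.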
From: Carlos Matos Date: Fri, 30 Jan 2026 08:35:39 -0500 Subject: [PATCH 2/2] ci: replace pull_request_target with environment-based protection - Convert 10 workflows from pull_request_target to pull_request trigger - Create 3 reusable workflows with centralized test logic: - reusable-molecule-test-linux.yml - reusable-molecule-test-windows.yml - reusable-container-sensor-pull.yml - Add environment protection (molecule-testing) for PR secret access - Update actions/checkout to v5.0.1 (SHA pinned) - Fix psscriptanalyzer action pinning from main to v1.1 - Add CODEOWNERS file with falcon-scripts-cs-maintainers Security improvements: - Eliminates pull_request_target risks from fork PRs - Environment approval gates secret access for external contributors - All actions properly SHA-pinned with version comments - PR SHA passed explicitly to prevent confusion attacks --- .github/CODEOWNERS | 5 + .github/workflows/bash_install.yml | 162 +++--------------- .github/workflows/bash_install_decrement.yml | 162 +++--------------- .github/workflows/bash_install_only.yml | 162 +++--------------- .github/workflows/bash_install_policy.yml | 162 +++--------------- .github/workflows/bash_migrate.yml | 162 +++--------------- .github/workflows/container_sensor_pull.yml | 57 +++--- .github/workflows/psscriptanalyzer.yml | 2 +- .github/workflows/pwsh_install_ccid.yml | 131 ++++---------- .github/workflows/pwsh_install_policy.yml | 131 ++++---------- .github/workflows/pwsh_migrate.yml | 131 ++++---------- .github/workflows/pwsh_uninstall.yml | 131 ++++---------- .../reusable-container-sensor-pull.yml | 58 +++++++ .../reusable-molecule-test-linux.yml | 126 ++++++++++++++ .../reusable-molecule-test-windows.yml | 129 ++++++++++++++ 15 files changed, 601 insertions(+), 1110 deletions(-) create mode 100644 .github/CODEOWNERS create mode 100644 .github/workflows/reusable-container-sensor-pull.yml create mode 100644 .github/workflows/reusable-molecule-test-linux.yml create mode 100644 
.github/workflows/reusable-molecule-test-windows.yml diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 00000000..98ee80aa --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,5 @@ +# CODEOWNERS file for falcon-scripts repository +# See: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners + +# Default owners for everything in the repo +* @CrowdStrike/falcon-scripts-cs-maintainers diff --git a/.github/workflows/bash_install.yml b/.github/workflows/bash_install.yml index 976924ad..bb9c36c2 100644 --- a/.github/workflows/bash_install.yml +++ b/.github/workflows/bash_install.yml @@ -9,8 +9,7 @@ on: - 'bash/install/**' - '.github/workflows/bash_install.yml' - pull_request_target: - types: [ labeled ] + pull_request: paths: - 'molecule/bash_install/**' - 'bash/install/**' 
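Review bot: Switching `bash_install.yml` from `pull_request_target` to `pull_request` drops the `ok-to-test` label gate, but the commit message's claim that the `molecule-testing` environment now "gates secret access for external contributors" does not hold for fork PRs as far as I can tell: on `pull_request` events from a fork GitHub withholds repository and environment secrets entirely (only `GITHUB_TOKEN` is passed, and `id-token: write` is not honoured), so the reusable workflow's `AWS_OIDC_ROLE` and `FALCON_*` inputs would arrive empty and the molecule jobs would fail rather than wait for approval. If fork PRs are meant to run the suite, the secrets need a path that does not depend on `pull_request` (for example a maintainer-initiated `workflow_dispatch` against the PR's head SHA); if they are not, guard the calling job with `if: github.event.pull_request.head.repo.full_name == github.repository` so the outcome is an explicit skip instead of a credential failure. Either way, document the fork behaviour in a comment directly above `pull_request:`, since the trigger alone no longer tells a reader what happens for external contributors. The `jobs:` block this trigger feeds is in the next hunk, which runs past the end of what is visible here.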
@@ -20,142 +19,37 @@ permissions: contents: read jobs: - molecule: - if: | - github.event_name == 'push' || - github.event_name == 'schedule' || - (github.event_name == 'pull_request_target' && - github.event.label.name == 'ok-to-test') - name: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} + validate: + name: Validate runs-on: ubuntu-latest - env: - PY_COLORS: 1 - ANSIBLE_FORCE_COLOR: 1 - FALCON_CLIENT_ID: ${{ secrets.FALCON_CLIENT_ID }} - FALCON_CLIENT_SECRET: ${{ secrets.FALCON_CLIENT_SECRET }} - AWS_REGION: "us-west-1" - MOLECULE_VPC_SUBNET_ID: ${{ secrets.MOLECULE_VPC_SUBNET_ID }} - permissions: - contents: read - id-token: write - strategy: - fail-fast: false - matrix: - molecule: - - distro: ubuntu-20.04 - image_owner: '099720109477' - image_arch: x86_64 - image_name: ubuntu/images/hvm-ssd/ubuntu-focal-20.04* - instance_type: t2.micro - - distro: ubuntu-22.04 - image_owner: '099720109477' - image_arch: x86_64 - image_name: ubuntu/images/hvm-ssd/ubuntu-jammy-22.04* - instance_type: t2.micro - - distro: amazon-2023 - image_owner: '137112412989' - image_arch: x86_64 - image_name: al2023-ami-2023* - instance_type: t2.micro - - distro: amazon-2 - image_owner: '137112412989' - image_arch: x86_64 - image_name: amzn2-ami-hvm-2.0*gp2 - instance_type: t2.micro - - distro: sles-15-sp5 - image_owner: '013907871322' - image_arch: x86_64 - image_name: suse-sles-15-sp5-v????????-hvm* - instance_type: t2.micro - - distro: almalinux-8 - image_owner: '679593333241' - image_arch: x86_64 - image_name: AlmaLinux OS 8* - instance_type: t2.micro - - distro: rhel-9 - image_owner: '309956199498' - image_arch: x86_64 - image_name: RHEL-9.?.?_HVM-* - instance_type: t2.micro - - distro: rhel-9-arm - image_owner: '309956199498' - image_arch: arm64 - image_name: RHEL-9.?.?_HVM-* - instance_type: t4g.micro - collection_role: - - bash_install - steps: - name: Check out code uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - if: github.event_name != 
'pull_request_target' - - - name: Check out code - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - with: - ref: ${{github.event.pull_request.head.sha}} - if: github.event_name == 'pull_request_target' - - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 - with: - role-to-assume: ${{ secrets.AWS_OIDC_ROLE }} - role-session-name: github-actions-molecule-ansible - aws-region: ${{ env.AWS_REGION }} - - - name: Set up Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: - python-version: '3.11' - cache: 'pip' - cache-dependency-path: '.github/workflows/bash_install.yml' + persist-credentials: false - - name: Install dependencies + - name: Shellcheck run: | - sudo apt install apt-transport-https ca-certificates curl software-properties-common libssl-dev - python -m pip install --upgrade pip - pip install molecule "molecule-plugins[ec2]" ansible ansible-core==2.16.7 ansible-lint boto3 botocore - - - name: Run role tests - id: molecule-role-test - uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 - env: - MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} - MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} - MOLECULE_IMAGE_ARCH: ${{ matrix.molecule.image_arch }} - MOLECULE_IMAGE_NAME: '${{ matrix.molecule.image_name }}' - MOLECULE_INSTANCE_TYPE: ${{ matrix.molecule.instance_type }} - MOLECULE_REGION: ${{ env.AWS_REGION}} - with: - timeout_minutes: 30 - max_attempts: 3 - retry_on: error - command: >- - molecule --version && - ansible --version && - molecule --debug test --destroy never -s ${{ matrix.collection_role }} - continue-on-error: true - - - name: Ensure instances are destroyed - uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 - env: - MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} - 
MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} - MOLECULE_IMAGE_ARCH: ${{ matrix.molecule.image_arch }} - MOLECULE_IMAGE_NAME: '${{ matrix.molecule.image_name }}' - MOLECULE_INSTANCE_TYPE: ${{ matrix.molecule.instance_type }} - MOLECULE_REGION: ${{ env.AWS_REGION}} - with: - timeout_minutes: 10 - max_attempts: 3 - retry_on: error - command: >- - molecule --version && - ansible --version && - molecule --debug destroy -s ${{ matrix.collection_role }} - - - name: Assert molecule tests passed - uses: nick-fields/assert-action@aa0067e01f0f6545c31755d6ca128c5a3a14f6bf # v2.0.0 - with: - expected: success - actual: ${{ steps.molecule-role-test.outcome }} + shellcheck --version + shellcheck bash/install/falcon-linux-install.sh + + molecule-test: + name: Molecule Test + needs: validate + uses: ./.github/workflows/reusable-molecule-test-linux.yml + with: + distros: | + [ + {"name": "ubuntu-20.04", "image_owner": "099720109477", "image_arch": "x86_64", "image_name": "ubuntu/images/hvm-ssd/ubuntu-focal-20.04*", "instance_type": "t2.micro"}, + {"name": "ubuntu-22.04", "image_owner": "099720109477", "image_arch": "x86_64", "image_name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04*", "instance_type": "t2.micro"}, + {"name": "amazon-2023", "image_owner": "137112412989", "image_arch": "x86_64", "image_name": "al2023-ami-2023*", "instance_type": "t2.micro"}, + {"name": "amazon-2", "image_owner": "137112412989", "image_arch": "x86_64", "image_name": "amzn2-ami-hvm-2.0*gp2", "instance_type": "t2.micro"}, + {"name": "sles-15-sp5", "image_owner": "013907871322", "image_arch": "x86_64", "image_name": "suse-sles-15-sp5-v????????-hvm*", "instance_type": "t2.micro"}, + {"name": "almalinux-8", "image_owner": "679593333241", "image_arch": "x86_64", "image_name": "AlmaLinux OS 8*", "instance_type": "t2.micro"}, + {"name": "rhel-9", "image_owner": "309956199498", "image_arch": "x86_64", "image_name": "RHEL-9.?.?_HVM-*", "instance_type": "t2.micro"}, + {"name": "rhel-9-arm", 
"image_owner": "309956199498", "image_arch": "arm64", "image_name": "RHEL-9.?.?_HVM-*", "instance_type": "t4g.micro"} + ] + collection_role: bash_install + pr_sha: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || '' }} + pr_repo: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || '' }} + secrets: inherit diff --git a/.github/workflows/bash_install_decrement.yml b/.github/workflows/bash_install_decrement.yml index a42ef2b2..7fb4d1fb 100644 --- a/.github/workflows/bash_install_decrement.yml +++ b/.github/workflows/bash_install_decrement.yml @@ -9,8 +9,7 @@ on: - 'bash/install/**' - '.github/workflows/bash_install_decrement.yml' - pull_request_target: - types: [ labeled ] + pull_request: paths: - 'molecule/bash_install_decrement/**' - 'bash/install/**' 
@@ -20,142 +19,37 @@ permissions: contents: read jobs: - molecule: - if: | - github.event_name == 'push' || - github.event_name == 'schedule' || - (github.event_name == 'pull_request_target' && - github.event.label.name == 'ok-to-test') - name: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} + validate: + name: Validate runs-on: ubuntu-latest - env: - PY_COLORS: 1 - ANSIBLE_FORCE_COLOR: 1 - FALCON_CLIENT_ID: ${{ secrets.FALCON_CLIENT_ID }} - FALCON_CLIENT_SECRET: ${{ secrets.FALCON_CLIENT_SECRET }} - AWS_REGION: "us-west-1" - MOLECULE_VPC_SUBNET_ID: ${{ secrets.MOLECULE_VPC_SUBNET_ID }} - permissions: - contents: read - id-token: write - strategy: - fail-fast: false - matrix: - molecule: - - distro: ubuntu-20.04 - image_owner: '099720109477' - image_arch: x86_64 - image_name: ubuntu/images/hvm-ssd/ubuntu-focal-20.04* - instance_type: t2.micro - - distro: ubuntu-22.04 - image_owner: '099720109477' - image_arch: x86_64 - image_name: ubuntu/images/hvm-ssd/ubuntu-jammy-22.04* - instance_type: t2.micro - - distro: amazon-2023 - image_owner: '137112412989' - image_arch: x86_64 - image_name: al2023-ami-2023* - instance_type: t2.micro - - distro: amazon-2 - image_owner: '137112412989' - image_arch: x86_64 - image_name: amzn2-ami-hvm-2.0*gp2 - instance_type: t2.micro - - distro: sles-15-sp5 - image_owner: '013907871322' - image_arch: x86_64 - image_name: suse-sles-15-sp5-v????????-hvm* - instance_type: t2.micro - - distro: almalinux-8 - image_owner: '679593333241' - image_arch: x86_64 - image_name: AlmaLinux OS 8* - instance_type: t2.micro - - distro: rhel-9 - image_owner: '309956199498' - image_arch: x86_64 - image_name: RHEL-9.?.?_HVM-* - instance_type: t2.micro - - distro: rhel-9-arm - image_owner: '309956199498' - image_arch: arm64 - image_name: RHEL-9.?.?_HVM-* - instance_type: t4g.micro - collection_role: - - bash_install_decrement - steps: - name: Check out code uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - if: 
github.event_name != 'pull_request_target' - - - name: Check out code - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - with: - ref: ${{github.event.pull_request.head.sha}} - if: github.event_name == 'pull_request_target' - - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 - with: - role-to-assume: ${{ secrets.AWS_OIDC_ROLE }} - role-session-name: github-actions-molecule-ansible - aws-region: ${{ env.AWS_REGION }} - - - name: Set up Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: - python-version: '3.11' - cache: 'pip' - cache-dependency-path: '.github/workflows/bash_install_decrement.yml' + persist-credentials: false - - name: Install dependencies + - name: Shellcheck run: | - sudo apt install apt-transport-https ca-certificates curl software-properties-common libssl-dev - python -m pip install --upgrade pip - pip install molecule "molecule-plugins[ec2]" ansible ansible-core==2.16.7 ansible-lint boto3 botocore - - - name: Run role tests - id: molecule-role-test - uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 - env: - MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} - MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} - MOLECULE_IMAGE_ARCH: ${{ matrix.molecule.image_arch }} - MOLECULE_IMAGE_NAME: '${{ matrix.molecule.image_name }}' - MOLECULE_INSTANCE_TYPE: ${{ matrix.molecule.instance_type }} - MOLECULE_REGION: ${{ env.AWS_REGION}} - with: - timeout_minutes: 30 - max_attempts: 3 - retry_on: error - command: >- - molecule --version && - ansible --version && - molecule --debug test --destroy never -s ${{ matrix.collection_role }} - continue-on-error: true - - - name: Ensure instances are destroyed - uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 - env: - MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ 
matrix.collection_role }} - MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} - MOLECULE_IMAGE_ARCH: ${{ matrix.molecule.image_arch }} - MOLECULE_IMAGE_NAME: '${{ matrix.molecule.image_name }}' - MOLECULE_INSTANCE_TYPE: ${{ matrix.molecule.instance_type }} - MOLECULE_REGION: ${{ env.AWS_REGION}} - with: - timeout_minutes: 10 - max_attempts: 3 - retry_on: error - command: >- - molecule --version && - ansible --version && - molecule --debug destroy -s ${{ matrix.collection_role }} - - - name: Assert molecule tests passed - uses: nick-fields/assert-action@aa0067e01f0f6545c31755d6ca128c5a3a14f6bf # v2.0.0 - with: - expected: success - actual: ${{ steps.molecule-role-test.outcome }} + shellcheck --version + shellcheck bash/install/falcon-linux-install.sh + + molecule-test: + name: Molecule Test + needs: validate + uses: ./.github/workflows/reusable-molecule-test-linux.yml + with: + distros: | + [ + {"name": "ubuntu-20.04", "image_owner": "099720109477", "image_arch": "x86_64", "image_name": "ubuntu/images/hvm-ssd/ubuntu-focal-20.04*", "instance_type": "t2.micro"}, + {"name": "ubuntu-22.04", "image_owner": "099720109477", "image_arch": "x86_64", "image_name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04*", "instance_type": "t2.micro"}, + {"name": "amazon-2023", "image_owner": "137112412989", "image_arch": "x86_64", "image_name": "al2023-ami-2023*", "instance_type": "t2.micro"}, + {"name": "amazon-2", "image_owner": "137112412989", "image_arch": "x86_64", "image_name": "amzn2-ami-hvm-2.0*gp2", "instance_type": "t2.micro"}, + {"name": "sles-15-sp5", "image_owner": "013907871322", "image_arch": "x86_64", "image_name": "suse-sles-15-sp5-v????????-hvm*", "instance_type": "t2.micro"}, + {"name": "almalinux-8", "image_owner": "679593333241", "image_arch": "x86_64", "image_name": "AlmaLinux OS 8*", "instance_type": "t2.micro"}, + {"name": "rhel-9", "image_owner": "309956199498", "image_arch": "x86_64", "image_name": "RHEL-9.?.?_HVM-*", "instance_type": "t2.micro"}, + 
{"name": "rhel-9-arm", "image_owner": "309956199498", "image_arch": "arm64", "image_name": "RHEL-9.?.?_HVM-*", "instance_type": "t4g.micro"} + ] + collection_role: bash_install_decrement + pr_sha: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || '' }} + pr_repo: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || '' }} + secrets: inherit diff --git a/.github/workflows/bash_install_only.yml b/.github/workflows/bash_install_only.yml index 17060ec7..42142a9e 100644 --- a/.github/workflows/bash_install_only.yml +++ b/.github/workflows/bash_install_only.yml @@ -9,8 +9,7 @@ on: - 'bash/install/**' - '.github/workflows/bash_install_only.yml' - pull_request_target: - types: [ labeled ] + pull_request: paths: - 'molecule/bash_install_only/**' - 'bash/install/**' 
@@ -20,142 +19,37 @@ permissions: contents: read jobs: - molecule: - if: | - github.event_name == 'push' || - github.event_name == 'schedule' || - (github.event_name == 'pull_request_target' && - github.event.label.name == 'ok-to-test') - name: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} + validate: + name: Validate runs-on: ubuntu-latest - env: - PY_COLORS: 1 - ANSIBLE_FORCE_COLOR: 1 - FALCON_CLIENT_ID: ${{ secrets.FALCON_CLIENT_ID }} - FALCON_CLIENT_SECRET: ${{ secrets.FALCON_CLIENT_SECRET }} - AWS_REGION: "us-west-1" - MOLECULE_VPC_SUBNET_ID: ${{ secrets.MOLECULE_VPC_SUBNET_ID }} - permissions: - contents: read - id-token: write - strategy: - fail-fast: false - matrix: - molecule: - - distro: ubuntu-20.04 - image_owner: '099720109477' - image_arch: x86_64 - image_name: ubuntu/images/hvm-ssd/ubuntu-focal-20.04* - instance_type: t2.micro - - distro: ubuntu-22.04 - image_owner: '099720109477' - image_arch: x86_64 - image_name: ubuntu/images/hvm-ssd/ubuntu-jammy-22.04* - instance_type: t2.micro - - distro: amazon-2023 - image_owner: '137112412989' - image_arch: x86_64 - image_name: al2023-ami-2023* - instance_type: t2.micro - - distro: amazon-2 - image_owner: '137112412989' - image_arch: x86_64 - image_name: amzn2-ami-hvm-2.0*gp2 - instance_type: t2.micro - - distro: sles-15-sp5 - image_owner: '013907871322' - image_arch: x86_64 - image_name: suse-sles-15-sp5-v????????-hvm* - instance_type: t2.micro - - distro: almalinux-8 - image_owner: '679593333241' - image_arch: x86_64 - image_name: AlmaLinux OS 8* - instance_type: t2.micro - - distro: rhel-9 - image_owner: '309956199498' - image_arch: x86_64 - image_name: RHEL-9.?.?_HVM-* - instance_type: t2.micro - - distro: rhel-9-arm - image_owner: '309956199498' - image_arch: arm64 - image_name: RHEL-9.?.?_HVM-* - instance_type: t4g.micro - collection_role: - - bash_install_only - steps: - name: Check out code uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - if: github.event_name != 
'pull_request_target' - - - name: Check out code - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - with: - ref: ${{github.event.pull_request.head.sha}} - if: github.event_name == 'pull_request_target' - - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 - with: - role-to-assume: ${{ secrets.AWS_OIDC_ROLE }} - role-session-name: github-actions-molecule-ansible - aws-region: ${{ env.AWS_REGION }} - - - name: Set up Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: - python-version: '3.11' - cache: 'pip' - cache-dependency-path: '.github/workflows/bash_install_only.yml' + persist-credentials: false - - name: Install dependencies + - name: Shellcheck run: | - sudo apt install apt-transport-https ca-certificates curl software-properties-common libssl-dev - python -m pip install --upgrade pip - pip install molecule "molecule-plugins[ec2]" ansible ansible-core==2.16.7 ansible-lint boto3 botocore - - - name: Run role tests - id: molecule-role-test - uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 - env: - MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} - MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} - MOLECULE_IMAGE_ARCH: ${{ matrix.molecule.image_arch }} - MOLECULE_IMAGE_NAME: '${{ matrix.molecule.image_name }}' - MOLECULE_INSTANCE_TYPE: ${{ matrix.molecule.instance_type }} - MOLECULE_REGION: ${{ env.AWS_REGION}} - with: - timeout_minutes: 30 - max_attempts: 3 - retry_on: error - command: >- - molecule --version && - ansible --version && - molecule --debug test --destroy never -s ${{ matrix.collection_role }} - continue-on-error: true - - - name: Ensure instances are destroyed - uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 - env: - MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} - 
MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} - MOLECULE_IMAGE_ARCH: ${{ matrix.molecule.image_arch }} - MOLECULE_IMAGE_NAME: '${{ matrix.molecule.image_name }}' - MOLECULE_INSTANCE_TYPE: ${{ matrix.molecule.instance_type }} - MOLECULE_REGION: ${{ env.AWS_REGION}} - with: - timeout_minutes: 10 - max_attempts: 3 - retry_on: error - command: >- - molecule --version && - ansible --version && - molecule --debug destroy -s ${{ matrix.collection_role }} - - - name: Assert molecule tests passed - uses: nick-fields/assert-action@aa0067e01f0f6545c31755d6ca128c5a3a14f6bf # v2.0.0 - with: - expected: success - actual: ${{ steps.molecule-role-test.outcome }} + shellcheck --version + shellcheck bash/install/falcon-linux-install.sh + + molecule-test: + name: Molecule Test + needs: validate + uses: ./.github/workflows/reusable-molecule-test-linux.yml + with: + distros: | + [ + {"name": "ubuntu-20.04", "image_owner": "099720109477", "image_arch": "x86_64", "image_name": "ubuntu/images/hvm-ssd/ubuntu-focal-20.04*", "instance_type": "t2.micro"}, + {"name": "ubuntu-22.04", "image_owner": "099720109477", "image_arch": "x86_64", "image_name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04*", "instance_type": "t2.micro"}, + {"name": "amazon-2023", "image_owner": "137112412989", "image_arch": "x86_64", "image_name": "al2023-ami-2023*", "instance_type": "t2.micro"}, + {"name": "amazon-2", "image_owner": "137112412989", "image_arch": "x86_64", "image_name": "amzn2-ami-hvm-2.0*gp2", "instance_type": "t2.micro"}, + {"name": "sles-15-sp5", "image_owner": "013907871322", "image_arch": "x86_64", "image_name": "suse-sles-15-sp5-v????????-hvm*", "instance_type": "t2.micro"}, + {"name": "almalinux-8", "image_owner": "679593333241", "image_arch": "x86_64", "image_name": "AlmaLinux OS 8*", "instance_type": "t2.micro"}, + {"name": "rhel-9", "image_owner": "309956199498", "image_arch": "x86_64", "image_name": "RHEL-9.?.?_HVM-*", "instance_type": "t2.micro"}, + {"name": "rhel-9-arm", 
"image_owner": "309956199498", "image_arch": "arm64", "image_name": "RHEL-9.?.?_HVM-*", "instance_type": "t4g.micro"} + ] + collection_role: bash_install_only + pr_sha: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || '' }} + pr_repo: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || '' }} + secrets: inherit diff --git a/.github/workflows/bash_install_policy.yml b/.github/workflows/bash_install_policy.yml index 8d99caa1..c3a4257a 100644 --- a/.github/workflows/bash_install_policy.yml +++ b/.github/workflows/bash_install_policy.yml @@ -9,8 +9,7 @@ on: - 'bash/install/**' - '.github/workflows/bash_install_policy.yml' - pull_request_target: - types: [ labeled ] + pull_request: paths: - 'molecule/bash_install_policy/**' - 'bash/install/**' 
@@ -20,142 +19,37 @@ permissions: contents: read jobs: - molecule: - if: | - github.event_name == 'push' || - github.event_name == 'schedule' || - (github.event_name == 'pull_request_target' && - github.event.label.name == 'ok-to-test') - name: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} + validate: + name: Validate runs-on: ubuntu-latest - env: - PY_COLORS: 1 - ANSIBLE_FORCE_COLOR: 1 - FALCON_CLIENT_ID: ${{ secrets.FALCON_CLIENT_ID }} - FALCON_CLIENT_SECRET: ${{ secrets.FALCON_CLIENT_SECRET }} - AWS_REGION: "us-west-1" - MOLECULE_VPC_SUBNET_ID: ${{ secrets.MOLECULE_VPC_SUBNET_ID }} - permissions: - contents: read - id-token: write - strategy: - fail-fast: false - matrix: - molecule: - - distro: ubuntu-20.04 - image_owner: '099720109477' - image_arch: x86_64 - image_name: ubuntu/images/hvm-ssd/ubuntu-focal-20.04* - instance_type: t2.micro - - distro: ubuntu-22.04 - image_owner: '099720109477' - image_arch: x86_64 - image_name: ubuntu/images/hvm-ssd/ubuntu-jammy-22.04* - instance_type: t2.micro - - distro: amazon-2023 - image_owner: '137112412989' - image_arch: x86_64 - image_name: al2023-ami-2023* - instance_type: t2.micro - - distro: amazon-2 - image_owner: '137112412989' - image_arch: x86_64 - image_name: amzn2-ami-hvm-2.0*gp2 - instance_type: t2.micro - - distro: sles-15-sp5 - image_owner: '013907871322' - image_arch: x86_64 - image_name: suse-sles-15-sp5-v????????-hvm* - instance_type: t2.micro - - distro: almalinux-8 - image_owner: '679593333241' - image_arch: x86_64 - image_name: AlmaLinux OS 8* - instance_type: t2.micro - - distro: rhel-9 - image_owner: '309956199498' - image_arch: x86_64 - image_name: RHEL-9.?.?_HVM-* - instance_type: t2.micro - - distro: rhel-9-arm - image_owner: '309956199498' - image_arch: arm64 - image_name: RHEL-9.?.?_HVM-* - instance_type: t4g.micro - collection_role: - - bash_install_policy - steps: - name: Check out code uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - if: github.event_name 
!= 'pull_request_target' - - - name: Check out code - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - with: - ref: ${{github.event.pull_request.head.sha}} - if: github.event_name == 'pull_request_target' - - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 - with: - role-to-assume: ${{ secrets.AWS_OIDC_ROLE }} - role-session-name: github-actions-molecule-ansible - aws-region: ${{ env.AWS_REGION }} - - - name: Set up Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: - python-version: '3.11' - cache: 'pip' - cache-dependency-path: '.github/workflows/bash_install_policy.yml' + persist-credentials: false - - name: Install dependencies + - name: Shellcheck run: | - sudo apt install apt-transport-https ca-certificates curl software-properties-common libssl-dev - python -m pip install --upgrade pip - pip install molecule "molecule-plugins[ec2]" ansible ansible-core==2.16.7 ansible-lint boto3 botocore - - - name: Run role tests - id: molecule-role-test - uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 - env: - MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} - MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} - MOLECULE_IMAGE_ARCH: ${{ matrix.molecule.image_arch }} - MOLECULE_IMAGE_NAME: '${{ matrix.molecule.image_name }}' - MOLECULE_INSTANCE_TYPE: ${{ matrix.molecule.instance_type }} - MOLECULE_REGION: ${{ env.AWS_REGION}} - with: - timeout_minutes: 30 - max_attempts: 3 - retry_on: error - command: >- - molecule --version && - ansible --version && - molecule --debug test --destroy never -s ${{ matrix.collection_role }} - continue-on-error: true - - - name: Ensure instances are destroyed - uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 - env: - MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} - 
MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} - MOLECULE_IMAGE_ARCH: ${{ matrix.molecule.image_arch }} - MOLECULE_IMAGE_NAME: '${{ matrix.molecule.image_name }}' - MOLECULE_INSTANCE_TYPE: ${{ matrix.molecule.instance_type }} - MOLECULE_REGION: ${{ env.AWS_REGION}} - with: - timeout_minutes: 10 - max_attempts: 3 - retry_on: error - command: >- - molecule --version && - ansible --version && - molecule --debug destroy -s ${{ matrix.collection_role }} - - - name: Assert molecule tests passed - uses: nick-fields/assert-action@aa0067e01f0f6545c31755d6ca128c5a3a14f6bf # v2.0.0 - with: - expected: success - actual: ${{ steps.molecule-role-test.outcome }} + shellcheck --version + shellcheck bash/install/falcon-linux-install.sh + + molecule-test: + name: Molecule Test + needs: validate + uses: ./.github/workflows/reusable-molecule-test-linux.yml + with: + distros: | + [ + {"name": "ubuntu-20.04", "image_owner": "099720109477", "image_arch": "x86_64", "image_name": "ubuntu/images/hvm-ssd/ubuntu-focal-20.04*", "instance_type": "t2.micro"}, + {"name": "ubuntu-22.04", "image_owner": "099720109477", "image_arch": "x86_64", "image_name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04*", "instance_type": "t2.micro"}, + {"name": "amazon-2023", "image_owner": "137112412989", "image_arch": "x86_64", "image_name": "al2023-ami-2023*", "instance_type": "t2.micro"}, + {"name": "amazon-2", "image_owner": "137112412989", "image_arch": "x86_64", "image_name": "amzn2-ami-hvm-2.0*gp2", "instance_type": "t2.micro"}, + {"name": "sles-15-sp5", "image_owner": "013907871322", "image_arch": "x86_64", "image_name": "suse-sles-15-sp5-v????????-hvm*", "instance_type": "t2.micro"}, + {"name": "almalinux-8", "image_owner": "679593333241", "image_arch": "x86_64", "image_name": "AlmaLinux OS 8*", "instance_type": "t2.micro"}, + {"name": "rhel-9", "image_owner": "309956199498", "image_arch": "x86_64", "image_name": "RHEL-9.?.?_HVM-*", "instance_type": "t2.micro"}, + {"name": "rhel-9-arm", 
"image_owner": "309956199498", "image_arch": "arm64", "image_name": "RHEL-9.?.?_HVM-*", "instance_type": "t4g.micro"} + ] + collection_role: bash_install_policy + pr_sha: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || '' }} + pr_repo: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || '' }} + secrets: inherit diff --git a/.github/workflows/bash_migrate.yml b/.github/workflows/bash_migrate.yml index d71b2d62..bb01084e 100644 --- a/.github/workflows/bash_migrate.yml +++ b/.github/workflows/bash_migrate.yml @@ -9,8 +9,7 @@ on: - 'bash/migrate/**.sh' - '.github/workflows/bash_migrate.yml' - pull_request_target: - types: [ labeled ] + pull_request: paths: - 'molecule/bash_migrate/**' - 'bash/migrate/**.sh' 
@@ -20,142 +19,37 @@ permissions: contents: read jobs: - molecule: - if: | - github.event_name == 'push' || - github.event_name == 'schedule' || - (github.event_name == 'pull_request_target' && - github.event.label.name == 'ok-to-test') - name: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} + validate: + name: Validate runs-on: ubuntu-latest - env: - PY_COLORS: 1 - ANSIBLE_FORCE_COLOR: 1 - FALCON_CLIENT_ID: ${{ secrets.FALCON_CLIENT_ID }} - FALCON_CLIENT_SECRET: ${{ secrets.FALCON_CLIENT_SECRET }} - AWS_REGION: "us-west-1" - MOLECULE_VPC_SUBNET_ID: ${{ secrets.MOLECULE_VPC_SUBNET_ID }} - permissions: - contents: read - id-token: write - strategy: - fail-fast: false - matrix: - molecule: - - distro: ubuntu-20.04 - image_owner: '099720109477' - image_arch: x86_64 - image_name: ubuntu/images/hvm-ssd/ubuntu-focal-20.04* - instance_type: t2.micro - - distro: ubuntu-22.04 - image_owner: '099720109477' - image_arch: x86_64 - image_name: ubuntu/images/hvm-ssd/ubuntu-jammy-22.04* - instance_type: t2.micro - - distro: amazon-2023 - image_owner: '137112412989' - image_arch: x86_64 - image_name: al2023-ami-2023* - instance_type: t2.micro - - distro: amazon-2 - image_owner: '137112412989' - image_arch: x86_64 - image_name: amzn2-ami-hvm-2.0*gp2 - instance_type: t2.micro - - distro: sles-15-sp5 - image_owner: '013907871322' - image_arch: x86_64 - image_name: suse-sles-15-sp5-v????????-hvm* - instance_type: t2.micro - - distro: almalinux-8 - image_owner: '679593333241' - image_arch: x86_64 - image_name: AlmaLinux OS 8* - instance_type: t2.micro - - distro: rhel-9 - image_owner: '309956199498' - image_arch: x86_64 - image_name: RHEL-9.?.?_HVM-* - instance_type: t2.micro - - distro: rhel-9-arm - image_owner: '309956199498' - image_arch: arm64 - image_name: RHEL-9.?.?_HVM-* - instance_type: t4g.micro - collection_role: - - bash_migrate - steps: - name: Check out code uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - if: github.event_name != 
'pull_request_target' - - - name: Check out code - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - with: - ref: ${{github.event.pull_request.head.sha}} - if: github.event_name == 'pull_request_target' - - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 - with: - role-to-assume: ${{ secrets.AWS_OIDC_ROLE }} - role-session-name: github-actions-molecule-ansible - aws-region: ${{ env.AWS_REGION }} - - - name: Set up Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: - python-version: '3.11' - cache: 'pip' - cache-dependency-path: '.github/workflows/bash_install.yml' + persist-credentials: false - - name: Install dependencies + - name: Shellcheck run: | - sudo apt install apt-transport-https ca-certificates curl software-properties-common libssl-dev - python -m pip install --upgrade pip - pip install molecule "molecule-plugins[ec2]" ansible ansible-core==2.16.7 ansible-lint boto3 botocore - - - name: Run role tests - id: molecule-role-test - uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 - env: - MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} - MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} - MOLECULE_IMAGE_ARCH: ${{ matrix.molecule.image_arch }} - MOLECULE_IMAGE_NAME: '${{ matrix.molecule.image_name }}' - MOLECULE_INSTANCE_TYPE: ${{ matrix.molecule.instance_type }} - MOLECULE_REGION: ${{ env.AWS_REGION}} - with: - timeout_minutes: 30 - max_attempts: 3 - retry_on: error - command: >- - molecule --version && - ansible --version && - molecule --debug test --destroy never -s ${{ matrix.collection_role }} - continue-on-error: true - - - name: Ensure instances are destroyed - uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 - env: - MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} - 
MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} - MOLECULE_IMAGE_ARCH: ${{ matrix.molecule.image_arch }} - MOLECULE_IMAGE_NAME: '${{ matrix.molecule.image_name }}' - MOLECULE_INSTANCE_TYPE: ${{ matrix.molecule.instance_type }} - MOLECULE_REGION: ${{ env.AWS_REGION}} - with: - timeout_minutes: 10 - max_attempts: 3 - retry_on: error - command: >- - molecule --version && - ansible --version && - molecule --debug destroy -s ${{ matrix.collection_role }} - - - name: Assert molecule tests passed - uses: nick-fields/assert-action@aa0067e01f0f6545c31755d6ca128c5a3a14f6bf # v2.0.0 - with: - expected: success - actual: ${{ steps.molecule-role-test.outcome }} + shellcheck --version + shellcheck bash/migrate/cs-migrate.sh + + molecule-test: + name: Molecule Test + needs: validate + uses: ./.github/workflows/reusable-molecule-test-linux.yml + with: + distros: | + [ + {"name": "ubuntu-20.04", "image_owner": "099720109477", "image_arch": "x86_64", "image_name": "ubuntu/images/hvm-ssd/ubuntu-focal-20.04*", "instance_type": "t2.micro"}, + {"name": "ubuntu-22.04", "image_owner": "099720109477", "image_arch": "x86_64", "image_name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04*", "instance_type": "t2.micro"}, + {"name": "amazon-2023", "image_owner": "137112412989", "image_arch": "x86_64", "image_name": "al2023-ami-2023*", "instance_type": "t2.micro"}, + {"name": "amazon-2", "image_owner": "137112412989", "image_arch": "x86_64", "image_name": "amzn2-ami-hvm-2.0*gp2", "instance_type": "t2.micro"}, + {"name": "sles-15-sp5", "image_owner": "013907871322", "image_arch": "x86_64", "image_name": "suse-sles-15-sp5-v????????-hvm*", "instance_type": "t2.micro"}, + {"name": "almalinux-8", "image_owner": "679593333241", "image_arch": "x86_64", "image_name": "AlmaLinux OS 8*", "instance_type": "t2.micro"}, + {"name": "rhel-9", "image_owner": "309956199498", "image_arch": "x86_64", "image_name": "RHEL-9.?.?_HVM-*", "instance_type": "t2.micro"}, + {"name": "rhel-9-arm", "image_owner": 
"309956199498", "image_arch": "arm64", "image_name": "RHEL-9.?.?_HVM-*", "instance_type": "t4g.micro"} + ] + collection_role: bash_migrate + pr_sha: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || '' }} + pr_repo: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || '' }} + secrets: inherit diff --git a/.github/workflows/container_sensor_pull.yml b/.github/workflows/container_sensor_pull.yml index e75a26d4..7ec5b367 100644 --- a/.github/workflows/container_sensor_pull.yml +++ b/.github/workflows/container_sensor_pull.yml @@ -8,8 +8,7 @@ on: - 'bash/containers/falcon-container-sensor-pull/**' - '.github/workflows/container_sensor_pull.yml' - pull_request_target: - types: [ labeled ] + pull_request: paths: - 'bash/containers/falcon-container-sensor-pull/**' - '.github/workflows/container_sensor_pull.yml' 
@@ -18,43 +17,31 @@ permissions: contents: read jobs: - container_sensor_pull: - if: | - github.event_name == 'push' || - github.event_name == 'schedule' || - (github.event_name == 'pull_request_target' && - github.event.label.name == 'ok-to-test') - name: ${{ matrix.sensortype.type }} + validate: + name: Validate runs-on: ubuntu-latest - timeout-minutes: 30 - env: - FALCON_CLIENT_ID: ${{ secrets.FALCON_CLIENT_ID }} - FALCON_CLIENT_SECRET: ${{ secrets.FALCON_CLIENT_SECRET }} - permissions: - contents: read - id-token: write - strategy: - fail-fast: false - matrix: - sensortype: - - type: falcon-container - cli_arg: '' - - type: falcon-sensor - cli_arg: '-n' - - type: falcon-kac - cli_arg: '--kubernetes-admission-controller' - steps: - - name: Check out code - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - if: github.event_name != 'pull_request_target' - - name: Check out code uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: - ref: ${{github.event.pull_request.head.sha}} - if: github.event_name == 'pull_request_target' + persist-credentials: false - - name: Run script to pull ${{ matrix.sensortype.type }} image + - name: Shellcheck run: | - bash bash/containers/falcon-container-sensor-pull/falcon-container-sensor-pull.sh ${{ matrix.sensortype.cli_arg }} + shellcheck --version + shellcheck bash/containers/falcon-container-sensor-pull/falcon-container-sensor-pull.sh + + container-test: + name: Container Test + needs: validate + uses: ./.github/workflows/reusable-container-sensor-pull.yml + with: + sensor_types: | + [ + {"type": "falcon-container", "cli_arg": ""}, + {"type": "falcon-sensor", "cli_arg": "-n"}, + {"type": "falcon-kac", "cli_arg": "--kubernetes-admission-controller"} + ] + pr_sha: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || '' }} + pr_repo: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || '' }} + secrets: inherit 
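Review bot: The new `container-test` job calls the reusable workflow without a job-level `permissions:` block while this hunk deletes the inline job's `id-token: write` grant, yet the called reusable-container-sensor-pull.yml still declares `id-token: write` on its job; if I read GitHub's reusable-workflow rules right, a called workflow can only be handed what the caller passes, so with only the file-level `contents: read` the run is rejected for requesting a permission it was not granted. Either drop the unused `id-token: write` from the called container workflow, or grant it on the caller job: `permissions:` / `  contents: read` / `  id-token: write`. The same shape recurs in the `molecule-test` callers in pwsh_install_ccid.yml, pwsh_install_policy.yml, pwsh_migrate.yml and pwsh_uninstall.yml (and, from what is visible, bash_migrate.yml), where the called Linux/Windows workflows genuinely need the OIDC token for the Configure AWS Credentials step, so there the caller-side grant is the only fix.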
diff --git a/.github/workflows/psscriptanalyzer.yml b/.github/workflows/psscriptanalyzer.yml index 49bca7de..0689ae96 100644 --- a/.github/workflows/psscriptanalyzer.yml +++ b/.github/workflows/psscriptanalyzer.yml @@ -23,7 +23,7 @@ jobs: - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - name: Run PSScriptAnalyzer - uses: microsoft/psscriptanalyzer-action@7a0da25f33985767f15f93140306528900744195 # main + uses: microsoft/psscriptanalyzer-action@6b2948b1944407914a58661c49941824d149734f # v1.1 with: path: .\powershell recurse: true diff --git a/.github/workflows/pwsh_install_ccid.yml b/.github/workflows/pwsh_install_ccid.yml index b006c341..02799a27 100644 --- a/.github/workflows/pwsh_install_ccid.yml +++ b/.github/workflows/pwsh_install_ccid.yml @@ -9,8 +9,7 @@ on: - 'powershell/install/**' - '.github/workflows/pwsh_install_ccid.yml' - pull_request_target: - types: [ labeled ] + pull_request: paths: - 'molecule/pwsh_install_ccid/**' - 'powershell/install/**' 
@@ -20,109 +19,39 @@ permissions: contents: read jobs: - molecule: - if: | - github.event_name == 'push' || - github.event_name == 'schedule' || - (github.event_name == 'pull_request_target' && - github.event.label.name == 'ok-to-test') - name: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} + validate: + name: Validate runs-on: ubuntu-latest - env: - PY_COLORS: 1 - ANSIBLE_FORCE_COLOR: 1 - FALCON_CLIENT_ID: ${{ secrets.FALCON_CLIENT_ID }} - FALCON_CLIENT_SECRET: ${{ secrets.FALCON_CLIENT_SECRET }} - FALCON_CLOUD: ${{ secrets.FALCON_CLOUD }} - FALCON_CID: ${{ secrets.FALCON_CID }} - FALCON_PROV_TOKEN: ${{ secrets.FALCON_PROV_TOKEN }} - AWS_REGION: "us-west-1" - MOLECULE_VPC_SUBNET_ID: ${{ secrets.MOLECULE_VPC_SUBNET_ID }} - permissions: - contents: read - id-token: write - strategy: - fail-fast: false - matrix: - molecule: - - distro: WindowsServer2022 - image_owner: 801119661308 - image_arch: x86_64 - image_name: Windows_Server-2022-English-Full-Base-* - instance_type: t3a.medium - collection_role: - - pwsh_install_ccid steps: - name: Check out code uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - if: github.event_name != 'pull_request_target' - - - name: Check out code - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - with: - ref: ${{github.event.pull_request.head.sha}} - if: github.event_name == 'pull_request_target' - - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 - with: - role-to-assume: ${{ secrets.AWS_OIDC_ROLE }} - role-session-name: github-actions-molecule-ansible - aws-region: ${{ env.AWS_REGION }} - - - name: Set up Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: - python-version: '3.11' - cache: 'pip' - cache-dependency-path: '.github/workflows/pwsh_install_ccid.yml' + persist-credentials: false - - name: Install dependencies + - name: Validate PowerShell syntax 
+ shell: pwsh run: | - sudo apt install apt-transport-https ca-certificates curl software-properties-common libssl-dev - python -m pip install --upgrade pip - pip install molecule "molecule-plugins[ec2]" ansible ansible-core==2.16.7 ansible-lint boto3 botocore pywinrm - - - name: Run role tests - id: molecule-role-test - uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 - env: - MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} - MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} - MOLECULE_IMAGE_ARCH: ${{ matrix.molecule.image_arch }} - MOLECULE_IMAGE_NAME: '${{ matrix.molecule.image_name }}' - MOLECULE_INSTANCE_TYPE: ${{ matrix.molecule.instance_type }} - MOLECULE_REGION: ${{ env.AWS_REGION}} - with: - timeout_minutes: 30 - max_attempts: 3 - retry_on: error - command: >- - molecule --version && - ansible --version && - molecule --debug test --destroy never -s ${{ matrix.collection_role }} - continue-on-error: true - - - name: Ensure instances are destroyed - uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 - env: - MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} - MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} - MOLECULE_IMAGE_ARCH: ${{ matrix.molecule.image_arch }} - MOLECULE_IMAGE_NAME: '${{ matrix.molecule.image_name }}' - MOLECULE_INSTANCE_TYPE: ${{ matrix.molecule.instance_type }} - MOLECULE_REGION: ${{ env.AWS_REGION}} - with: - timeout_minutes: 10 - max_attempts: 3 - retry_on: error - command: >- - molecule --version && - ansible --version && - molecule --debug destroy -s ${{ matrix.collection_role }} - - - name: Assert molecule tests passed - uses: nick-fields/assert-action@aa0067e01f0f6545c31755d6ca128c5a3a14f6bf # v2.0.0 - with: - expected: success - actual: ${{ steps.molecule-role-test.outcome }} + $scripts = Get-ChildItem -Path powershell/install -Filter *.ps1 -Recurse + foreach ($script in $scripts) { + $null = 
[System.Management.Automation.Language.Parser]::ParseFile($script.FullName, [ref]$null, [ref]$errors) + if ($errors.Count -gt 0) { + Write-Error "Syntax errors in $($script.FullName):" + $errors | ForEach-Object { Write-Error $_.ToString() } + exit 1 + } + } + Write-Host "All PowerShell scripts passed syntax validation" + + molecule-test: + name: Molecule Test + needs: validate + uses: ./.github/workflows/reusable-molecule-test-windows.yml + with: + distros: | + [ + {"name": "WindowsServer2022", "image_owner": "801119661308", "image_arch": "x86_64", "image_name": "Windows_Server-2022-English-Full-Base-*", "instance_type": "t3a.medium"} + ] + collection_role: pwsh_install_ccid + pr_sha: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || '' }} + pr_repo: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || '' }} + secrets: inherit diff --git a/.github/workflows/pwsh_install_policy.yml b/.github/workflows/pwsh_install_policy.yml index bbb89f90..7713f90d 100644 --- a/.github/workflows/pwsh_install_policy.yml +++ b/.github/workflows/pwsh_install_policy.yml @@ -9,8 +9,7 @@ on: - 'powershell/install/**' - '.github/workflows/pwsh_install_policy.yml' - pull_request_target: - types: [ labeled ] + pull_request: paths: - 'molecule/pwsh_install_policy/**' - 'powershell/install/**' 
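Review bot: The "Validate PowerShell syntax" step passes vacuously when `Get-ChildItem -Path powershell/install -Filter *.ps1 -Recurse` finds nothing: `$scripts` is null, the `foreach` body never runs, and the step still prints the "passed" message, so a path typo or a rename of the scripts would silently disable the check. Add a guard before the loop, `if (-not $scripts) { Write-Error "No .ps1 files found under powershell/install"; exit 1 }`. `$errors` is also handed to `[ref]` without ever being declared; an explicit `$errors = $null` above the loop states the intent rather than relying on the implicit creation of an undefined variable. The identical block in pwsh_install_policy.yml, pwsh_migrate.yml and pwsh_uninstall.yml would take the same two lines.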
@@ -20,109 +19,39 @@ permissions: contents: read jobs: - molecule: - if: | - github.event_name == 'push' || - github.event_name == 'schedule' || - (github.event_name == 'pull_request_target' && - github.event.label.name == 'ok-to-test') - name: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} + validate: + name: Validate runs-on: ubuntu-latest - env: - PY_COLORS: 1 - ANSIBLE_FORCE_COLOR: 1 - FALCON_CLIENT_ID: ${{ secrets.FALCON_CLIENT_ID }} - FALCON_CLIENT_SECRET: ${{ secrets.FALCON_CLIENT_SECRET }} - FALCON_CLOUD: ${{ secrets.FALCON_CLOUD }} - FALCON_CID: ${{ secrets.FALCON_CID }} - FALCON_PROV_TOKEN: ${{ secrets.FALCON_PROV_TOKEN }} - AWS_REGION: "us-west-1" - MOLECULE_VPC_SUBNET_ID: ${{ secrets.MOLECULE_VPC_SUBNET_ID }} - permissions: - contents: read - id-token: write - strategy: - fail-fast: false - matrix: - molecule: - - distro: WindowsServer2022 - image_owner: 801119661308 - image_arch: x86_64 - image_name: Windows_Server-2022-English-Full-Base-* - instance_type: t3a.medium - collection_role: - - pwsh_install_policy steps: - name: Check out code uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - if: github.event_name != 'pull_request_target' - - - name: Check out code - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - with: - ref: ${{github.event.pull_request.head.sha}} - if: github.event_name == 'pull_request_target' - - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 - with: - role-to-assume: ${{ secrets.AWS_OIDC_ROLE }} - role-session-name: github-actions-molecule-ansible - aws-region: ${{ env.AWS_REGION }} - - - name: Set up Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: - python-version: '3.11' - cache: 'pip' - cache-dependency-path: '.github/workflows/pwsh_install_policy.yml' + persist-credentials: false - - name: Install dependencies + - name: Validate PowerShell 
syntax + shell: pwsh run: | - sudo apt install apt-transport-https ca-certificates curl software-properties-common libssl-dev - python -m pip install --upgrade pip - pip install molecule "molecule-plugins[ec2]" ansible ansible-core==2.16.7 ansible-lint boto3 botocore pywinrm - - - name: Run role tests - id: molecule-role-test - uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 - env: - MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} - MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} - MOLECULE_IMAGE_ARCH: ${{ matrix.molecule.image_arch }} - MOLECULE_IMAGE_NAME: '${{ matrix.molecule.image_name }}' - MOLECULE_INSTANCE_TYPE: ${{ matrix.molecule.instance_type }} - MOLECULE_REGION: ${{ env.AWS_REGION}} - with: - timeout_minutes: 30 - max_attempts: 3 - retry_on: error - command: >- - molecule --version && - ansible --version && - molecule --debug test --destroy never -s ${{ matrix.collection_role }} - continue-on-error: true - - - name: Ensure instances are destroyed - uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 - env: - MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} - MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} - MOLECULE_IMAGE_ARCH: ${{ matrix.molecule.image_arch }} - MOLECULE_IMAGE_NAME: '${{ matrix.molecule.image_name }}' - MOLECULE_INSTANCE_TYPE: ${{ matrix.molecule.instance_type }} - MOLECULE_REGION: ${{ env.AWS_REGION}} - with: - timeout_minutes: 10 - max_attempts: 3 - retry_on: error - command: >- - molecule --version && - ansible --version && - molecule --debug destroy -s ${{ matrix.collection_role }} - - - name: Assert molecule tests passed - uses: nick-fields/assert-action@aa0067e01f0f6545c31755d6ca128c5a3a14f6bf # v2.0.0 - with: - expected: success - actual: ${{ steps.molecule-role-test.outcome }} + $scripts = Get-ChildItem -Path powershell/install -Filter *.ps1 -Recurse + foreach ($script in $scripts) { + $null = 
[System.Management.Automation.Language.Parser]::ParseFile($script.FullName, [ref]$null, [ref]$errors) + if ($errors.Count -gt 0) { + Write-Error "Syntax errors in $($script.FullName):" + $errors | ForEach-Object { Write-Error $_.ToString() } + exit 1 + } + } + Write-Host "All PowerShell scripts passed syntax validation" + + molecule-test: + name: Molecule Test + needs: validate + uses: ./.github/workflows/reusable-molecule-test-windows.yml + with: + distros: | + [ + {"name": "WindowsServer2022", "image_owner": "801119661308", "image_arch": "x86_64", "image_name": "Windows_Server-2022-English-Full-Base-*", "instance_type": "t3a.medium"} + ] + collection_role: pwsh_install_policy + pr_sha: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || '' }} + pr_repo: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || '' }} + secrets: inherit diff --git a/.github/workflows/pwsh_migrate.yml b/.github/workflows/pwsh_migrate.yml index a9143e71..a432484d 100644 --- a/.github/workflows/pwsh_migrate.yml +++ b/.github/workflows/pwsh_migrate.yml @@ -9,8 +9,7 @@ on: - 'powershell/migrate/**' - '.github/workflows/pwsh_migrate.yml' - pull_request_target: - types: [ labeled ] + pull_request: paths: - 'molecule/pwsh_migrate/**' - 'powershell/migrate/**' 
@@ -20,109 +19,39 @@ permissions: contents: read jobs: - molecule: - if: | - github.event_name == 'push' || - github.event_name == 'schedule' || - (github.event_name == 'pull_request_target' && - github.event.label.name == 'ok-to-test') - name: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} + validate: + name: Validate runs-on: ubuntu-latest - env: - PY_COLORS: 1 - ANSIBLE_FORCE_COLOR: 1 - FALCON_CLIENT_ID: ${{ secrets.FALCON_CLIENT_ID }} - FALCON_CLIENT_SECRET: ${{ secrets.FALCON_CLIENT_SECRET }} - FALCON_CLOUD: ${{ secrets.FALCON_CLOUD }} - FALCON_CID: ${{ secrets.FALCON_CID }} - FALCON_PROV_TOKEN: ${{ secrets.FALCON_PROV_TOKEN }} - AWS_REGION: "us-west-1" - MOLECULE_VPC_SUBNET_ID: ${{ secrets.MOLECULE_VPC_SUBNET_ID }} - permissions: - contents: read - id-token: write - strategy: - fail-fast: false - matrix: - molecule: - - distro: WindowsServer2022 - image_owner: 801119661308 - image_arch: x86_64 - image_name: Windows_Server-2022-English-Full-Base-* - instance_type: t3a.medium - collection_role: - - pwsh_migrate steps: - name: Check out code uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - if: github.event_name != 'pull_request_target' - - - name: Check out code - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - with: - ref: ${{github.event.pull_request.head.sha}} - if: github.event_name == 'pull_request_target' - - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 - with: - role-to-assume: ${{ secrets.AWS_OIDC_ROLE }} - role-session-name: github-actions-molecule-ansible - aws-region: ${{ env.AWS_REGION }} - - - name: Set up Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: - python-version: '3.11' - cache: 'pip' - cache-dependency-path: '.github/workflows/pwsh_migrate.yml' + persist-credentials: false - - name: Install dependencies + - name: Validate PowerShell syntax + shell: 
pwsh run: | - sudo apt install apt-transport-https ca-certificates curl software-properties-common libssl-dev - python -m pip install --upgrade pip - pip install molecule "molecule-plugins[ec2]" ansible ansible-core==2.16.7 ansible-lint boto3 botocore pywinrm - - - name: Run role tests - id: molecule-role-test - uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 - env: - MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} - MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} - MOLECULE_IMAGE_ARCH: ${{ matrix.molecule.image_arch }} - MOLECULE_IMAGE_NAME: '${{ matrix.molecule.image_name }}' - MOLECULE_INSTANCE_TYPE: ${{ matrix.molecule.instance_type }} - MOLECULE_REGION: ${{ env.AWS_REGION}} - with: - timeout_minutes: 30 - max_attempts: 3 - retry_on: error - command: >- - molecule --version && - ansible --version && - molecule --debug test --destroy never -s ${{ matrix.collection_role }} - continue-on-error: true - - - name: Ensure instances are destroyed - uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 - env: - MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} - MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} - MOLECULE_IMAGE_ARCH: ${{ matrix.molecule.image_arch }} - MOLECULE_IMAGE_NAME: '${{ matrix.molecule.image_name }}' - MOLECULE_INSTANCE_TYPE: ${{ matrix.molecule.instance_type }} - MOLECULE_REGION: ${{ env.AWS_REGION}} - with: - timeout_minutes: 10 - max_attempts: 3 - retry_on: error - command: >- - molecule --version && - ansible --version && - molecule --debug destroy -s ${{ matrix.collection_role }} - - - name: Assert molecule tests passed - uses: nick-fields/assert-action@aa0067e01f0f6545c31755d6ca128c5a3a14f6bf # v2.0.0 - with: - expected: success - actual: ${{ steps.molecule-role-test.outcome }} + $scripts = Get-ChildItem -Path powershell/migrate -Filter *.ps1 -Recurse + foreach ($script in $scripts) { + $null = 
[System.Management.Automation.Language.Parser]::ParseFile($script.FullName, [ref]$null, [ref]$errors) + if ($errors.Count -gt 0) { + Write-Error "Syntax errors in $($script.FullName):" + $errors | ForEach-Object { Write-Error $_.ToString() } + exit 1 + } + } + Write-Host "All PowerShell scripts passed syntax validation" + + molecule-test: + name: Molecule Test + needs: validate + uses: ./.github/workflows/reusable-molecule-test-windows.yml + with: + distros: | + [ + {"name": "WindowsServer2022", "image_owner": "801119661308", "image_arch": "x86_64", "image_name": "Windows_Server-2022-English-Full-Base-*", "instance_type": "t3a.medium"} + ] + collection_role: pwsh_migrate + pr_sha: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || '' }} + pr_repo: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || '' }} + secrets: inherit diff --git a/.github/workflows/pwsh_uninstall.yml b/.github/workflows/pwsh_uninstall.yml index 65b45b43..a3a11893 100644 --- a/.github/workflows/pwsh_uninstall.yml +++ b/.github/workflows/pwsh_uninstall.yml @@ -9,8 +9,7 @@ on: - 'powershell/install/**' - '.github/workflows/pwsh_uninstall.yml' - pull_request_target: - types: [ labeled ] + pull_request: paths: - 'molecule/pwsh_uninstall/**' - 'powershell/install/**' 
@@ -20,109 +19,39 @@ permissions: contents: read jobs: - molecule: - if: | - github.event_name == 'push' || - github.event_name == 'schedule' || - (github.event_name == 'pull_request_target' && - github.event.label.name == 'ok-to-test') - name: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} + validate: + name: Validate runs-on: ubuntu-latest - env: - PY_COLORS: 1 - ANSIBLE_FORCE_COLOR: 1 - FALCON_CLIENT_ID: ${{ secrets.FALCON_CLIENT_ID }} - FALCON_CLIENT_SECRET: ${{ secrets.FALCON_CLIENT_SECRET }} - FALCON_CLOUD: ${{ secrets.FALCON_CLOUD }} - FALCON_CID: ${{ secrets.FALCON_CID }} - FALCON_PROV_TOKEN: ${{ secrets.FALCON_PROV_TOKEN }} - AWS_REGION: "us-west-1" - MOLECULE_VPC_SUBNET_ID: ${{ secrets.MOLECULE_VPC_SUBNET_ID }} - permissions: - contents: read - id-token: write - strategy: - fail-fast: false - matrix: - molecule: - - distro: WindowsServer2022 - image_owner: 801119661308 - image_arch: x86_64 - image_name: Windows_Server-2022-English-Full-Base-* - instance_type: t3a.medium - collection_role: - - pwsh_uninstall steps: - name: Check out code uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - if: github.event_name != 'pull_request_target' - - - name: Check out code - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - with: - ref: ${{github.event.pull_request.head.sha}} - if: github.event_name == 'pull_request_target' - - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 - with: - role-to-assume: ${{ secrets.AWS_OIDC_ROLE }} - role-session-name: github-actions-molecule-ansible - aws-region: ${{ env.AWS_REGION }} - - - name: Set up Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: - python-version: '3.11' - cache: 'pip' - cache-dependency-path: '.github/workflows/pwsh_uninstall.yml' + persist-credentials: false - - name: Install dependencies + - name: Validate PowerShell syntax + 
shell: pwsh run: | - sudo apt install apt-transport-https ca-certificates curl software-properties-common libssl-dev - python -m pip install --upgrade pip - pip install molecule "molecule-plugins[ec2]" ansible ansible-core==2.16.7 ansible-lint boto3 botocore pywinrm - - - name: Run role tests - id: molecule-role-test - uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 - env: - MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} - MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} - MOLECULE_IMAGE_ARCH: ${{ matrix.molecule.image_arch }} - MOLECULE_IMAGE_NAME: '${{ matrix.molecule.image_name }}' - MOLECULE_INSTANCE_TYPE: ${{ matrix.molecule.instance_type }} - MOLECULE_REGION: ${{ env.AWS_REGION}} - with: - timeout_minutes: 30 - max_attempts: 3 - retry_on: error - command: >- - molecule --version && - ansible --version && - molecule --debug test --destroy never -s ${{ matrix.collection_role }} - continue-on-error: true - - - name: Ensure instances are destroyed - uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 - env: - MOLECULE_INSTANCE_NAME: ${{ matrix.molecule.distro }}-${{ matrix.collection_role }} - MOLECULE_IMAGE_OWNER: ${{ matrix.molecule.image_owner }} - MOLECULE_IMAGE_ARCH: ${{ matrix.molecule.image_arch }} - MOLECULE_IMAGE_NAME: '${{ matrix.molecule.image_name }}' - MOLECULE_INSTANCE_TYPE: ${{ matrix.molecule.instance_type }} - MOLECULE_REGION: ${{ env.AWS_REGION}} - with: - timeout_minutes: 10 - max_attempts: 3 - retry_on: error - command: >- - molecule --version && - ansible --version && - molecule --debug destroy -s ${{ matrix.collection_role }} - - - name: Assert molecule tests passed - uses: nick-fields/assert-action@aa0067e01f0f6545c31755d6ca128c5a3a14f6bf # v2.0.0 - with: - expected: success - actual: ${{ steps.molecule-role-test.outcome }} + $scripts = Get-ChildItem -Path powershell/install -Filter *.ps1 -Recurse + foreach ($script in $scripts) { + $null = 
[System.Management.Automation.Language.Parser]::ParseFile($script.FullName, [ref]$null, [ref]$errors) + if ($errors.Count -gt 0) { + Write-Error "Syntax errors in $($script.FullName):" + $errors | ForEach-Object { Write-Error $_.ToString() } + exit 1 + } + } + Write-Host "All PowerShell scripts passed syntax validation" + + molecule-test: + name: Molecule Test + needs: validate + uses: ./.github/workflows/reusable-molecule-test-windows.yml + with: + distros: | + [ + {"name": "WindowsServer2022", "image_owner": "801119661308", "image_arch": "x86_64", "image_name": "Windows_Server-2022-English-Full-Base-*", "instance_type": "t3a.medium"} + ] + collection_role: pwsh_uninstall + pr_sha: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || '' }} + pr_repo: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || '' }} + secrets: inherit diff --git a/.github/workflows/reusable-container-sensor-pull.yml b/.github/workflows/reusable-container-sensor-pull.yml new file mode 100644 index 00000000..f3be8e47 --- /dev/null +++ b/.github/workflows/reusable-container-sensor-pull.yml 
@@ -0,0 +1,58 @@ +# Reusable workflow for container sensor pull tests +# Centralizes test logic with environment-based secret protection +# +# SECURITY: This workflow requires secrets to be configured in the 'molecule-testing' +# GitHub Environment with required reviewers enabled. For push/schedule events, +# secrets are accessed from repository level. For pull_request events (including +# forks), the environment protection gates secret access pending approval. +name: "Reusable: Container Sensor Pull Test" + +on: + workflow_call: + inputs: + sensor_types: + description: 'JSON array of sensor type configurations' + required: true + type: string + pr_sha: + description: 'PR head SHA for checkout (empty for push/schedule)' + required: false + type: string + default: '' + pr_repo: + description: 'PR head repo for checkout (empty for push/schedule)' + required: false + type: string + default: '' + +permissions: + contents: read + +jobs: + container_sensor_pull: + name: ${{ matrix.sensortype.type }} + runs-on: ubuntu-latest + timeout-minutes: 30 + environment: ${{ inputs.pr_sha != '' && 'molecule-testing' || '' }} + env: + FALCON_CLIENT_ID: ${{ secrets.FALCON_CLIENT_ID }} + FALCON_CLIENT_SECRET: ${{ secrets.FALCON_CLIENT_SECRET }} + permissions: + contents: read + id-token: write + strategy: + fail-fast: false + matrix: + sensortype: ${{ fromJSON(inputs.sensor_types) }} + + steps: + - name: Check out code + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + ref: ${{ inputs.pr_sha || github.sha }} + repository: ${{ inputs.pr_repo || github.repository }} + persist-credentials: false + + - name: Run script to pull ${{ matrix.sensortype.type }} image + run: | + bash bash/containers/falcon-container-sensor-pull/falcon-container-sensor-pull.sh "${{ matrix.sensortype.cli_arg }}" diff --git a/.github/workflows/reusable-molecule-test-linux.yml b/.github/workflows/reusable-molecule-test-linux.yml new file mode 100644 index 00000000..bdd3556a 
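Review bot: The `container_sensor_pull` job requests `id-token: write` but nothing in this workflow consumes an OIDC token — the steps are a checkout and a script run, with no configure-aws-credentials or similar — so the job should stay at `contents: read` only. The header comment's statement that the environment gate covers "pull_request events (including forks)" also looks inaccurate: as far as I recall, on `pull_request` runs from forks GitHub passes no repository or environment secrets at all, approval or not, so a fork run would reach the script with empty `FALCON_CLIENT_ID`/`FALCON_CLIENT_SECRET` after a reviewer waves it through. Suggest rewording that paragraph to say the environment gate protects same-repository PRs and that fork PRs receive no secrets on this event, and adding a line that the `molecule-testing` environment must exist with required reviewers before this merges, since referencing an environment that does not yet exist creates it without any protection rules.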
--- /dev/null +++ b/.github/workflows/reusable-molecule-test-linux.yml 
@@ -0,0 +1,126 @@ +# Reusable workflow for Linux Molecule tests +# Centralizes all Molecule test logic with environment-based secret protection +# +# SECURITY: This workflow requires secrets to be configured in the 'molecule-testing' +# GitHub Environment with required reviewers enabled. For push/schedule events, +# secrets are accessed from repository level. For pull_request events (including +# forks), the environment protection gates secret access pending approval. +name: "Reusable: Molecule Test (Linux)" + +on: + workflow_call: + inputs: + distros: + description: 'JSON array of distro configurations' + required: true + type: string + collection_role: + description: 'The Molecule collection role to test' + required: true + type: string + pr_sha: + description: 'PR head SHA for checkout (empty for push/schedule)' + required: false + type: string + default: '' + pr_repo: + description: 'PR head repo for checkout (empty for push/schedule)' + required: false + type: string + default: '' + +permissions: + contents: read + +jobs: + molecule: + name: ${{ matrix.distro.name }}-${{ inputs.collection_role }} + runs-on: ubuntu-latest + timeout-minutes: 60 + environment: ${{ inputs.pr_sha != '' && 'molecule-testing' || '' }} + env: + PY_COLORS: 1 + ANSIBLE_FORCE_COLOR: 1 + FALCON_CLIENT_ID: ${{ secrets.FALCON_CLIENT_ID }} + FALCON_CLIENT_SECRET: ${{ secrets.FALCON_CLIENT_SECRET }} + AWS_REGION: "us-west-1" + MOLECULE_VPC_SUBNET_ID: ${{ secrets.MOLECULE_VPC_SUBNET_ID }} + permissions: + contents: read + id-token: write + strategy: + fail-fast: false + matrix: + distro: ${{ fromJSON(inputs.distros) }} + + steps: + - name: Check out code + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + ref: ${{ inputs.pr_sha || github.sha }} + repository: ${{ inputs.pr_repo || github.repository }} + persist-credentials: false + + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 
+ with: + role-to-assume: ${{ secrets.AWS_OIDC_ROLE }} + role-session-name: github-actions-molecule-ansible + aws-region: ${{ env.AWS_REGION }} + + - name: Set up Python + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 + with: + python-version: '3.11' + cache: 'pip' + cache-dependency-path: '.github/workflows/reusable-molecule-test-linux.yml' + + - name: Install dependencies + run: | + sudo apt install apt-transport-https ca-certificates curl software-properties-common libssl-dev + python -m pip install --upgrade pip + pip install molecule "molecule-plugins[ec2]" ansible ansible-core==2.16.7 ansible-lint boto3 botocore + + - name: Run role tests + id: molecule-role-test + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 + env: + MOLECULE_INSTANCE_NAME: ${{ matrix.distro.name }}-${{ inputs.collection_role }} + MOLECULE_IMAGE_OWNER: ${{ matrix.distro.image_owner }} + MOLECULE_IMAGE_ARCH: ${{ matrix.distro.image_arch }} + MOLECULE_IMAGE_NAME: ${{ matrix.distro.image_name }} + MOLECULE_INSTANCE_TYPE: ${{ matrix.distro.instance_type }} + MOLECULE_REGION: ${{ env.AWS_REGION }} + with: + timeout_minutes: 30 + max_attempts: 3 + retry_on: error + command: >- + molecule --version && + ansible --version && + molecule --debug test --destroy never -s "${{ inputs.collection_role }}" + continue-on-error: true + + - name: Ensure instances are destroyed + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 + env: + MOLECULE_INSTANCE_NAME: ${{ matrix.distro.name }}-${{ inputs.collection_role }} + MOLECULE_IMAGE_OWNER: ${{ matrix.distro.image_owner }} + MOLECULE_IMAGE_ARCH: ${{ matrix.distro.image_arch }} + MOLECULE_IMAGE_NAME: ${{ matrix.distro.image_name }} + MOLECULE_INSTANCE_TYPE: ${{ matrix.distro.instance_type }} + MOLECULE_REGION: ${{ env.AWS_REGION }} + with: + timeout_minutes: 10 + max_attempts: 3 + retry_on: error + command: >- + molecule --version && + ansible --version && + molecule --debug 
destroy -s "${{ inputs.collection_role }}" + + - name: Assert molecule tests passed + uses: nick-fields/assert-action@aa0067e01f0f6545c31755d6ca128c5a3a14f6bf # v2.0.0 + with: + expected: success + actual: ${{ steps.molecule-role-test.outcome }} diff --git a/.github/workflows/reusable-molecule-test-windows.yml b/.github/workflows/reusable-molecule-test-windows.yml new file mode 100644 index 00000000..177103e1 --- /dev/null +++ b/.github/workflows/reusable-molecule-test-windows.yml 
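Review bot: The Configure AWS Credentials step pins `aws-actions/configure-aws-credentials` at `e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2`, whereas the per-workflow files this patch consolidates were moved to `7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1` in the same series (see the bash_install.yml hunk), so centralising the step rolls the pin back several releases. Use the v4.3.1 pin here; the same line in reusable-molecule-test-windows.yml, whose hunk runs past the end of this view, carries the same older pin. A sentence in the header comment would also help future readers: the callers use `secrets: inherit`, which forwards every repository and environment secret to this job even though it only reads the handful named in `env` and `role-to-assume`, so scoping rests on the environment gate rather than on the call site.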
@@ -0,0 +1,129 @@
+# Reusable workflow for Windows Molecule tests
+# Centralizes all Molecule test logic with environment-based secret protection
+#
+# SECURITY: This workflow requires secrets to be configured in the 'molecule-testing'
+# GitHub Environment with required reviewers enabled. For push/schedule events,
+# secrets are accessed from repository level. For pull_request events (including
+# forks), the environment protection gates secret access pending approval.
+name: "Reusable: Molecule Test (Windows)"
+
+on:
+ workflow_call:
+ inputs:
+ distros:
+ description: 'JSON array of distro configurations'
+ required: true
+ type: string
+ collection_role:
+ description: 'The Molecule collection role to test'
+ required: true
+ type: string
+ pr_sha:
+ description: 'PR head SHA for checkout (empty for push/schedule)'
+ required: false
+ type: string
+ default: ''
+ pr_repo:
+ description: 'PR head repo for checkout (empty for push/schedule)'
+ required: false
+ type: string
+ default: ''
+
+permissions:
+ contents: read
+
+jobs:
+ molecule:
+ name: ${{ matrix.distro.name }}-${{ inputs.collection_role }}
+ runs-on: ubuntu-latest
+ timeout-minutes: 60
+ environment: ${{ inputs.pr_sha != '' && 'molecule-testing' || '' }}
+ env:
+ PY_COLORS: 1
+ ANSIBLE_FORCE_COLOR: 1
+ FALCON_CLIENT_ID: ${{ secrets.FALCON_CLIENT_ID }}
+ FALCON_CLIENT_SECRET: ${{ secrets.FALCON_CLIENT_SECRET }}
+ FALCON_CLOUD: ${{ secrets.FALCON_CLOUD }}
+ FALCON_CID: ${{ secrets.FALCON_CID }}
+ FALCON_PROV_TOKEN: ${{ secrets.FALCON_PROV_TOKEN }}
+ AWS_REGION: "us-west-1"
+ MOLECULE_VPC_SUBNET_ID: ${{ secrets.MOLECULE_VPC_SUBNET_ID }}
+ permissions:
+ contents: read
+ id-token: write
+ strategy:
+ fail-fast: false
+ matrix:
+ distro: ${{ fromJSON(inputs.distros) }}
+
+ steps:
+ - name: Check out code
+ uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+ with:
+ ref: ${{ inputs.pr_sha || github.sha }}
+ repository: ${{ inputs.pr_repo || github.repository }}
+ persist-credentials: false
+
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+ with:
+ role-to-assume: ${{ secrets.AWS_OIDC_ROLE }}
+ role-session-name: github-actions-molecule-ansible
+ aws-region: ${{ env.AWS_REGION }}
+
+ - name: Set up Python
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+ with:
+ python-version: '3.11'
+ cache: 'pip'
+ cache-dependency-path: '.github/workflows/reusable-molecule-test-windows.yml'
+
+ - name: Install dependencies
+ run: |
+ sudo apt install apt-transport-https ca-certificates curl software-properties-common libssl-dev
+ python -m pip install --upgrade pip
+ pip install molecule "molecule-plugins[ec2]" ansible ansible-core==2.16.7 ansible-lint boto3 botocore pywinrm
+
+ - name: Run role tests
+ id: molecule-role-test
+ uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
+ env:
+ MOLECULE_INSTANCE_NAME: ${{ matrix.distro.name }}-${{ inputs.collection_role }}
+ MOLECULE_IMAGE_OWNER: ${{ matrix.distro.image_owner }}
+ MOLECULE_IMAGE_ARCH: ${{ matrix.distro.image_arch }}
+ MOLECULE_IMAGE_NAME: ${{ matrix.distro.image_name }}
+ MOLECULE_INSTANCE_TYPE: ${{ matrix.distro.instance_type }}
+ MOLECULE_REGION: ${{ env.AWS_REGION }}
+ with:
+ timeout_minutes: 30
+ max_attempts: 3
+ retry_on: error
+ command: >-
+ molecule --version &&
+ ansible --version &&
+ molecule --debug test --destroy never -s "${{ inputs.collection_role }}"
+ continue-on-error: true
+
+ - name: Ensure instances are destroyed
+ uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
+ env:
+ MOLECULE_INSTANCE_NAME: ${{ matrix.distro.name }}-${{ inputs.collection_role }}
+ MOLECULE_IMAGE_OWNER: ${{ matrix.distro.image_owner }}
+ MOLECULE_IMAGE_ARCH: ${{ matrix.distro.image_arch }}
+ MOLECULE_IMAGE_NAME: ${{ matrix.distro.image_name }}
+ MOLECULE_INSTANCE_TYPE: ${{ matrix.distro.instance_type }}
+ MOLECULE_REGION: ${{ env.AWS_REGION }}
+ with:
+ timeout_minutes: 10
+ max_attempts: 3
+ retry_on: error
+ command: >-
+ molecule --version &&
+ ansible --version &&
+ molecule --debug destroy -s "${{ inputs.collection_role }}"
+
+ - name: Assert molecule tests passed
+ uses: nick-fields/assert-action@aa0067e01f0f6545c31755d6ca128c5a3a14f6bf # v2.0.0
+ with:
+ expected: success
+ actual: ${{ steps.molecule-role-test.outcome }}
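Review bot: The job-level `env:` of the `molecule` job exposes `FALCON_CLIENT_ID`, `FALCON_CLIENT_SECRET`, `FALCON_CLOUD`, `FALCON_CID`, `FALCON_PROV_TOKEN` and `MOLECULE_VPC_SUBNET_ID` to every step, including `actions/checkout`, `actions/setup-python` and the `pip install` of floating packages, none of which need them; moving those six entries into the `env:` of the two `nick-fields/retry` steps (alongside `MOLECULE_INSTANCE_NAME`) confines the secrets to the steps that actually run Molecule. In the same spirit, the pip line pins only `ansible-core==2.16.7` while `molecule`, `molecule-plugins[ec2]`, `ansible`, `ansible-lint`, `boto3`, `botocore` and `pywinrm` float, so a constraints file installed with `--require-hashes` would extend the SHA-pinning this commit applies to actions to the Python dependencies. The "Run role tests" step allows `timeout_minutes: 30` times `max_attempts: 3`, which can exceed the job's `timeout-minutes: 60`; if the job is cancelled on timeout, "Ensure instances are destroyed" has no `if: always()` and so presumably never runs, leaving EC2 instances up, so either add `if: always()` to that step or size the job timeout above the combined retry budget. Also confirm that the `aws-actions/configure-aws-credentials` pin commented `# v4.0.2` is the version the sibling workflows in this series use, so one Dependabot/Renovate update keeps them in lockstep.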