efaac33c47
Some checks failed
CI/CD Pipeline / Code Format (push) Successful in 3s
CI/CD Pipeline / Clippy Lints (push) Successful in 43s
CI/CD Pipeline / All Unit Tests (push) Successful in 1m12s
CI/CD Pipeline / Security Audit (push) Successful in 5s
CI/CD Pipeline / Enrollment Tests (push) Successful in 1m12s
CI/CD Pipeline / Build Debian Package (Ubuntu 22.04) (push) Failing after 4s
CI/CD Pipeline / Verify Enrollment CLI Flag (push) Successful in 57s
CI/CD Pipeline / Build Debian Package (push) Failing after 4s
CI/CD Pipeline / Build RPM Package (push) Successful in 2m12s
CI/CD Pipeline / Build Arch Package (push) Successful in 2m18s
CI/CD Pipeline / Build Alpine Package (push) Failing after 3m7s
- Remove all private key files from git tracking (git rm --cached) - configs/certs/ca.key.pem, server.key.pem, client001.key.pem - tests/e2e/certs/client.key - Also remove public certs from configs/certs/ (generated at runtime) - Add .gitignore patterns for *.key, *.key.pem, configs/certs/*.pem, *.srl - Add scripts/generate-dev-certs.sh for runtime test cert generation - Update Python e2e test to generate certs on demand (ensure_certs()) - Update test_wrong_cert_connection to generate wrong-CA certs at runtime - Add gitleaks secret scanning job to CI workflow - Update SECURITY_FINDINGS_REPORT.md with critical finding for Issue #12 - Update SECURITY_CONTROLS_MATRIX.md evidence references - Add README.md to configs/certs/ and tests/e2e/certs/ Private keys were dev/test only - no production key rotation needed. Git history purge with filter-repo will follow after PR merge. Co-authored-by: git-echo <git-echo@moon-dragon.us>
295 lines
11 KiB
YAML
295 lines
11 KiB
YAML
name: CI
|
|
|
|
on:
|
|
push:
|
|
branches: [master]
|
|
tags: ['v*.*.*']
|
|
pull_request:
|
|
branches: [master]
|
|
|
|
env:
|
|
CARGO_TERM_COLOR: always
|
|
RUST_BACKTRACE: 1
|
|
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
|
|
|
|
permissions:
|
|
contents: write
|
|
|
|
jobs:
|
|
# ── Quality Gates (GitHub-hosted, all triggers) ──────────────────────────
|
|
|
|
fmt:
|
|
name: fmt
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: dtolnay/rust-toolchain@stable
|
|
with:
|
|
components: rustfmt
|
|
- uses: Swatinem/rust-cache@v2
|
|
- run: cargo fmt --all -- --check
|
|
|
|
clippy:
|
|
name: Clippy
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: dtolnay/rust-toolchain@stable
|
|
with:
|
|
components: clippy
|
|
- uses: Swatinem/rust-cache@v2
|
|
- name: Install system dependencies
|
|
run: sudo apt-get update && sudo apt-get install -y build-essential libsystemd-dev pkg-config libssl-dev
|
|
- run: cargo clippy --all-targets --all-features -- -D warnings
|
|
|
|
test:
|
|
name: Tests
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: dtolnay/rust-toolchain@stable
|
|
- uses: Swatinem/rust-cache@v2
|
|
- name: Install system dependencies
|
|
run: sudo apt-get update && sudo apt-get install -y build-essential libsystemd-dev pkg-config libssl-dev
|
|
- run: cargo test --all-features
|
|
|
|
audit:
|
|
name: Security Audit
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: dtolnay/rust-toolchain@stable
|
|
- run: cargo install cargo-audit && cargo audit --ignore RUSTSEC-2025-0134
|
|
|
|
gitleaks:
|
|
name: Secret scanning
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
- name: Gitleaks
|
|
uses: gitleaks/gitleaks-action@v2
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
enrollment-tests:
|
|
name: Enrollment Tests
|
|
needs: [fmt, clippy]
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: dtolnay/rust-toolchain@stable
|
|
- uses: Swatinem/rust-cache@v2
|
|
- name: Install system dependencies
|
|
run: sudo apt-get update && sudo apt-get install -y build-essential libsystemd-dev pkg-config libssl-dev
|
|
- run: cargo test --test enroll_identity
|
|
- run: cargo test --test enrollment_test
|
|
- run: cargo test --test enrollment_e2e
|
|
|
|
# ── Release Preparation (tag push only) ───────────────────────────────────
|
|
|
|
prepare-release:
|
|
name: Prepare Release
|
|
if: startsWith(github.ref, 'refs/tags/v')
|
|
needs: [fmt, clippy, test, enrollment-tests, audit]
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
- name: Generate release notes
|
|
id: release_notes
|
|
run: |
|
|
PREV_TAG=$(git describe --tags --abbrev=0 HEAD^ 2>/dev/null || echo "")
|
|
if [ -n "$PREV_TAG" ]; then
|
|
NOTES=$(git log ${PREV_TAG}..HEAD --pretty=format:"- %s (%h)" --no-merges)
|
|
else
|
|
NOTES=$(git log --pretty=format:"- %s (%h)" --no-merges)
|
|
fi
|
|
echo "notes<<EOF" >> $GITHUB_OUTPUT
|
|
echo "$NOTES" >> $GITHUB_OUTPUT
|
|
echo "EOF" >> $GITHUB_OUTPUT
|
|
- name: Create GitHub Release
|
|
uses: softprops/action-gh-release@v2
|
|
with:
|
|
body: ${{ steps.release_notes.outputs.notes }}
|
|
|
|
# ── Build Jobs (tag push only, self-hosted runners) ───────────────────────
|
|
|
|
build-deb-u2404:
|
|
name: Build .deb (Ubuntu 24.04)
|
|
if: startsWith(github.ref, 'refs/tags/v')
|
|
needs: [fmt, clippy, test, enrollment-tests, audit, prepare-release]
|
|
runs-on: [self-hosted, linux, ubuntu-24.04]
|
|
steps:
|
|
- name: Clean previous build artifacts from root
|
|
run: sudo rm -rf releases/ || true
|
|
- uses: actions/checkout@v4
|
|
- name: Install system dependencies
|
|
run: sudo apt-get update && sudo apt-get install -y build-essential libsystemd-dev pkg-config libssl-dev
|
|
- name: Add Rust to PATH
|
|
run: echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
|
|
- name: Build .deb package
|
|
run: chmod +x scripts/build-package.sh && scripts/build-package.sh
|
|
- name: Rename package with distro suffix
|
|
run: |
|
|
FILE=$(ls linux-patch-api_*_amd64.deb 2>/dev/null | head -1)
|
|
if [ -n "$FILE" ]; then
|
|
mv "$FILE" "$(echo "$FILE" | sed 's/_amd64/_u2404_amd64/')"
|
|
fi
|
|
- name: Upload to GitHub Release
|
|
uses: softprops/action-gh-release@v2
|
|
with:
|
|
files: linux-patch-api_*_u2404_amd64.deb
|
|
|
|
build-deb-u2204:
|
|
name: Build .deb (Ubuntu 22.04)
|
|
if: startsWith(github.ref, 'refs/tags/v')
|
|
needs: [fmt, clippy, test, enrollment-tests, audit, prepare-release]
|
|
runs-on: [self-hosted, linux, ubuntu-22.04]
|
|
steps:
|
|
- name: Clean previous build artifacts from root
|
|
run: sudo rm -rf releases/ || true
|
|
- uses: actions/checkout@v4
|
|
- name: Install system dependencies
|
|
run: sudo apt-get update && sudo apt-get install -y build-essential libsystemd-dev pkg-config libssl-dev
|
|
- name: Add Rust to PATH
|
|
run: echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
|
|
- name: Build .deb package
|
|
run: chmod +x scripts/build-package.sh && scripts/build-package.sh
|
|
- name: Rename package with distro suffix
|
|
run: |
|
|
FILE=$(ls linux-patch-api_*_amd64.deb 2>/dev/null | head -1)
|
|
if [ -n "$FILE" ]; then
|
|
mv "$FILE" "$(echo "$FILE" | sed 's/_amd64/_u2204_amd64/')"
|
|
fi
|
|
- name: Upload to GitHub Release
|
|
uses: softprops/action-gh-release@v2
|
|
with:
|
|
files: linux-patch-api_*_u2204_amd64.deb
|
|
|
|
build-deb-debian13:
|
|
name: Build .deb (Debian 13)
|
|
if: startsWith(github.ref, 'refs/tags/v')
|
|
needs: [fmt, clippy, test, enrollment-tests, audit, prepare-release]
|
|
runs-on: [self-hosted, linux, debian-13]
|
|
steps:
|
|
- name: Clean previous build artifacts from root
|
|
run: sudo rm -rf releases/ || true
|
|
- uses: actions/checkout@v4
|
|
- name: Install system dependencies
|
|
run: sudo apt-get update && sudo apt-get install -y build-essential libsystemd-dev pkg-config libssl-dev
|
|
- name: Add Rust to PATH
|
|
run: echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
|
|
- name: Build .deb package
|
|
run: chmod +x scripts/build-package.sh && scripts/build-package.sh
|
|
- name: Rename package with distro suffix
|
|
run: |
|
|
FILE=$(ls linux-patch-api_*_amd64.deb 2>/dev/null | head -1)
|
|
if [ -n "$FILE" ]; then
|
|
mv "$FILE" "$(echo "$FILE" | sed 's/_amd64/_debian13_amd64/')"
|
|
fi
|
|
- name: Upload to GitHub Release
|
|
uses: softprops/action-gh-release@v2
|
|
with:
|
|
files: linux-patch-api_*_debian13_amd64.deb
|
|
|
|
build-rpm-fedora:
|
|
name: Build .rpm (Fedora)
|
|
if: startsWith(github.ref, 'refs/tags/v')
|
|
needs: [fmt, clippy, test, enrollment-tests, audit, prepare-release]
|
|
runs-on: [self-hosted, linux, fedora]
|
|
steps:
|
|
- name: Clean previous build artifacts from root
|
|
run: sudo rm -rf releases/ || true
|
|
- uses: actions/checkout@v4
|
|
- name: Install system dependencies
|
|
run: sudo dnf install -y systemd-devel openssl-devel pkg-config gcc make
|
|
- name: Add Rust to PATH
|
|
run: echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
|
|
- name: Build release binary
|
|
run: cargo build --release
|
|
- name: Build RPM package
|
|
run: chmod +x build-rpm.sh && SKIP_CARGO_BUILD=1 sudo -E ./build-rpm.sh
|
|
- name: Upload to GitHub Release
|
|
uses: softprops/action-gh-release@v2
|
|
with:
|
|
files: releases/linux-patch-api-*.rpm
|
|
|
|
build-rpm-almalinux:
|
|
name: Build .rpm (AlmaLinux 10)
|
|
if: startsWith(github.ref, 'refs/tags/v')
|
|
needs: [fmt, clippy, test, enrollment-tests, audit, prepare-release]
|
|
runs-on: [self-hosted, linux, almalinux-10]
|
|
steps:
|
|
- name: Clean previous build artifacts from root
|
|
run: sudo rm -rf releases/ || true
|
|
- uses: actions/checkout@v4
|
|
- name: Install system dependencies
|
|
run: sudo dnf install -y systemd-devel openssl-devel pkg-config gcc make
|
|
- name: Add Rust to PATH
|
|
run: echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
|
|
- name: Build release binary
|
|
run: cargo build --release
|
|
- name: Build RPM package
|
|
run: chmod +x build-rpm.sh && SKIP_CARGO_BUILD=1 sudo -E ./build-rpm.sh
|
|
- name: Upload to GitHub Release
|
|
uses: softprops/action-gh-release@v2
|
|
with:
|
|
files: releases/linux-patch-api-*.rpm
|
|
|
|
build-arch:
|
|
name: Build .pkg.tar.zst (Arch Linux)
|
|
if: startsWith(github.ref, 'refs/tags/v')
|
|
needs: [fmt, clippy, test, enrollment-tests, audit, prepare-release]
|
|
runs-on: [self-hosted, linux, arch]
|
|
steps:
|
|
- name: Clean previous build artifacts from root
|
|
run: sudo rm -rf releases/ || true
|
|
- uses: actions/checkout@v4
|
|
- name: Install system dependencies
|
|
run: sudo pacman -Syu --noconfirm systemd openssl pkg-config gcc
|
|
- name: Add Rust to PATH
|
|
run: echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
|
|
- name: Build release binary
|
|
run: cargo build --release
|
|
- name: Build Arch package
|
|
run: chmod +x build-arch.sh && SKIP_CARGO_BUILD=1 ./build-arch.sh
|
|
- name: Upload to GitHub Release
|
|
uses: softprops/action-gh-release@v2
|
|
with:
|
|
files: releases/*.pkg.tar.zst
|
|
|
|
build-alpine:
|
|
name: Build .apk (Alpine)
|
|
if: startsWith(github.ref, 'refs/tags/v')
|
|
needs: [fmt, clippy, test, enrollment-tests, audit, prepare-release]
|
|
runs-on: ubuntu-latest
|
|
container:
|
|
image: alpine:latest
|
|
env:
|
|
HOME: /root
|
|
steps:
|
|
- name: Install prerequisites for actions/checkout
|
|
run: apk add --no-cache bash git curl tar
|
|
- uses: actions/checkout@v4
|
|
- name: Install Alpine build dependencies
|
|
run: apk add --no-cache gcc musl-dev openssl-dev openssl elogind-dev alpine-sdk abuild
|
|
- name: Install Rust via rustup
|
|
run: curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
|
|
- name: Add Rust to PATH
|
|
run: echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
|
|
- name: Add musl target
|
|
run: rustup target add x86_64-unknown-linux-musl
|
|
- name: Build release binary (musl target)
|
|
run: cargo build --release --target x86_64-unknown-linux-musl
|
|
- name: Build Alpine package
|
|
run: |
|
|
chmod +x build-alpine.sh
|
|
SKIP_CARGO_BUILD=1 ./build-alpine.sh
|
|
- name: Upload to GitHub Release
|
|
uses: softprops/action-gh-release@v2
|
|
with:
|
|
files: releases/linux-patch-api-*.apk
|