Skip to content
Build, test and release

ci: increase timeout + add more domains (#15) #15

Sign in to view logs

ci: increase timeout + add more domains (#15)

ci: increase timeout + add more domains (#15) #15

Workflow file for this run

.github/workflows/bullfrog.yml at d50cb56
name: Build, test and release
on:
push:
branches:
- main
pull_request:
branches:
- main
jobs:
build:
runs-on: ubuntu-22.04
permissions:
contents: read
steps:
- name: Enable egress filtering
uses: bullfrogsec/[email protected]
with:
egress-policy: block
dns-policy: any
allowed-domains: |
registry.npmjs.org
*.golang.org
storage.googleapis.com
*.github.com
*.blob.core.windows.net
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- name: Install deps
run: sudo apt-get install libnetfilter-queue-dev
- name: Build
run: |
make bootstrap
make build
- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808
with:
name: build-artifacts
path: |
agent/agent
action/dist
check-dist-diff:
runs-on: ubuntu-22.04
permissions:
contents: read
needs: build
steps:
- name: Enable egress filtering
uses: bullfrogsec/[email protected]
with:
egress-policy: block
allowed-domains: |
*.github.com
results-receiver.actions.githubusercontent.com.luykedtozraezimdvwvtsy4hga.cx.internal.cloudapp.net
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e
with:
name: build-artifacts
- name: Check if dist has changed for the action/dist folder
run: |
git diff --exit-code --quiet action/dist || (echo "action/dist has changed, please commit the changes" && exit 1)
test-audit:
needs: build
runs-on: ubuntu-22.04
timeout-minutes: 2
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e
with:
name: build-artifacts
- name: Enable egress filtering
uses: ./
with:
allowed-domains: |
*.google.com
- name: Make HTTP requests
run: |
timeout 5 curl https://www.google.com --output /dev/null
timeout 5 curl https://www.bing.com --output /dev/null
test-block:
needs: build
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [ubuntu-22.04, ubuntu-24.04]
timeout-minutes: 3
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e
with:
name: build-artifacts
- name: Enable egress filtering
uses: ./
with:
allowed-domains: |
*.google.com
egress-policy: block
- name: Make HTTP requests
run: source test/make_http_requests.sh
- name: Make DNS requests
run: |
if timeout 5 dig example.com; then
echo 'Expected 'dig example.com' to fail, but it succeeded';
exit 1;
fi;
if timeout 5 dig www.wikipedia.org; then
echo 'Expected 'dig www.wikipedia.org' to fail, but it succeeded';
exit 1;
fi;
test-block-but-allow-any-dns-requests:
needs: build
runs-on: ubuntu-22.04
timeout-minutes: 2
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e
with:
name: build-artifacts
- name: Enable egress filtering
uses: ./
with:
allowed-domains: |
*.google.com
dns-policy: any
egress-policy: block
- name: Make HTTP requests
run: source test/make_http_requests.sh
- name: Make DNS requests
run: |
timeout 5 dig example.com
timeout 5 dig www.wikipedia.org
test-docker:
needs: build
runs-on: ubuntu-22.04
timeout-minutes: 2
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- name: Enable egress filtering
uses: ./
with:
allowed-ips: |
172.17.0.0/16
allowed-domains: |
production.cloudflare.docker.com
docker.io
*.docker.io
www.google.com
egress-policy: block
- name: Test curl calls within Docker
run: |
docker run --rm --entrypoint sh alpine/curl:8.7.1 -c "
if ! timeout 5 curl https://www.google.com --output /dev/null; then
echo 'Expected curl to www.google.com to succeed, but it failed';
exit 1;
fi;
if timeout 5 curl https://www.bing.com --output /dev/null; then
echo 'Expected curl to www.bing.com to fail, but it succeeded';
exit 1;
fi;
"
- name: Nginx
run: source test/docker_nginx.sh
- name: Nginx with port forwarding
run: source test/docker_nginx_port_forwarding.sh
release:
if: github.ref == 'refs/heads/main'
runs-on: ubuntu-22.04
permissions:
contents: write
pull-requests: write
needs:
[
build,
check-dist-diff,
test-audit,
test-block,
test-block-but-allow-any-dns-requests,
test-docker,
]
outputs:
release_created: ${{ steps.release.outputs.release_created }}
tag_name: ${{ steps.release.outputs.tag_name }}
steps:
- name: Enable egress filtering
uses: bullfrogsec/[email protected]
with:
# TODO: set to block once we confirm the domains required for the release process
egress-policy: audit
allowed-domains: |
uploads.github.com
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e
with:
name: build-artifacts
- uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f
if: github.event_name == 'push'
id: release
with:
config-file: release-please-config.json
manifest-file: .release-please-manifest.json
token: ${{ secrets.BULLFROG_BOT_PAT }}
- name: Upload Release Artifact
if: ${{ steps.release.outputs.release_created }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
echo "Upload"
tar -czf agent.tar.gz agent/agent
gh release upload ${{ steps.release.outputs.tag_name }} agent.tar.gz
# Update major/minor tags for Github Action
# Ref: https://github.com/googleapis/release-please-action/tree/main?tab=readme-ov-file#creating-majorminor-tags
- name: Tag major and minor versions for Github Action
if: ${{ steps.release.outputs.release_created }}
run: |
git config user.name github-actions[bot]
git config user.email 41898282+github-actions[bot]@users.noreply.github.com
git remote add gh-token "https://${{ secrets.GITHUB_TOKEN }}@github.com/fallard84/bullfrog.git"
git tag -d v${{ steps.release.outputs.major }} || true
git tag -d v${{ steps.release.outputs.major }}.${{ steps.release.outputs.minor }} || true
git push origin :v${{ steps.release.outputs.major }} || true
git push origin :v${{ steps.release.outputs.major }}.${{ steps.release.outputs.minor }} || true
git tag -a v${{ steps.release.outputs.major }} -m "Release v${{ steps.release.outputs.major }}"
git tag -a v${{ steps.release.outputs.major }}.${{ steps.release.outputs.minor }} -m "Release v${{ steps.release.outputs.major }}.${{ steps.release.outputs.minor }}"
git push origin v${{ steps.release.outputs.major }}
git push origin v${{ steps.release.outputs.major }}.${{ steps.release.outputs.minor }}
validate-action-in-another-workflow:
needs: release
if: ${{ needs.release.outputs.release_created }}
runs-on: ubuntu-22.04
timeout-minutes: 2
steps:
# This job intentionally skips `actions/checkout` to simulate bullfrog's action as if it were called from another workflow. Refer to https://github.com/bullfrogsec/bullfrog/commit/3a3e5e03112ef726b3079d402415760c9021fa39 for details.
- uses: jenseng/dynamic-uses@02f544690a931f3967153cd5f14679cfeb61f830
with:
uses: bullfrogsec/bullfrog@${{ needs.release.outputs.tag_name }}
with: '{"allowed-domains": "www.google.com", "egress-policy": "block"}'
- name: Make HTTP requests
run: |
if ! curl https://www.google.com --output /dev/null; then
echo 'Expected curl to www.google.com to succeed, but it failed';
exit 1;
fi;
if curl https://www.bing.com --max-time 5 --output /dev/null; then
echo 'Expected curl to www.bing.com to fail, but it succeeded';
exit 1;
fi;