Network hardening using sysctl #2768
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # SPDX-FileCopyrightText: 2022-2023 TII (SSRC) and the Ghaf contributors | |
| # | |
| # SPDX-License-Identifier: Apache-2.0 | |
| name: build | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request_target: | |
| branches: | |
| - main | |
| permissions: | |
| contents: read | |
| jobs: | |
| # This workflow uses environment-based authorization together | |
| # with 'pull_request_target' trigger as explained in: | |
| # https://ssrc.atlassian.net/wiki/x/OABjMg | |
| check-identity: | |
| if: ${{ github.repository == 'tiiuae/ghaf' }} # Skip in forks | |
| runs-on: ubuntu-latest | |
| outputs: | |
| authorized_user: ${{ steps.check-authorized-user.outputs.authorized_user}} | |
| environment: "internal-build-workflow" | |
| steps: | |
| - name: Check identity | |
| id: check-authorized-user | |
| shell: bash | |
| run: | | |
| authorized_user='False' | |
| for user in ${{ vars.AUTHORIZED_USERS }}; | |
| do | |
| if [ "$user" = "${{ github.actor }}" ]; then | |
| authorized_user='True' | |
| break | |
| fi | |
| done | |
| echo "github.event_name: ${{ github.event_name }}" | |
| echo "github.repository: ${{ github.repository }}" | |
| echo "github.event.pull_request.head.repo.full_name: ${{ github.event.pull_request.head.repo.full_name }}" | |
| echo "github.actor: ${{ github.actor }}" | |
| echo "github.ref: ${{ github.ref}}" | |
| echo "github.event.pull_request.head.sha: ${{github.event.pull_request.head.sha}}" | |
| echo "authorized_user=$authorized_user" | |
| echo "authorized_user=$authorized_user" >> "$GITHUB_OUTPUT" | |
| authorize-internal: | |
| needs: [check-identity] | |
| runs-on: ubuntu-latest | |
| if: ${{ needs.check-identity.outputs.authorized_user == 'True' }} | |
| steps: | |
| - name: Authorize internal | |
| run: echo "authorized" | |
| authorize-external: | |
| needs: [check-identity] | |
| runs-on: ubuntu-latest | |
| if: ${{ needs.check-identity.outputs.authorized_user == 'False' }} | |
| environment: ${{ ( github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external-build-workflow' ) || ( 'internal-build-workflow' ) }} | |
| steps: | |
| - name: Authorize external | |
| run: echo "authorized" | |
| authorize: | |
| needs: [authorize-internal, authorize-external] | |
| runs-on: ubuntu-latest | |
| # See: https://github.com/actions/runner/issues/491#issuecomment-660122693 | |
| if: | | |
| always() && | |
| (needs.authorize-internal.result == 'success' || needs.authorize-internal.result == 'skipped') && | |
| (needs.authorize-external.result == 'success' || needs.authorize-external.result == 'skipped') && | |
| !(needs.authorize-internal.result == 'skipped' && needs.authorize-external.result == 'skipped') | |
| steps: | |
| - name: Authorize | |
| run: echo "authorized" | |
| build-yml-check: | |
| runs-on: ubuntu-latest | |
| if: ${{ github.event_name == 'pull_request_target' }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha || github.ref }} | |
| fetch-depth: 0 | |
| - name: Check if workflow is modified | |
| id: build-yml-changed | |
| uses: tj-actions/changed-files@v45 | |
| with: | |
| files: .github/workflows/build.yml | |
| - name: Send warning | |
| run: | | |
| if [ "${{ steps.build-yml-changed.outputs.any_changed }}" == "true" ]; then | |
| echo "::error::"\ | |
| "This change edits workflow file '.github/workflows/build.yml'."\ | |
| "Raising this error to notify that the workflow change will only take impact after merge."\ | |
| "Therefore, you need to manually test the change (perhaps in a forked repo)"\ | |
| "before merging to make sure the change does not break anything." | |
| exit 1 | |
| fi | |
| build_matrix: | |
| name: "build" | |
| needs: [authorize] | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 360 | |
| strategy: | |
| matrix: | |
| include: | |
| - arch: x86_64-linux | |
| target: generic-x86_64-debug | |
| - arch: x86_64-linux | |
| target: lenovo-x1-carbon-gen11-debug | |
| - arch: x86_64-linux | |
| target: nvidia-jetson-orin-agx-debug-from-x86_64 | |
| - arch: x86_64-linux | |
| target: nvidia-jetson-orin-nx-debug-from-x86_64 | |
| # - arch: x86_64-linux | |
| # target: microchip-icicle-kit-debug-from-x86_64 | |
| - arch: x86_64-linux | |
| target: doc | |
| - arch: aarch64-linux | |
| target: nvidia-jetson-orin-nx-debug | |
| - arch: aarch64-linux | |
| target: nvidia-jetson-orin-agx-debug | |
| if: | | |
| always() && | |
| needs.authorize.result == 'success' | |
| concurrency: | |
| # Cancel any in-progress workflow runs from the same PR or branch, | |
| # allowing matrix jobs to run concurrently: | |
| group: ${{ github.workflow }}.${{ github.event.pull_request.number || github.ref }}.${{ matrix.arch }}.${{ matrix.target }} | |
| cancel-in-progress: true | |
| steps: | |
| - name: Apt install | |
| run: sudo apt-get update; sudo apt-get install -y inxi git | |
| - name: Print runner system info | |
| run: sudo inxi -c0 --width -1 --basic --memory-short | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha || github.ref }} | |
| fetch-depth: 0 | |
| - name: Rebase | |
| if: ${{ github.base_ref != '' }} | |
| run: | | |
| BASE="origin/${{ github.base_ref }}" | |
| COMMITS="$(git rev-list "$BASE".. --count)" | |
| CONTEXT=5 | |
| echo -e "\n[+] Git log before rebase (with $CONTEXT commits context):" | |
| git log --oneline -n$(( COMMITS + CONTEXT )) | |
| echo -e "\n[+] Rebasing $COMMITS commit(s) on top of '$BASE'" | |
| git config user.email "[email protected]"; git config user.name "Foo Bar" | |
| git rebase "$BASE" | |
| echo -e "\n[+] Git log after rebase (with $CONTEXT commits context):" | |
| git log --oneline -n$(( COMMITS + CONTEXT )) | |
| - name: Install nix | |
| uses: cachix/install-nix-action@v30 | |
| - name: Prepare build | |
| run: | | |
| sh -c "umask 377; echo '${{ secrets.BUILDER_SSH_KEY }}' >builder_key" | |
| sudo sh -c "echo '${{ vars.BUILDER_SSH_KNOWN_HOST }}' >>/etc/ssh/ssh_known_hosts" | |
| - name: Build ${{ matrix.arch }}.${{ matrix.target }} | |
| run: | | |
| if [ "${{ matrix.arch }}" == "x86_64-linux" ]; then | |
| BUILDER='${{ vars.BUILDER_X86 }}' | |
| elif [ "${{ matrix.arch }}" == "aarch64-linux" ]; then | |
| BUILDER='${{ vars.BUILDER_AARCH }}' | |
| else | |
| echo "::error::Unknown architecture: '${{ matrix.arch }}'" | |
| exit 1 | |
| fi | |
| nix run --inputs-from .# nixpkgs#nix-fast-build -- \ | |
| --flake .#packages.${{ matrix.arch }}.${{ matrix.target }} \ | |
| --remote "$BUILDER" \ | |
| --remote-ssh-option IdentityFile builder_key \ | |
| --option accept-flake-config true \ | |
| --no-download --skip-cached --no-nom |