Merge https://github.com/cisagov/skeleton-ansible-role into lineage/skeleton

jsf9k · jsf9k · commit bf2e4a8f3966 · 2025-01-24T06:30:29.000Z
# Conflicts:
#	.github/workflows/build.yml
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -172,3 +172,116 @@ jobs:
       - name: Setup tmate debug session
         uses: mxschmitt/action-tmate@v3
         if: env.RUN_TMATE
+<<<<<<< HEAD
+=======
+  test:
+    name: >-
+      test (${{ matrix.scenario }}) -
+      ${{ matrix.platform }}-${{ matrix.architecture }}
+    needs:
+      - diagnostics
+    permissions:
+      # actions/checkout needs this to fetch code
+      contents: read
+    runs-on: ubuntu-${{ startsWith(matrix.architecture, 'arm') && '24.04-arm' || 'latest' }}
+    strategy:
+      fail-fast: false
+      matrix:
+        architecture:
+          - amd64
+          - arm64
+        platform:
+          - amazonlinux2023-systemd
+          - debian10-systemd
+          - debian11-systemd
+          - debian12-systemd
+          - debian13-systemd
+          - fedora39-systemd
+          - fedora40-systemd
+          - fedora41-systemd
+          - kali-systemd
+          - ubuntu-20-systemd
+          - ubuntu-22-systemd
+          - ubuntu-24-systemd
+        scenario:
+          - default
+    steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          # Uses the organization variable unless overridden
+          config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
+      - id: harden-runner
+        name: Harden the runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+      - id: setup-env
+        uses: cisagov/setup-env-github-action@develop
+      - uses: actions/checkout@v4
+      - id: setup-python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ steps.setup-env.outputs.python-version }}
+      - uses: actions/cache@v4
+        env:
+          BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\
+            py${{ steps.setup-python.outputs.python-version }}-"
+        with:
+          path: ${{ env.PIP_CACHE_DIR }}
+          key: "${{ env.BASE_CACHE_KEY }}\
+            ${{ hashFiles('**/requirements-test.txt') }}-\
+            ${{ hashFiles('**/requirements.txt') }}"
+          restore-keys: |
+            ${{ env.BASE_CACHE_KEY }}
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install --upgrade --requirement requirements-test.txt
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      # Disabling the unix-chkpwd AppArmor profile is necessary when
+      # running Molecule tests against Fedora 40 and 41; otherwise,
+      # the privileged container cannot successfully run sudo and
+      # hence Ansible is unable to do anything.  See
+      # fedora-cloud/docker-brew-fedora#117 for more details.
+      #
+      # Purging firefox is currently necessary because the
+      # installation available on the GitHub runner instance provides
+      # two conflicting AppArmor profiles:
+      # /etc/apparmor.d/usr.bin.firefox and /etc/apparmor.d/firefox.
+      # This conflict causes the aa-disable /usr/sbin/unix_chkpwd
+      # command to fail.
+      #
+      # Purging passt is currently necessary because the installation
+      # available on the GitHub runner instance contains a wonky
+      # AppArmor file (/etc/apparmor.d/abstractions/passt) that causes
+      # the aa-disable command to fail.
+      #
+      # TODO: Remove the apt-get purge and systemctl reload commands
+      # when possible.  See cisagov/skeleton-ansible-role#215 for more
+      # details.
+      - name: Disable unix-chkpwd AppArmor profile
+        run: |
+          sudo apt-get purge firefox passt
+          sudo systemctl reload apparmor.service
+          sudo apt-get install apparmor-utils
+          sudo aa-disable /usr/sbin/unix_chkpwd
+        if: ${{ startsWith(matrix.platform, 'fedora') }}
+      - name: Run molecule tests
+        run: >-
+          molecule test
+          --platform-name ${{ matrix.platform }}-${{ matrix.architecture }}
+          --scenario-name ${{ matrix.scenario }}
+      # TODO: Remove the apt-get install command when possible.  See
+      # cisagov/skeleton-ansible-role#215 for more details.
+      - name: Re-enable unix-chkpwd AppArmor profile
+        run: |
+          sudo aa-enforce /usr/sbin/unix_chkpwd
+          sudo apt-get install firefox passt
+        if: ${{ startsWith(matrix.platform, 'fedora') }}
+      - name: Setup tmate debug session
+        uses: mxschmitt/action-tmate@v3
+        if: env.RUN_TMATE
+>>>>>>> be68cb2505df92d0e66f832e9bbe4ccd884fb628
