v0.10.1 #53
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: release | |
| on: # yamllint disable-line rule:truthy | |
| release: | |
| types: | |
| - released | |
| env: | |
| AWS_DEFAULT_REGION: us-east-1 | |
| # Do not copy the AMI to other regions until we have figured out a | |
| # workable mechanism for creating and managing AMI KMS keys in other | |
| # regions. | |
| # See https://github.com/cisagov/cool-system/issues/18 for details. | |
| # COPY_REGIONS_KMS_MAP: "us-east-2:alias/cool-amis, | |
| # us-west-1:alias/cool-amis, | |
| # us-west-2:alias/cool-amis" | |
| PIP_CACHE_DIR: ~/.cache/pip | |
| RUN_TMATE: ${{ secrets.RUN_TMATE }} | |
| jobs: | |
| diagnostics: | |
| name: Run diagnostics | |
| # This job does not need any permissions | |
| permissions: {} | |
| runs-on: ubuntu-latest | |
| steps: | |
| # Note that a duplicate of this step must be added at the top of | |
| # each job. | |
| - name: Apply standard cisagov job preamble | |
| uses: cisagov/action-job-preamble@v1 | |
| with: | |
| check_github_status: "true" | |
| # This functionality is poorly implemented and has been | |
| # causing problems due to the MITM implementation hogging or | |
| # leaking memory. As a result we disable it by default. If | |
| # you want to temporarily enable it, simply set | |
| # monitor_permissions equal to "true". | |
| # | |
| # TODO: Re-enable this functionality when practical. See | |
| # cisagov/skeleton-packer#411 for more details. | |
| monitor_permissions: "false" | |
| output_workflow_context: "true" | |
| # Use a variable to specify the permissions monitoring | |
| # configuration. By default this will yield the | |
| # configuration stored in the cisagov organization-level | |
| # variable, but if you want to use a different configuration | |
| # then simply: | |
| # 1. Create a repository-level variable with the name | |
| # ACTIONS_PERMISSIONS_CONFIG. | |
| # 2. Set this new variable's value to the configuration you | |
| # want to use for this repository. | |
| # | |
| # Note in particular that changing the permissions | |
| # monitoring configuration *does not* require you to modify | |
| # this workflow. | |
| permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} | |
| release: | |
| environment: production | |
| needs: | |
| - diagnostics | |
| permissions: | |
| # actions/checkout needs this to fetch code | |
| contents: read | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| architecture: | |
| # The CDM Nessus Agent does not support ARM64 on Fedora. | |
| # - arm64 | |
| - x86_64 | |
| steps: | |
| - name: Apply standard cisagov job preamble | |
| uses: cisagov/action-job-preamble@v1 | |
| with: | |
| # This functionality is poorly implemented and has been | |
| # causing problems due to the MITM implementation hogging or | |
| # leaking memory. As a result we disable it by default. If | |
| # you want to temporarily enable it, simply set | |
| # monitor_permissions equal to "true". | |
| # | |
| # TODO: Re-enable this functionality when practical. See | |
| # cisagov/skeleton-packer#411 for more details. | |
| monitor_permissions: "false" | |
| # Use a variable to specify the permissions monitoring | |
| # configuration. By default this will yield the | |
| # configuration stored in the cisagov organization-level | |
| # variable, but if you want to use a different configuration | |
| # then simply: | |
| # 1. Create a repository-level variable with the name | |
| # ACTIONS_PERMISSIONS_CONFIG. | |
| # 2. Set this new variable's value to the configuration you | |
| # want to use for this repository. | |
| # | |
| # Note in particular that changing the permissions | |
| # monitoring configuration *does not* require you to modify | |
| # this workflow. | |
| permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} | |
| - id: setup-env | |
| uses: cisagov/setup-env-github-action@develop | |
| - uses: actions/checkout@v4 | |
| - id: setup-python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: ${{ steps.setup-env.outputs.python-version }} | |
| - uses: actions/cache@v4 | |
| env: | |
| BASE_CACHE_KEY: ${{ github.job }}-${{ runner.os }}-\ | |
| py${{ steps.setup-python.outputs.python-version }}-\ | |
| packer${{ steps.setup-env.outputs.packer-version }}-\ | |
| tf-${{ steps.setup-env.outputs.terraform-version }}- | |
| with: | |
| path: | | |
| ${{ env.PIP_CACHE_DIR }} | |
| key: ${{ env.BASE_CACHE_KEY }}\ | |
| ${{ hashFiles('**/requirements.txt') }} | |
| restore-keys: | | |
| ${{ env.BASE_CACHE_KEY }} | |
| - uses: hashicorp/setup-packer@v3 | |
| with: | |
| version: ${{ steps.setup-env.outputs.packer-version }} | |
| - uses: hashicorp/setup-terraform@v3 | |
| with: | |
| terraform_version: ${{ steps.setup-env.outputs.terraform-version }} | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install --upgrade \ | |
| --requirement requirements.txt | |
| # Do not copy the AMI to other regions until we have figured out a | |
| # workable mechanism for creating and managing AMI KMS keys in other | |
| # regions. | |
| # See https://github.com/cisagov/cool-system/issues/18 for details. | |
| # - name: Add copy regions to packer configuration | |
| # run: | | |
| # echo $COPY_REGIONS_KMS_MAP | \ | |
| # ./patch_packer_config.py variables.pkr.hcl | |
| - name: Assume AWS build role | |
| uses: aws-actions/[email protected] | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: ${{ env.AWS_DEFAULT_REGION }} | |
| role-to-assume: ${{ secrets.BUILD_ROLE_TO_ASSUME }} | |
| role-duration-seconds: 3600 | |
| # When called by Packer, Ansible will find /usr/bin/python3 and | |
| # use it; therefore, we must ensure that /usr/bin/python3 points | |
| # to the version of Python that we installed in the | |
| # actions/setup-python step above. This can hose other tasks | |
| # that are expecting to find the system Python at that location, | |
| # though, so we undo this change after running Packer. | |
| - name: Create a /usr/bin/python3 symlink to the installed python | |
| run: | | |
| sudo mv /usr/bin/python3 /usr/bin/python3-default | |
| sudo ln -s ${{ env.pythonLocation }}/bin/python3 \ | |
| /usr/bin/python3 | |
| - name: Install Packer plugins | |
| run: packer init . | |
| - id: get-third-party-bucket-name | |
| name: Get the third-party bucket name from SSM Parameter Store | |
| run: | | |
| echo name=$(aws ssm get-parameter \ | |
| --name /third_party_bucket_name \ | |
| --output text \ | |
| --query Parameter.Value \ | |
| --with-decryption) >> $GITHUB_OUTPUT | |
| - name: Create machine image | |
| run: | | |
| packer build -only amazon-ebs.${{ matrix.architecture }} \ | |
| -timestamp-ui \ | |
| -var build_bucket=${{ steps.get-third-party-bucket-name.outputs.name }} \ | |
| -var cdm_enabled=true \ | |
| -var github_ref_name=${{ github.ref_name }} \ | |
| -var github_sha=${{ github.sha }} \ | |
| -var is_prerelease=${{ github.event.release.prerelease }} \ | |
| -var release_tag=${{ github.event.release.tag_name }} \ | |
| -var release_url=${{ github.event.release.html_url }} \ | |
| . | |
| - name: Remove /usr/bin/python3 symlink to the installed python | |
| run: | | |
| sudo mv /usr/bin/python3-default /usr/bin/python3 | |
| - name: Setup tmate debug session | |
| uses: mxschmitt/action-tmate@v3 | |
| if: env.RUN_TMATE |