Merge pull request #98 from mitre/V-93241-fix #186
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Verify the Baseline using Vagrant | |
| on: | |
| push: | |
| branches: [ main ] | |
| pull_request: | |
| branches: [ main ] | |
| release: | |
| types: | |
| - published | |
| jobs: | |
| my-job: | |
| name: Validate my profile | |
| runs-on: ubuntu-22.04 | |
| env: | |
| CHEF_LICENSE: accept-silent | |
| CHEF_LICENSE_KEY: ${{ secrets.SAF_CHEF_LICENSE_KEY }} | |
| KITCHEN_YAML: kitchen.vagrant.yml | |
| strategy: | |
| matrix: | |
| suite: ['hardened'] | |
| fail-fast: false | |
| steps: | |
| - name: Add needed packages | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get -y install jq | |
| - name: Add VirtualBox | |
| run: sudo apt-get install virtualbox | |
| - name: Add vagrant | |
| run: | | |
| wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg | |
| echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list | |
| sudo apt update && sudo apt install vagrant | |
| - name: Check out repository | |
| uses: actions/checkout@v4 | |
| - name: Setup Ruby | |
| uses: ruby/setup-ruby@v1 | |
| with: | |
| ruby-version: '3.1' | |
| - name: Disable ri and rdoc | |
| run: 'echo "gem: --no-ri --no-rdoc" >> ~/.gemrc' | |
| # - name: Setup caching | |
| # uses: actions/cache@v3 | |
| # with: | |
| # path: vendor/bundle | |
| # key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }} | |
| # restore-keys: | | |
| # ${{ runner.os }}-gems- | |
| - name: Bundle install | |
| run: bundle install | |
| - name: Installed Inspec | |
| run: bundle exec inspec version | |
| - name: Vendor the Profile | |
| run: bundle exec inspec vendor . --overwrite | |
| - name: Run kitchen test | |
| run: | | |
| cd test/cookbooks/Win2019STIG | |
| bundle exec kitchen test ${{ matrix.suite }} || true | |
| - name: Save Test Result JSON | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| path: test/cookbooks/Win2019STIG/results/*.json | |
| - name: Display our ${{ matrix.suite }} results summary | |
| uses: mitre/saf_action@v1 | |
| with: | |
| command_string: 'view summary -i test/cookbooks/Win2019STIG/results/${{ matrix.suite }}-test-result.json' | |
| - name: Ensure the scan meets our ${{ matrix.suite }} results threshold | |
| uses: mitre/saf_action@v1 | |
| with: | |
| command_string: 'validate threshold -i test/cookbooks/Win2019STIG/results/${{ matrix.suite }}-test-result.json -F test/cookbooks/Win2019STIG/${{ matrix.suite }}.threshold.yml' |