add secure enclave signatures to local server response #4895
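name: ci

on:
  workflow_dispatch:
  push:
    branches: [main, master]
    tags: '*'
  pull_request:
    branches: '**'
  merge_group:
    types: [checks_requested]

# Least privilege for GITHUB_TOKEN: no job below pushes commits, writes checks
# or touches releases, so a read-only token is enough for all of them
# (actions/checkout, actions/cache and upload-artifact all work with it).
# Without this block the token inherits the repository default, which may be
# read/write for pushes and same-repo pull requests.
permissions:
  contents: read

# NOTE(review): every `uses:` below is pinned to a mutable major tag (@v3, @v2),
# so a moved tag silently changes what runs here. Pin each action to a
# full-length commit SHA (tag in a trailing comment) and let Dependabot bump
# them; this matters most for the third-party goto-bus-stop/setup-zig action.
# SHAs are deliberately not filled in here -- take them from each action's
# release page rather than from this review.

jobs:
  build_and_test:
    name: launcher
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false # Consider changing this sometime
      matrix:
        os:
          - ubuntu-20.04
          - macos-12
          - windows-latest
    steps:
      - name: Check out code
        id: checkout
        uses: actions/checkout@v3
        with:
          fetch-depth: 0 # need a full checkout for `git describe`
          # Nothing in this job pushes or fetches over HTTPS with the token,
          # so don't leave it in .git/config where build scripts (and anything
          # that archives the tree) can read it. `git describe` is offline.
          persist-credentials: false
      - name: Setup Go
        uses: actions/setup-go@v3
        with:
          go-version-file: './go.mod'
          check-latest: true
        id: go
      # use bash, because the powershell syntax is different and this is a cross platform workflow
      - id: go-cache-paths
        shell: bash
        run: |
          echo "go-build=$(go env GOCACHE)" >> "$GITHUB_OUTPUT"
          echo "go-mod=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"
      - name: Go Build Cache
        uses: actions/cache@v3
        with:
          path: ${{ steps.go-cache-paths.outputs.go-build }}
          key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.sum') }}
      - name: Go Mod Cache
        uses: actions/cache@v3
        with:
          path: ${{ steps.go-cache-paths.outputs.go-mod }}
          key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
      - name: Get dependencies
        run: make deps
      - name: Set up zig
        if: ${{ contains(matrix.os, 'ubuntu') }}
        uses: goto-bus-stop/setup-zig@v2
      - name: Build
        run: make -j2 github-build
      - name: Check macOS build target
        if: contains(matrix.os, 'macos')
        # this uses grep's exit code
        run: otool -l build/launcher | grep -A1 "minos 11"
      - name: Lipo
        run: make github-lipo
        if: ${{ contains(matrix.os, 'macos') }}
      - name: App Bundle
        run: make github-launcherapp
        if: ${{ contains(matrix.os, 'macos') }}
      - name: Test
        run: make test
      # The build output is handed to the downstream jobs through the cache
      # rather than an artifact. The key is scoped to this run id, so the
      # restore steps below get exactly what this run built.
      - name: Cache build output
        uses: actions/cache@v3
        with:
          path: ./build
          key: ${{ runner.os }}-${{ github.run_id }}
          enableCrossOsArchive: true
      # upload coverage here, because we don't cache it with the build
      - name: Upload coverage
        uses: actions/upload-artifact@v3
        with:
          name: ${{ runner.os }}-coverage.out
          path: coverage.out

  # this job captures the version of launcher on one of the runners then that version is
  # compared to the version of all other runners during exec testing. This is to ensure
  # that the version of launcher is the same across all runners.
  version_baseline:
    name: Version Baseline
    runs-on: ubuntu-20.04
    needs: build_and_test
    outputs:
      version: ${{ steps.version.outputs.version }}
    steps:
      - name: cache restore build output
        uses: actions/cache/restore@v3
        with:
          path: ./build
          key: ${{ runner.os }}-${{ github.run_id }}
          enableCrossOsArchive: true
          # A miss here means the build job's output never arrived; fail at
          # the restore rather than at the confusing "./launcher: not found".
          fail-on-cache-miss: true
      - id: version
        name: Launcher Version
        working-directory: build
        shell: bash
        # Refuse to publish an empty baseline: with an empty output the
        # comparison in exec_testing would pass vacuously whenever every
        # runner's launcher also failed to report a version.
        run: |
          version="$(./launcher --version 2>/dev/null | awk '/version /{print $4}')"
          if [[ -z "$version" ]]; then
            echo "could not determine launcher version from ./launcher --version" >&2
            exit 1
          fi
          echo "version=$version" >> "$GITHUB_OUTPUT"

  exec_testing:
    name: Exec Test
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        os:
          # See https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners#supported-software
          - ubuntu-20.04
          - ubuntu-22.04
          - macos-11
          - macos-12
          - macos-13
          - windows-2019
          - windows-2022
    needs: version_baseline
    steps:
      - name: cache restore build output
        uses: actions/cache/restore@v3
        with:
          path: ./build
          key: ${{ runner.os }}-${{ github.run_id }}
          enableCrossOsArchive: true
          fail-on-cache-miss: true
      - name: Launcher Version
        working-directory: build
        shell: bash
        # Hand the job output to the script through the environment instead of
        # splicing `${{ needs.... }}` into the `run:` text. An expression in a
        # run block is substituted before bash parses the script, so a value
        # containing shell metacharacters would be executed as code; an env var
        # is only ever data.
        env:
          BASE_VERSION: ${{ needs.version_baseline.outputs.version }}
        run: |
          ./launcher --version
          thisVersion=$(./launcher --version 2>/dev/null | grep "version" | awk '{print $4}')
          baseVersion="$BASE_VERSION"
          if [[ -z "$baseVersion" ]]; then
            echo "baseline launcher version is empty; refusing to compare" >&2
            exit 1
          fi
          if [[ "$thisVersion" != "$baseVersion" ]]; then
            printf "launcher version %s does not match baseline version %s" "$thisVersion" "$baseVersion"
            exit 1
          fi
      # NOTE(review): this fetches osqueryd over the network at test time.
      # Confirm that `download-osquery` verifies what it downloads (signature
      # or pinned checksum) so a tampered mirror cannot feed an unverified
      # binary into the steps below -- not visible from this workflow.
      - name: Download Osquery
        working-directory: build
        run: ./launcher download-osquery --directory .
      - name: Osquery Version
        working-directory: build
        run: ./osqueryd --version
      - name: Launcher Doctor
        working-directory: build
        run: ./launcher doctor

  # If the prior exec tests succeeded, this grabs the cached things, and moves them to artifacts. We ought
  # be able to do this entirely on ubuntu, so let's try!
  store_artifacts:
    name: Store Artifacts
    runs-on: ubuntu-20.04
    strategy:
      fail-fast: false
      matrix:
        artifactos:
          # artifactos needs to match the runner.os set by the builds. (Which is not quite the same as matrix.os)
          - linux
          - macos
          - windows
    needs: exec_testing
    steps:
      - name: cache restore build output
        uses: actions/cache/restore@v3
        with:
          path: ./build
          key: ${{ matrix.artifactos }}-${{ github.run_id }}
          enableCrossOsArchive: true
          # Together with if-no-files-found below this guarantees we never
          # publish an empty or stale build directory as the artifact.
          fail-on-cache-miss: true
      - name: Upload Build
        uses: actions/upload-artifact@v3
        with:
          name: ${{ matrix.artifactos }}-build
          path: build/
          if-no-files-found: error

  package_builder_test:
    name: package_builder
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: true
      matrix:
        os:
          - ubuntu-20.04
          - macos-12
          - windows-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0 # need a full checkout for `git describe`
          persist-credentials: false # nothing here pushes; keep the token out of .git/config
      - uses: actions/setup-go@v3
        with:
          go-version-file: './go.mod'
          check-latest: true
        id: go
      - id: go-cache-paths
        shell: bash
        run: |
          echo "go-build=$(go env GOCACHE)" >> "$GITHUB_OUTPUT"
          echo "go-mod=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"
      - name: Go Build Cache
        uses: actions/cache@v3
        with:
          path: ${{ steps.go-cache-paths.outputs.go-build }}
          key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.sum') }}
      - name: Go Mod Cache
        uses: actions/cache@v3
        with:
          path: ${{ steps.go-cache-paths.outputs.go-mod }}
          key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
      - run: make deps
      # The `binary` output used by the next step is presumably written to
      # $GITHUB_OUTPUT by the package-builder make target; it is not declared
      # in this workflow -- verify against the Makefile.
      - id: build
        run: make package-builder
      # `${{ steps.build.outputs.binary }}` is interpolated straight into the
      # command line. That is tolerable only because the value is produced by
      # the Makefile in the checkout this job is already executing, i.e. the
      # same trust domain; do not reuse this pattern for values that come from
      # PR titles, issue bodies or other user-controlled event fields.
      # `--enroll_secret=secret` and `--hostname=localhost` are throwaway
      # placeholders for a package that is never enrolled anywhere, not real
      # credentials.
      - name: package
        id: run-package-builder
        run: ${{ steps.build.outputs.binary }} make --i-am-a-kolide-customer --debug --hostname=localhost --enroll_secret=secret --launcher_version=nightly --osquery_version=nightly --output_dir=./
      - name: Test install macOS
        if: ${{ contains(matrix.os, 'macos') }}
        run: |
          # Check that we can install
          sudo installer -dumplog -pkg ./launcher.darwin-launchd-pkg.pkg -target /
          # Quick check that at least a couple of the files we expect now exist
          if [ ! -f /Library/LaunchDaemons/com.launcher.launcher.plist ]; then echo "missing launchd entry" && exit 1; fi
          if [ ! -f /usr/local/launcher/osquery.app/Contents/MacOS/osqueryd ]; then echo "missing osqueryd binary" && exit 1; fi
          if [ ! -L /usr/local/launcher/bin/osqueryd ]; then echo "missing osquery symlink" && exit 1; fi
          if [ ! -e /usr/local/launcher/bin/osqueryd ]; then echo "osquery symlink is present but broken" && exit 1; fi
          if [ ! -f /usr/local/launcher/Kolide.app/Contents/MacOS/launcher ]; then echo "missing launcher binary" && exit 1; fi
          if [ ! -L /usr/local/launcher/bin/launcher ]; then echo "missing launcher symlink" && exit 1; fi
          if [ ! -e /usr/local/launcher/bin/launcher ]; then echo "launcher symlink is present but broken" && exit 1; fi

  # This job is here as a github status check -- it allows us to move
  # the merge dependency from being on all the jobs to this single
  # one. (exec_testing already depends on version_baseline, so that job
  # is covered transitively; store_artifacts is intentionally not gating.)
  ci_mergeable:
    runs-on: ubuntu-latest
    steps:
      - run: true
    needs:
      - build_and_test
      - package_builder_test
      - exec_testing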