Agent Capability Tests - ARM #85
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Agent Capability Tests - ARM | |
on: | |
workflow_dispatch: | |
jobs: | |
test-host-outbound: | |
runs-on: ARMLinuxRunner | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@rc | |
with: | |
egress-policy: audit | |
allowed-endpoints: > | |
github.com:443 | |
goreleaser.com:443 | |
- run: cat /etc/systemd/resolved.conf | |
- run: cat /etc/resolv.conf | |
- name: Checkout code | |
uses: actions/checkout@v3 | |
- name: Run outbound calls from host | |
run: | | |
start_time=$(date +%s) | |
end_time=$((start_time + 90)) # 5 minutes = 300 seconds | |
while [ $(date +%s) -lt $end_time ]; do | |
curl -I https://www.google.com | |
curl -I https://goreleaser.com | |
sleep 10 # wait 10 seconds between calls | |
done | |
test-docker-outbound: | |
runs-on: ARMLinuxRunner | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@rc | |
with: | |
egress-policy: block | |
allowed-endpoints: > | |
archive.ubuntu.com:80 | |
github.com:443 | |
goreleaser.com:443 | |
production.cloudflare.docker.com:443 | |
*.docker.io:443 | |
security.ubuntu.com:80 | |
ports.ubuntu.com:80 | |
- run: cat /etc/resolv.conf | |
- run: cat /run/systemd/resolve/resolv.conf | |
- name: Checkout code | |
uses: actions/checkout@v3 | |
- name: Run outbound calls from within Docker container | |
continue-on-error: true | |
run: | | |
# Start the container | |
docker run --rm -d --name test-container ubuntu:latest sleep 90 | |
# Install curl in the container | |
docker exec test-container apt-get update | |
docker exec test-container apt-get install -y curl | |
# Print /etc/resolv.conf from the container | |
docker exec test-container cat /etc/resolv.conf | |
# Make outbound calls | |
for i in {1..9}; do | |
docker exec test-container curl -I https://www.google.com | |
docker exec test-container curl -I https://goreleaser.com | |
sleep 10 # wait 10 seconds between calls | |
done | |
# Stop the container | |
docker stop test-container | |
- name: Print Docker logs with journalctl | |
run: | | |
sudo journalctl -u docker.service --no-pager | |
shell: bash | |
- run: cat /etc/resolv.conf | |
- run: cat /run/systemd/resolve/resolv.conf | |
test-docker-build-outbound: | |
runs-on: ARMLinuxRunner | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@rc | |
with: | |
egress-policy: audit | |
allowed-endpoints: > | |
archive.ubuntu.com:80 | |
auth.docker.io:443 | |
github.com:443 | |
goreleaser.com:443 | |
production.cloudflare.docker.com:443 | |
registry-1.docker.io:443 | |
security.ubuntu.com:80 | |
- run: cat /etc/resolv.conf | |
- name: Checkout code | |
uses: actions/checkout@v3 | |
- name: Build Docker image and test outbound calls during build | |
continue-on-error: true | |
run: | | |
# Create a Dockerfile that installs curl and makes outbound calls | |
cat <<EOF > Dockerfile | |
FROM ubuntu:latest | |
RUN apt-get update && apt-get install -y curl | |
RUN for i in {1..9}; do curl -I https://www.google.com && curl -I https://goreleaser.com; sleep 10; done | |
EOF | |
# Build the Docker image | |
docker build -t test-image . | |
# Print /etc/resolv.conf from the build container (temporary container used during build) | |
container_id=$(docker create test-image) | |
docker start $container_id | |
docker exec $container_id cat /etc/resolv.conf | |
docker stop $container_id | |
docker rm $container_id | |
- name: Print Docker logs with journalctl | |
run: | | |
sudo journalctl -u docker.service --no-pager | |
shell: bash | |
- run: cat /etc/resolv.conf | |
- run: cat /run/systemd/resolve/resolv.conf | |
test-long-running-docker: | |
runs-on: ARMLinuxRunner | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@rc | |
with: | |
egress-policy: block | |
allowed-endpoints: > | |
archive.ubuntu.com:80 | |
auth.docker.io:443 | |
github.com:443 | |
goreleaser.com:443 | |
production.cloudflare.docker.com:443 | |
registry-1.docker.io:443 | |
security.ubuntu.com:80 | |
ports.ubuntu.com:80 | |
- run: cat /etc/resolv.conf | |
- name: Checkout code | |
uses: actions/checkout@v3 | |
- name: Run long-running Docker container with outbound calls | |
continue-on-error: true | |
run: | | |
# Start the long-running container | |
docker run --rm -d --name long-running-container ubuntu:latest bash -c " | |
apt-get update && apt-get install -y curl && | |
while true; do | |
curl -I https://www.google.com; | |
curl -I https://goreleaser.com; | |
sleep 10; | |
done | |
" | |
# Print /etc/resolv.conf from the container | |
docker exec long-running-container cat /etc/resolv.conf | |
# Let the container run for 5 minutes | |
sleep 90 | |
# Stop the container | |
docker stop long-running-container | |
- name: Print Docker logs with journalctl | |
run: | | |
sudo journalctl -u docker.service --no-pager | |
shell: bash | |
- run: cat /etc/resolv.conf | |
- run: cat /run/systemd/resolve/resolv.conf |