default-bare #174
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: default-bare | |
on: | |
push: | |
pull_request: | |
schedule: # run weekly, every Wednesday 04:00 | |
- cron: '0 4 * * 3' | |
jobs: | |
build: | |
runs-on: macos-latest | |
strategy: | |
fail-fast: false | |
max-parallel: 4 | |
env: | |
ANSIBLE_CALLBACKS_ENABLED: profile_tasks | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
path: juju4.harden_darwin | |
- name: Set up Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: '3.x' | |
- name: Install dependencies | |
run: | | |
python3 --version | |
python3 -c "import ssl; print(ssl.OPENSSL_VERSION)" | |
python3 -c 'import ssl; ssl.PROTOCOL_TLSv1_2' | |
python3 -m pip install --upgrade pip | |
pip3 install ansible-lint flake8 yamllint | |
set -x | |
which ansible || true | |
pip3 install ansible | |
pip3 show ansible | |
ls -l $HOME/.local/bin || true | |
ls -l /opt/hostedtoolcache/Python/3.9.1/x64/bin || true | |
echo "/opt/hostedtoolcache/Python/3.9.1/x64/bin" >> $GITHUB_PATH | |
which ansible | |
ansible --version | |
cd $GITHUB_WORKSPACE/juju4.harden_darwin | |
[ -f get-dependencies.sh ] && sh -x get-dependencies.sh | |
{ echo '[defaults]'; echo 'callback_whitelist = profile_tasks, timer'; echo 'roles_path = ../'; echo 'ansible_python_interpreter: /usr/bin/python3'; } >> ansible.cfg | |
- name: Environment | |
run: | | |
pwd | |
env | |
find . -ls | |
- name: run test | |
run: | | |
cd $GITHUB_WORKSPACE/juju4.harden_darwin && ansible-playbook -i localhost, --connection=local --become -vvv test/integration/default/default.yml | |
env: | |
PY_COLORS: '1' | |
ANSIBLE_FORCE_COLOR: '1' | |
- name: idempotency run | |
run: | | |
cd $GITHUB_WORKSPACE/juju4.harden_darwin && ansible-playbook -i localhost, --connection=local --become -vvv test/integration/default/default.yml | tee /tmp/idempotency.log | grep -q 'changed=0.*failed=0' && (echo 'Idempotence test: pass' && exit 0) || (echo 'Idempotence test: fail' && cat /tmp/idempotency.log && exit 0) | |
- name: After script | |
run: | | |
set -x | |
ls -A $HOME/ | |
ls -lhA /Applications/ | |
ls -lhA /usr/local/bin/ | |
ls -lhAR /private/var/_install/ | |
if: ${{ always() }} | |
continue-on-error: true | |
- name: After script - launchtl | |
run: | | |
launchctl list | |
ls -lA /Library/LaunchDaemons/ /Library/LaunchAgents/ | |
if: ${{ always() }} | |
continue-on-error: true | |
- name: After script - tools | |
run: | | |
set -x | |
[ -f /private/var/root/osxlockdown.audit ] && sudo cat /private/var/root/osxlockdown.audit || true | |
ls -lA "/Library/Application Support/Google/Chrome/External Extensions" || true | |
cp "/Library/Managed Preferences/com.google.Chrome.plist" /tmp/chrome.plist && plutil -convert xml1 /tmp/chrome.plist && cat /tmp/chrome.plist | |
cat /Applications/Firefox.app/Contents/Resources/distribution/policies.json || true | |
if: ${{ always() }} | |
continue-on-error: true | |
- name: After script - santa | |
run: | | |
cat /Users/Shared/com.google.santa.mobileconfig | |
if: ${{ always() }} | |
continue-on-error: true | |
- name: After script - osquery | |
run: | | |
set -x | |
ls -lhAR /opt/osquery | |
codesign -dr - /opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd | |
cat /Library/LaunchDaemons/io.osquery.agent.plist | |
cat /Users/Shared/osquery5.mobileconfig | |
if: ${{ always() }} | |
continue-on-error: true |