Skip to content

default-bare

default-bare #174

Workflow file for this run

---
name: default-bare
on:
push:
pull_request:
schedule: # run weekly, every Wednesday 04:00
- cron: '0 4 * * 3'
jobs:
build:
runs-on: macos-latest
strategy:
fail-fast: false
max-parallel: 4
env:
ANSIBLE_CALLBACKS_ENABLED: profile_tasks
steps:
- uses: actions/checkout@v4
with:
path: juju4.harden_darwin
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.x'
- name: Install dependencies
run: |
python3 --version
python3 -c "import ssl; print(ssl.OPENSSL_VERSION)"
python3 -c 'import ssl; ssl.PROTOCOL_TLSv1_2'
python3 -m pip install --upgrade pip
pip3 install ansible-lint flake8 yamllint
set -x
which ansible || true
pip3 install ansible
pip3 show ansible
ls -l $HOME/.local/bin || true
ls -l /opt/hostedtoolcache/Python/3.9.1/x64/bin || true
echo "/opt/hostedtoolcache/Python/3.9.1/x64/bin" >> $GITHUB_PATH
which ansible
ansible --version
cd $GITHUB_WORKSPACE/juju4.harden_darwin
[ -f get-dependencies.sh ] && sh -x get-dependencies.sh
{ echo '[defaults]'; echo 'callback_whitelist = profile_tasks, timer'; echo 'roles_path = ../'; echo 'ansible_python_interpreter: /usr/bin/python3'; } >> ansible.cfg
- name: Environment
run: |
pwd
env
find . -ls
- name: run test
run: |
cd $GITHUB_WORKSPACE/juju4.harden_darwin && ansible-playbook -i localhost, --connection=local --become -vvv test/integration/default/default.yml
env:
PY_COLORS: '1'
ANSIBLE_FORCE_COLOR: '1'
- name: idempotency run
run: |
cd $GITHUB_WORKSPACE/juju4.harden_darwin && ansible-playbook -i localhost, --connection=local --become -vvv test/integration/default/default.yml | tee /tmp/idempotency.log | grep -q 'changed=0.*failed=0' && (echo 'Idempotence test: pass' && exit 0) || (echo 'Idempotence test: fail' && cat /tmp/idempotency.log && exit 0)
- name: After script
run: |
set -x
ls -A $HOME/
ls -lhA /Applications/
ls -lhA /usr/local/bin/
ls -lhAR /private/var/_install/
if: ${{ always() }}
continue-on-error: true
- name: After script - launchtl
run: |
launchctl list
ls -lA /Library/LaunchDaemons/ /Library/LaunchAgents/
if: ${{ always() }}
continue-on-error: true
- name: After script - tools
run: |
set -x
[ -f /private/var/root/osxlockdown.audit ] && sudo cat /private/var/root/osxlockdown.audit || true
ls -lA "/Library/Application Support/Google/Chrome/External Extensions" || true
cp "/Library/Managed Preferences/com.google.Chrome.plist" /tmp/chrome.plist && plutil -convert xml1 /tmp/chrome.plist && cat /tmp/chrome.plist
cat /Applications/Firefox.app/Contents/Resources/distribution/policies.json || true
if: ${{ always() }}
continue-on-error: true
- name: After script - santa
run: |
cat /Users/Shared/com.google.santa.mobileconfig
if: ${{ always() }}
continue-on-error: true
- name: After script - osquery
run: |
set -x
ls -lhAR /opt/osquery
codesign -dr - /opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd
cat /Library/LaunchDaemons/io.osquery.agent.plist
cat /Users/Shared/osquery5.mobileconfig
if: ${{ always() }}
continue-on-error: true