feat: allow user to use local ticket auth #284
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Lint and Test | |
| on: | |
| pull_request: | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
| cancel-in-progress: true | |
| jobs: | |
| lint: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - uses: pre-commit/[email protected] | |
| matrix-prep-config: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - id: release | |
| if: ${{ startsWith(github.head_ref, 'release/') || contains( github.event.pull_request.labels.*.name, | |
| 'run-all-versions') }} | |
| run: | | |
| echo "config={\"python-version\": [\"3.13\"]}" >> $GITHUB_OUTPUT | |
| - id: not-release | |
| if: ${{ !startsWith(github.head_ref, 'release/') }} | |
| run: | | |
| echo "config={\"python-version\": [\"3.13\"]}" >> $GITHUB_OUTPUT | |
| outputs: | |
| config: ${{ steps.release.outputs.config || steps.not-release.outputs.config | |
| }} | |
| test: | |
| needs: | |
| - matrix-prep-config | |
| - lint | |
| timeout-minutes: 30 | |
| runs-on: ubuntu-latest | |
| name: Test Python ${{ matrix.python-version }} | |
| strategy: | |
| matrix: ${{ fromJson(needs.matrix-prep-config.outputs.config) }} | |
| steps: | |
| - uses: actions/checkout@v6 | |
| if: ${{ endsWith(github.repository, 'Empire') }} | |
| with: | |
| submodules: 'recursive' | |
| # token is only needed in sponsors repo because of private submodules | |
| # don't use token in public repo because prs from forks cannot access secrets | |
| - uses: actions/checkout@v6 | |
| if: ${{ endsWith(github.repository, 'Empire-Sponsors') }} | |
| with: | |
| submodules: 'recursive' | |
| token: ${{ secrets.RELEASE_TOKEN }} | |
| - name: Initialize mandatory git config | |
| run: | | |
| git config --global user.name "GitHub Actions" | |
| git config --global user.email [email protected] | |
| - name: Install Poetry | |
| run: | | |
| curl -sL https://install.python-poetry.org | python - -y | |
| # Poetry cache depends on OS, Python version and Poetry version. | |
| # https://gist.github.com/gh640/233a6daf68e9e937115371c0ecd39c61 | |
| - name: Setup Python | |
| uses: actions/setup-python@v6 | |
| with: | |
| python-version: ${{ matrix.python-version }} | |
| cache: 'poetry' | |
| - name: Set up MySQL | |
| run: | | |
| sudo systemctl start mysql | |
| mysql -u root -proot -e "CREATE USER IF NOT EXISTS 'empire_user'@'localhost' IDENTIFIED BY 'empire_password';" || true | |
| mysql -u root -proot -e "GRANT ALL PRIVILEGES ON *.* TO 'empire_user'@'localhost' WITH GRANT OPTION;" || true | |
| mysql -u root -proot -e "FLUSH PRIVILEGES;" || true | |
| - name: Install dependencies | |
| run: | | |
| poetry env use ${{ matrix.python-version }} | |
| poetry install | |
| sudo apt install -y mono-runtime | |
| - name: Run test suite - mysql | |
| run: | | |
| set -o pipefail | |
| if [ "${{ matrix.python-version }}" = "3.13" ]; then | |
| DATABASE_USE=mysql poetry run pytest -v --runslow --cov=empire/server --junitxml=pytest.xml --cov-report=term-missing:skip-covered . | tee pytest-coverage.txt | |
| else | |
| DATABASE_USE=mysql poetry run pytest -v --runslow . | |
| fi | |
| - name: Run test suite - sqlite | |
| if: ${{ startsWith(github.head_ref, 'release/') || contains(github.event.pull_request.labels.*.name, | |
| 'test-sqlite') }} | |
| run: | | |
| DATABASE_USE=sqlite poetry run pytest . -v --runslow | |
| - name: Pytest coverage comment | |
| if: ${{ matrix.python-version == '3.13' }} | |
| uses: MishaKav/[email protected] | |
| with: | |
| pytest-coverage-path: ./pytest-coverage.txt | |
| junitxml-path: ./pytest.xml | |
| test_image: | |
| # To save CI time, only run these tests on the release PRs | |
| if: ${{ startsWith(github.head_ref, 'release/') || contains( github.event.pull_request.labels.*.name, | |
| 'docker') }} | |
| timeout-minutes: 30 | |
| runs-on: ubuntu-latest | |
| name: Test Docker Image | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| submodules: 'recursive' | |
| token: ${{ secrets.RELEASE_TOKEN }} | |
| - name: Set up SSH (sponsors only) | |
| if: ${{ endswith(github.repository, 'Empire-Sponsors') }} | |
| run: | | |
| eval "$(ssh-agent -s)" | |
| echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK" >> $GITHUB_ENV | |
| echo "SSH_AUTH_PID=$SSH_AUTH_PID" >> $GITHUB_ENV | |
| if [ -n "$CI_SSH_KEY_BOT" ]; then echo "$CI_SSH_KEY_BOT" | tr -d '\r' | ssh-add -; fi | |
| mkdir -p ~/.ssh | |
| ssh-keyscan -t rsa,ecdsa,ed25519 github.com >> ~/.ssh/known_hosts | |
| chmod 700 ~/.ssh | |
| chmod 600 ~/.ssh/known_hosts | |
| env: | |
| CI_SSH_KEY_BOT: ${{ secrets.CI_SSH_KEY_BOT }} | |
| - name: Build docker image | |
| run: DOCKER_BUILDKIT=1 docker compose -f .github/docker-compose.yml build | |
| - name: Run tests on docker image | |
| run: docker compose -f .github/docker-compose.yml run test | |
| - name: run structure tests docker | |
| uses: plexsystems/[email protected] | |
| with: | |
| image: bcsecurity/empire-test:latest | |
| config: .github/cst-config-docker.yaml | |
| test_install_script: | |
| needs: test | |
| timeout-minutes: 30 | |
| runs-on: ubuntu-latest | |
| name: Test Install Script | |
| strategy: | |
| matrix: | |
| # Because the box runs out of disk space, we can't run all tests on a single docker compose build. | |
| images: | |
| - ['debian11', 'debian12'] | |
| - ['ubuntu2204', 'ubuntu2404'] | |
| - ['kalirolling'] # 'parrotrolling' | |
| # Parrot disabled for now because the apt repo is having some slowness issues. | |
| # Install is running up way too many minutes. | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| submodules: 'recursive' | |
| depth: 0 | |
| - name: Set up SSH (sponsors only) | |
| if: ${{ endswith(github.repository, 'Empire-Sponsors') }} | |
| run: | | |
| eval "$(ssh-agent -s)" | |
| echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK" >> $GITHUB_ENV | |
| echo "SSH_AUTH_PID=$SSH_AUTH_PID" >> $GITHUB_ENV | |
| if [ -n "$CI_SSH_KEY_BOT" ]; then echo "$CI_SSH_KEY_BOT" | tr -d '\r' | ssh-add -; fi | |
| mkdir -p ~/.ssh | |
| ssh-keyscan -t rsa,ecdsa,ed25519 github.com >> ~/.ssh/known_hosts | |
| chmod 700 ~/.ssh | |
| chmod 600 ~/.ssh/known_hosts | |
| env: | |
| CI_SSH_KEY_BOT: ${{ secrets.CI_SSH_KEY_BOT }} | |
| # To save CI time, only run these tests when the install script or deps changed | |
| - name: Get changed files using defaults | |
| id: changed-files | |
| uses: tj-actions/[email protected] | |
| - name: Build images | |
| if: ${{ contains(steps.changed-files.outputs.modified_files, 'setup/install.sh') | |
| || contains(steps.changed-files.outputs.modified_files, 'poetry.lock') | |
| || contains(steps.changed-files.outputs.modified_files, '.github/install_tests') | |
| || startsWith(github.head_ref, 'release/') }} | |
| run: | | |
| DOCKER_BUILDKIT=1 docker compose \ | |
| -f .github/install_tests/docker-compose-install-tests.yml \ | |
| build --ssh default --parallel ${{ join(matrix.images, ' ') }} | |
| - name: run install tests | |
| if: ${{ contains(steps.changed-files.outputs.modified_files, 'setup/install.sh') | |
| || contains(steps.changed-files.outputs.modified_files, 'poetry.lock') | |
| || contains(steps.changed-files.outputs.modified_files, '.github/install_tests') | |
| || startsWith(github.head_ref, 'release/') }} | |
| # Using a script instead of prepackaged action because composite actions can't uses | |
| # a matrix and this is way simpler to read. | |
| run: | | |
| curl -LO https://storage.googleapis.com/container-structure-test/latest/container-structure-test-linux-amd64 && \ | |
| chmod +x container-structure-test-linux-amd64 && \ | |
| mkdir -p $HOME/bin && \ | |
| export PATH=$PATH:$HOME/bin && \ | |
| mv container-structure-test-linux-amd64 $HOME/bin/container-structure-test | |
| ./.github/install_tests/run-all-cst.sh ${{ join(matrix.images, ' ') }} |