lint-and-test.yml
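# CI workflow for pull requests: lint with pre-commit, run the pytest suite
# against MySQL (and optionally SQLite), and on release/labelled PRs also
# exercise the Docker image and the install script.
name: Lint and Test
on:  # yamllint disable-line rule:truthy
  pull_request:
# One run per PR branch; a newer push cancels the run still in progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: pre-commit/action@v3.0.1
  # Builds the Python-version matrix consumed by the `test` job. Both branches
  # currently emit the same single version, so the release/label split is a
  # no-op until more versions are added to the `release` branch.
  matrix-prep-config:
    runs-on: ubuntu-latest
    steps:
      - id: release
        if: ${{ startsWith(github.head_ref, 'release/') || contains( github.event.pull_request.labels.*.name, 'run-all-versions') }}
        run: |
          echo "config={\"python-version\": [\"3.13\"]}" >> $GITHUB_OUTPUT
      - id: not-release
        if: ${{ !startsWith(github.head_ref, 'release/') }}
        run: |
          echo "config={\"python-version\": [\"3.13\"]}" >> $GITHUB_OUTPUT
    outputs:
      config: ${{ steps.release.outputs.config || steps.not-release.outputs.config }}
  test:
    needs:
      - matrix-prep-config
      - lint
    timeout-minutes: 30
    runs-on: ubuntu-latest
    name: Test Python ${{ matrix.python-version }}
    strategy:
      # The matrix values are written by this workflow's own `matrix-prep-config`
      # step, not taken from PR-controlled input, so interpolating them into
      # `run:` lines below does not expose the shell to PR-supplied text.
      matrix: ${{ fromJson(needs.matrix-prep-config.outputs.config) }}
    steps:
      - uses: actions/checkout@v6
        if: ${{ endsWith(github.repository, 'Empire') }}
        with:
          submodules: 'recursive'
      # token is only needed in sponsors repo because of private submodules
      # don't use token in public repo because prs from forks cannot access secrets
      - uses: actions/checkout@v6
        if: ${{ endsWith(github.repository, 'Empire-Sponsors') }}
        with:
          submodules: 'recursive'
          token: ${{ secrets.RELEASE_TOKEN }}
      - name: Initialize mandatory git config
        run: |
          git config --global user.name "GitHub Actions"
          git config --global user.email noreply@github.com
      # Supply-chain note: this pipes an unpinned remote installer straight into
      # python, so the Poetry version can change between runs without a diff
      # here. Pinning the Poetry version would make the toolchain reproducible.
      - name: Install Poetry
        run: |
          curl -sL https://install.python-poetry.org | python - -y
      # Poetry cache depends on OS, Python version and Poetry version.
      # https://gist.github.com/gh640/233a6daf68e9e937115371c0ecd39c61
      - name: Setup Python
        uses: actions/setup-python@v6
        with:
          python-version: ${{ matrix.python-version }}
          cache: 'poetry'
      # Uses the MySQL server shipped on the runner image; the root password and
      # the empire_user/empire_password pair are throwaway CI credentials for a
      # database that lives only for this job (presumably the image default —
      # confirm if the runner image changes). `|| true` keeps re-runs idempotent.
      - name: Set up MySQL
        run: |
          sudo systemctl start mysql
          mysql -u root -proot -e "CREATE USER IF NOT EXISTS 'empire_user'@'localhost' IDENTIFIED BY 'empire_password';" || true
          mysql -u root -proot -e "GRANT ALL PRIVILEGES ON *.* TO 'empire_user'@'localhost' WITH GRANT OPTION;" || true
          mysql -u root -proot -e "FLUSH PRIVILEGES;" || true
      - name: Install dependencies
        run: |
          poetry env use ${{ matrix.python-version }}
          poetry install
          sudo apt install -y mono-runtime
      # Coverage artefacts are only produced for the version that the coverage
      # comment step below expects; keep the two version literals in sync.
      - name: Run test suite - mysql
        run: |
          set -o pipefail
          if [ "${{ matrix.python-version }}" = "3.13" ]; then
            DATABASE_USE=mysql poetry run pytest -v --runslow --cov=empire/server --junitxml=pytest.xml --cov-report=term-missing:skip-covered . | tee pytest-coverage.txt
          else
            DATABASE_USE=mysql poetry run pytest -v --runslow .
          fi
      - name: Run test suite - sqlite
        if: ${{ startsWith(github.head_ref, 'release/') || contains(github.event.pull_request.labels.*.name, 'test-sqlite') }}
        run: |
          DATABASE_USE=sqlite poetry run pytest . -v --runslow
      - name: Pytest coverage comment
        if: ${{ matrix.python-version == '3.13' }}
        # Third-party action pinned by mutable tag; a full commit SHA would
        # protect against the tag being re-pointed upstream.
        uses: MishaKav/pytest-coverage-comment@v1.2.0
        with:
          pytest-coverage-path: ./pytest-coverage.txt
          junitxml-path: ./pytest.xml
  test_image:
    # To save CI time, only run these tests on the release PRs
    if: ${{ startsWith(github.head_ref, 'release/') || contains( github.event.pull_request.labels.*.name, 'docker') }}
    timeout-minutes: 30
    runs-on: ubuntu-latest
    name: Test Docker Image
    steps:
      - uses: actions/checkout@v6
        with:
          submodules: 'recursive'
          # NOTE(review): unlike the `test` job this checkout always passes the
          # token; on a PR from a fork the secret resolves to an empty string.
          # Confirm the `if:` gate above keeps this job to in-repo PRs.
          token: ${{ secrets.RELEASE_TOKEN }}
      # Loads the bot deploy key into an agent for `docker compose build --ssh`.
      # known_hosts is populated by ssh-keyscan (trust-on-first-use at build
      # time); pinning GitHub's published host keys instead would remove the
      # dependency on the network being honest at that moment.
      - name: Set up SSH
        run: |
          eval "$(ssh-agent -s)"
          echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK" >> $GITHUB_ENV
          echo "SSH_AUTH_PID=$SSH_AUTH_PID" >> $GITHUB_ENV
          if [ -n "$CI_SSH_KEY_BOT" ]; then echo "$CI_SSH_KEY_BOT" | tr -d '\r' | ssh-add -; fi
          mkdir -p ~/.ssh
          ssh-keyscan -t rsa,ecdsa,ed25519 github.com >> ~/.ssh/known_hosts
          chmod 700 ~/.ssh
          chmod 600 ~/.ssh/known_hosts
        env:
          CI_SSH_KEY_BOT: ${{ secrets.CI_SSH_KEY_BOT }}
      - name: Build docker image
        run: DOCKER_BUILDKIT=1 docker compose -f .github/docker-compose.yml build
      - name: Run tests on docker image
        run: docker compose -f .github/docker-compose.yml run test
      - name: run structure tests docker
        # Third-party action pinned by mutable tag; see note on the coverage step.
        uses: plexsystems/container-structure-test-action@v0.3.0
        with:
          image: bcsecurity/empire-test:latest
          config: .github/cst-config-docker.yaml
  test_install_script:
    needs: test
    timeout-minutes: 30
    runs-on: ubuntu-latest
    name: Test Install Script
    strategy:
      matrix:
        # Because the box runs out of disk space, we can't run all tests on a single docker compose build.
        images:
          - ['debian11', 'debian12', 'debian13']
          - ['ubuntu2204', 'ubuntu2404']
          - ['kalirolling']  # 'parrotrolling'
          # Parrot disabled for now because the apt repo is having some slowness issues.
          # Install is running up way too many minutes.
    steps:
      - uses: actions/checkout@v6
        with:
          submodules: 'recursive'
          # Full history. actions/checkout's input is `fetch-depth`; the previous
          # `depth` key is not a recognised input and only produced a warning.
          fetch-depth: 0
      # Same SSH bootstrap as in `test_image`; see the notes there.
      - name: Set up SSH
        run: |
          eval "$(ssh-agent -s)"
          echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK" >> $GITHUB_ENV
          echo "SSH_AUTH_PID=$SSH_AUTH_PID" >> $GITHUB_ENV
          if [ -n "$CI_SSH_KEY_BOT" ]; then echo "$CI_SSH_KEY_BOT" | tr -d '\r' | ssh-add -; fi
          mkdir -p ~/.ssh
          ssh-keyscan -t rsa,ecdsa,ed25519 github.com >> ~/.ssh/known_hosts
          chmod 700 ~/.ssh
          chmod 600 ~/.ssh/known_hosts
        env:
          CI_SSH_KEY_BOT: ${{ secrets.CI_SSH_KEY_BOT }}
      # To save CI time, only run these tests when the install script or deps changed
      - name: Get changed files using defaults
        id: changed-files
        # Third-party action pinned by mutable tag; a full commit SHA would
        # protect against the tag being re-pointed upstream.
        uses: tj-actions/changed-files@v47.0.1
      - name: Build images
        if: ${{ contains(steps.changed-files.outputs.modified_files, 'setup/install.sh')
          || contains(steps.changed-files.outputs.modified_files, 'poetry.lock')
          || contains(steps.changed-files.outputs.modified_files, '.github/install_tests')
          || startsWith(github.head_ref, 'release/') }}
        run: |
          DOCKER_BUILDKIT=1 docker compose \
            -f .github/install_tests/docker-compose-install-tests.yml \
            build --ssh default --parallel ${{ join(matrix.images, ' ') }}
      - name: run install tests
        if: ${{ contains(steps.changed-files.outputs.modified_files, 'setup/install.sh')
          || contains(steps.changed-files.outputs.modified_files, 'poetry.lock')
          || contains(steps.changed-files.outputs.modified_files, '.github/install_tests')
          || startsWith(github.head_ref, 'release/') }}
        # Using a script instead of prepackaged action because composite actions can't uses
        # a matrix and this is way simpler to read.
        # Supply-chain note: the `latest` binary is downloaded without a version
        # pin or checksum verification, so the tool can change between runs.
        run: |
          curl -LO https://storage.googleapis.com/container-structure-test/latest/container-structure-test-linux-amd64 && \
          chmod +x container-structure-test-linux-amd64 && \
          mkdir -p $HOME/bin && \
          export PATH=$PATH:$HOME/bin && \
          mv container-structure-test-linux-amd64 $HOME/bin/container-structure-test
          ./.github/install_tests/run-all-cst.sh ${{ join(matrix.images, ' ') }}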