Security improvements #8
This commit is contained in:
parent
f11683256b
commit
2ce3195d35
3 changed files with 9 additions and 8 deletions
|
@ -16,7 +16,6 @@ env:
|
||||||
NODE_IMG_DIGEST: ${{ secrets.NODE_IMG_DIGEST }} # e.g., docker.io/library/node@sha256:...
|
NODE_IMG_DIGEST: ${{ secrets.NODE_IMG_DIGEST }} # e.g., docker.io/library/node@sha256:...
|
||||||
POSTGRES_IMG_DIGEST: ${{ secrets.POSTGRES_IMG_DIGEST }} # e.g., docker.io/library/postgres@sha256:...
|
POSTGRES_IMG_DIGEST: ${{ secrets.POSTGRES_IMG_DIGEST }} # e.g., docker.io/library/postgres@sha256:...
|
||||||
PODMAN_CLIENT_IMG_DIGEST: ${{ secrets.PODMAN_CLIENT_IMG_DIGEST }} # e.g., quay.io/podman/stable@sha256:...
|
PODMAN_CLIENT_IMG_DIGEST: ${{ secrets.PODMAN_CLIENT_IMG_DIGEST }} # e.g., quay.io/podman/stable@sha256:...
|
||||||
SELINUX_ZLABEL: "" # set to ":z" if SELinux is enforcing
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
test-backend:
|
test-backend:
|
||||||
|
@ -28,7 +27,7 @@ jobs:
|
||||||
run: |
|
run: |
|
||||||
for v in RUST_IMG_DIGEST NODE_IMG_DIGEST POSTGRES_IMG_DIGEST PODMAN_CLIENT_IMG_DIGEST; do
|
for v in RUST_IMG_DIGEST NODE_IMG_DIGEST POSTGRES_IMG_DIGEST PODMAN_CLIENT_IMG_DIGEST; do
|
||||||
[ -n "${!v}" ] || { echo "Missing $v"; exit 1; }
|
[ -n "${!v}" ] || { echo "Missing $v"; exit 1; }
|
||||||
echo "${!v}" | grep -Eq '^.+@sha256:[0-9a-f]{64}' || { echo "$v must be a digest ref"; exit 1; }
|
echo "${!v}" | grep -Eq '^.+@sha256:[0-9a-f]{64}$' || { echo "$v must be a digest ref"; exit 1; }
|
||||||
done
|
done
|
||||||
|
|
||||||
- name: Setup ephemeral PiP container
|
- name: Setup ephemeral PiP container
|
||||||
|
@ -82,7 +81,7 @@ jobs:
|
||||||
run: |
|
run: |
|
||||||
podman exec ci-pip-${{ env.RUN_ID }} sh -lc '
|
podman exec ci-pip-${{ env.RUN_ID }} sh -lc '
|
||||||
podman run --rm \
|
podman run --rm \
|
||||||
-v "$WORKSPACE":/workspace${SELINUX_ZLABEL} \
|
-v "$WORKSPACE":/workspace \
|
||||||
-w /workspace \
|
-w /workspace \
|
||||||
"'"${RUST_IMG_DIGEST}"'" \
|
"'"${RUST_IMG_DIGEST}"'" \
|
||||||
sh -c "cargo test --lib -- --test-threads=1"'
|
sh -c "cargo test --lib -- --test-threads=1"'
|
||||||
|
@ -95,7 +94,7 @@ jobs:
|
||||||
podman exec ci-pip-${{ env.RUN_ID }} sh -lc '
|
podman exec ci-pip-${{ env.RUN_ID }} sh -lc '
|
||||||
podman run --rm \
|
podman run --rm \
|
||||||
--network integ-'"$RUN_ID"' \
|
--network integ-'"$RUN_ID"' \
|
||||||
-v "$WORKSPACE":/workspace'"${SELINUX_ZLABEL}"' \
|
-v "$WORKSPACE":/workspace \
|
||||||
-w /workspace \
|
-w /workspace \
|
||||||
-e DATABASE_URL=postgres://testuser:testpassword@test-postgres:5432/testdb \
|
-e DATABASE_URL=postgres://testuser:testpassword@test-postgres:5432/testdb \
|
||||||
"'"${RUST_IMG_DIGEST}"'" \
|
"'"${RUST_IMG_DIGEST}"'" \
|
||||||
|
@ -121,7 +120,7 @@ jobs:
|
||||||
run: |
|
run: |
|
||||||
for v in NODE_IMG_DIGEST PODMAN_CLIENT_IMG_DIGEST; do
|
for v in NODE_IMG_DIGEST PODMAN_CLIENT_IMG_DIGEST; do
|
||||||
[ -n "${!v}" ] || { echo "Missing $v"; exit 1; }
|
[ -n "${!v}" ] || { echo "Missing $v"; exit 1; }
|
||||||
echo "${!v}" | grep -Eq '^.+@sha256:[0-9a-f]{64}' || { echo "$v must be a digest ref"; exit 1; }
|
echo "${!v}" | grep -Eq '^.+@sha256:[0-9a-f]{64}$' || { echo "$v must be a digest ref"; exit 1; }
|
||||||
done
|
done
|
||||||
|
|
||||||
- name: Setup ephemeral PiP container
|
- name: Setup ephemeral PiP container
|
||||||
|
@ -144,7 +143,7 @@ jobs:
|
||||||
run: |
|
run: |
|
||||||
podman exec ci-pip-${{ env.RUN_ID }} sh -lc '
|
podman exec ci-pip-${{ env.RUN_ID }} sh -lc '
|
||||||
podman run --rm \
|
podman run --rm \
|
||||||
-v "$WORKSPACE":/workspace'"${SELINUX_ZLABEL}"' \
|
-v "$WORKSPACE":/workspace \
|
||||||
-w /workspace \
|
-w /workspace \
|
||||||
"'"${NODE_IMG_DIGEST}"'" \
|
"'"${NODE_IMG_DIGEST}"'" \
|
||||||
sh -c "npm ci && npm run test"'
|
sh -c "npm ci && npm run test"'
|
||||||
|
|
|
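Review bot: The tightened `grep -Eq '^.+@sha256:[0-9a-f]{64}$'` check (hunk at -28, repeated at -121) still lets the prefix before `@sha256:` contain quotes, `$` or whitespace, and the same values are later spliced into a `sh -lc '...'` script through `"'"${RUST_IMG_DIGEST}"'"` and `"'"${NODE_IMG_DIGEST}"'"`, so a malformed secret would change that inner command instead of merely failing to pull. Restricting the prefix to the image-reference alphabet, `grep -Eq '^[A-Za-z0-9._:/-]+@sha256:[0-9a-f]{64}$'`, makes the validator cover what the splice relies on. A short comment above the loop, `# reject anything that is not a pinned, shell-safe image reference`, would record that intent. The `run:` scripts in these hunks continue outside the shown lines.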
@ -5,6 +5,8 @@ After=default.target
|
||||||
[Service]
|
[Service]
|
||||||
Type=simple
|
Type=simple
|
||||||
Environment="XDG_RUNTIME_DIR=/run/user/%U"
|
Environment="XDG_RUNTIME_DIR=/run/user/%U"
|
||||||
|
UMask=007
|
||||||
|
NoNewPrivileges=yes
|
||||||
ExecStartPre=/usr/bin/mkdir -p ${XDG_RUNTIME_DIR}/podman-host
|
ExecStartPre=/usr/bin/mkdir -p ${XDG_RUNTIME_DIR}/podman-host
|
||||||
ExecStartPre=/usr/bin/chmod 770 ${XDG_RUNTIME_DIR}/podman-host
|
ExecStartPre=/usr/bin/chmod 770 ${XDG_RUNTIME_DIR}/podman-host
|
||||||
ExecStart=/usr/bin/podman system service --time=0 unix://${XDG_RUNTIME_DIR}/podman-host/podman.sock
|
ExecStart=/usr/bin/podman system service --time=0 unix://${XDG_RUNTIME_DIR}/podman-host/podman.sock
|
||||||
|
|
|
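Review bot: `NoNewPrivileges=yes` in what appears to be a rootless user unit (`XDG_RUNTIME_DIR=/run/user/%U`) presumably prevents the setuid `newuidmap`/`newgidmap` helpers from gaining privilege, which rootless Podman uses for subuid/subgid mappings — verify on the CI host that `podman system service` can still create user namespaces before merging. The new `UMask=007` together with the existing `chmod 770` on the socket directory means the API socket is reachable by the service user's primary group, and the Podman API grants that group the full privileges of the user; if group access is intended, say so in a comment such as `# group-readable on purpose: the CI client container joins this group`, otherwise `UMask=077` narrows it to the owner. The unit's `[Install]` section, if any, is outside the hunk.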
@ -40,8 +40,8 @@ podman run -d \
|
||||||
--network=none \
|
--network=none \
|
||||||
--tmpfs /run:rw,size=64M \
|
--tmpfs /run:rw,size=64M \
|
||||||
--tmpfs /tmp:rw,size=256M \
|
--tmpfs /tmp:rw,size=256M \
|
||||||
-v "${SOCKET_PATH}:/var/run/podman.sock${SELINUX_ZLABEL:-}" \
|
-v "${SOCKET_PATH}:/var/run/podman.sock" \
|
||||||
-v "${WORKSPACE}:/workspace:rw${SELINUX_ZLABEL:-}" \
|
-v "${WORKSPACE}:/workspace:rw" \
|
||||||
-e CONTAINER_HOST="unix:///var/run/podman.sock" \
|
-e CONTAINER_HOST="unix:///var/run/podman.sock" \
|
||||||
"${PODMAN_CLIENT_IMG_DIGEST}" \
|
"${PODMAN_CLIENT_IMG_DIGEST}" \
|
||||||
sleep infinity
|
sleep infinity
|
||||||
|
|
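Review bot: The socket and workspace bind mounts on the two changed `-v` lines now carry no SELinux label, so on an enforcing host the client container will be denied access to both unless the files already carry a container-accessible type; nothing in the hunk records whether the CI hosts run permissive. A comment above the mounts, e.g. `# bind mounts intentionally unlabelled (no :z) — CI hosts: <state SELinux mode here>`, would stop the label from being re-added or removed blindly next time. Independently, the socket mount can be read-only, `-v "${SOCKET_PATH}:/var/run/podman.sock:ro"`, since connecting to a Unix socket does not require a writable mount, which keeps the client from unlinking or replacing the socket node. The `podman run -d` command begins before this hunk.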