apparmor.d/.gitlab-ci.yml

---

include:
  - template: Security/SAST.gitlab-ci.yml

variables:
  PKGDEST: $CI_PROJECT_DIR/.pkg
  PACKAGER: 'Alexandre Pujol <alexandre@pujol.io>'

stages:
  - lint
  - test
  - build
  - preprocess
  - deploy


# Code Linter
# -----------

bash:
  stage: lint
  image: koalaman/shellcheck-alpine
  script:
    - shellcheck --shell=bash
        PKGBUILD dists/build.sh dists/docker.sh tests/check.sh
        tests/packer/init/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh

golangci-lint:
  stage: lint
  image: golangci/golangci-lint
  script:
    - golangci-lint run --exclude-dirs pkg/paths

packer:
  stage: lint
  image:
    name: hashicorp/packer:latest
    entrypoint: [""]
  script:
    - cd tests &&
      packer fmt --check packer/ &&
      packer validate --syntax-only packer/

sast:
  stage: lint


# Code test
# ---------

tests:
  stage: test
  image: golang
  coverage: '/Coverage: \d+.\d+/'
  script:
    - apt update && apt install -y rsync
    - cp tests/journalctl /usr/bin/journalctl
    - chmod 755 /usr/bin/journalctl
    - mkdir -p /var/log/audit/
    - touch /var/log/audit/audit.log /var/log/audit/audit.log.1
    - go test ./cmd/... -v -cover -coverprofile=coverage.out
    - go test $(go list ./pkg/... | grep -v /pkg/paths) -v -cover -coverprofile=coverage.out
    - go tool cover -func=coverage.out

check:
  stage: test
  image: registry.gitlab.com/roddhjav/builders/archlinux
  script:
    - make check

# Package Build
# -------------

archlinux:
  stage: build
  image: registry.gitlab.com/roddhjav/builders/archlinux
  script:
    - sudo pacman -Syu --noconfirm --noprogressbar
    - makepkg -s --noconfirm --noprogressbar
  artifacts:
    expire_in: 1 day
    paths:
      - $PKGDEST/*

debian:
  stage: build
  image: registry.gitlab.com/roddhjav/builders/debian
  script:
    - sudo chown -R build:build /builds/
    - git config --global --add safe.directory $CI_PROJECT_DIR
    - mkdir -p "$PKGDEST"
    - sudo apt-get update -q && sudo apt-get install -y config-package-dev rsync
    - sudo apt-get install -y -t bookworm-backports golang-go
    - bash dists/build.sh dpkg
  artifacts:
    expire_in: 1 day
    paths:
      - $PKGDEST/*.deb

ubuntu:
  stage: build
  image: registry.gitlab.com/roddhjav/builders/ubuntu
  script:
    - sudo chown -R ubuntu:ubuntu /builds/
    - git config --global --add safe.directory $CI_PROJECT_DIR
    - mkdir -p "$PKGDEST"
    - sudo apt-get update -q && sudo apt-get install -y config-package-dev rsync golang-go
    - bash dists/build.sh dpkg
  artifacts:
    expire_in: 1 day
    paths:
      - $PKGDEST/*.deb

whonix:
  extends: debian
  variables:
    DISTRIBUTION: whonix
  before_script:
    - echo "\noverride_dh_auto_build:\n\tmake full" >> debian/rules

opensuse:
  stage: build
  image: registry.gitlab.com/roddhjav/builders/opensuse
  script:
    - mkdir -p "$PKGDEST"
    - sudo zypper install -y distribution-release golang-packaging rsync apparmor-profiles
    - bash dists/build.sh rpm
  artifacts:
    expire_in: 1 day
    paths:
      - $PKGDEST/*.rpm


# Profile Preprocessing
# ---------------------

preprocess-archlinux:
  stage: preprocess
  image: archlinux
  dependencies:
    - archlinux
  script:
    - pacman -Syu --noconfirm --noprogressbar apparmor
    - pacman -U --noconfirm --noprogressbar $PKGDEST/*
    - apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null

preprocess-debian:
  stage: preprocess
  image: debian
  dependencies:
    - debian
  script:
    - apt-get update -q
    - apt-get install -y apparmor apparmor-profiles
    - dpkg --install $PKGDEST/*
    - apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null

preprocess-ubuntu:
  stage: preprocess
  image: ubuntu
  dependencies:
    - ubuntu
  script:
    - apt-get update -q
    - apt-get install -y apparmor apparmor-profiles
    - dpkg --install $PKGDEST/*
    - apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null

preprocess-whonix:
  extends: preprocess-debian
  dependencies:
    - whonix

preprocess-opensuse:
  stage: preprocess
  image: opensuse/tumbleweed
  dependencies:
    - opensuse
  script:
    - zypper install -y apparmor-profiles
    - rpm -i $PKGDEST/*
    - apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null


# Deploy the documentation 
# ------------------------

pages:
  stage: deploy
  image: python
  variables:
    MKDOCS_OFFLINE: "false"
    GIT_STRATEGY: clone
    GIT_DEPTH: 0
  script:
    - pip install -r requirements.txt
    - mkdocs build --site-dir public
  artifacts:
    paths:
      - public
  rules:
    - if: $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH
Add Gitlab CI. 2021-04-04 00:30:06 +02:00			`---`

Rewrite aa-log. 2021-11-09 23:41:12 +01:00			`include:`
			`- template: Security/SAST.gitlab-ci.yml`

Add Gitlab CI. 2021-04-04 00:30:06 +02:00			`variables:`
build: unify locally build package output directory. 2024-10-07 15:05:40 +02:00			`PKGDEST: $CI_PROJECT_DIR/.pkg`
Add Gitlab CI. 2021-04-04 00:30:06 +02:00			`PACKAGER: 'Alexandre Pujol <alexandre@pujol.io>'`

			`stages:`
			`- lint`
ci: enable aa-log tests. 2021-12-05 01:21:16 +01:00			`- test`
CI: add preprocessing for Debian. 2021-09-27 20:20:27 +02:00			`- build`
Add Gitlab CI. 2021-04-04 00:30:06 +02:00			`- preprocess`
docs: initial documentation website. 2023-01-29 22:18:22 +01:00			`- deploy`
Add Gitlab CI. 2021-04-04 00:30:06 +02:00

			`# Code Linter`
			`# -----------`

			`bash:`
			`stage: lint`
			`image: koalaman/shellcheck-alpine`
			`script:`
			`- shellcheck --shell=bash`
tests: add 'make check' for common issues in Apparmor profiles. 2024-10-06 16:39:21 +02:00			`PKGBUILD dists/build.sh dists/docker.sh tests/check.sh`
ci: update shell scripts location. 2023-04-24 16:28:33 +02:00			`tests/packer/init/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh`
Add Gitlab CI. 2021-04-04 00:30:06 +02:00
Rewrite aa-log. 2021-11-09 23:41:12 +01:00			`golangci-lint:`
			`stage: lint`
			`image: golangci/golangci-lint`
			`script:`
ci: update golangci-lint. 2024-10-19 23:57:08 +02:00			`- golangci-lint run --exclude-dirs pkg/paths`
Rewrite aa-log. 2021-11-09 23:41:12 +01:00
build: add linter options. 2023-09-19 19:35:24 +02:00			`packer:`
			`stage: lint`
			`image:`
			`name: hashicorp/packer:latest`
			`entrypoint: [""]`
			`script:`
			`- cd tests &&`
			`packer fmt --check packer/ &&`
			`packer validate --syntax-only packer/`

Rewrite aa-log. 2021-11-09 23:41:12 +01:00			`sast:`
			`stage: lint`

Add Gitlab CI. 2021-04-04 00:30:06 +02:00
ci: enable aa-log tests. 2021-12-05 01:21:16 +01:00			`# Code test`
			`# ---------`

			`tests:`
			`stage: test`
			`image: golang`
ci: report go coverage result. 2023-01-28 20:44:21 +01:00			`coverage: '/Coverage: \d+.\d+/'`
ci: enable aa-log tests. 2021-12-05 01:21:16 +01:00			`script:`
ci: prebuild needs rsync. 2023-04-19 20:37:20 +02:00			`- apt update && apt install -y rsync`
test: add a dummy output for journalctl --user -b -u dbus.service -o json 2022-10-15 23:05:52 +02:00			`- cp tests/journalctl /usr/bin/journalctl`
			`- chmod 755 /usr/bin/journalctl`
ci(gitlab): ensure audit.log exist. 2023-03-12 18:03:07 +01:00			`- mkdir -p /var/log/audit/`
			`- touch /var/log/audit/audit.log /var/log/audit/audit.log.1`
ci: ensure tests pkg are not run in parallel. 2023-06-18 12:40:32 +02:00			`- go test ./cmd/... -v -cover -coverprofile=coverage.out`
ci: exclude paths lib from the tests. 2024-04-28 13:23:47 +02:00			`- go test $(go list ./pkg/... \| grep -v /pkg/paths) -v -cover -coverprofile=coverage.out`
ci: report go coverage result. 2023-01-28 20:44:21 +01:00			`- go tool cover -func=coverage.out`
ci: enable aa-log tests. 2021-12-05 01:21:16 +01:00
ci: run on ubuntu 24.04 & enable make check. 2024-10-06 17:19:11 +02:00			`check:`
ci: move check job stage. 2024-10-06 18:51:30 +02:00			`stage: test`
ci: run on ubuntu 24.04 & enable make check. 2024-10-06 17:19:11 +02:00			`image: registry.gitlab.com/roddhjav/builders/archlinux`
			`script:`
			`- make check`
ci: enable aa-log tests. 2021-12-05 01:21:16 +01:00
Add Gitlab CI. 2021-04-04 00:30:06 +02:00			`# Package Build`
			`# -------------`

ci: restore packages build jobs. 2023-03-28 00:18:33 +02:00			`archlinux:`
CI: add preprocessing for Debian. 2021-09-27 20:20:27 +02:00			`stage: build`
ci: new builder docker image. 2023-03-29 01:05:59 +02:00			`image: registry.gitlab.com/roddhjav/builders/archlinux`
Add Gitlab CI. 2021-04-04 00:30:06 +02:00			`script:`
build: drop lsb-release build deps. 2023-04-19 19:57:31 +02:00			`- sudo pacman -Syu --noconfirm --noprogressbar`
Add Gitlab CI. 2021-04-04 00:30:06 +02:00			`- makepkg -s --noconfirm --noprogressbar`
			`artifacts:`
			`expire_in: 1 day`
			`paths:`
			`- $PKGDEST/*`

ci: restore packages build jobs. 2023-03-28 00:18:33 +02:00			`debian:`
CI: add preprocessing for Debian. 2021-09-27 20:20:27 +02:00			`stage: build`
ci: new builder docker image. 2023-03-29 01:05:59 +02:00			`image: registry.gitlab.com/roddhjav/builders/debian`
Add Gitlab CI. 2021-04-04 00:30:06 +02:00			`script:`
fix: gitlab ci dpkg based build. 2023-04-24 00:51:59 +02:00			`- sudo chown -R build:build /builds/`
ci(gitlab): build error quickfix. 2023-02-05 01:17:15 +01:00			`- git config --global --add safe.directory $CI_PROJECT_DIR`
Add Gitlab CI. 2021-04-04 00:30:06 +02:00			`- mkdir -p "$PKGDEST"`
build: drop lsb-release build deps. 2023-04-19 19:57:31 +02:00			`- sudo apt-get update -q && sudo apt-get install -y config-package-dev rsync`
fix(build): update backport repo. 2023-09-21 00:08:17 +02:00			`- sudo apt-get install -y -t bookworm-backports golang-go`
ci: improve debian & ubuntu build jobs. 2023-09-19 21:45:21 +02:00			`- bash dists/build.sh dpkg`
Add Gitlab CI. 2021-04-04 00:30:06 +02:00			`artifacts:`
			`expire_in: 1 day`
			`paths:`
			`- $PKGDEST/*.deb`

ci: reenable build on ubuntu. 2024-05-08 21:47:45 +02:00			`ubuntu:`
ci: improve debian & ubuntu build jobs. 2023-09-19 21:45:21 +02:00			`stage: build`
			`image: registry.gitlab.com/roddhjav/builders/ubuntu`
			`script:`
ci: reenable build on ubuntu. 2024-05-08 21:47:45 +02:00			`- sudo chown -R ubuntu:ubuntu /builds/`
ci: improve debian & ubuntu build jobs. 2023-09-19 21:45:21 +02:00			`- git config --global --add safe.directory $CI_PROJECT_DIR`
			`- mkdir -p "$PKGDEST"`
			`- sudo apt-get update -q && sudo apt-get install -y config-package-dev rsync golang-go`
			`- bash dists/build.sh dpkg`
			`artifacts:`
			`expire_in: 1 day`
			`paths:`
			`- $PKGDEST/*.deb`
ci(gitlab): add ubuntu build. 2022-10-16 00:37:10 +02:00
build(ci): add gitlab ci for whonix. 2023-11-14 00:41:41 +01:00			`whonix:`
			`extends: debian`
			`variables:`
			`DISTRIBUTION: whonix`
build: full system for whonix. 2023-11-22 19:16:03 +01:00			`before_script:`
			`- echo "\noverride_dh_auto_build:\n\tmake full" >> debian/rules`
build(ci): add gitlab ci for whonix. 2023-11-14 00:41:41 +01:00
ci: add rpm pkg build. 2023-09-19 21:16:55 +02:00			`opensuse:`
			`stage: build`
			`image: registry.gitlab.com/roddhjav/builders/opensuse`
			`script:`
			`- mkdir -p "$PKGDEST"`
ci: fix opensuse build & re-enable ubuntu preprocess. 2024-06-04 21:26:32 +02:00			`- sudo zypper install -y distribution-release golang-packaging rsync apparmor-profiles`
ci: add rpm pkg build. 2023-09-19 21:16:55 +02:00			`- bash dists/build.sh rpm`
			`artifacts:`
			`expire_in: 1 day`
			`paths:`
			`- $PKGDEST/*.rpm`

Add Gitlab CI. 2021-04-04 00:30:06 +02:00
			`# Profile Preprocessing`
			`# ---------------------`

CI: add preprocessing for Debian. 2021-09-27 20:20:27 +02:00			`preprocess-archlinux:`
Add Gitlab CI. 2021-04-04 00:30:06 +02:00			`stage: preprocess`
			`image: archlinux`
			`dependencies:`
			`- archlinux`
			`script:`
			`- pacman -Syu --noconfirm --noprogressbar apparmor`
ci: update install method for archlinux. 2023-04-08 14:09:24 +02:00			`- pacman -U --noconfirm --noprogressbar $PKGDEST/*`
Add Gitlab CI. 2021-04-04 00:30:06 +02:00			`- apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null`
CI: add preprocessing for Debian. 2021-09-27 20:20:27 +02:00
			`preprocess-debian:`
			`stage: preprocess`
			`image: debian`
			`dependencies:`
			`- debian`
			`script:`
			`- apt-get update -q`
Debian: improve install method. 2021-09-27 21:24:22 +02:00			`- apt-get install -y apparmor apparmor-profiles`
CI: add preprocessing for Debian. 2021-09-27 20:20:27 +02:00			`- dpkg --install $PKGDEST/*`
			`- apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null`
ci(gitlab): add ubuntu build. 2022-10-16 00:37:10 +02:00
ci: fix opensuse build & re-enable ubuntu preprocess. 2024-06-04 21:26:32 +02:00			`preprocess-ubuntu:`
			`stage: preprocess`
ci(gitlab): add ubuntu build. 2022-10-16 00:37:10 +02:00			`image: ubuntu`
			`dependencies:`
			`- ubuntu`
ci: fix opensuse build & re-enable ubuntu preprocess. 2024-06-04 21:26:32 +02:00			`script:`
			`- apt-get update -q`
			`- apt-get install -y apparmor apparmor-profiles`
			`- dpkg --install $PKGDEST/*`
			`- apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null`
build(ci): add gitlab ci for whonix. 2023-11-14 00:41:41 +01:00
			`preprocess-whonix:`
			`extends: preprocess-debian`
			`dependencies:`
			`- whonix`
docs: initial documentation website. 2023-01-29 22:18:22 +01:00
ci(gitlab): add profile preprocessing on openSUSE. 2023-03-25 15:38:14 +01:00			`preprocess-opensuse:`
			`stage: preprocess`
fix(ci): wrong opensuse image. 2023-03-25 16:10:55 +01:00			`image: opensuse/tumbleweed`
ci: add rpm pkg build. 2023-09-19 21:16:55 +02:00			`dependencies:`
			`- opensuse`
ci(gitlab): add profile preprocessing on openSUSE. 2023-03-25 15:38:14 +01:00			`script:`
ci: add rpm pkg build. 2023-09-19 21:16:55 +02:00			`- zypper install -y apparmor-profiles`
			`- rpm -i $PKGDEST/*`
ci(gitlab): add profile preprocessing on openSUSE. 2023-03-25 15:38:14 +01:00			`- apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null`

docs: initial documentation website. 2023-01-29 22:18:22 +01:00
			`# Deploy the documentation`
			`# ------------------------`

			`pages:`
			`stage: deploy`
			`image: python`
doc: ensure page creation date is correct. 2023-05-07 22:23:01 +02:00			`variables:`
ci: re-enable online doc. 2024-01-30 16:26:07 +01:00			`MKDOCS_OFFLINE: "false"`
doc: ensure page creation date is correct. 2023-05-07 22:23:01 +02:00			`GIT_STRATEGY: clone`
			`GIT_DEPTH: 0`
docs: initial documentation website. 2023-01-29 22:18:22 +01:00			`script:`
			`- pip install -r requirements.txt`
ci: set token for git-committers 2024-09-26 21:20:20 +02:00			`- mkdocs build --site-dir public`
docs: initial documentation website. 2023-01-29 22:18:22 +01:00			`artifacts:`
			`paths:`
			`- public`
			`rules:`
			`- if: $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH`