Verify fleetd-base files at https://download.fleetdm.com #199
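---
name: Verify fleetd-base files at https://download.fleetdm.com

on:
  workflow_dispatch: # Manual
    inputs:
      base-url:
        description: "The base URL to download the files from"
        required: false
        default: "https://download.fleetdm.com"
        type: string
  workflow_call:
    inputs:
      base-url:
        description: "The base URL to download the files from"
        required: false
        default: "https://download.fleetdm.com"
        type: string
  schedule:
    - cron: "0 5 * * *" # Nightly 5AM UTC, not at the same time as release-fleetd-base workflow

# This workflow is called by release-fleetd-base workflow, so it does not have its own concurrency group.

defaults:
  run:
    # fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
    shell: bash

# Read-only token: nothing here writes back to the repository. The only secret used is the
# Slack webhook for failure notifications.
permissions:
  contents: read

jobs:
  # Downloads meta.json plus both installers, checks that each file's SHA-256 matches the value
  # published in meta.json, and checks that the permalinked copies are byte-identical.
  #
  # NOTE: meta.json and the installers are served from the same origin, so a match proves the
  # published set is internally consistent (no truncated or stale upload) — it does NOT prove
  # authenticity. Anyone who can write to BASE_URL can rewrite the checksums as well.
  verify-checksums:
    runs-on: ubuntu-latest
    env:
      # Exposed as a job env var so the scripts below read $BASE_URL from the environment instead
      # of inlining ${{ inputs.base-url }} into shell source (expression injection).
      BASE_URL: ${{ inputs.base-url || 'https://download.fleetdm.com' }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          # audit only records egress; a block policy would need the download host and the
          # permalink host taken from meta.json allow-listed.
          egress-policy: audit
      - name: Verify checksums
        run: |
          # --fail: an HTTP error page must never be saved and hashed as if it were the artifact.
          # --proto/--proto-redir '=https': the permalink URLs come from remote JSON; never follow
          # them (or a redirect) to a plaintext or non-HTTP scheme.
          fetch() {
            curl --fail --silent --show-error --location --proto '=https' --proto-redir '=https' "$@"
          }
          # Compare the SHA-256 of $1 with the meta.json field named by $2; exits 1 on mismatch.
          check_sha256() {
            local file="$1" key="$2"
            local expected actual
            # --exit-status makes a missing/null field fail the step instead of comparing against "".
            expected=$(jq --raw-output --exit-status ".${key}" meta.json)
            actual=$(shasum -a 256 "$file" | cut -d ' ' -f 1)
            if [ "$expected" != "$actual" ]; then
              echo "Checksum mismatch for $file"
              exit 1
            fi
            echo "Checksum matches for $file"
          }

          fetch -O "$BASE_URL/stable/meta.json"
          fetch -O "$BASE_URL/stable/fleetd-base.msi"
          check_sha256 fleetd-base.msi fleetd_base_msi_sha256
          fetch -O "$BASE_URL/stable/fleetd-base.pkg"
          check_sha256 fleetd-base.pkg fleetd_base_pkg_sha256

          # Check the files at the permalinks: they must be byte-identical to the /stable copies.
          fetch -o fleetd-base-permalink.msi "$(jq --raw-output --exit-status '.fleetd_base_msi_url' meta.json)"
          cmp fleetd-base.msi fleetd-base-permalink.msi
          fetch -o fleetd-base-permalink.pkg "$(jq --raw-output --exit-status '.fleetd_base_pkg_url' meta.json)"
          cmp fleetd-base.pkg fleetd-base-permalink.pkg
      - name: Slack Notification
        if: failure()
        uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
        with:
          payload: |
            {
              "text": "${{ job.status }}\n${{ github.event.pull_request.html_url || github.event.head.html_url }}",
              "blocks": [
                {
                  "type": "section",
                  "text": {
                    "type": "mrkdwn",
                    "text": "Verify fleetd-base files > ${{ github.job }} result: ${{ job.status }}\nhttps://github.com/fleetdm/fleet/actions/runs/${{ github.run_id }}\n${{ github.event.pull_request.html_url || github.event.head.html_url }}"
                  }
                }
              ]
            }
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_G_HELP_ENGINEERING_WEBHOOK_URL }}
          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK

  # Installs the MSI on a throwaway Windows runner to prove it installs and fleetd starts.
  # The checksum is verified before msiexec runs so a truncated or corrupt download is reported
  # as such rather than as an install failure (and so nothing unverified is executed).
  verify-fleetd-base-msi:
    runs-on: windows-latest
    env:
      BASE_URL: ${{ inputs.base-url || 'https://download.fleetdm.com' }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          egress-policy: audit
      - name: Download fleetd-base.msi
        shell: powershell
        run: |
          # $env:BASE_URL is read from the environment rather than inlined with ${{ env.BASE_URL }}.
          Invoke-WebRequest "$env:BASE_URL/stable/meta.json" -OutFile "meta.json"
          if (! $?) { exit 1 }
          Invoke-WebRequest "$env:BASE_URL/stable/fleetd-base.msi" -OutFile "fleetd-base.msi"
          if (! $?) { exit 1 }
          Get-ChildItem
      - name: Verify fleetd-base.msi checksum
        shell: powershell
        run: |
          $expected = (Get-Content meta.json -Raw | ConvertFrom-Json).fleetd_base_msi_sha256
          $actual = (Get-FileHash -Algorithm SHA256 fleetd-base.msi).Hash
          # -ine: Get-FileHash returns upper-case hex, meta.json is compared case-insensitively.
          if ([string]::IsNullOrEmpty($expected) -or ($expected -ine $actual)) {
            Write-Output "Checksum mismatch for fleetd-base.msi"
            exit 1
          }
          Write-Output "Checksum matches for fleetd-base.msi"
      - name: Install fleetd-base.msi
        shell: powershell
        run: |
          # FLEET_URL / FLEET_SECRET are placeholders: the runner only proves the MSI installs and
          # fleetd starts; it never enrolls against a real server.
          $proc = Start-Process msiexec -ArgumentList "/i fleetd-base.msi /qn FLEET_URL='https://fleet.example.com' FLEET_SECRET='insecure'" -Wait -PassThru
          # $? after Start-Process only reports that msiexec was launched; the install result is
          # the process exit code.
          if ($proc.ExitCode -ne 0) {
            Write-Output "msiexec exited with code $($proc.ExitCode)"
            exit 1
          }
          Start-Sleep -Seconds 5
          $logDir = "C:\Windows\System32\config\systemprofile\AppData\Local\FleetDM\Orbit\Logs"
          cd $logDir
          Get-ChildItem
          if (!(Test-Path "$logDir\orbit-osquery.log" -PathType Leaf)) { exit 1 }
      - name: Slack Notification
        if: failure()
        uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
        with:
          payload: |
            {
              "text": "${{ job.status }}\n${{ github.event.pull_request.html_url || github.event.head.html_url }}",
              "blocks": [
                {
                  "type": "section",
                  "text": {
                    "type": "mrkdwn",
                    "text": "Verify fleetd-base files > ${{ github.job }} result: ${{ job.status }}\nhttps://github.com/fleetdm/fleet/actions/runs/${{ github.run_id }}\n${{ github.event.pull_request.html_url || github.event.head.html_url }}"
                  }
                }
              ]
            }
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_G_HELP_ENGINEERING_WEBHOOK_URL }}
          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK

  # Installs the pkg on a throwaway macOS runner to prove it installs. As for the MSI, the
  # checksum is verified before anything is run as root.
  verify-fleetd-base-pkg:
    runs-on: macos-latest
    env:
      BASE_URL: ${{ inputs.base-url || 'https://download.fleetdm.com' }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          egress-policy: audit
      - name: Download fleetd-base.pkg
        run: |
          # $BASE_URL from the job env, not ${{ }} inlined into the script; --fail so an error
          # page is never saved as the artifact; https only.
          curl --fail --silent --show-error --location --proto '=https' --proto-redir '=https' -O "$BASE_URL/stable/meta.json"
          curl --fail --silent --show-error --location --proto '=https' --proto-redir '=https' -O "$BASE_URL/stable/fleetd-base.pkg"
      - name: Verify fleetd-base.pkg checksum
        run: |
          expected=$(jq --raw-output --exit-status '.fleetd_base_pkg_sha256' meta.json)
          actual=$(shasum -a 256 fleetd-base.pkg | cut -d ' ' -f 1)
          if [ "$expected" != "$actual" ]; then
            echo "Checksum mismatch for fleetd-base.pkg"
            exit 1
          fi
          echo "Checksum matches for fleetd-base.pkg"
      - name: Install fleetd-base.pkg
        run: |
          sudo installer -pkg fleetd-base.pkg -target /
      - name: Slack Notification
        if: failure()
        uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
        with:
          payload: |
            {
              "text": "${{ job.status }}\n${{ github.event.pull_request.html_url || github.event.head.html_url }}",
              "blocks": [
                {
                  "type": "section",
                  "text": {
                    "type": "mrkdwn",
                    "text": "Verify fleetd-base files > ${{ github.job }} result: ${{ job.status }}\nhttps://github.com/fleetdm/fleet/actions/runs/${{ github.run_id }}\n${{ github.event.pull_request.html_url || github.event.head.html_url }}"
                  }
                }
              ]
            }
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_G_HELP_ENGINEERING_WEBHOOK_URL }}
          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK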