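# Checks that the fleetd-base installers published under BASE_URL match the
# checksums and permalinks advertised in stable/meta.json, then smoke-installs
# the .msi on Windows and the .pkg on macOS.
name: Verify fleetd-base files at https://download.fleetdm.com

on:
  workflow_dispatch: # Manual
    inputs:
      base-url:
        description: 'The base URL to download the files from'
        required: false
        default: 'https://download.fleetdm.com'
        type: string
  workflow_call:
    inputs:
      base-url:
        description: 'The base URL to download the files from'
        required: false
        default: 'https://download.fleetdm.com'
        type: string
  schedule:
    - cron: '0 5 * * *' # Nightly 5AM UTC, not at the same time as release-fleetd-base workflow

# This workflow is called by release-fleetd-base workflow, so it does not have its own concurrency group.

defaults:
  run:
    # fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
    shell: bash

permissions:
  contents: read

jobs:
  verify-checksums:
    runs-on: ubuntu-latest
    env:
      # `inputs` is populated for both workflow_dispatch and workflow_call;
      # `github.event.inputs` is only set for workflow_dispatch, so a base-url
      # passed by a calling workflow would otherwise be silently ignored.
      # Scheduled runs have no inputs and fall back to the default.
      BASE_URL: ${{ inputs.base-url || 'https://download.fleetdm.com' }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          # audit only records outbound connections; switching to block would
          # need an allowed-endpoints list for the download host.
          egress-policy: audit
      - name: Verify checksums
        # BASE_URL is read from the environment ($BASE_URL) instead of being
        # interpolated with ${{ }}, so the input value is never spliced into
        # the script text. curl -f makes HTTP errors fail the step instead of
        # saving the error body as the file.
        run: |
          # Compare a downloaded file's SHA-256 against the key in meta.json.
          # jq -e fails if the key is missing or null, so a malformed meta.json
          # cannot pass as a "match".
          verify_sha256() {
            local file="$1" key="$2"
            local expected actual
            expected=$(jq --raw-output --exit-status ".$key" meta.json)
            actual=$(shasum -a 256 "$file" | cut -d ' ' -f 1)
            if [ "$expected" != "$actual" ]; then
              echo "Checksum mismatch for $file"
              exit 1
            fi
            echo "Checksum matches for $file"
          }

          curl -fsS -O "$BASE_URL/stable/meta.json"
          curl -fsS -O "$BASE_URL/stable/fleetd-base.msi"
          verify_sha256 fleetd-base.msi fleetd_base_msi_sha256

          curl -fsS -O "$BASE_URL/stable/fleetd-base.pkg"
          verify_sha256 fleetd-base.pkg fleetd_base_pkg_sha256

          # Check the files at the permalinks: the permalinked artifact must be
          # byte-identical to the one under /stable.
          curl -fsS -o fleetd-base-permalink.msi "$(jq --raw-output --exit-status '.fleetd_base_msi_url' meta.json)"
          cmp fleetd-base.msi fleetd-base-permalink.msi
          curl -fsS -o fleetd-base-permalink.pkg "$(jq --raw-output --exit-status '.fleetd_base_pkg_url' meta.json)"
          cmp fleetd-base.pkg fleetd-base-permalink.pkg

  verify-fleetd-base-msi:
    runs-on: windows-latest
    env:
      # See verify-checksums for why `inputs` is used rather than github.event.inputs.
      BASE_URL: ${{ inputs.base-url || 'https://download.fleetdm.com' }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          egress-policy: audit
      - name: Download fleetd-base.msi
        shell: powershell
        # $env:BASE_URL instead of ${{ env.BASE_URL }} keeps the input out of
        # the script text.
        run: |
          Invoke-WebRequest "$env:BASE_URL/stable/fleetd-base.msi" -OutFile "fleetd-base.msi"
          if (! $?) { exit 1 }
          Get-ChildItem
      - name: Install fleetd-base.msi
        shell: powershell
        run: |
          # FLEET_URL / FLEET_SECRET are dummy values: this step only checks
          # that the installer runs and orbit starts logging, not enrollment.
          $msi = Start-Process msiexec "/i fleetd-base.msi /qn FLEET_URL='https://fleet.example.com' FLEET_SECRET='insecure'" -Wait -PassThru
          # Start-Process succeeding is not the same as msiexec succeeding;
          # -PassThru exposes the installer's own exit code.
          if ($msi.ExitCode -ne 0) { exit $msi.ExitCode }
          $logDir = "C:\Windows\System32\config\systemprofile\AppData\Local\FleetDM\Orbit\Logs"
          $log = Join-Path $logDir "orbit-osquery.log"
          # The log appears some time after msiexec returns; poll with a bound
          # instead of a single fixed sleep.
          $deadline = (Get-Date).AddSeconds(60)
          while (!(Test-Path $log -PathType Leaf) -and ((Get-Date) -lt $deadline)) { Start-Sleep -Seconds 5 }
          Get-ChildItem $logDir
          if (!(Test-Path $log -PathType Leaf)) { exit 1 }

  verify-fleetd-base-pkg:
    runs-on: macos-latest
    env:
      # See verify-checksums for why `inputs` is used rather than github.event.inputs.
      BASE_URL: ${{ inputs.base-url || 'https://download.fleetdm.com' }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          egress-policy: audit
      - name: Download fleetd-base.pkg
        run: |
          curl -fsS -O "$BASE_URL/stable/fleetd-base.pkg"
      - name: Install fleetd-base.pkg
        run: |
          sudo installer -pkg fleetd-base.pkg -target /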