1
+ name : RunsOn Tests
2
+
3
+ on :
4
+ workflow_dispatch :
5
+
6
+ jobs :
7
+ test-host-outbound :
8
+ runs-on :
9
+ - runs-on=${{ github.run_id }}
10
+ - runner=2cpu-linux-x64
11
+ - image=ubuntu22-stepsecurity-x64
12
+ steps :
13
+ - name : Harden Runner
14
+ uses : step-security/harden-runner@rc
15
+ with :
16
+ egress-policy : audit
17
+ allowed-endpoints : >
18
+ github.com:443
19
+ goreleaser.com:443
20
+
21
+
22
+ - name : Checkout code
23
+ uses : actions/checkout@v3
24
+
25
+ - name : Run outbound calls from host
26
+ run : |
27
+ start_time=$(date +%s)
28
+ end_time=$((start_time + 90)) # 5 minutes = 300 seconds
29
+
30
+ while [ $(date +%s) -lt $end_time ]; do
31
+ curl -I https://www.google.com
32
+ curl -I https://goreleaser.com
33
+ sleep 10 # wait 10 seconds between calls
34
+ done
35
+
36
+ test-docker-outbound :
37
+ runs-on :
38
+ - runs-on=${{ github.run_id }}
39
+ - runner=2cpu-linux-x64
40
+ - image=ubuntu22-stepsecurity-x64
41
+ steps :
42
+ - name : Harden Runner
43
+ uses : step-security/harden-runner@rc
44
+ with :
45
+ egress-policy : block
46
+ allowed-endpoints : >
47
+ archive.ubuntu.com:80
48
+ github.com:443
49
+ goreleaser.com:443
50
+ production.cloudflare.docker.com:443
51
+ docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com:443
52
+ *.docker.io:443
53
+ security.ubuntu.com:80
54
+
55
+ - name : Checkout code
56
+ uses : actions/checkout@v3
57
+
58
+ - name : Run outbound calls from within Docker container
59
+ continue-on-error : true
60
+ run : |
61
+ # Start the container
62
+ docker run --rm -d --name test-container ubuntu:latest sleep 90
63
+
64
+ # Install curl in the container
65
+ docker exec test-container apt-get update
66
+ docker exec test-container apt-get install -y curl
67
+
68
+ # Print /etc/resolv.conf from the container
69
+ docker exec test-container cat /etc/resolv.conf
70
+
71
+ # Make outbound calls
72
+ for i in {1..9}; do
73
+ docker exec test-container curl -I https://www.google.com
74
+ docker exec test-container curl -I https://goreleaser.com
75
+ sleep 10 # wait 10 seconds between calls
76
+ done
77
+
78
+ # Stop the container
79
+ docker stop test-container
80
+
81
+
82
+ test-docker-build-outbound :
83
+ runs-on :
84
+ - runs-on=${{ github.run_id }}
85
+ - runner=2cpu-linux-x64
86
+ - image=ubuntu22-stepsecurity-x64
87
+ steps :
88
+ - name : Harden Runner
89
+ uses : step-security/harden-runner@rc
90
+ with :
91
+ egress-policy : audit
92
+ allowed-endpoints : >
93
+ archive.ubuntu.com:80
94
+ auth.docker.io:443
95
+ github.com:443
96
+ goreleaser.com:443
97
+ production.cloudflare.docker.com:443
98
+ docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com:443
99
+ registry-1.docker.io:443
100
+ security.ubuntu.com:80
101
+
102
+ - name : Checkout code
103
+ uses : actions/checkout@v3
104
+
105
+ - name : Build Docker image and test outbound calls during build
106
+ continue-on-error : true
107
+ run : |
108
+ # Create a Dockerfile that installs curl and makes outbound calls
109
+ cat <<EOF > Dockerfile
110
+ FROM ubuntu:latest
111
+ RUN apt-get update && apt-get install -y curl
112
+ RUN for i in {1..9}; do curl -I https://www.google.com && curl -I https://goreleaser.com; sleep 10; done
113
+ EOF
114
+
115
+ # Build the Docker image
116
+ docker build -t test-image .
117
+
118
+ # Print /etc/resolv.conf from the build container (temporary container used during build)
119
+ container_id=$(docker create test-image)
120
+ docker start $container_id
121
+ docker exec $container_id cat /etc/resolv.conf
122
+ docker stop $container_id
123
+ docker rm $container_id
124
+
125
+ - name : Print Docker logs with journalctl
126
+ run : |
127
+ sudo journalctl -u docker.service --no-pager
128
+ shell : bash
129
+
130
+ test-long-running-docker :
131
+ runs-on :
132
+ - runs-on=${{ github.run_id }}
133
+ - runner=2cpu-linux-x64
134
+ - image=ubuntu22-stepsecurity-x64
135
+ steps :
136
+ - name : Harden Runner
137
+ uses : step-security/harden-runner@rc
138
+ with :
139
+ egress-policy : block
140
+ allowed-endpoints : >
141
+ archive.ubuntu.com:80
142
+ auth.docker.io:443
143
+ github.com:443
144
+ goreleaser.com:443
145
+ production.cloudflare.docker.com:443
146
+ registry-1.docker.io:443
147
+ docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com:443
148
+ security.ubuntu.com:80
149
+
150
+
151
+ - name : Checkout code
152
+ uses : actions/checkout@v3
153
+
154
+ - name : Run long-running Docker container with outbound calls
155
+ continue-on-error : true
156
+ run : |
157
+ # Start the long-running container
158
+ docker run --rm -d --name long-running-container ubuntu:latest bash -c "
159
+ apt-get update && apt-get install -y curl &&
160
+ while true; do
161
+ curl -I https://www.google.com;
162
+ curl -I https://goreleaser.com;
163
+ sleep 10;
164
+ done
165
+ "
166
+
167
+ # Print /etc/resolv.conf from the container
168
+ docker exec long-running-container cat /etc/resolv.conf
169
+
170
+ # Let the container run for 5 minutes
171
+ sleep 90
172
+
173
+ # Stop the container
174
+ docker stop long-running-container
175
+
176
+
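Review bot: Every `uses:` in this file points at a mutable ref — `step-security/harden-runner@rc` (a moving pre-release tag, repeated in all four jobs) and `actions/checkout@v3` — so the exact action code that runs with egress enforcement can change underneath the workflow; pin each to a full-length commit SHA and keep the tag in a trailing comment, e.g. `uses: step-security/harden-runner@<full-commit-sha> # rc`. The workflow also declares no `permissions:` block, so the jobs get whatever default GITHUB_TOKEN scope the repository grants although nothing here needs more than a checkout; add `permissions:` / `contents: read` at the top level, and because no step touches git after checkout, pass `persist-credentials: false` to `actions/checkout` so the token is not left in `.git/config` (the `docker build -t test-image .` step ships that whole directory to the daemon as build context). In the two `egress-policy: block` jobs the `curl -I https://www.google.com` calls are expected to fail and `continue-on-error: true` keeps the job green either way, so the jobs assert nothing on their own — presumably the outcome is read from the harden-runner insights, which is worth stating in a comment at the top of each test step. The timing comments also disagree with the code: `# 5 minutes = 300 seconds` next to `start_time + 90` and `# Let the container run for 5 minutes` above `sleep 90` should both read `# 90 seconds`.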