Update admx and adml templates #1198
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Update admx and adml templates | |
on: | |
push: | |
branches: | |
- '**' # Ignore tag push, but take any branch | |
paths: | |
- 'cmd/admxgen/**' | |
- 'internal/ad/admxgen/**' | |
- '.github/workflows/adm-builds.yaml' | |
schedule: | |
- cron: '42 0 * * *' | |
jobs: | |
build-admxgen: | |
name: Build admxgen static binary | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-go@v4 | |
with: | |
go-version-file: go.mod | |
- run: | | |
mkdir /tmp/adsys | |
CGO_ENABLED=0 go build ./cmd/admxgen/ | |
- name: Upload admxgen | |
uses: actions/upload-artifact@v3 | |
with: | |
name: admxgen | |
path: | | |
admxgen | |
./cmd/admxgen/defs/* | |
if-no-files-found: error | |
supported-releases: | |
name: Build matrix for supported ADSys, Ubuntu, and docker releases | |
runs-on: ubuntu-latest | |
outputs: | |
matrix: ${{ steps.set-supported-releases.outputs.matrix }} | |
needs: build-admxgen | |
steps: | |
- name: Install needed binaries | |
run: | | |
sudo DEBIAN_FRONTEND=noninteractive apt update | |
sudo DEBIAN_FRONTEND=noninteractive apt install -y distro-info jq | |
- name: Build matrix for supported ADSys, Ubuntu, and docker releases | |
id: set-supported-releases | |
run: | | |
set -eu | |
function releaseDockerExists() { | |
local codename="${1}" | |
exists=1 | |
curl "https://registry.hub.docker.com/api/content/v1/repositories/public/library/ubuntu/tags?page_size=3000" 2>/dev/null | \ | |
jq -r '.results[].name' | grep -q "${codename}" && exists=0 | |
echo "${exists}" | |
} | |
all="$(distro-info --supported-esm) $(distro-info --supported)" | |
all="$(echo $all | tr ' ' '\n' | sort -u)" | |
releases="" | |
for r in ${all}; do | |
# Filter out unsupported LTS releases | |
if [ "${r}" = "trusty" -o "${r}" = "xenial" -o "${r}" = "bionic" ]; then | |
continue | |
fi | |
exists=$(releaseDockerExists ${r}) | |
if [ ${exists} != 0 ]; then | |
continue | |
fi | |
if [ -n "${releases}" ]; then | |
releases="${releases}, " | |
fi | |
releases="${releases}'ubuntu:${r}'" | |
done | |
echo "matrix={\"releases\":[${releases}]}" >> $GITHUB_OUTPUT | |
collect-releases: | |
name: Collect supported keys on each releases | |
runs-on: ubuntu-latest | |
needs: | |
- build-admxgen | |
- supported-releases | |
strategy: | |
matrix: ${{fromJson(needs.supported-releases.outputs.matrix)}} | |
container: | |
image: ${{ matrix.releases }} | |
steps: | |
- name: Download admxgen and definition files | |
uses: actions/download-artifact@v3 | |
with: | |
name: admxgen | |
- name: Install desktop with all default package in container | |
run: | | |
export DEBIAN_FRONTEND=noninteractive | |
apt update | |
apt -y install ubuntu-desktop | |
- name: Collect support keys | |
run: | | |
chmod 755 ./admxgen | |
./admxgen expand --current-session ubuntu ./cmd/admxgen/defs/ ./out/ | |
- name: Prepare artefact name variable | |
shell: bash | |
run: | | |
set -eu | |
artifacts_name=${{ matrix.releases }} | |
artifacts_name=${artifacts_name/:/-} | |
echo "artifacts_name=${artifacts_name}" >> $GITHUB_ENV | |
- name: Generated definition files | |
uses: actions/upload-artifact@v3 | |
with: | |
name: policies-${{ env.artifacts_name }} | |
path: out/* | |
if-no-files-found: error | |
generate-ad: | |
name: Merge keys to generated admx/adml | |
runs-on: ubuntu-latest | |
needs: collect-releases | |
strategy: | |
matrix: | |
releases: ['LTS', 'ALL'] | |
steps: | |
- name: Install needed binaries | |
run: | | |
sudo DEBIAN_FRONTEND=noninteractive apt update | |
sudo DEBIAN_FRONTEND=noninteractive apt install -y distro-info | |
- name: Download all available artifacts | |
uses: actions/download-artifact@v3 | |
with: | |
path: artifacts | |
- name: Display structure of downloaded files | |
run: | | |
set -eu | |
allowflag="--allow-missing-keys" | |
target=$(ubuntu-distro-info -r --supported-esm | cut -d" " -f1) | |
if [ ${{ matrix.releases }} = "ALL" ]; then | |
target=$(ubuntu-distro-info -r --supported | cut -d" " -f1) | |
allowflag="" | |
fi | |
mkdir wanted/ | |
for f in $(find artifacts/policies-*/ -type f); do | |
for wanted in ${target}; do | |
if [ $(basename $f) != ${wanted}.yaml ]; then | |
continue | |
fi | |
cp $f wanted/ | |
done | |
done | |
chmod +x artifacts/admxgen/admxgen | |
artifacts/admxgen/admxgen admx --auto-detect-releases ${allowflag} artifacts/admxgen/cmd/admxgen/defs/categories.yaml wanted/ . | |
ls -R | |
- name: Upload adm template files | |
uses: actions/upload-artifact@v3 | |
with: | |
name: adm-${{ matrix.releases }} | |
path: Ubuntu.adm* | |
if-no-files-found: error | |
integrate-ad: | |
name: Integrate AD in current git tree | |
runs-on: ubuntu-latest | |
needs: generate-ad | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Download adm template files for "all" | |
uses: actions/download-artifact@v3 | |
with: | |
name: adm-ALL | |
path: policies/Ubuntu/all | |
- name: Download adm template files for lts only | |
uses: actions/download-artifact@v3 | |
with: | |
name: adm-LTS | |
path: policies/Ubuntu/lts-only | |
- name: Copy admx and adml to git | |
run: | | |
git add policies/ | |
- name: Get output branch for branch name | |
id: get-branch-name | |
shell: bash | |
run: echo "branch=${GITHUB_REF#refs/heads/}" >> $GITHUB_OUTPUT | |
- name: Create Pull Request | |
uses: peter-evans/create-pull-request@v5 | |
with: | |
commit-message: Refresh policy definition files | |
title: Refresh policy definition files | |
labels: policies, automated pr | |
body: "[Auto-generated pull request](https://github.com/ubuntu/adsys/actions/workflows/adm-builds.yaml) by GitHub Action" | |
branch: auto-update-policydefinitions-${{ steps.get-branch-name.outputs.branch }} | |
token: ${{ secrets.GITHUB_TOKEN }} | |
delete-branch: true | |
open-issue-on-fail: | |
name: Open issue on failure | |
runs-on: ubuntu-latest | |
needs: integrate-ad | |
if: ${{ failure() }} | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Create issue if build failed | |
uses: JasonEtco/create-an-issue@v2 | |
env: | |
RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
filename: .github/workflows/adm-builds-fail.md | |
search_existing: open | |
update_existing: true |