From 01cc9c811f09c8b089ef8a4459dce4a75d990c18 Mon Sep 17 00:00:00 2001 From: Martin Schurz Date: Mon, 20 Nov 2023 20:45:01 +0100 Subject: [PATCH 1/8] update python versions for testing Signed-off-by: Martin Schurz --- .github/workflows/os_hardening.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/os_hardening.yml b/.github/workflows/os_hardening.yml index c63b907c4..9e681c76a 100644 --- a/.github/workflows/os_hardening.yml +++ b/.github/workflows/os_hardening.yml @@ -57,10 +57,10 @@ jobs: path: ansible_collections/devsec/hardening submodules: true - - name: Set up Python 3.11 + - name: Set up Python 3.12 uses: actions/setup-python@v4 with: - python-version: 3.11 + python-version: 3.12 - name: Install dependencies run: | From addbbd32cf6ef23ce3b9997ed71f9a7ffa5752ba Mon Sep 17 00:00:00 2001 From: Martin Schurz Date: Tue, 21 Nov 2023 09:19:28 +0100 Subject: [PATCH 2/8] run tests on update of dependencied Signed-off-by: Martin Schurz --- .github/workflows/ansible-lint.yml | 2 ++ .github/workflows/mysql_hardening.yml | 2 ++ .github/workflows/nginx_hardening.yml | 2 ++ .github/workflows/os_hardening.yml | 2 ++ .github/workflows/os_hardening_vm.yml | 2 ++ .github/workflows/ssh_hardening.yml | 2 ++ .github/workflows/ssh_hardening_bsd.yml | 2 ++ .github/workflows/ssh_hardening_custom_tests.yml | 2 ++ 8 files changed, 16 insertions(+) diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml index 8787add5d..aa402cded 100644 --- a/.github/workflows/ansible-lint.yml +++ b/.github/workflows/ansible-lint.yml @@ -7,11 +7,13 @@ on: # yamllint disable-line rule:truthy branches: [master] paths: - 'roles/**' + - 'requirements.txt' pull_request: # The branches below must be a subset of the branches above branches: [master] paths: - 'roles/**' + - 'requirements.txt' jobs: ansible-lint: diff --git a/.github/workflows/mysql_hardening.yml b/.github/workflows/mysql_hardening.yml index bea6d55c8..55d6f83f7 100644 
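Review bot: `python-version: 3.12` on the added line is a plain scalar, so a YAML parser reads it as the float 3.12 rather than the string the action expects; it happens to round-trip here, but a value such as 3.10 would silently become 3.1, so quote it, `python-version: '3.12'`. The same unquoted form is added by the patch 7 hunks in mysql_hardening.yml, nginx_hardening.yml, os_hardening.yml, roles-readme.yml, ssh_hardening.yml and ssh_hardening_custom_tests.yml. Separately, the step still references `actions/setup-python@v4`, a mutable tag; pinning the action to a full-length commit SHA with the tag kept in a trailing comment gives the job a fixed, reviewable dependency. The enclosing `steps` list starts and ends outside the hunk.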
--- a/.github/workflows/mysql_hardening.yml +++ b/.github/workflows/mysql_hardening.yml @@ -9,12 +9,14 @@ on: # yamllint disable-line rule:truthy - 'roles/mysql_hardening/**' - 'molecule/mysql_hardening/**' - '.github/workflows/mysql_hardening.yml' + - 'requirements.txt' pull_request: branches: [master] paths: - 'roles/mysql_hardening/**' - 'molecule/mysql_hardening/**' - '.github/workflows/mysql_hardening.yml' + - 'requirements.txt' schedule: - cron: '0 6 * * 0' diff --git a/.github/workflows/nginx_hardening.yml b/.github/workflows/nginx_hardening.yml index be0f2c36d..090c88fbb 100644 --- a/.github/workflows/nginx_hardening.yml +++ b/.github/workflows/nginx_hardening.yml @@ -8,12 +8,14 @@ on: # yamllint disable-line rule:truthy - 'roles/nginx_hardening/**' - 'molecule/nginx_hardening/**' - '.github/workflows/nginx_hardening.yml' + - 'requirements.txt' pull_request: branches: [master] paths: - 'roles/nginx_hardening/**' - 'molecule/nginx_hardening/**' - '.github/workflows/nginx_hardening.yml' + - 'requirements.txt' schedule: - cron: '0 6 * * 1' diff --git a/.github/workflows/os_hardening.yml b/.github/workflows/os_hardening.yml index 9e681c76a..f711dfe77 100644 --- a/.github/workflows/os_hardening.yml +++ b/.github/workflows/os_hardening.yml @@ -8,12 +8,14 @@ on: # yamllint disable-line rule:truthy - 'roles/os_hardening/**' - 'molecule/os_hardening/**' - '.github/workflows/os_hardening.yml' + - 'requirements.txt' pull_request: branches: [master] paths: - 'roles/os_hardening/**' - 'molecule/os_hardening/**' - '.github/workflows/os_hardening.yml' + - 'requirements.txt' schedule: - cron: '0 6 * * 3' diff --git a/.github/workflows/os_hardening_vm.yml b/.github/workflows/os_hardening_vm.yml index 31fda1a11..bdeb0224b 100644 --- a/.github/workflows/os_hardening_vm.yml +++ b/.github/workflows/os_hardening_vm.yml 
@@ -8,12 +8,14 @@ on: # yamllint disable-line rule:truthy - 'roles/os_hardening/**' - 'molecule/os_hardening_vm/**' - '.github/workflows/os_hardening_vm.yml' + - 'requirements.txt' pull_request: branches: [master] paths: - 'roles/os_hardening/**' - 'molecule/os_hardening_vm/**' - '.github/workflows/os_hardening_vm.yml' + - 'requirements.txt' schedule: - cron: '0 6 * * 2' diff --git a/.github/workflows/ssh_hardening.yml b/.github/workflows/ssh_hardening.yml index f2df44873..c69e28c43 100644 --- a/.github/workflows/ssh_hardening.yml +++ b/.github/workflows/ssh_hardening.yml @@ -8,12 +8,14 @@ on: # yamllint disable-line rule:truthy - 'roles/ssh_hardening/**' - 'molecule/ssh_hardening/**' - '.github/workflows/ssh_hardening.yml' + - 'requirements.txt' pull_request: branches: [master] paths: - 'roles/ssh_hardening/**' - 'molecule/ssh_hardening/**' - '.github/workflows/ssh_hardening.yml' + - 'requirements.txt' schedule: - cron: '0 6 * * 5' diff --git a/.github/workflows/ssh_hardening_bsd.yml b/.github/workflows/ssh_hardening_bsd.yml index cb2fdcc31..931bddc80 100644 --- a/.github/workflows/ssh_hardening_bsd.yml +++ b/.github/workflows/ssh_hardening_bsd.yml @@ -8,12 +8,14 @@ on: # yamllint disable-line rule:truthy - 'roles/ssh_hardening/**' - 'molecule/ssh_hardening_bsd/**' - '.github/workflows/ssh_hardening_bsd.yml' + - 'requirements.txt' pull_request: branches: [master] paths: - 'roles/ssh_hardening/**' - 'molecule/ssh_hardening_bsd/**' - '.github/workflows/ssh_hardening_bsd.yml' + - 'requirements.txt' schedule: - cron: '0 6 * * 5' diff --git a/.github/workflows/ssh_hardening_custom_tests.yml b/.github/workflows/ssh_hardening_custom_tests.yml index 6846fceb1..f77faa9e2 100644 --- a/.github/workflows/ssh_hardening_custom_tests.yml +++ b/.github/workflows/ssh_hardening_custom_tests.yml 
@@ -8,12 +8,14 @@ on: # yamllint disable-line rule:truthy - 'roles/ssh_hardening/**' - 'molecule/ssh_hardening_custom_tests/**' - '.github/workflows/ssh_hardening_custom_tests.yml' + - 'requirements.txt' pull_request: branches: [master] paths: - 'roles/ssh_hardening/**' - 'molecule/ssh_hardening_custom_tests/**' - '.github/workflows/ssh_hardening_custom_tests.yml' + - 'requirements.txt' schedule: - cron: '0 6 * * 4' From e2c2d0d5e2582086b46238bb295aff61a8b0c7f3 Mon Sep 17 00:00:00 2001 From: Martin Schurz Date: Tue, 21 Nov 2023 09:22:08 +0100 Subject: [PATCH 3/8] pin Ansible version Signed-off-by: Martin Schurz --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index e856defcb..26bce2ab5 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,7 +1,7 @@ molecule molecule-plugins[docker] yamllint -ansible +ansible==2.16.0 ansible-lint docker flake8 From 7b32deca17f1563dd1c1672272c2ff003d96977e Mon Sep 17 00:00:00 2001 From: Martin Schurz Date: Tue, 21 Nov 2023 09:27:39 +0100 Subject: [PATCH 4/8] pin the right ansible package Signed-off-by: Martin Schurz --- requirements.txt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 26bce2ab5..0497913cf 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,7 +1,8 @@ molecule molecule-plugins[docker] yamllint -ansible==2.16.0 +ansible +ansible-core==2.16.0 ansible-lint docker flake8 From 5c5f2ce44655837128aadca32d966466b481d2c3 Mon Sep 17 00:00:00 2001 From: Martin Schurz Date: Tue, 21 Nov 2023 09:33:02 +0100 Subject: [PATCH 5/8] remove the base ansible package Signed-off-by: Martin Schurz --- requirements.txt | 1 - 1 file changed, 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 0497913cf..262565334 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,7 +1,6 @@ molecule molecule-plugins[docker] yamllint -ansible ansible-core==2.16.0 ansible-lint docker 
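Review bot: `ansible-core==2.16.0` in the final requirements.txt hunk (patch 5) is an exact pin, so patch releases of ansible-core, including security fixes, are excluded until someone edits the file by hand, while every other entry (molecule, yamllint, ansible-lint, docker, flake8) still floats to whatever is current at each run; the result is neither reproducible nor self-updating. If the intent is API compatibility, `ansible-core~=2.16.0` tracks the 2.16.x patch releases; if the intent is reproducibility, pin every entry and add hashes so pip can be run with `--require-hashes`. With the `ansible` meta-package removed in this hunk, only `ansible.builtin` ships with ansible-core; presumably the molecule scenarios obtain any other collections through an explicit collection requirements file, which is worth confirming. This applies to the end state after patches 3 and 4, which this hunk supersedes.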
From c3b924590095ad8766dba45585b06fb461ccdf90 Mon Sep 17 00:00:00 2001 From: Martin Schurz Date: Tue, 21 Nov 2023 10:19:23 +0100 Subject: [PATCH 6/8] fix for mysql role Signed-off-by: Martin Schurz --- molecule/mysql_hardening/prepare.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/molecule/mysql_hardening/prepare.yml b/molecule/mysql_hardening/prepare.yml index 53a3a1901..0258e9654 100644 --- a/molecule/mysql_hardening/prepare.yml +++ b/molecule/mysql_hardening/prepare.yml @@ -7,6 +7,8 @@ http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}" https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}" no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}" + vars: + mysql_replication_master: localhost tasks: - name: Use Python 3 on Debian 11 set_fact: From aae720c977562c1db0a71c68f17557c38769b378 Mon Sep 17 00:00:00 2001 From: Martin Schurz Date: Tue, 21 Nov 2023 12:23:49 +0100 Subject: [PATCH 7/8] update python version for all tests Signed-off-by: Martin Schurz --- .github/workflows/mysql_hardening.yml | 4 ++-- .github/workflows/nginx_hardening.yml | 4 ++-- .github/workflows/os_hardening.yml | 2 +- .github/workflows/roles-readme.yml | 2 +- .github/workflows/ssh_hardening.yml | 4 ++-- .github/workflows/ssh_hardening_custom_tests.yml | 4 ++-- 6 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/mysql_hardening.yml b/.github/workflows/mysql_hardening.yml index 55d6f83f7..96972058b 100644 --- a/.github/workflows/mysql_hardening.yml +++ b/.github/workflows/mysql_hardening.yml @@ -59,10 +59,10 @@ jobs: path: ansible_collections/devsec/hardening submodules: true - - name: Set up Python 3.11 + - name: Set up Python uses: actions/setup-python@v4 with: - python-version: 3.11 + python-version: 3.12 - name: Install dependencies run: | diff --git a/.github/workflows/nginx_hardening.yml b/.github/workflows/nginx_hardening.yml index 090c88fbb..e7ea7e27b 100644 --- a/.github/workflows/nginx_hardening.yml 
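Review bot: The `vars:` block added here (`mysql_replication_master: localhost`) is removed again by patch 8 of this series, which returns prepare.yml to its original blob, so the two commits cancel out and only add noise to the history; squashing or dropping both before merge keeps the series to the changes that survive. If the variable was a temporary workaround for behaviour seen under the newly pinned ansible-core, the actual cause and fix should be recorded in the message of the patch that addressed it. The play's `hosts` and `environment` keys start outside the hunk.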
+++ b/.github/workflows/nginx_hardening.yml @@ -58,10 +58,10 @@ jobs: path: ansible_collections/devsec/hardening submodules: true - - name: Set up Python 3.11 + - name: Set up Python uses: actions/setup-python@v4 with: - python-version: 3.11 + python-version: 3.12 - name: Install dependencies run: | diff --git a/.github/workflows/os_hardening.yml b/.github/workflows/os_hardening.yml index f711dfe77..dc3d1f7e3 100644 --- a/.github/workflows/os_hardening.yml +++ b/.github/workflows/os_hardening.yml @@ -59,7 +59,7 @@ jobs: path: ansible_collections/devsec/hardening submodules: true - - name: Set up Python 3.12 + - name: Set up Python uses: actions/setup-python@v4 with: python-version: 3.12 diff --git a/.github/workflows/roles-readme.yml b/.github/workflows/roles-readme.yml index 6e4c8ee85..3f516d9a7 100644 --- a/.github/workflows/roles-readme.yml +++ b/.github/workflows/roles-readme.yml @@ -29,7 +29,7 @@ jobs: - name: Set up Python uses: actions/setup-python@v4 with: - python-version: 3.11 + python-version: 3.12 - name: Install aar_doc run: pip3 install aar_doc diff --git a/.github/workflows/ssh_hardening.yml b/.github/workflows/ssh_hardening.yml index c69e28c43..119b7a343 100644 --- a/.github/workflows/ssh_hardening.yml +++ b/.github/workflows/ssh_hardening.yml @@ -59,10 +59,10 @@ jobs: path: ansible_collections/devsec/hardening submodules: true - - name: Set up Python 3.11 + - name: Set up Python uses: actions/setup-python@v4 with: - python-version: 3.11 + python-version: 3.12 - name: Install dependencies run: | diff --git a/.github/workflows/ssh_hardening_custom_tests.yml b/.github/workflows/ssh_hardening_custom_tests.yml index f77faa9e2..94d7fafe6 100644 --- a/.github/workflows/ssh_hardening_custom_tests.yml +++ b/.github/workflows/ssh_hardening_custom_tests.yml 
@@ -59,10 +59,10 @@ jobs: path: ansible_collections/devsec/hardening submodules: true - - name: Set up Python 3.11 + - name: Set up Python uses: actions/setup-python@v4 with: - python-version: 3.11 + python-version: 3.12 - name: Install dependencies run: | From f15ff3fc83b726086608578b1c368907ea03249d Mon Sep 17 00:00:00 2001 From: Martin Schurz Date: Tue, 21 Nov 2023 16:37:50 +0100 Subject: [PATCH 8/8] remove unneeded mysql vars Signed-off-by: Martin Schurz --- molecule/mysql_hardening/prepare.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/molecule/mysql_hardening/prepare.yml b/molecule/mysql_hardening/prepare.yml index 0258e9654..53a3a1901 100644 --- a/molecule/mysql_hardening/prepare.yml +++ b/molecule/mysql_hardening/prepare.yml @@ -7,8 +7,6 @@ http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}" https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}" no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}" - vars: - mysql_replication_master: localhost tasks: - name: Use Python 3 on Debian 11 set_fact: