Skip to content

fix: add csp #191

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
nims14 wants to merge 10 commits into from
Closed

fix: add csp #191

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
85ce110
fix: add csp
nims14 May 6, 2025
95f33ea
update actions/upload-artifacts
nims14 May 6, 2025
f9e7858
update actions/checkout
nims14 May 6, 2025
014d6b8
Trying to build using old Jenkinsfile
papajulio May 6, 2025
b4e4464
Fixing other things
papajulio May 6, 2025
f92a79d
Installing missing 7oz
papajulio May 6, 2025
89b3af9
Fixing and archiving the outputs not publishing
papajulio May 6, 2025
3b01a2b
Adding missing permissions
papajulio May 6, 2025
d54fbaa
Archiving only the resulting packages
papajulio May 6, 2025
6b71590
fixing archiving
papajulio May 6, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 9 additions & 11 deletions .github/workflows/ci.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
name: CI Build
on: [push,pull_request,workflow_dispatch]
on: [push, pull_request, workflow_dispatch]

jobs:
build-settings:
Expand All @@ -11,7 +11,7 @@ jobs:
ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
steps:
- name: Checkout Sysdig
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Get settings for this release
id: get_settings
shell: python
Expand All @@ -27,18 +27,17 @@ jobs:
print(f'version={version}'.lower(), file=ofp)
print(f'semver={semver}'.lower(), file=ofp)


build-sysdig-inspect:
needs: [build-settings]
env:
BUILDER: "sysdiglabs/sysdig-inspect-builder:0.2"
BUILDER: 'sysdiglabs/sysdig-inspect-builder:0.2'
SEMVER: ${{ needs.build-settings.outputs.semver }}
VERSION: ${{ needs.build-settings.outputs.version }}
ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true

runs-on: ubuntu-latest
container:
image: "sysdiglabs/sysdig-inspect-builder:0.2"
image: 'sysdiglabs/sysdig-inspect-builder:0.2'
env:
INSTALL_DEPS: true
GIT_BRANCH: dev
Expand All @@ -49,7 +48,7 @@ jobs:
- /var/run/docker.sock:/var/run/docker.sock
steps:
- name: Checkout Sysdig
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: install 7z
run: |
cd /tmp
Expand All @@ -63,27 +62,26 @@ jobs:
- name: Build sysdig-inspect
run: ./build/build.sh
- name: Upload artifacts rpm
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: sysdig-inspect-${{ env.VERSION }}-linux-x86_64.rpm
path: |
out/linux/installers/sysdig-inspect-linux-x86_64.rpm
- name: Upload artifacts deb
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: sysdig-inspect-${{ env.VERSION }}-linux-x86_64.deb
path: |
out/linux/installers/sysdig-inspect-linux-x86_64.deb
- name: Upload artifacts dmg
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: sysdig-inspect-${{ env.VERSION }}-mac-x86_64.dmg
path: |
out/mac/binaries/sysdig-inspect-${{ env.SEMVER }}-mac-86_64.dmg
- name: Upload artifacts zip
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: sysdig-inspect-${{ env.VERSION }}-mac-x86_64.zip
path: |
out/mac/binaries/sysdig-inspect-mac-x86_64.zip

20 changes: 10 additions & 10 deletions .github/workflows/release-draft.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,13 +11,13 @@ permissions:
jobs:
build-sysdig-inspect:
env:
BUILDER: "sysdiglabs/sysdig-inspect-builder:0.2"
BUILDER: 'sysdiglabs/sysdig-inspect-builder:0.2'
VERSION: ${{ github.ref_name }}
ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true

runs-on: ubuntu-latest
container:
image: "sysdiglabs/sysdig-inspect-builder:0.2"
image: 'sysdiglabs/sysdig-inspect-builder:0.2'
env:
INSTALL_DEPS: true
GIT_BRANCH: ${{ github.ref_name }}
Expand All @@ -27,7 +27,7 @@ jobs:
- /var/run/docker.sock:/var/run/docker.sock
steps:
- name: Checkout Sysdig
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: install 7z
run: |
cd /tmp
Expand All @@ -41,25 +41,25 @@ jobs:
- name: Build sysdig-inspect
run: ./build/build.sh
- name: Upload artifacts rpm
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: sysdig-inspect-release-${{ env.VERSION }}-linux-x86_64.rpm
path: |
out/linux/installers/sysdig-inspect-linux-x86_64.rpm
- name: Upload artifacts deb
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: sysdig-inspect-release-${{ env.VERSION }}-linux-x86_64.deb
path: |
out/linux/installers/sysdig-inspect-linux-x86_64.deb
- name: Upload artifacts dmg
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: sysdig-inspect-release-${{ env.VERSION }}-mac-x86_64.dmg
path: |
out/mac/binaries/sysdig-inspect-${{ env.VERSION }}-mac-x86_64.dmg
- name: Upload artifacts zip
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: sysdig-inspect-release-${{ env.VERSION }}-mac-x86_64.zip
path: |
Expand All @@ -73,15 +73,15 @@ jobs:
ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
steps:
- name: Download artifacts (linux-amd64 deb)
uses: actions/download-artifact@v3
uses: actions/download-artifact@v4
with:
name: sysdig-inspect-release-${{ env.VERSION }}-linux-x86_64.deb
- name: Download artifacts (linux-amd64 rpm)
uses: actions/download-artifact@v3
uses: actions/download-artifact@v4
with:
name: sysdig-inspect-release-${{ env.VERSION }}-linux-x86_64.rpm
- name: Download artifacts (osx-amd64)
uses: actions/download-artifact@v3
uses: actions/download-artifact@v4
with:
name: sysdig-inspect-release-${{ env.VERSION }}-mac-x86_64.zip
- name: test
Expand Down
34 changes: 7 additions & 27 deletions build/Jenkinsfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
pipeline {
agent {
label 'builder-backend-j8'
label 'amazon-linux2'
}

options {
Expand All @@ -9,8 +9,6 @@ pipeline {

environment {
BUILDER = "sysdiglabs/sysdig-inspect-builder:0.2"
VERSION = readFile "VERSION"
INSPECT_USER_TRACKING_KEY = credentials('INSPECT_USER_TRACKING_KEY')
}

stages {
Expand All @@ -25,13 +23,12 @@ pipeline {
sh "docker rm sysdig-inspect-builder || echo \\\"Builder image not found\\\""

// NOTE: 'checkout scm' is equivalent to
// git url: "https://github.com/:account/:repository", branch: "${env.BRANCH_NAME}", credentialsId: ${env.MY_CREDENTAILS_NAME}"
// git url: "https://github.com/:account/:repository", branch: "${env.BRANCH}", credentialsId: ${env.MY_CREDENTAILS_NAME}"
checkout scm

// Define build number
script {
def now = new Date()

env.VERSION_BUILD_NUMBER=now.format("yyyyMMdd.HHmmss", TimeZone.getTimeZone('UTC'))
}
}
Expand All @@ -42,35 +39,18 @@ pipeline {
CWD = sh(script: 'pwd', , returnStdout: true).trim()
}
steps {
sh "docker run --name sysdig-inspect-builder -v ${CWD}:/usr/bin/sysdig-inspect -v /var/run/docker.sock:/var/run/docker.sock -e INSTALL_DEPS=true -e GIT_BRANCH=${env.BRANCH_NAME} -e BUILD_NUMBER=${env.VERSION_BUILD_NUMBER} -e USER_TRACKING_KEY=${env.INSPECT_USER_TRACKING_KEY} ${env.BUILDER}"
sh "docker run --name sysdig-inspect-builder -v ${CWD}:/usr/bin/sysdig-inspect -v /var/run/docker.sock:/var/run/docker.sock -e INSTALL_DEPS=true -e GIT_BRANCH=${env.BRANCH} -e BUILD_NUMBER=${env.VERSION_BUILD_NUMBER} ${env.BUILDER}"

//
// The build creates files with owner root,
// and because of this the job won't be able to cleanup files.
//
sh "sudo chown -R \$(id -u):\$(id -g) deps/sysdig-linux"
sh "sudo chown -R \$(id -u):\$(id -g) out"
}
}

stage('Publish Docker image') {
steps {
withCredentials([usernamePassword(credentialsId: "docker-hub", passwordVariable: "DOCKER_PASSWORD", usernameVariable: "DOCKER_USERNAME")]) {
sh "docker login -u=${env.DOCKER_USERNAME} -p=${env.DOCKER_PASSWORD}"
sh "GIT_BRANCH=${env.BRANCH_NAME} BUILD_NUMBER=${env.VERSION_BUILD_NUMBER} ./build/publish.sh"
}
}
}

stage('Tag') {
when {
branch 'master'
}
steps {
echo "Tagging repository v${VERSION}"

withCredentials([usernamePassword(credentialsId: "github-jenkins-user-token", passwordVariable: "GIT_PASSWORD", usernameVariable: "GIT_USERNAME")]) {
sh("git tag -a v${VERSION} -m 'Release v${VERSION}'")
sh("git push https://${GIT_USERNAME}:${GIT_PASSWORD}@github.com/draios/sysdig-inspect --tags")
post {
always {
archiveArtifacts allowEmptyArchive: true, artifacts: "out/linux/installers/*.rpm, out/linux/installers/*.deb, out/mac/binaries/*.dmg, out/mac/binaries/*.zip"
}
}
}
Expand Down
4 changes: 4 additions & 0 deletions build/build.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -98,6 +98,10 @@ install_dependencies() {
if [ "${INSTALL_DEPS}" = "true" ]; then
echo "Installing dependencies..."

cd /tmp
sed -i '/^mozilla\/DST_Root_CA_X3/s/^/!/' /etc/ca-certificates.conf && update-ca-certificates -f && curl -L -o 7z.tar.xz https://www.7-zip.org/a/7z2301-linux-x64.tar.xz && tar -xaf 7z.tar.xz && mv 7zz /usr/bin/7z && rm -vfr /tmp/*
cd -

rm -rf deps

if [ "${BUILD_LINUX}" = "true" ] || [ "${BUILD_CONTAINER}" = "true" ]; then
Expand Down
143 changes: 77 additions & 66 deletions config/environment.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,79 +1,90 @@
'use strict';

module.exports = function(environment) {
//<<<<<<< HEAD
const rootURLParamIndex = process.argv.indexOf('--root-url');
const rootURL = rootURLParamIndex >= 0 ? process.argv[rootURLParamIndex + 1] : '/';
//=======
// let ENV = {
// modulePrefix: 'sysdig-inspect',
// environment,
// rootURL: '/',
// locationType: 'auto',
// EmberENV: {
// FEATURES: {
// // Here you can enable experimental features on an ember canary build
// // e.g. EMBER_NATIVE_DECORATOR_SUPPORT: true
// },
// EXTEND_PROTOTYPES: {
// // Prevent Ember Data from overriding Date.parse.
// Date: false
// }
// },
//>>>>>>> bd341dc (v3.4.4...v3.12.1)
module.exports = function (environment) {
//<<<<<<< HEAD
const rootURLParamIndex = process.argv.indexOf('--root-url');
const rootURL =
rootURLParamIndex >= 0 ? process.argv[rootURLParamIndex + 1] : '/';
//=======
// let ENV = {
// modulePrefix: 'sysdig-inspect',
// environment,
// rootURL: '/',
// locationType: 'auto',
// EmberENV: {
// FEATURES: {
// // Here you can enable experimental features on an ember canary build
// // e.g. EMBER_NATIVE_DECORATOR_SUPPORT: true
// },
// EXTEND_PROTOTYPES: {
// // Prevent Ember Data from overriding Date.parse.
// Date: false
// }
// },
//>>>>>>> bd341dc (v3.4.4...v3.12.1)

const targetEnvParamIndex = process.argv.indexOf('--target-env');
const targetEnv = targetEnvParamIndex >= 0 ? process.argv[targetEnvParamIndex + 1] : 'electron';
const targetEnvParamIndex = process.argv.indexOf('--target-env');
const targetEnv =
targetEnvParamIndex >= 0
? process.argv[targetEnvParamIndex + 1]
: 'electron';

const userTrackingKeyIndex = process.argv.indexOf('--user-tracking-key');
const userTrackingKey = userTrackingKeyIndex >= 0 ? process.argv[userTrackingKeyIndex + 1] : null;
const userTrackingKeyIndex = process.argv.indexOf('--user-tracking-key');
const userTrackingKey =
userTrackingKeyIndex >= 0 ? process.argv[userTrackingKeyIndex + 1] : null;

let ENV = {
targetEnv,
modulePrefix: 'sysdig-inspect',
environment,
rootURL: rootURL,
locationType: 'hash',
EmberENV: {
FEATURES: {
// Here you can enable experimental features on an ember canary build
// e.g. 'with-controller': true
},
EXTEND_PROTOTYPES: {
// Prevent Ember Data from overriding Date.parse.
Date: false
}
},
let ENV = {
targetEnv,
modulePrefix: 'sysdig-inspect',
environment,
rootURL: rootURL,
locationType: 'hash',
EmberENV: {
FEATURES: {
// Here you can enable experimental features on an ember canary build
// e.g. 'with-controller': true
},
EXTEND_PROTOTYPES: {
// Prevent Ember Data from overriding Date.parse.
Date: false,
},
},

APP: {
// Here you can pass flags/options to your application instance
// when it is created
USER_TRACKING_KEY: userTrackingKey,
}
};
APP: {
// Here you can pass flags/options to your application instance
// when it is created
USER_TRACKING_KEY: userTrackingKey,
},
contentSecurityPolicy: {
'default-src': "'self'",
'script-src': "'self' 'unsafe-inline' 'unsafe-eval'",
'style-src': "'self' 'unsafe-inline'",
'img-src': "'self' data:",
'font-src': "'self' data:",
},
};

if (environment === 'development') {
// ENV.APP.LOG_RESOLVER = true;
// ENV.APP.LOG_ACTIVE_GENERATION = true;
// ENV.APP.LOG_TRANSITIONS = true;
// ENV.APP.LOG_TRANSITIONS_INTERNAL = true;
// ENV.APP.LOG_VIEW_LOOKUPS = true;
}
if (environment === 'development') {
// ENV.APP.LOG_RESOLVER = true;
// ENV.APP.LOG_ACTIVE_GENERATION = true;
// ENV.APP.LOG_TRANSITIONS = true;
// ENV.APP.LOG_TRANSITIONS_INTERNAL = true;
// ENV.APP.LOG_VIEW_LOOKUPS = true;
}

if (environment === 'test') {
// Testem prefers this...
ENV.locationType = 'none';
if (environment === 'test') {
// Testem prefers this...
ENV.locationType = 'none';

// keep test console output quieter
ENV.APP.LOG_ACTIVE_GENERATION = false;
ENV.APP.LOG_VIEW_LOOKUPS = false;
// keep test console output quieter
ENV.APP.LOG_ACTIVE_GENERATION = false;
ENV.APP.LOG_VIEW_LOOKUPS = false;

ENV.APP.rootElement = '#ember-testing';
}
ENV.APP.rootElement = '#ember-testing';
}

if (environment === 'production') {
if (environment === 'production') {
}

}

return ENV;
return ENV;
};