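# Release pipeline, triggered by a version tag push:
#   build        - cross-compile AzureHound for each OS/arch, zip it, write a
#                  SHA-256 sum and attach both files to the GitHub release
#   sign         - Authenticode-sign the Windows binaries through DigiCert
#                  Signing Manager, verify them, zip+checksum, upload to S3
#   containerize - build the container image and push it to GHCR and ACR
#
# Convention used throughout: values that end up in a shell command line
# (tag name, file names, secrets, step outputs) are passed through `env:` and
# read as "$VAR" inside the script, never expanded with ${{ }} into the
# command text. That keeps a tag name such as v1.2.3 from ever being parsed by
# the shell and avoids quoting problems.
#
# NOTE(review): actions are pinned inconsistently — docker/login-action and
# docker/metadata-action by commit SHA, everything else by a floating major
# tag. Pinning all of them to a commit SHA (with the release tag in a trailing
# comment) removes the risk of an upstream tag being moved under this workflow;
# the SHAs are not recorded here, so that change is left to the maintainers.
name: Publish

on:
  push:
    tags:
      - 'v*.*.*'

# Least-privilege default for GITHUB_TOKEN; jobs that need more request it
# explicitly at job level (a job-level block replaces this one entirely).
permissions:
  contents: read

env:
  AZUREHOUND_VERSION: ${{ github.ref_name }}

jobs:
  build:
    runs-on: ubuntu-latest
    # Creating/updating the release and uploading assets needs write access to
    # repository contents; nothing else in this job needs the token.
    permissions:
      contents: write
    strategy:
      matrix:
        os:
          - darwin
          - linux
          - windows
        arch:
          - amd64
          - arm64
    env:
      FILE_NAME: AzureHound_${{ github.ref_name }}_${{ matrix.os }}_${{ matrix.arch }}
    steps:
      - uses: actions/checkout@v4
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
          check-latest: true
          cache: true
      - name: Build
        # Version is injected via -X from the AZUREHOUND_VERSION job env var.
        run: 'go build -ldflags="-s -w -X github.com/bloodhoundad/azurehound/v2/constants.Version=${AZUREHOUND_VERSION}"'
        env:
          GOOS: ${{ matrix.os }}
          GOARCH: ${{ matrix.arch }}
      # Only the Windows binaries are handed to the sign job below.
      - name: Upload as Artifact
        if: matrix.os == 'windows'
        uses: actions/upload-artifact@v4
        with:
          name: azurehound-bin-${{ matrix.os }}-${{ matrix.arch }}
          path: azurehound*
      - name: Zip
        run: 7z a -tzip -mx9 "${FILE_NAME}.zip" azurehound*
      - name: Compute Checksum
        run: sha256sum "${FILE_NAME}.zip" > "${FILE_NAME}.zip.sha256"
      # Runs once per matrix leg; each leg attaches its own zip + .sha256 pair
      # (the action resolves the release from the pushed tag).
      - name: Upload Release
        uses: softprops/action-gh-release@v1
        with:
          files: |
            ${{ env.FILE_NAME }}.zip
            ${{ env.FILE_NAME }}.zip.sha256

  sign:
    runs-on: ubuntu-22.04 # INFO: https://docs.digicert.com/en/digicert-keylocker/code-signing/sign-with-third-party-signing-tools/windows-applications/sign-authenticode-files-with-osslsigncode-using-openssl-pkcs11-engine.html#a-note-for-ubuntu-users-488674
    needs: build
    strategy:
      matrix:
        os:
          - windows
        arch:
          - amd64
          - arm64
    env:
      FILE_NAME: AzureHoundEnterprise_${{ github.ref_name }}_${{ matrix.os }}_${{ matrix.arch }}
    steps:
      # NOTE(review): these are long-lived static access keys held as repository
      # secrets. Assuming a role via OIDC (role-to-assume + `id-token: write`)
      # would remove the stored credential; the role ARN is not available here,
      # so the key-based login is kept.
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.BHE_AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.BHE_AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1
      - uses: actions/download-artifact@v4
        with:
          pattern: azurehound-bin-${{ matrix.os }}-${{ matrix.arch }}
          path: unsigned/
      - name: Install osslsigncode & pkcs11 engine
        run: |
          sudo apt-get update
          sudo apt-get install -y osslsigncode libengine-pkcs11-openssl
      - name: Install DigiCert Client Tools
        id: digicert
        uses: digicert/ssm-code-signing@v1.0.0
      # Locates the DigiCert PKCS#11 module (next to the config the client tools
      # wrote) and the OpenSSL pkcs11 engine shipped by the apt package; both
      # paths are exported as step outputs for the sign step.
      - name: Set PKCS#11 Paths
        id: pkcs11
        env:
          PKCS11_CONFIG: ${{ steps.digicert.outputs.PKCS11_CONFIG }}
        shell: bash
        run: |
          SM_TOOLS_DIR=$(dirname "$(realpath "$PKCS11_CONFIG")")
          echo "module=${SM_TOOLS_DIR}/smpkcs11.so" >> "$GITHUB_OUTPUT"
          LIB_PKCS11="$(dpkg -L libengine-pkcs11-openssl | grep "libpkcs11.so")"
          echo "engine=$LIB_PKCS11" >> "$GITHUB_OUTPUT"
      - name: Sign Artifacts via DigiCert Signing Manager
        env:
          SM_HOST: ${{ secrets.SM_HOST }}
          SM_API_KEY: ${{ secrets.SM_API_KEY }}
          SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }}
          SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
          KEYPAIR_ALIAS: ${{ secrets.SM_KEYPAIR_ALIAS }}
          PKCS11_ENGINE: ${{ steps.pkcs11.outputs.engine }}
          PKCS11_MODULE: ${{ steps.pkcs11.outputs.module }}
          ARTIFACT: unsigned/azurehound-bin-${{ matrix.os }}-${{ matrix.arch }}/azurehound.exe
        shell: bash
        run: |
          # The client certificate exists on disk only for this step. The trap is
          # registered before the file is written so it is removed even when the
          # decode or the signing call fails.
          SM_CLIENT_CERT_FILE=$(mktemp)
          export SM_CLIENT_CERT_FILE
          trap 'rm -f "$SM_CLIENT_CERT_FILE"' EXIT
          printenv SM_CLIENT_CERT_FILE_B64 | base64 --decode > "$SM_CLIENT_CERT_FILE"
          mkdir signed
          smctl sign --keypair-alias "$KEYPAIR_ALIAS" --input "$ARTIFACT" \
            --openssl-pkcs11-engine "$PKCS11_ENGINE" --pkcs11-module "$PKCS11_MODULE" \
            --tool osslsigncode --verbose
          mv "$ARTIFACT" "signed/azurehound.exe"
      - name: Verify Signed Artifacts
        env:
          SM_HOST: ${{ secrets.SM_HOST }}
          SM_API_KEY: ${{ secrets.SM_API_KEY }}
          SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }}
          SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
          KEYPAIR_ALIAS: ${{ secrets.SM_KEYPAIR_ALIAS }}
        shell: bash
        run: |
          SM_CLIENT_CERT_FILE=$(mktemp)
          export SM_CLIENT_CERT_FILE
          # Trap set before either file is created so both are cleaned up on any exit.
          trap 'rm -f "$SM_CLIENT_CERT_FILE" cert-chain.pem' EXIT
          printenv SM_CLIENT_CERT_FILE_B64 | base64 --decode > "$SM_CLIENT_CERT_FILE"
          smctl certificate download --keypair-alias "$KEYPAIR_ALIAS" --format pem --chain --name cert-chain.pem
          # Verify against the chain downloaded for this keypair rather than the
          # system trust store; a failed verification fails the job (set -e).
          for artifact in signed/*; do
            osslsigncode verify -CAfile cert-chain.pem "$artifact"
          done
      - name: Zip Signed Executables
        run: |
          mkdir zipped
          7z a -tzip -mx9 "zipped/${FILE_NAME}.zip" signed/*
      - name: Checksum Zipped Files
        run: |
          sha256sum "zipped/${FILE_NAME}.zip" > "zipped/${FILE_NAME}.zip.sha256"
      - name: Upload Artifacts to S3
        env:
          S3_BUCKET: ${{ secrets.BHE_AWS_BUCKET }}
        run: |
          aws s3 cp --recursive zipped/ "s3://${S3_BUCKET}"

  containerize:
    runs-on: ubuntu-latest
    # A job-level permissions block drops every scope not listed, so `contents:
    # read` is stated explicitly for the checkout step.
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4
      # NOTE(review): with `packages: write` on GITHUB_TOKEN, logging in as
      # ${{ github.actor }} with ${{ secrets.GITHUB_TOKEN }} may be enough to
      # push to ghcr.io/bloodhoundad and would retire the PACKAGE_SCOPE PAT from
      # this step — confirm the package is linked to this repository first.
      - name: Log in to GHCR
        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
        with:
          registry: ghcr.io
          username: ${{ secrets.GHCR_USER }}
          password: ${{ secrets.PACKAGE_SCOPE }}
      - name: Log in to ACR
        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
        with:
          registry: ${{ secrets.ACR_AZUREHOUND_REGISTRY_URL }}
          username: ${{ secrets.ACR_CLIENT_ID }}
          password: ${{ secrets.ACR_SECRET }}
      # Produces tags vX.Y.Z and vX.Y for both registries from the pushed semver tag.
      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
        with:
          images: |
            ghcr.io/bloodhoundad/azurehound
            ${{ secrets.ACR_AZUREHOUND_REGISTRY_URL }}/azurehound
          tags: |
            type=semver,pattern={{version}},prefix=v
            type=semver,pattern={{major}}.{{minor}},prefix=v
      - name: Build Container Image
        uses: docker/build-push-action@v6
        with:
          context: .
          build-args: VERSION=${{ github.ref_name }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          push: true
          secrets: |
            GIT_AUTH_TOKEN=${{ secrets.PACKAGE_SCOPE }}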