2fb067ecbf
Client security fixes (cmd/tailscale-tray/main.go):
- SSRF protection in Add Server dialog (validateControlURL): reject private/loopback/link-local/cloud-metadata IPs via DNS resolution
- RCE gate on AuthURL/BrowseToURL exec paths (validateAuthURL)
- Sanitized URL logging (sanitizeURLForLog drops query auth tokens)
- Error handling on exec.Command with user-facing showError()

Admin panel security (web-admin):
- Bcrypt password hashing (replaces SHA256)
- Rate limiting: 5 failed logins → 15-min lockout
- Session + login attempt cleanup goroutine (hourly)
- url.QueryEscape / encodeURIComponent for all API params
- Fail-hard startup when no TLS and non-loopback bind
- ADMIN_PASSWORD required (no default), password min 12 chars
- Username regex whitelist

Installer hardening (Setup.wxs):
- util:PermissionEx restricts SCM access: only Administrators + SYSTEM can start/stop/reconfigure service. Authenticated Users limited to QueryStatus/QueryConfig/Interrogate
- Vital="yes" on ServiceInstall

Docs & roadmap:
- PRODUCTION_ROADMAP.md: 5-milestone plan (security + features + distribution + ops) with granular tasks, effort, done-when
- CLIENT_SECURITY_AUDIT.md, SECURITY_FIXES.md, DEPLOYMENT.md
- AI assistant rules (.cursorrules, .antigravityrules, etc.)

Build & distribution:
- build-msi.ps1, deploy-and-sign.ps1, sign-release.ps1
- redeploy.ps1, tray-deploy.ps1, test-msi.ps1
- installer/msi/ alternative WXS setup
- Restored .github/workflows/ removed in mirror cleanup

.gitignore hardened: *.pfx, *.p12, *.key, *.pem, .env*
144 lines
5.3 KiB
YAML
name: test installer.sh

on:
  schedule:
    - cron: '0 15 * * *' # 10am EST (UTC-4/5)
  push:
    branches:
      - "main"
    paths:
      - scripts/installer.sh
      - .github/workflows/installer.yml
  pull_request:
    paths:
      - scripts/installer.sh
      - .github/workflows/installer.yml

jobs:
  test:
    strategy:
      # Don't abort the entire matrix if one element fails.
      fail-fast: false
      # Don't start all of these at once, which could saturate Github workers.
      max-parallel: 4
      matrix:
        image:
          # This is a list of Docker images against which we test our installer.
          # If you find that some of these no longer exist, please feel free
          # to remove them from the list.
          # When adding new images, please only use official ones.
          - "debian:oldstable-slim"
          - "debian:stable-slim"
          - "debian:testing-slim"
          - "debian:sid-slim"
          - "ubuntu:20.04"
          - "ubuntu:22.04"
          - "ubuntu:24.04"
          - "elementary/docker:stable"
          - "elementary/docker:unstable"
          - "parrotsec/core:latest"
          - "kalilinux/kali-rolling"
          - "kalilinux/kali-dev"
          - "oraclelinux:9"
          - "oraclelinux:8"
          - "fedora:latest"
          - "rockylinux:8.7"
          - "rockylinux:9"
          - "amazonlinux:latest"
          - "opensuse/leap:latest"
          - "opensuse/tumbleweed:latest"
          - "archlinux:latest"
          - "alpine:3.21"
          - "alpine:latest"
          - "alpine:edge"
        deps:
          # Run all images installing curl as a dependency.
          - curl
        include:
          # Check a few images with wget rather than curl.
          - { image: "debian:oldstable-slim", deps: "wget" }
          - { image: "debian:sid-slim", deps: "wget" }
          - { image: "debian:stable-slim", deps: "curl" }
          - { image: "ubuntu:24.04", deps: "curl" }
          - { image: "fedora:latest", deps: "curl" }
          # Test TAILSCALE_VERSION pinning on a subset of distros.
          # Skip Alpine as community repos don't reliably keep old versions.
          - { image: "debian:stable-slim", deps: "curl", version: "1.80.0" }
          - { image: "ubuntu:24.04", deps: "curl", version: "1.80.0" }
          - { image: "fedora:latest", deps: "curl", version: "1.80.0" }
    runs-on: ubuntu-latest
    container:
      image: ${{ matrix.image }}
      options: --user root
    steps:
      - name: install dependencies (pacman)
        # Refresh the package databases to ensure that the tailscale package is
        # defined.
        run: pacman -Sy
        if: contains(matrix.image, 'archlinux')
      - name: install dependencies (yum)
        # tar and gzip are needed by the actions/checkout below.
        run: yum install -y --allowerasing tar gzip ${{ matrix.deps }}
        if: |
          contains(matrix.image, 'centos') ||
          contains(matrix.image, 'oraclelinux') ||
          contains(matrix.image, 'fedora') ||
          contains(matrix.image, 'amazonlinux')
      - name: install dependencies (zypper)
        # tar and gzip are needed by the actions/checkout below.
        run: zypper --non-interactive install tar gzip ${{ matrix.deps }}
        if: contains(matrix.image, 'opensuse')
      - name: install dependencies (apt-get)
        run: |
          apt-get update
          apt-get install -y ${{ matrix.deps }}
        if: |
          contains(matrix.image, 'debian') ||
          contains(matrix.image, 'ubuntu') ||
          contains(matrix.image, 'elementary') ||
          contains(matrix.image, 'parrotsec') ||
          contains(matrix.image, 'kalilinux')
      - name: checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: run installer
        run: scripts/installer.sh
        env:
          TAILSCALE_VERSION: ${{ matrix.version }}
        # Package installation can fail in docker because systemd is not running
        # as PID 1, so ignore errors at this step. The real check is the
        # `tailscale --version` command below.
        continue-on-error: true
      - name: check tailscale version
        run: |
          tailscale --version
          if [ -n "${{ matrix.version }}" ]; then
            tailscale --version | grep -q "^${{ matrix.version }}" || { echo "Version mismatch!"; exit 1; }
          fi
  notify-slack:
    needs: test
    runs-on: ubuntu-latest
    steps:
      - name: Notify Slack of failure on scheduled runs
        if: failure() && github.event_name == 'schedule'
        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
        with:
          webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
          webhook-type: incoming-webhook
          payload: |
            {
              "attachments": [{
                "title": "Tailscale installer test failed",
                "title_link": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}",
                "text": "One or more OSes in the test matrix failed. See the run for details.",
                "fields": [
                  {
                    "title": "Ref",
                    "value": "${{ github.ref_name }}",
                    "short": true
                  }
                ],
                "footer": "${{ github.workflow }} on schedule",
                "color": "danger"
              }]
            }