#arm-architecture
theopolis

03/18/2021, 4:07 AM
I should have gone to bed an hour ago, but I got an example ec2-github-runner integration working with a test-fork of osquery: https://github.com/theopolis/osquery-ci-test/runs/2136674997?check_suite_focus=true This approach won't work for pull requests because of GitHub properly limiting access to secrets from non-collaborators. We might be able to get up and running with this by having these workflow jobs run on the main branch and tags. And we can find a solution for pull requests in the future. To have this work for master is a matter of copying and pasting that PR into osquery/osquery and setting the proper secrets.
Ali Saidi

03/18/2021, 1:34 PM
nice! does it limit secrets for hosted runners from non-collaborators no matter what?
theopolis

03/18/2021, 1:45 PM
That's what I understand from the GitHub documentation. If you or someone else has a moment, you can test by opening a PR against https://github.com/theopolis/osquery-ci-test and if it's vulnerable to leaking secrets to non-contributors then the EC2 instance will start; otherwise the workflow job will fail.
1:55 PM
We might be able to get up and running with this by having these workflow jobs run on the main branch and tags.
What I mean here is I consider building aarch64 on master to be the MVP for what we need to consider support official. If we implement testing on master then we at least know before we tag a release that aarch64 is working. We'll also have packages built and ready as artifacts for the release process.
And we can find a solution for pull requests in the future.
Longer term the Envoy or CB approach is ideal so that we give PRs the confidence they are not breaking aarch64. I proposed the ec2-github-runner as a quick stop-gap solution. But I'd like to give @seph more time to continue to investigate the Envoy approach.
Ali Saidi

03/19/2021, 12:58 AM
I tried a PR and the start EC2 runner failed because it wasn’t specified, which matches what I expected would happen from the above. No access to secrets from PRs