fix: ensure integration tests and security scans run on all branches

- Added push and pull_request triggers to integration test workflows (waf, cerberus, crowdsec, rate-limit)
- Added push and pull_request triggers to security scan workflows (security-pr, supply-chain-pr)
- Implemented logic to locate build artifacts when triggered directly via push/PR
- Ensured consistent testing coverage across main, development, feature, and hotfix branches
GitHub Actions
2026-02-06 01:29:27 +00:00
parent 0696507415
commit a14e0966e6
6 changed files with 118 additions and 36 deletions


@@ -6,7 +6,9 @@ on:
workflow_run:
workflows: ["Docker Build, Publish & Test"]
types: [completed]
branches: [main, development, 'feature/**', 'hotfix/**'] # Explicit branch filter prevents unexpected triggers
branches: [main, development, 'feature/**', 'hotfix/**']
push:
branches: [main, development, 'feature/**', 'hotfix/**']
pull_request:
branches: [main, development, 'feature/**', 'hotfix/**']
# Allow manual trigger for debugging
@@ -39,9 +41,9 @@ jobs:
- name: Determine image tag
id: determine-tag
env:
EVENT: ${{ github.event.workflow_run.event }}
REF: ${{ github.event.workflow_run.head_branch }}
SHA: ${{ github.event.workflow_run.head_sha }}
EVENT: ${{ github.event.workflow_run.event || github.event_name }}
REF: ${{ github.event.workflow_run.head_branch || github.ref_name }}
SHA: ${{ github.event.workflow_run.head_sha || github.sha }}
MANUAL_TAG: ${{ inputs.image_tag }}
run: |
# Manual trigger uses provided tag
@@ -63,6 +65,11 @@ jobs:
# Use native pull_requests array (no API calls needed)
PR_NUM=$(echo '${{ toJson(github.event.workflow_run.pull_requests) }}' | jq -r '.[0].number')
# Fallback for direct PR trigger
if [[ -z "$PR_NUM" || "$PR_NUM" == "null" ]]; then
PR_NUM="${{ github.event.number }}"
fi
if [[ -z "$PR_NUM" || "$PR_NUM" == "null" ]]; then
echo "❌ ERROR: Could not determine PR number"
echo "Event: $EVENT"
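Review bot: On a direct `pull_request` run, the `SHA` and `REF` fallbacks in the `Determine image tag` env resolve to the wrong commit and ref: `github.sha` is the temporary merge commit and `github.ref_name` is `<number>/merge`, not the PR head. Any tag or revision-label comparison derived from them will presumably not match what the build workflow produced for the head commit. Consider `SHA: ${{ github.event.workflow_run.head_sha || github.event.pull_request.head.sha || github.sha }}` and `REF: ${{ github.event.workflow_run.head_branch || github.head_ref || github.ref_name }}`, which is the form two other files in this commit already use. The same hunks appear in the three other integration-test file sections below. Note also that `branches:` under `pull_request` filters on the base branch, so the `feature/**` and `hotfix/**` entries only match PRs that target such branches.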


@@ -6,7 +6,9 @@ on:
workflow_run:
workflows: ["Docker Build, Publish & Test"]
types: [completed]
branches: [main, development, 'feature/**', 'hotfix/**'] # Explicit branch filter prevents unexpected triggers
branches: [main, development, 'feature/**', 'hotfix/**']
push:
branches: [main, development, 'feature/**', 'hotfix/**']
pull_request:
branches: [main, development, 'feature/**', 'hotfix/**']
# Allow manual trigger for debugging
@@ -39,9 +41,9 @@ jobs:
- name: Determine image tag
id: determine-tag
env:
EVENT: ${{ github.event.workflow_run.event }}
REF: ${{ github.event.workflow_run.head_branch }}
SHA: ${{ github.event.workflow_run.head_sha }}
EVENT: ${{ github.event.workflow_run.event || github.event_name }}
REF: ${{ github.event.workflow_run.head_branch || github.ref_name }}
SHA: ${{ github.event.workflow_run.head_sha || github.sha }}
MANUAL_TAG: ${{ inputs.image_tag }}
run: |
# Manual trigger uses provided tag
@@ -63,6 +65,11 @@ jobs:
# Use native pull_requests array (no API calls needed)
PR_NUM=$(echo '${{ toJson(github.event.workflow_run.pull_requests) }}' | jq -r '.[0].number')
# Fallback for direct PR trigger
if [[ -z "$PR_NUM" || "$PR_NUM" == "null" ]]; then
PR_NUM="${{ github.event.number }}"
fi
if [[ -z "$PR_NUM" || "$PR_NUM" == "null" ]]; then
echo "❌ ERROR: Could not determine PR number"
echo "Event: $EVENT"


@@ -6,7 +6,9 @@ on:
workflow_run:
workflows: ["Docker Build, Publish & Test"]
types: [completed]
branches: [main, development, 'feature/**', 'hotfix/**'] # Explicit branch filter prevents unexpected triggers
branches: [main, development, 'feature/**', 'hotfix/**']
push:
branches: [main, development, 'feature/**', 'hotfix/**']
pull_request:
branches: [main, development, 'feature/**', 'hotfix/**']
# Allow manual trigger for debugging
@@ -39,9 +41,9 @@ jobs:
- name: Determine image tag
id: determine-tag
env:
EVENT: ${{ github.event.workflow_run.event }}
REF: ${{ github.event.workflow_run.head_branch }}
SHA: ${{ github.event.workflow_run.head_sha }}
EVENT: ${{ github.event.workflow_run.event || github.event_name }}
REF: ${{ github.event.workflow_run.head_branch || github.ref_name }}
SHA: ${{ github.event.workflow_run.head_sha || github.sha }}
MANUAL_TAG: ${{ inputs.image_tag }}
run: |
# Manual trigger uses provided tag
@@ -63,6 +65,11 @@ jobs:
# Use native pull_requests array (no API calls needed)
PR_NUM=$(echo '${{ toJson(github.event.workflow_run.pull_requests) }}' | jq -r '.[0].number')
# Fallback for direct PR trigger
if [[ -z "$PR_NUM" || "$PR_NUM" == "null" ]]; then
PR_NUM="${{ github.event.number }}"
fi
if [[ -z "$PR_NUM" || "$PR_NUM" == "null" ]]; then
echo "❌ ERROR: Could not determine PR number"
echo "Event: $EVENT"
@@ -103,7 +110,7 @@ jobs:
max_attempts: 3
retry_wait_seconds: 10
command: |
IMAGE_NAME="ghcr.io/${{ github.repository_owner }}/charon:${{ steps.image.outputs.tag }}"
IMAGE_NAME="ghcr.io/${{ github.repository_owner }}/charon:${{ steps.determine-tag.outputs.tag }}"
echo "Pulling image: $IMAGE_NAME"
docker pull "$IMAGE_NAME"
docker tag "$IMAGE_NAME" charon:local
@@ -115,12 +122,12 @@ jobs:
if: steps.pull_image.outcome == 'failure'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SHA: ${{ steps.image.outputs.sha }}
SHA: ${{ steps.determine-tag.outputs.sha }}
run: |
echo "⚠️ Registry pull failed, falling back to artifact..."
# Determine artifact name based on source type
if [[ "${{ steps.image.outputs.source_type }}" == "pr" ]]; then
if [[ "${{ steps.determine-tag.outputs.source_type }}" == "pr" ]]; then
PR_NUM=$(echo '${{ toJson(github.event.workflow_run.pull_requests) }}' | jq -r '.[0].number')
ARTIFACT_NAME="pr-image-${PR_NUM}"
else
@@ -144,7 +151,7 @@ jobs:
# Validate image freshness by checking SHA label
- name: Validate image SHA
env:
SHA: ${{ steps.image.outputs.sha }}
SHA: ${{ steps.determine-tag.outputs.sha }}
run: |
LABEL_SHA=$(docker inspect charon:local --format '{{index .Config.Labels "org.opencontainers.image.revision"}}' | cut -c1-7)
echo "Expected SHA: $SHA"
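Review bot: The artifact-fallback step still derives `PR_NUM` only from `github.event.workflow_run.pull_requests`, which is empty on the new direct `pull_request` trigger, so `ARTIFACT_NAME` becomes `pr-image-null`; the `github.event.number` fallback added in `determine-tag` is not mirrored here. That line also pastes `toJson(...)` into a single-quoted shell string, and the array can carry branch names, so it is safer to pass the value through the step's `env:` (e.g. `PR_NUM: ${{ github.event.workflow_run.pull_requests[0].number || github.event.number }}`) and read `$PR_NUM` in the script. The last file section of this commit contains the same step. The step body continues outside the hunk.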


@@ -8,6 +8,11 @@ on:
workflows: ["Docker Build, Publish & Test"]
types:
- completed
branches: [main, development, 'feature/**', 'hotfix/**']
push:
branches: [main, development, 'feature/**', 'hotfix/**']
pull_request:
branches: [main, development, 'feature/**', 'hotfix/**']
workflow_dispatch:
inputs:
@@ -59,8 +64,8 @@ jobs:
exit 0
fi
# Extract PR number from workflow_run context
HEAD_SHA="${{ github.event.workflow_run.head_sha }}"
# Extract PR number from context
HEAD_SHA="${{ github.event.workflow_run.head_sha || github.event.pull_request.head.sha || github.sha }}"
echo "🔍 Looking for PR with head SHA: ${HEAD_SHA}"
# Query GitHub API for PR associated with this commit
@@ -79,9 +84,10 @@ jobs:
fi
# Check if this is a push event (not a PR)
if [[ "${{ github.event.workflow_run.event }}" == "push" ]]; then
if [[ "${{ github.event.workflow_run.event }}" == "push" || "${{ github.event_name }}" == "push" ]]; then
HEAD_BRANCH="${{ github.event.workflow_run.head_branch || github.ref_name }}"
echo "is_push=true" >> "$GITHUB_OUTPUT"
echo "✅ Detected push build from branch: ${{ github.event.workflow_run.head_branch }}"
echo "✅ Detected push build from branch: ${HEAD_BRANCH}"
else
echo "is_push=false" >> "$GITHUB_OUTPUT"
fi
@@ -116,6 +122,21 @@ jobs:
echo "artifact_exists=false" >> "$GITHUB_OUTPUT"
exit 0
fi
elif [[ -z "${RUN_ID}" ]]; then
# If triggered by push/pull_request, RUN_ID is empty. Find recent run for this commit.
HEAD_SHA="${{ github.event.workflow_run.head_sha || github.event.pull_request.head.sha || github.sha }}"
echo "🔍 Searching for workflow run for SHA: ${HEAD_SHA}"
# Retry a few times as the run might be just starting or finishing
for i in {1..3}; do
RUN_ID=$(gh api \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
"/repos/${{ github.repository }}/actions/workflows/docker-build.yml/runs?head_sha=${HEAD_SHA}&status=success&per_page=1" \
--jq '.workflow_runs[0].id // empty' 2>/dev/null || echo "")
if [[ -n "${RUN_ID}" ]]; then break; fi
echo "⏳ Waiting for workflow run to appear/complete... ($i/3)"
sleep 5
done
fi
echo "run_id=${RUN_ID}" >> "$GITHUB_OUTPUT"
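Review bot: `HEAD_BRANCH="${{ github.event.workflow_run.head_branch || github.ref_name }}"` expands the branch name into the script text before bash parses it, so a name containing `$(...)` or a double quote is interpreted as shell rather than data. Branch names matching `feature/**` are chosen by whoever pushes, and for `workflow_run` the head branch may come from a fork. Pass the value through the step's `env:` (`HEAD_BRANCH: ${{ github.event.workflow_run.head_branch || github.ref_name }}`) and drop the inline assignment. The following file section has the same pattern, there also with `github.head_ref`. The step's `env:` block is outside the hunk, so confirm where it belongs.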


@@ -7,6 +7,11 @@ on:
workflows: ["Docker Build, Publish & Test"]
types:
- completed
branches: [main, development, 'feature/**', 'hotfix/**']
push:
branches: [main, development, 'feature/**', 'hotfix/**']
pull_request:
branches: [main, development, 'feature/**', 'hotfix/**']
workflow_dispatch:
inputs:
@@ -56,15 +61,15 @@ jobs:
exit 0
fi
if [[ "${{ github.event_name }}" != "workflow_run" ]]; then
echo "❌ No PR number provided and not triggered by workflow_run"
if [[ "${{ github.event_name }}" != "workflow_run" && "${{ github.event_name }}" != "push" && "${{ github.event_name }}" != "pull_request" ]]; then
echo "❌ No PR number provided and not triggered by workflow_run/push/pr"
echo "pr_number=" >> "$GITHUB_OUTPUT"
exit 0
fi
# Extract PR number from workflow_run context
HEAD_SHA="${{ github.event.workflow_run.head_sha }}"
HEAD_BRANCH="${{ github.event.workflow_run.head_branch }}"
# Extract PR number from context
HEAD_SHA="${{ github.event.workflow_run.head_sha || github.event.pull_request.head.sha || github.sha }}"
HEAD_BRANCH="${{ github.event.workflow_run.head_branch || github.head_ref || github.ref_name }}"
echo "🔍 Looking for PR with head SHA: ${HEAD_SHA}"
echo "🔍 Head branch: ${HEAD_BRANCH}"
@@ -94,9 +99,10 @@ jobs:
fi
# Check if this is a push event (not a PR)
if [[ "${{ github.event.workflow_run.event }}" == "push" ]]; then
if [[ "${{ github.event.workflow_run.event }}" == "push" || "${{ github.event_name }}" == "push" ]]; then
echo "is_push=true" >> "$GITHUB_OUTPUT"
echo "✅ Detected push build from branch: ${{ github.event.workflow_run.head_branch }}"
HEAD_BRANCH="${{ github.event.workflow_run.head_branch || github.ref_name }}"
echo "✅ Detected push build from branch: ${HEAD_BRANCH}"
else
echo "is_push=false" >> "$GITHUB_OUTPUT"
fi
@@ -135,10 +141,37 @@ jobs:
-H "X-GitHub-Api-Version: 2022-11-28" \
"/repos/${{ github.repository }}/actions/runs/${RUN_ID}/artifacts" \
--jq ".artifacts[] | select(.name == \"${ARTIFACT_NAME}\") | .id" 2>/dev/null || echo "")
else
# If RUN_ID is empty (push/pr trigger), try to find a recent successful run for this SHA
HEAD_SHA="${{ github.event.workflow_run.head_sha || github.event.pull_request.head.sha || github.sha }}"
echo "🔍 Searching for workflow run for SHA: ${HEAD_SHA}"
# Retry a few times as the run might be just starting or finishing
for i in {1..3}; do
RUN_ID=$(gh api \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
"/repos/${{ github.repository }}/actions/workflows/docker-build.yml/runs?head_sha=${HEAD_SHA}&status=success&per_page=1" \
--jq '.workflow_runs[0].id // empty' 2>/dev/null || echo "")
if [[ -n "${RUN_ID}" ]]; then
echo "✅ Found Run ID: ${RUN_ID}"
break
fi
echo "⏳ Waiting for workflow run to appear/complete... ($i/3)"
sleep 5
done
if [[ -n "${RUN_ID}" ]]; then
ARTIFACT_ID=$(gh api \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
"/repos/${{ github.repository }}/actions/runs/${RUN_ID}/artifacts" \
--jq ".artifacts[] | select(.name == \"${ARTIFACT_NAME}\") | .id" 2>/dev/null || echo "")
fi
fi
if [[ -z "${ARTIFACT_ID}" ]]; then
# Fallback: search recent artifacts
# Fallback for manual or missing info: search recent artifacts by name
echo "🔍 Falling back to search by artifact name..."
ARTIFACT_ID=$(gh api \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
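Review bot: The new run lookup waits at most 15 seconds (`for i in {1..3}` with `sleep 5`) for a `status=success` build of `HEAD_SHA`, which a build started by the same push is unlikely to reach, so direct push/PR runs will usually drop into the name-only artifact fallback. As far as the hunk shows, that fallback is not tied to the commit, so the scan can report on an artifact built from a different revision. Consider restricting the fallback to artifacts whose `workflow_run.head_sha` equals `HEAD_SHA`, or failing the step when no matching run is found. `2>/dev/null || echo ""` also turns API errors (auth, rate limit) into "not found". The same lookup loop is in the previous file section, and the fallback query continues past the end of this hunk.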


@@ -6,7 +6,9 @@ on:
workflow_run:
workflows: ["Docker Build, Publish & Test"]
types: [completed]
branches: [main, development, 'feature/**', 'hotfix/**'] # Explicit branch filter prevents unexpected triggers
branches: [main, development, 'feature/**', 'hotfix/**']
push:
branches: [main, development, 'feature/**', 'hotfix/**']
pull_request:
branches: [main, development, 'feature/**', 'hotfix/**']
# Allow manual trigger for debugging
@@ -39,9 +41,9 @@ jobs:
- name: Determine image tag
id: determine-tag
env:
EVENT: ${{ github.event.workflow_run.event }}
REF: ${{ github.event.workflow_run.head_branch }}
SHA: ${{ github.event.workflow_run.head_sha }}
EVENT: ${{ github.event.workflow_run.event || github.event_name }}
REF: ${{ github.event.workflow_run.head_branch || github.ref_name }}
SHA: ${{ github.event.workflow_run.head_sha || github.sha }}
MANUAL_TAG: ${{ inputs.image_tag }}
run: |
# Manual trigger uses provided tag
@@ -63,6 +65,11 @@ jobs:
# Use native pull_requests array (no API calls needed)
PR_NUM=$(echo '${{ toJson(github.event.workflow_run.pull_requests) }}' | jq -r '.[0].number')
# Fallback for direct PR trigger
if [[ -z "$PR_NUM" || "$PR_NUM" == "null" ]]; then
PR_NUM="${{ github.event.number }}"
fi
if [[ -z "$PR_NUM" || "$PR_NUM" == "null" ]]; then
echo "❌ ERROR: Could not determine PR number"
echo "Event: $EVENT"
@@ -103,7 +110,7 @@ jobs:
max_attempts: 3
retry_wait_seconds: 10
command: |
IMAGE_NAME="ghcr.io/${{ github.repository_owner }}/charon:${{ steps.image.outputs.tag }}"
IMAGE_NAME="ghcr.io/${{ github.repository_owner }}/charon:${{ steps.determine-tag.outputs.tag }}"
echo "Pulling image: $IMAGE_NAME"
docker pull "$IMAGE_NAME"
docker tag "$IMAGE_NAME" charon:local
@@ -115,12 +122,12 @@ jobs:
if: steps.pull_image.outcome == 'failure'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SHA: ${{ steps.image.outputs.sha }}
SHA: ${{ steps.determine-tag.outputs.sha }}
run: |
echo "⚠️ Registry pull failed, falling back to artifact..."
# Determine artifact name based on source type
if [[ "${{ steps.image.outputs.source_type }}" == "pr" ]]; then
if [[ "${{ steps.determine-tag.outputs.source_type }}" == "pr" ]]; then
PR_NUM=$(echo '${{ toJson(github.event.workflow_run.pull_requests) }}' | jq -r '.[0].number')
ARTIFACT_NAME="pr-image-${PR_NUM}"
else
@@ -144,7 +151,7 @@ jobs:
# Validate image freshness by checking SHA label
- name: Validate image SHA
env:
SHA: ${{ steps.image.outputs.sha }}
SHA: ${{ steps.determine-tag.outputs.sha }}
run: |
LABEL_SHA=$(docker inspect charon:local --format '{{index .Config.Labels "org.opencontainers.image.revision"}}' | cut -c1-7)
echo "Expected SHA: $SHA"