name: CrowdSec Integration # Phase 2-3: Build Once, Test Many - Use registry image instead of building # This workflow now waits for docker-build.yml to complete and pulls the built image on: workflow_dispatch: inputs: image_tag: description: 'Docker image tag to test (e.g., pr-123-abc1234, latest)' required: false type: string # Prevent race conditions when PR is updated mid-test # Cancels old test runs when new build completes with different SHA concurrency: group: ${{ github.workflow }}-${{ github.event.workflow_run.event || github.event_name }}-${{ github.event.workflow_run.head_branch || github.ref }} cancel-in-progress: true jobs: crowdsec-integration: name: CrowdSec Bouncer Integration runs-on: ubuntu-latest timeout-minutes: 15 # Only run if docker-build.yml succeeded, or if manually triggered if: ${{ github.event_name == 'workflow_dispatch' || (github.event_name == 'workflow_run' && (github.event.workflow_run.status != 'completed' || github.event.workflow_run.conclusion == 'success')) }} steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 # Determine the correct image tag based on trigger context # For PRs: pr-{number}-{short-sha}, For non-PR: sha-{short-sha} - name: Determine image tag id: determine-tag env: EVENT: ${{ github.event.workflow_run.event || github.event_name }} REF: ${{ github.event.workflow_run.head_branch || github.ref_name }} SHA: ${{ github.event.workflow_run.head_sha || github.sha }} MANUAL_TAG: ${{ inputs.image_tag }} run: | # Manual trigger uses provided tag if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then if [[ -n "$MANUAL_TAG" ]]; then echo "tag=${MANUAL_TAG}" >> $GITHUB_OUTPUT else # Default to latest if no tag provided echo "tag=latest" >> $GITHUB_OUTPUT fi echo "source_type=manual" >> $GITHUB_OUTPUT exit 0 fi # Extract 7-character short SHA SHORT_SHA=$(echo "$SHA" | cut -c1-7) # Use native pull_requests array (no API calls needed) PR_NUM=$(echo '${{ toJson(github.event.workflow_run.pull_requests) }}' | jq -r '.[0].number // empty') if [[ "$EVENT" == "pull_request" || -n "$PR_NUM" ]]; then # Fallback for direct PR trigger if [[ -z "$PR_NUM" || "$PR_NUM" == "null" ]]; then PR_NUM="${{ github.event.number }}" fi if [[ -z "$PR_NUM" || "$PR_NUM" == "null" ]]; then echo "❌ ERROR: Could not determine PR number" echo "Event: $EVENT" echo "Ref: $REF" echo "SHA: $SHA" echo "Pull Requests JSON: ${{ toJson(github.event.workflow_run.pull_requests) }}" exit 1 fi # Immutable tag with SHA suffix prevents race conditions echo "tag=pr-${PR_NUM}-${SHORT_SHA}" >> $GITHUB_OUTPUT echo "source_type=pr" >> $GITHUB_OUTPUT else # Non-PR workflow_run uses short SHA tag (matches docker-build.yml) echo "tag=sha-${SHORT_SHA}" >> $GITHUB_OUTPUT echo "source_type=sha" >> $GITHUB_OUTPUT fi echo "sha=${SHORT_SHA}" >> $GITHUB_OUTPUT echo "Determined image tag: $(cat $GITHUB_OUTPUT | grep tag=)" # Pull image from Docker Hub with retry logic - name: Pull Docker image from registry id: pull_image uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3 with: timeout_minutes: 5 max_attempts: 3 retry_wait_seconds: 10 command: | IMAGE_NAME="docker.io/wikid82/charon:${{ steps.determine-tag.outputs.tag }}" echo "Pulling image: $IMAGE_NAME" docker pull "$IMAGE_NAME" docker tag "$IMAGE_NAME" charon:local echo "✅ Successfully pulled from registry" # Validate image freshness by checking SHA label - name: Validate image SHA env: SHA: ${{ steps.determine-tag.outputs.sha }} run: | LABEL_SHA=$(docker inspect charon:local --format '{{index .Config.Labels "org.opencontainers.image.revision"}}' | cut -c1-7) echo "Expected SHA: $SHA" echo "Image SHA: $LABEL_SHA" if [[ "$LABEL_SHA" != "$SHA" ]]; then echo "⚠️ WARNING: Image SHA mismatch!" echo "Image may be stale. Proceeding with caution..." else echo "✅ Image SHA matches expected commit" fi - name: Run CrowdSec integration tests id: crowdsec-test run: | chmod +x .github/skills/scripts/skill-runner.sh .github/skills/scripts/skill-runner.sh integration-test-crowdsec 2>&1 | tee crowdsec-test-output.txt exit ${PIPESTATUS[0]} - name: Run CrowdSec Startup and LAPI Tests id: lapi-test run: | chmod +x .github/skills/scripts/skill-runner.sh .github/skills/scripts/skill-runner.sh integration-test-crowdsec-startup 2>&1 | tee lapi-test-output.txt exit ${PIPESTATUS[0]} - name: Dump Debug Info on Failure if: failure() run: | echo "## 🔍 Debug Information" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY echo "### Container Status" >> $GITHUB_STEP_SUMMARY echo '```' >> $GITHUB_STEP_SUMMARY docker ps -a --filter "name=charon" --filter "name=crowdsec" >> $GITHUB_STEP_SUMMARY 2>&1 || true echo '```' >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY # Check which test container exists and dump its logs if docker ps -a --filter "name=charon-crowdsec-startup-test" --format "{{.Names}}" | grep -q "charon-crowdsec-startup-test"; then echo "### Charon Startup Test Container Logs (last 100 lines)" >> $GITHUB_STEP_SUMMARY echo '```' >> $GITHUB_STEP_SUMMARY docker logs charon-crowdsec-startup-test 2>&1 | tail -100 >> $GITHUB_STEP_SUMMARY || echo "No container logs available" >> $GITHUB_STEP_SUMMARY echo '```' >> $GITHUB_STEP_SUMMARY elif docker ps -a --filter "name=charon-debug" --format "{{.Names}}" | grep -q "charon-debug"; then echo "### Charon Container Logs (last 100 lines)" >> $GITHUB_STEP_SUMMARY echo '```' >> $GITHUB_STEP_SUMMARY docker logs charon-debug 2>&1 | tail -100 >> $GITHUB_STEP_SUMMARY || echo "No container logs available" >> $GITHUB_STEP_SUMMARY echo '```' >> $GITHUB_STEP_SUMMARY fi echo "" >> $GITHUB_STEP_SUMMARY # Check for CrowdSec specific logs if LAPI test ran if [ -f "lapi-test-output.txt" ]; then echo "### CrowdSec LAPI Test Failures" >> $GITHUB_STEP_SUMMARY echo '```' >> $GITHUB_STEP_SUMMARY grep -E "✗ FAIL|✗ CRITICAL|CROWDSEC.*BROKEN" lapi-test-output.txt >> $GITHUB_STEP_SUMMARY 2>&1 || echo "No critical failures found in LAPI test" >> $GITHUB_STEP_SUMMARY echo '```' >> $GITHUB_STEP_SUMMARY fi - name: CrowdSec Integration Summary if: always() run: | echo "## 🛡️ CrowdSec Integration Test Results" >> $GITHUB_STEP_SUMMARY # CrowdSec Preset Integration Tests if [ "${{ steps.crowdsec-test.outcome }}" == "success" ]; then echo "✅ **CrowdSec Hub Presets: Passed**" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY echo "### Preset Test Results:" >> $GITHUB_STEP_SUMMARY echo '```' >> $GITHUB_STEP_SUMMARY grep -E "^✓|^===|^Pull|^Apply" crowdsec-test-output.txt || echo "See logs for details" grep -E "^✓|^===|^Pull|^Apply" crowdsec-test-output.txt >> $GITHUB_STEP_SUMMARY || echo "See logs for details" >> $GITHUB_STEP_SUMMARY echo '```' >> $GITHUB_STEP_SUMMARY else echo "❌ **CrowdSec Hub Presets: Failed**" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY echo "### Preset Failure Details:" >> $GITHUB_STEP_SUMMARY echo '```' >> $GITHUB_STEP_SUMMARY grep -E "^✗|Unexpected|Error|failed|FAIL" crowdsec-test-output.txt | head -20 >> $GITHUB_STEP_SUMMARY || echo "See logs for details" >> $GITHUB_STEP_SUMMARY echo '```' >> $GITHUB_STEP_SUMMARY fi echo "" >> $GITHUB_STEP_SUMMARY # CrowdSec Startup and LAPI Tests if [ "${{ steps.lapi-test.outcome }}" == "success" ]; then echo "✅ **CrowdSec Startup & LAPI: Passed**" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY echo "### LAPI Test Results:" >> $GITHUB_STEP_SUMMARY echo '```' >> $GITHUB_STEP_SUMMARY grep -E "^\[TEST\]|✓ PASS|Check [0-9]|CrowdSec LAPI" lapi-test-output.txt >> $GITHUB_STEP_SUMMARY || echo "See logs for details" >> $GITHUB_STEP_SUMMARY echo '```' >> $GITHUB_STEP_SUMMARY else echo "❌ **CrowdSec Startup & LAPI: Failed**" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY echo "### LAPI Failure Details:" >> $GITHUB_STEP_SUMMARY echo '```' >> $GITHUB_STEP_SUMMARY grep -E "✗ FAIL|✗ CRITICAL|Error|failed" lapi-test-output.txt | head -20 >> $GITHUB_STEP_SUMMARY || echo "See logs for details" >> $GITHUB_STEP_SUMMARY echo '```' >> $GITHUB_STEP_SUMMARY fi - name: Cleanup if: always() run: | docker rm -f charon-debug || true docker rm -f charon-crowdsec-startup-test || true docker rm -f crowdsec || true docker network rm containers_default || true