Charon/.github/workflows/waf-integration.yml

name: WAF Integration Tests

on:
  push:
    branches: [ main, development, 'feature/**' ]
    paths:
      - 'backend/internal/caddy/**'
      - 'backend/internal/models/security*.go'
      - 'scripts/coraza_integration.sh'
      - 'Dockerfile'
      - '.github/workflows/waf-integration.yml'
  pull_request:
    branches: [ main, development ]
    paths:
      - 'backend/internal/caddy/**'
      - 'backend/internal/models/security*.go'
      - 'scripts/coraza_integration.sh'
      - 'Dockerfile'
      - '.github/workflows/waf-integration.yml'
  # Allow manual trigger
  workflow_dispatch:

jobs:
  waf-integration:
    name: Coraza WAF Integration
    runs-on: ubuntu-latest
    timeout-minutes: 15

    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

      - name: Build Docker image
        run: |
          docker build \
            --build-arg VCS_REF=${{ github.sha }} \
            -t charon:local .

      - name: Run WAF integration tests
        id: waf-test
        run: |
          chmod +x scripts/coraza_integration.sh
          scripts/coraza_integration.sh 2>&1 | tee waf-test-output.txt
          exit ${PIPESTATUS[0]}

      - name: Dump Debug Info on Failure
        if: failure()
        run: |
          echo "## 🔍 Debug Information" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY

          echo "### Container Status" >> $GITHUB_STEP_SUMMARY
          echo '```' >> $GITHUB_STEP_SUMMARY
          docker ps -a --filter "name=charon" --filter "name=coraza" >> $GITHUB_STEP_SUMMARY 2>&1 || true
          echo '```' >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY

          echo "### Caddy Admin Config" >> $GITHUB_STEP_SUMMARY
          echo '```json' >> $GITHUB_STEP_SUMMARY
          curl -s http://localhost:2019/config 2>/dev/null | head -200 >> $GITHUB_STEP_SUMMARY || echo "Could not retrieve Caddy config" >> $GITHUB_STEP_SUMMARY
          echo '```' >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY

          echo "### Charon Container Logs (last 100 lines)" >> $GITHUB_STEP_SUMMARY
          echo '```' >> $GITHUB_STEP_SUMMARY
          docker logs charon-debug 2>&1 | tail -100 >> $GITHUB_STEP_SUMMARY || echo "No container logs available" >> $GITHUB_STEP_SUMMARY
          echo '```' >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY

          echo "### WAF Ruleset Files" >> $GITHUB_STEP_SUMMARY
          echo '```' >> $GITHUB_STEP_SUMMARY
          docker exec charon-debug sh -c 'ls -la /app/data/caddy/coraza/rulesets/ 2>/dev/null && echo "---" && cat /app/data/caddy/coraza/rulesets/*.conf 2>/dev/null' >> $GITHUB_STEP_SUMMARY || echo "No ruleset files found" >> $GITHUB_STEP_SUMMARY
          echo '```' >> $GITHUB_STEP_SUMMARY

      - name: WAF Integration Summary
        if: always()
        run: |
          echo "## 🛡️ WAF Integration Test Results" >> $GITHUB_STEP_SUMMARY
          if [ "${{ steps.waf-test.outcome }}" == "success" ]; then
            echo "✅ **All WAF tests passed**" >> $GITHUB_STEP_SUMMARY
            echo "" >> $GITHUB_STEP_SUMMARY
            echo "### Test Results:" >> $GITHUB_STEP_SUMMARY
            echo '```' >> $GITHUB_STEP_SUMMARY
            grep -E "^✓|^===|^Coraza" waf-test-output.txt || echo "See logs for details"
            grep -E "^✓|^===|^Coraza" waf-test-output.txt >> $GITHUB_STEP_SUMMARY || echo "See logs for details" >> $GITHUB_STEP_SUMMARY
            echo '```' >> $GITHUB_STEP_SUMMARY
          else
            echo "❌ **WAF tests failed**" >> $GITHUB_STEP_SUMMARY
            echo "" >> $GITHUB_STEP_SUMMARY
            echo "### Failure Details:" >> $GITHUB_STEP_SUMMARY
            echo '```' >> $GITHUB_STEP_SUMMARY
            grep -E "^✗|Unexpected|Error|failed" waf-test-output.txt | head -20 >> $GITHUB_STEP_SUMMARY || echo "See logs for details" >> $GITHUB_STEP_SUMMARY
            echo '```' >> $GITHUB_STEP_SUMMARY
          fi

      - name: Cleanup
        if: always()
        run: |
          docker rm -f charon-debug || true
          docker rm -f coraza-backend || true
          docker network rm containers_default || true