akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 7 Packages Projects Releases Wiki Activity
Files
ef227a316b87d44a8aae61ad6c2f6cd1e9fa9cd7
Charon/.github/workflows/cerberus-integration.yml
GitHub Actions c27467d459 fix: make gates transparent about fork PR skip behavior 
- Remove `if: always()` from integration-gate, coverage-gate, codecov-gate, pipeline-gate
- Gates now naturally skip when their upstream dependencies are skipped (fork PR behavior)
- Prevents confusing "complete" status when nothing actually ran
- Fork PRs will show "skipped" in UI instead of obscuring behavior behind gate success
- Aligns with GitHub Actions standard job dependency semantics
2026-02-08 11:22:48 +00:00

190 lines
7.4 KiB
YAML
Raw Blame History

name: Cerberus Integration
# Phase 2-3: Build Once, Test Many - Use registry image instead of building
# This workflow now waits for docker-build.yml to complete and pulls the built image
on:
workflow_dispatch:
inputs:
image_tag:
description: 'Docker image tag to test (e.g., pr-123-abc1234, latest)'
required: false
type: string
# Prevent race conditions when PR is updated mid-test
# Cancels old test runs when new build completes with different SHA
concurrency:
group: ${{ github.workflow }}-${{ github.event.workflow_run.event || github.event_name }}-${{ github.event.workflow_run.head_branch || github.ref }}
cancel-in-progress: true
jobs:
cerberus-integration:
name: Cerberus Security Stack Integration
runs-on: ubuntu-latest
timeout-minutes: 20
# Only run if docker-build.yml succeeded, or if manually triggered
if: ${{ github.event_name == 'workflow_dispatch' || (github.event_name == 'workflow_run' && (github.event.workflow_run.status != 'completed' || github.event.workflow_run.conclusion == 'success')) }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
# Determine the correct image tag based on trigger context
# For PRs: pr-{number}-{short-sha}, For non-PR: sha-{short-sha}
- name: Determine image tag
id: determine-tag
env:
EVENT: ${{ github.event.workflow_run.event || github.event_name }}
REF: ${{ github.event.workflow_run.head_branch || github.ref_name }}
SHA: ${{ github.event.workflow_run.head_sha || github.sha }}
MANUAL_TAG: ${{ inputs.image_tag }}
run: |
# Manual trigger uses provided tag
if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
if [[ -n "$MANUAL_TAG" ]]; then
echo "tag=${MANUAL_TAG}" >> "$GITHUB_OUTPUT"
else
# Default to latest if no tag provided
echo "tag=latest" >> "$GITHUB_OUTPUT"
fi
echo "source_type=manual" >> "$GITHUB_OUTPUT"
exit 0
fi
# Extract 7-character short SHA
SHORT_SHA=$(echo "$SHA" | cut -c1-7)
# Use native pull_requests array (no API calls needed)
PR_NUM=$(echo '${{ toJson(github.event.workflow_run.pull_requests) }}' | jq -r '.[0].number // empty')
if [[ "$EVENT" == "pull_request" || -n "$PR_NUM" ]]; then
# Fallback for direct PR trigger
if [[ -z "$PR_NUM" || "$PR_NUM" == "null" ]]; then
PR_NUM="${{ github.event.number }}"
fi
if [[ -z "$PR_NUM" || "$PR_NUM" == "null" ]]; then
echo "❌ ERROR: Could not determine PR number"
echo "Event: $EVENT"
echo "Ref: $REF"
echo "SHA: $SHA"
echo "Pull Requests JSON: ${{ toJson(github.event.workflow_run.pull_requests) }}"
exit 1
fi
# Immutable tag with SHA suffix prevents race conditions
echo "tag=pr-${PR_NUM}-${SHORT_SHA}" >> "$GITHUB_OUTPUT"
echo "source_type=pr" >> "$GITHUB_OUTPUT"
else
# Non-PR workflow_run uses short SHA tag (matches docker-build.yml)
echo "tag=sha-${SHORT_SHA}" >> "$GITHUB_OUTPUT"
echo "source_type=sha" >> "$GITHUB_OUTPUT"
fi
echo "sha=${SHORT_SHA}" >> "$GITHUB_OUTPUT"
echo "Determined image tag: $(grep tag= "$GITHUB_OUTPUT")"
# Pull image from Docker Hub with retry logic
- name: Pull Docker image from registry
id: pull_image
uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3
with:
timeout_minutes: 5
max_attempts: 3
retry_wait_seconds: 10
command: |
IMAGE_NAME="docker.io/wikid82/charon:${{ steps.determine-tag.outputs.tag }}"
echo "Pulling image: $IMAGE_NAME"
docker pull "$IMAGE_NAME"
docker tag "$IMAGE_NAME" charon:local
echo "✅ Successfully pulled from registry"
# Validate image freshness by checking SHA label
- name: Validate image SHA
env:
SHA: ${{ steps.determine-tag.outputs.sha }}
run: |
LABEL_SHA=$(docker inspect charon:local --format '{{index .Config.Labels "org.opencontainers.image.revision"}}' | cut -c1-7)
echo "Expected SHA: $SHA"
echo "Image SHA: $LABEL_SHA"
if [[ "$LABEL_SHA" != "$SHA" ]]; then
echo "⚠️ WARNING: Image SHA mismatch!"
echo "Image may be stale. Proceeding with caution..."
else
echo "✅ Image SHA matches expected commit"
fi
- name: Run Cerberus integration tests
id: cerberus-test
run: |
chmod +x scripts/cerberus_integration.sh
scripts/cerberus_integration.sh 2>&1 | tee cerberus-test-output.txt
exit "${PIPESTATUS[0]}"
- name: Dump Debug Info on Failure
if: failure()
run: |
{
echo "## 🔍 Debug Information"
echo ""
echo "### Container Status"
echo '```'
docker ps -a --filter "name=charon" --filter "name=cerberus" --filter "name=backend" 2>&1 || true
echo '```'
echo ""
echo "### Security Status API"
echo '```json'
curl -s http://localhost:8480/api/v1/security/status 2>/dev/null | head -100 || echo "Could not retrieve security status"
echo '```'
echo ""
echo "### Caddy Admin Config"
echo '```json'
curl -s http://localhost:2319/config 2>/dev/null | head -200 || echo "Could not retrieve Caddy config"
echo '```'
echo ""
echo "### Charon Container Logs (last 100 lines)"
echo '```'
docker logs charon-cerberus-test 2>&1 | tail -100 || echo "No container logs available"
echo '```'
} >> "$GITHUB_STEP_SUMMARY"
- name: Cerberus Integration Summary
if: always()
run: |
{
echo "## 🔱 Cerberus Integration Test Results"
if [ "${{ steps.cerberus-test.outcome }}" == "success" ]; then
echo "✅ **All Cerberus tests passed**"
echo ""
echo "### Test Results:"
echo '```'
grep -E "✓|PASS|TC-[0-9]|=== ALL" cerberus-test-output.txt || echo "See logs for details"
echo '```'
echo ""
echo "### Features Tested:"
echo "- WAF (Coraza) payload inspection"
echo "- Rate limiting enforcement"
echo "- Security handler ordering"
echo "- Legitimate traffic flow"
else
echo "❌ **Cerberus tests failed**"
echo ""
echo "### Failure Details:"
echo '```'
grep -E "✗|FAIL|Error|failed" cerberus-test-output.txt | head -30 || echo "See logs for details"
echo '```'
fi
} >> "$GITHUB_STEP_SUMMARY"
- name: Cleanup
if: always()
run: |
docker rm -f charon-cerberus-test || true
docker rm -f cerberus-backend || true
docker volume rm charon_cerberus_test_data caddy_cerberus_test_data caddy_cerberus_test_config 2>/dev/null || true
docker network rm containers_default || true
Reference in New Issue View Git Blame Copy Permalink