akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 14 Packages Projects Releases Wiki Activity
Files
ef227a316b87d44a8aae61ad6c2f6cd1e9fa9cd7
Charon/.github/workflows/crowdsec-integration.yml
GitHub Actions c27467d459 fix: make gates transparent about fork PR skip behavior 
- Remove `if: always()` from integration-gate, coverage-gate, codecov-gate, pipeline-gate
- Gates now naturally skip when their upstream dependencies are skipped (fork PR behavior)
- Prevents confusing "complete" status when nothing actually ran
- Fork PRs will show "skipped" in UI instead of obscuring behavior behind gate success
- Aligns with GitHub Actions standard job dependency semantics
2026-02-08 11:22:48 +00:00

224 lines
8.7 KiB
YAML
Raw Blame History

name: CrowdSec Integration
# Phase 2-3: Build Once, Test Many - Use registry image instead of building
# This workflow now waits for docker-build.yml to complete and pulls the built image
on:
workflow_dispatch:
inputs:
image_tag:
description: 'Docker image tag to test (e.g., pr-123-abc1234, latest)'
required: false
type: string
# Prevent race conditions when PR is updated mid-test
# Cancels old test runs when new build completes with different SHA
concurrency:
group: ${{ github.workflow }}-${{ github.event.workflow_run.event || github.event_name }}-${{ github.event.workflow_run.head_branch || github.ref }}
cancel-in-progress: true
jobs:
crowdsec-integration:
name: CrowdSec Bouncer Integration
runs-on: ubuntu-latest
timeout-minutes: 15
# Only run if docker-build.yml succeeded, or if manually triggered
if: ${{ github.event_name == 'workflow_dispatch' || (github.event_name == 'workflow_run' && (github.event.workflow_run.status != 'completed' || github.event.workflow_run.conclusion == 'success')) }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
# Determine the correct image tag based on trigger context
# For PRs: pr-{number}-{short-sha}, For non-PR: sha-{short-sha}
- name: Determine image tag
id: determine-tag
env:
EVENT: ${{ github.event.workflow_run.event || github.event_name }}
REF: ${{ github.event.workflow_run.head_branch || github.ref_name }}
SHA: ${{ github.event.workflow_run.head_sha || github.sha }}
MANUAL_TAG: ${{ inputs.image_tag }}
run: |
# Manual trigger uses provided tag
if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
if [[ -n "$MANUAL_TAG" ]]; then
TAG_VALUE="$MANUAL_TAG"
else
# Default to latest if no tag provided
TAG_VALUE="latest"
fi
{
echo "tag=${TAG_VALUE}"
echo "source_type=manual"
} >> "$GITHUB_OUTPUT"
exit 0
fi
# Extract 7-character short SHA
SHORT_SHA=$(echo "$SHA" | cut -c1-7)
# Use native pull_requests array (no API calls needed)
PR_NUM=$(echo '${{ toJson(github.event.workflow_run.pull_requests) }}' | jq -r '.[0].number // empty')
if [[ "$EVENT" == "pull_request" || -n "$PR_NUM" ]]; then
# Fallback for direct PR trigger
if [[ -z "$PR_NUM" || "$PR_NUM" == "null" ]]; then
PR_NUM="${{ github.event.number }}"
fi
if [[ -z "$PR_NUM" || "$PR_NUM" == "null" ]]; then
echo "❌ ERROR: Could not determine PR number"
echo "Event: $EVENT"
echo "Ref: $REF"
echo "SHA: $SHA"
echo "Pull Requests JSON: ${{ toJson(github.event.workflow_run.pull_requests) }}"
exit 1
fi
# Immutable tag with SHA suffix prevents race conditions
{
echo "tag=pr-${PR_NUM}-${SHORT_SHA}"
echo "source_type=pr"
} >> "$GITHUB_OUTPUT"
else
# Non-PR workflow_run uses short SHA tag (matches docker-build.yml)
{
echo "tag=sha-${SHORT_SHA}"
echo "source_type=sha"
} >> "$GITHUB_OUTPUT"
fi
echo "sha=${SHORT_SHA}" >> "$GITHUB_OUTPUT"
echo "Determined image tag: $(grep tag= "$GITHUB_OUTPUT")"
# Pull image from Docker Hub with retry logic
- name: Pull Docker image from registry
id: pull_image
uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3
with:
timeout_minutes: 5
max_attempts: 3
retry_wait_seconds: 10
command: |
IMAGE_NAME="docker.io/wikid82/charon:${{ steps.determine-tag.outputs.tag }}"
echo "Pulling image: $IMAGE_NAME"
docker pull "$IMAGE_NAME"
docker tag "$IMAGE_NAME" charon:local
echo "✅ Successfully pulled from registry"
# Validate image freshness by checking SHA label
- name: Validate image SHA
env:
SHA: ${{ steps.determine-tag.outputs.sha }}
run: |
LABEL_SHA=$(docker inspect charon:local --format '{{index .Config.Labels "org.opencontainers.image.revision"}}' | cut -c1-7)
echo "Expected SHA: $SHA"
echo "Image SHA: $LABEL_SHA"
if [[ "$LABEL_SHA" != "$SHA" ]]; then
echo "⚠️ WARNING: Image SHA mismatch!"
echo "Image may be stale. Proceeding with caution..."
else
echo "✅ Image SHA matches expected commit"
fi
- name: Run CrowdSec integration tests
id: crowdsec-test
run: |
chmod +x .github/skills/scripts/skill-runner.sh
.github/skills/scripts/skill-runner.sh integration-test-crowdsec 2>&1 | tee crowdsec-test-output.txt
exit "${PIPESTATUS[0]}"
- name: Run CrowdSec Startup and LAPI Tests
id: lapi-test
run: |
chmod +x .github/skills/scripts/skill-runner.sh
.github/skills/scripts/skill-runner.sh integration-test-crowdsec-startup 2>&1 | tee lapi-test-output.txt
exit "${PIPESTATUS[0]}"
- name: Dump Debug Info on Failure
if: failure()
run: |
{
echo "## 🔍 Debug Information"
echo ""
echo "### Container Status"
echo '```'
docker ps -a --filter "name=charon" --filter "name=crowdsec" 2>&1 || true
echo '```'
echo ""
# Check which test container exists and dump its logs
if docker ps -a --filter "name=charon-crowdsec-startup-test" --format "{{.Names}}" | grep -q "charon-crowdsec-startup-test"; then
echo "### Charon Startup Test Container Logs (last 100 lines)"
echo '```'
docker logs charon-crowdsec-startup-test 2>&1 | tail -100 || echo "No container logs available"
echo '```'
elif docker ps -a --filter "name=charon-debug" --format "{{.Names}}" | grep -q "charon-debug"; then
echo "### Charon Container Logs (last 100 lines)"
echo '```'
docker logs charon-debug 2>&1 | tail -100 || echo "No container logs available"
echo '```'
fi
echo ""
# Check for CrowdSec specific logs if LAPI test ran
if [ -f "lapi-test-output.txt" ]; then
echo "### CrowdSec LAPI Test Failures"
echo '```'
grep -E "✗ FAIL|✗ CRITICAL|CROWDSEC.*BROKEN" lapi-test-output.txt 2>&1 || echo "No critical failures found in LAPI test"
echo '```'
fi
} >> "$GITHUB_STEP_SUMMARY"
- name: CrowdSec Integration Summary
if: always()
run: |
{
echo "## 🛡️ CrowdSec Integration Test Results"
# CrowdSec Preset Integration Tests
if [ "${{ steps.crowdsec-test.outcome }}" == "success" ]; then
echo "✅ **CrowdSec Hub Presets: Passed**"
echo ""
echo "### Preset Test Results:"
echo '```'
grep -E "^✓|^===|^Pull|^Apply" crowdsec-test-output.txt || echo "See logs for details"
echo '```'
else
echo "❌ **CrowdSec Hub Presets: Failed**"
echo ""
echo "### Preset Failure Details:"
echo '```'
grep -E "^✗|Unexpected|Error|failed|FAIL" crowdsec-test-output.txt | head -20 || echo "See logs for details"
echo '```'
fi
echo ""
# CrowdSec Startup and LAPI Tests
if [ "${{ steps.lapi-test.outcome }}" == "success" ]; then
echo "✅ **CrowdSec Startup & LAPI: Passed**"
echo ""
echo "### LAPI Test Results:"
echo '```'
grep -E "^\[TEST\]|✓ PASS|Check [0-9]|CrowdSec LAPI" lapi-test-output.txt || echo "See logs for details"
echo '```'
else
echo "❌ **CrowdSec Startup & LAPI: Failed**"
echo ""
echo "### LAPI Failure Details:"
echo '```'
grep -E "✗ FAIL|✗ CRITICAL|Error|failed" lapi-test-output.txt | head -20 || echo "See logs for details"
echo '```'
fi
} >> "$GITHUB_STEP_SUMMARY"
- name: Cleanup
if: always()
run: |
docker rm -f charon-debug || true
docker rm -f charon-crowdsec-startup-test || true
docker rm -f crowdsec || true
docker network rm containers_default || true
Reference in New Issue View Git Blame Copy Permalink