akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 7 Packages Projects Releases Wiki Activity
Files
ef227a316b87d44a8aae61ad6c2f6cd1e9fa9cd7
Charon/.github/workflows/waf-integration.yml
GitHub Actions c27467d459 fix: make gates transparent about fork PR skip behavior 
- Remove `if: always()` from integration-gate, coverage-gate, codecov-gate, pipeline-gate
- Gates now naturally skip when their upstream dependencies are skipped (fork PR behavior)
- Prevents confusing "complete" status when nothing actually ran
- Fork PRs will show "skipped" in UI instead of obscuring behavior behind gate success
- Aligns with GitHub Actions standard job dependency semantics
2026-02-08 11:22:48 +00:00

189 lines
6.9 KiB
YAML
Raw Blame History

name: WAF integration
# Phase 2-3: Build Once, Test Many - Use registry image instead of building
# This workflow now waits for docker-build.yml to complete and pulls the built image
on:
workflow_dispatch:
inputs:
image_tag:
description: 'Docker image tag to test (e.g., pr-123-abc1234, latest)'
required: false
type: string
# Prevent race conditions when PR is updated mid-test
# Cancels old test runs when new build completes with different SHA
concurrency:
group: ${{ github.workflow }}-${{ github.event.workflow_run.event || github.event_name }}-${{ github.event.workflow_run.head_branch || github.ref }}
cancel-in-progress: true
jobs:
waf-integration:
name: Coraza WAF Integration
runs-on: ubuntu-latest
timeout-minutes: 15
# Only run if docker-build.yml succeeded, or if manually triggered
if: ${{ github.event_name == 'workflow_dispatch' || (github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success') }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
# Determine the correct image tag based on trigger context
# For PRs: pr-{number}-{short-sha}, For non-PR: sha-{short-sha}
- name: Determine image tag
id: determine-tag
env:
EVENT: ${{ github.event.workflow_run.event || github.event_name }}
REF: ${{ github.event.workflow_run.head_branch || github.ref_name }}
SHA: ${{ github.event.workflow_run.head_sha || github.sha }}
MANUAL_TAG: ${{ inputs.image_tag }}
run: |
# Manual trigger uses provided tag
if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
if [[ -n "$MANUAL_TAG" ]]; then
TAG_VALUE="$MANUAL_TAG"
else
# Default to latest if no tag provided
TAG_VALUE="latest"
fi
{
echo "tag=${TAG_VALUE}"
echo "source_type=manual"
} >> "$GITHUB_OUTPUT"
exit 0
fi
# Extract 7-character short SHA
SHORT_SHA=$(echo "$SHA" | cut -c1-7)
if [[ "$EVENT" == "pull_request" ]]; then
# Use native pull_requests array (no API calls needed)
PR_NUM=$(echo '${{ toJson(github.event.workflow_run.pull_requests) }}' | jq -r '.[0].number')
# Fallback for direct PR trigger
if [[ -z "$PR_NUM" || "$PR_NUM" == "null" ]]; then
PR_NUM="${{ github.event.number }}"
fi
if [[ -z "$PR_NUM" || "$PR_NUM" == "null" ]]; then
echo "❌ ERROR: Could not determine PR number"
echo "Event: $EVENT"
echo "Ref: $REF"
echo "SHA: $SHA"
echo "Pull Requests JSON: ${{ toJson(github.event.workflow_run.pull_requests) }}"
exit 1
fi
# Immutable tag with SHA suffix prevents race conditions
{
echo "tag=pr-${PR_NUM}-${SHORT_SHA}"
echo "source_type=pr"
} >> "$GITHUB_OUTPUT"
else
# Non-PR workflow_run uses short SHA tag (matches docker-build.yml)
{
echo "tag=sha-${SHORT_SHA}"
echo "source_type=sha"
} >> "$GITHUB_OUTPUT"
fi
echo "sha=${SHORT_SHA}" >> "$GITHUB_OUTPUT"
echo "Determined image tag: $(grep tag= "$GITHUB_OUTPUT")"
# Pull image from Docker Hub with retry logic
- name: Pull Docker image from registry
id: pull_image
uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3
with:
timeout_minutes: 5
max_attempts: 3
retry_wait_seconds: 10
command: |
IMAGE_NAME="docker.io/wikid82/charon:${{ steps.determine-tag.outputs.tag }}"
echo "Pulling image: $IMAGE_NAME"
docker pull "$IMAGE_NAME"
docker tag "$IMAGE_NAME" charon:local
echo "✅ Successfully pulled from registry"
# Validate image freshness by checking SHA label
- name: Validate image SHA
env:
SHA: ${{ steps.determine-tag.outputs.sha }}
run: |
LABEL_SHA=$(docker inspect charon:local --format '{{index .Config.Labels "org.opencontainers.image.revision"}}' | cut -c1-7)
echo "Expected SHA: $SHA"
echo "Image SHA: $LABEL_SHA"
if [[ "$LABEL_SHA" != "$SHA" ]]; then
echo "⚠️ WARNING: Image SHA mismatch!"
echo "Image may be stale. Proceeding with caution..."
else
echo "✅ Image SHA matches expected commit"
fi
- name: Run WAF integration tests
id: waf-test
run: |
chmod +x scripts/coraza_integration.sh
scripts/coraza_integration.sh 2>&1 | tee waf-test-output.txt
exit "${PIPESTATUS[0]}"
- name: Dump Debug Info on Failure
if: failure()
run: |
{
echo "## 🔍 Debug Information"
echo ""
echo "### Container Status"
echo '```'
docker ps -a --filter "name=charon" --filter "name=coraza" 2>&1 || true
echo '```'
echo ""
echo "### Caddy Admin Config"
echo '```json'
curl -s http://localhost:2019/config 2>/dev/null | head -200 || echo "Could not retrieve Caddy config"
echo '```'
echo ""
echo "### Charon Container Logs (last 100 lines)"
echo '```'
docker logs charon-debug 2>&1 | tail -100 || echo "No container logs available"
echo '```'
echo ""
echo "### WAF Ruleset Files"
echo '```'
docker exec charon-debug sh -c 'ls -la /app/data/caddy/coraza/rulesets/ 2>/dev/null && echo "---" && cat /app/data/caddy/coraza/rulesets/*.conf 2>/dev/null' || echo "No ruleset files found"
echo '```'
} >> "$GITHUB_STEP_SUMMARY"
- name: WAF Integration Summary
if: always()
run: |
{
echo "## 🛡️ WAF Integration Test Results"
if [ "${{ steps.waf-test.outcome }}" == "success" ]; then
echo "✅ **All WAF tests passed**"
echo ""
echo "### Test Results:"
echo '```'
grep -E "^✓|^===|^Coraza" waf-test-output.txt || echo "See logs for details"
echo '```'
else
echo "❌ **WAF tests failed**"
echo ""
echo "### Failure Details:"
echo '```'
grep -E "^✗|Unexpected|Error|failed" waf-test-output.txt | head -20 || echo "See logs for details"
echo '```'
fi
} >> "$GITHUB_STEP_SUMMARY"
- name: Cleanup
if: always()
run: |
docker rm -f charon-debug || true
docker rm -f coraza-backend || true
docker network rm containers_default || true
Reference in New Issue View Git Blame Copy Permalink