Appsec improvement and fixes after merge #3302
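---
# This workflow is actually running
# tests (with localstack) but the
# name is used for the badge in README.md
name: Build

# `on` is a YAML 1.1 boolean-looking key; GitHub's loader handles it, so the
# yamllint truthy rule is suppressed for this line only.
on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - master
      - releases/**
    paths-ignore:
      - 'README.md'
  pull_request:
    branches:
      - master
      - releases/**
    paths-ignore:
      - 'README.md'

# Least privilege for the job token: no step in this workflow writes back to
# the repository, so GITHUB_TOKEN only needs read access to contents.
permissions:
  contents: read

# these env variables are for localstack, so we can emulate aws services
env:
  RICHGO_FORCE_COLOR: 1
  AWS_HOST: localstack
  # these are to mimic aws config
  # NOTE: these are the documented AWS placeholder example credentials, not
  # live keys; they only exist so the SDK has something to sign with against
  # localstack.  Do not replace them with real credentials in a workflow file.
  AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
  AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
  AWS_REGION: us-east-1
  KINESIS_INITIALIZE_STREAMS: "stream-1-shard:1,stream-2-shards:2"
  # Environment values are always delivered as strings; quote the boolean so
  # the YAML parser does not retype it on the way through.
  CROWDSEC_FEATURE_DISABLE_HTTP_RETRY_BACKOFF: "true"

jobs:
  build:
    strategy:
      matrix:
        go-version: ["1.21.5"]
    name: "Build + tests"
    runs-on: ubuntu-latest
    services:
      localstack:
        image: localstack/localstack:1.3.0
        ports:
          # Quoted for consistency with the other services' port mappings.
          - "4566:4566"  # Localstack exposes all services on the same port
        env:
          DEBUG: ""
          LAMBDA_EXECUTOR: ""
          KINESIS_ERROR_PROBABILITY: ""
          # NOTE(review): this only sets the variable inside the container; a
          # service definition here does not mount the host docker socket.
          DOCKER_HOST: unix:///var/run/docker.sock
          KINESIS_INITIALIZE_STREAMS: ${{ env.KINESIS_INITIALIZE_STREAMS }}
          HOSTNAME_EXTERNAL: ${{ env.AWS_HOST }}  # Required so that resource urls are provided properly
          # e.g sqs url will get localhost if we don't set this env to map our service
        options: >-
          --name=localstack
          --health-cmd="curl -sS 127.0.0.1:4566 || exit 1"
          --health-interval=10s
          --health-timeout=5s
          --health-retries=3
      zoo1:
        image: confluentinc/cp-zookeeper:7.3.0
        ports:
          - "2181:2181"
        env:
          ZOOKEEPER_CLIENT_PORT: 2181
          ZOOKEEPER_SERVER_ID: 1
          ZOOKEEPER_SERVERS: zoo1:2888:3888
        options: >-
          --name=zoo1
          --health-cmd "jps -l | grep zookeeper"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
      kafka1:
        image: crowdsecurity/kafka-ssl
        ports:
          - "9093:9093"
          - "9092:9092"
          - "9999:9999"
        env:
          KAFKA_ADVERTISED_LISTENERS: LISTENER_DOCKER_INTERNAL://127.0.0.1:19092,LISTENER_DOCKER_EXTERNAL://127.0.0.1:9092,LISTENER_DOCKER_EXTERNAL_SSL://127.0.0.1:9093
          KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: LISTENER_DOCKER_INTERNAL:PLAINTEXT,LISTENER_DOCKER_EXTERNAL:PLAINTEXT,LISTENER_DOCKER_EXTERNAL_SSL:SSL
          KAFKA_INTER_BROKER_LISTENER_NAME: LISTENER_DOCKER_INTERNAL
          KAFKA_ZOOKEEPER_CONNECT: "zoo1:2181"
          KAFKA_BROKER_ID: 1
          KAFKA_LOG4J_LOGGERS: "kafka.controller=INFO,kafka.producer.async.DefaultEventHandler=INFO,state.change.logger=INFO"
          KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
          KAFKA_TRANSACTION_STATE_LOG_REPLICATION_FACTOR: 1
          KAFKA_TRANSACTION_STATE_LOG_MIN_ISR: 1
          KAFKA_JMX_PORT: 9999
          KAFKA_JMX_HOSTNAME: "127.0.0.1"
          # Test-fixture security posture: an authorizer is loaded, but every
          # principal is allowed when no ACL matches and the SSL listener does
          # not request client certificates.  This is deliberately permissive
          # for CI only and must not be copied into a production broker config.
          KAFKA_AUTHORIZER_CLASS_NAME: kafka.security.authorizer.AclAuthorizer
          KAFKA_ALLOW_EVERYONE_IF_NO_ACL_FOUND: "true"
          KAFKA_SSL_KEYSTORE_FILENAME: kafka.kafka1.keystore.jks
          KAFKA_SSL_KEYSTORE_CREDENTIALS: kafka1_keystore_creds
          KAFKA_SSL_KEY_CREDENTIALS: kafka1_sslkey_creds
          KAFKA_SSL_TRUSTSTORE_FILENAME: kafka.kafka1.truststore.jks
          KAFKA_SSL_TRUSTSTORE_CREDENTIALS: kafka1_truststore_creds
          KAFKA_SSL_ENABLED_PROTOCOLS: TLSv1.2
          KAFKA_SSL_PROTOCOL: TLSv1.2
          KAFKA_SSL_CLIENT_AUTH: none
          KAFKA_AUTO_CREATE_TOPICS_ENABLE: "true"
        options: >-
          --name=kafka1
          --health-cmd "kafka-broker-api-versions --version"
          --health-interval 10s
          --health-timeout 10s
          --health-retries 5
      loki:
        image: grafana/loki:2.8.0
        ports:
          - "3100:3100"
        options: >-
          --name=loki1
          --health-cmd "wget -q -O - http://localhost:3100/ready | grep 'ready'"
          --health-interval 30s
          --health-timeout 10s
          --health-retries 5
          --health-start-period 30s
    steps:
      # Third-party actions below are pinned to a major version tag.  A tag is
      # mutable; pinning each `uses:` to the full commit SHA of the release
      # gives a stronger supply-chain guarantee.  SHAs are intentionally not
      # written here — take them from the upstream release pages.
      - name: Check out CrowdSec repository
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
          submodules: false
      - name: "Set up Go ${{ matrix.go-version }}"
        uses: actions/setup-go@v4
        with:
          go-version: ${{ matrix.go-version }}
      - name: Build and run tests, static
        run: |
          sudo apt -qq -y -o=Dpkg::Use-Pty=0 install build-essential libre2-dev
          # NOTE(review): the module versions on the two `go install` lines
          # below are mangled in this rendering; confirm the pinned versions
          # against the repository before relying on them.
          go install github.com/ory/[email protected]
          go install github.com/kyoh86/[email protected]
          # pipefail so a failing `make go-acc` is not masked by the sed/richgo
          # filters downstream of it.
          set -o pipefail
          make build BUILD_STATIC=1
          make go-acc | sed 's/ *coverage:.*of statements in.*//' | richgo testfilter
      - name: Run tests again, dynamic
        run: |
          make clean build
          set -o pipefail
          make go-acc | sed 's/ *coverage:.*of statements in.*//' | richgo testfilter
      - name: Upload unit coverage to Codecov
        uses: codecov/codecov-action@v3
        with:
          files: coverage.out
          flags: unit-linux
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v3
        with:
          version: v1.54
          args: --issues-exit-code=1 --timeout 10m
          only-new-issues: false
          # the cache is already managed above, enabling it here
          # gives errors when extracting
          skip-pkg-cache: true
          skip-build-cache: true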