Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
170 changes: 0 additions & 170 deletions .github/CI_SETUP.md

This file was deleted.

63 changes: 63 additions & 0 deletions .github/workflows/bump.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
name: Bump versions

# Weekly: check nginx.org/angie.software for newer nginx-stable/angie
# releases than what's pinned in ci-deep.yml's build-flavors matrix, and pull
# the vendored nginx-tests submodule to its upstream HEAD. nginx mainline is
# NOT touched here -- it's resolved dynamically at CI run time (see
# build-test.yml's `resolve` job / ci-deep.yml's per-job resolve steps), so
# there's no static mainline pin to bump.
#
# tools/bump-versions.sh does the actual work (also runnable locally with
# --dry-run to preview). Commits and pushes straight to master -- this repo
# has no branch protection gate for this path, and a version/digest/submodule
# bump is exactly the kind of low-risk, easily-revertable change that doesn't
# need a human in the loop before landing. The next build-test.yml run on
# master is what actually proves the bump didn't break anything.
#
# Action pins (keep in sync with build-test.yml):
# actions/checkout@v5 -> 93cb6efe18208431cddfb8368fd83d5badbf9bfd

on:
schedule:
# Weekly, Monday 04:00 UTC.
- cron: "0 4 * * 1"
workflow_dispatch: {}

concurrency:
group: bump-${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions:
contents: write
Comment on lines +30 to +31

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Scope contents: write to the job, and document why.

Needed here since the job commits and pushes to master (Line 63), but zizmor flags it as workflow-level and undocumented. Moving it into the bump: job and adding a short comment keeps this workflow safe if a second job is ever added here without needing write access.

♻️ Suggested fix
-permissions:
-  contents: write
-
 jobs:
   bump:
     name: Bump nginx-stable/angie/nginx-tests pins
     runs-on: [self-hosted, builder02, lxc]
     timeout-minutes: 15
+    # Needs write access to commit and push the version-pin bump directly to master.
+    permissions:
+      contents: write
     steps:
🧰 Tools
🪛 zizmor (1.26.1)

[error] 31-31: overly broad permissions (excessive-permissions): contents: write is overly broad at the workflow level

(excessive-permissions)


[warning] 31-31: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment

(undocumented-permissions)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/bump.yml around lines 30 - 31, Move the workflow-level
contents: write permission into the bump job definition, and add a brief comment
documenting that the job needs write access to commit and push to master. Leave
other jobs or permissions unchanged.

Source: Linters/SAST tools


jobs:
bump:
name: Bump nginx-stable/angie/nginx-tests pins
runs-on: [self-hosted, builder02, lxc]
timeout-minutes: 15
steps:
- name: Checkout
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
with:
persist-credentials: true
submodules: true
fetch-depth: 0

- name: Run bump script
id: bump
run: bash tools/bump-versions.sh

- name: Commit and push if anything changed
run: |
set -euo pipefail
if [ -z "$(git status --porcelain)" ]; then
echo "nothing changed, skipping commit"
exit 0
fi
git config user.name "myguard-bump-bot"
git config user.email "actions@users.noreply.github.com"
git add -A
git commit -m "chore: bump nginx-stable/angie/nginx-tests pins

Automated weekly version check (tools/bump-versions.sh)."
git push origin HEAD:master
76 changes: 75 additions & 1 deletion .github/workflows/ci-deep.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,11 +9,20 @@ name: CI Deep
# nothing on a private repo, so the SARIF-upload path is removed too — the
# scanners still run and GATE on findings, they just don't upload.
#
# Jobs: fuzz (14400s/target) · memcheck soak · helgrind soak · scanners.
# Jobs: build-flavors (nginx mainline/stable + angie) · fuzz (14400s/target) ·
# memcheck soak · helgrind soak · scanners.
# * memcheck AND helgrind run under tools/soak.sh, which already passes
# --suppressions=valgrind.suppress and --error-exitcode=99 for BOTH tools
# (see tools/soak.sh) — the drift-fix baseline for every module.
#
# build-flavors exists because build-test.yml (the fast PR gate) only builds
# ONE pinned nginx version (mainline) — the module's README documents Angie
# support and tracks nginx stable too, but nothing in CI actually built angie
# or nginx stable until this job. It is here (monthly), not in the PR gate,
# because each leg is a from-scratch configure+compile+Test::Nginx run and
# three of them would blow the PR gate's budget. Uses tools/ci-build.sh, which
# supports flavor+version args and sha256-verifies the tarball it downloads.
#
# Action pins (keep in sync with build-test.yml header):
# actions/checkout@v5 -> 93cb6efe18208431cddfb8368fd83d5badbf9bfd
# actions/upload-artifact@v5 -> 330a01c490aca151604b8cf639adc76d48f6c5d4
Expand Down Expand Up @@ -42,6 +51,71 @@ permissions:
contents: read

jobs:
build-flavors:
name: Build & Test::Nginx (${{ matrix.flavor }} ${{ matrix.version }})
runs-on: [self-hosted, builder02, lxc]
timeout-minutes: 30
strategy:
fail-fast: false
matrix:
include:
- flavor: nginx
version: "1.31.2"
label: mainline
Comment on lines +61 to +64

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | 🏗️ Heavy lift

.github/workflows/ci-deep.yml:61-64 mainline should be resolved dynamically. version: "1.31.2" hardcodes the mainline leg, so this path never hits the ci-build.sh mainline-resolve branch and will eventually break when nginx.org rotates that tarball. Pass an empty version here and carry the resolved version forward for later steps.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci-deep.yml around lines 61 - 64, Update the mainline
matrix entry in the workflow to use an empty version so ci-build.sh executes its
mainline-resolution branch instead of downloading a hardcoded nginx tarball.
Ensure the resolved version is propagated to subsequent steps that consume the
matrix version, while leaving the stable flavor entries unchanged.

- flavor: nginx
version: "1.30.3"
label: stable
- flavor: angie
version: "1.11.5"
label: angie
steps:
- name: Checkout module
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
Comment on lines +72 to +73

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

Add persist-credentials: false.

This job only builds/tests; it never commits or pushes. Persisting git credentials in the workspace is unnecessary exposure for a job that downloads and compiles third-party source (nginx/angie tarballs).

🔒 Fix
       - name: Checkout module
         uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          persist-credentials: false
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Checkout module
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
- name: Checkout module
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
with:
persist-credentials: false
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 72-73: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci-deep.yml around lines 72 - 73, Update the “Checkout
module” actions/checkout step to set persist-credentials to false, preventing
GitHub credentials from remaining in the workspace while preserving the existing
checkout behavior.

Source: Linters/SAST tools


- name: Install dependencies
run: |
sudo apt-get update
sudo apt-get install -y \
build-essential curl libpcre2-dev libzstd-dev pkg-config \
wget zstd libperl-dev cpanminus

- name: Build server and dynamic modules
run: bash tools/ci-build.sh "${{ matrix.flavor }}" "${{ matrix.version }}"

- name: Verify built modules
run: |
build=".build/${{ matrix.flavor }}-${{ matrix.version }}/objs"
test -f "$build/${{ matrix.flavor }}"
test -f "$build/ngx_http_zstd_filter_module.so"
test -f "$build/ngx_http_zstd_static_module.so"
echo "TEST_NGINX_BINARY=$GITHUB_WORKSPACE/$build/${{ matrix.flavor }}" >> "$GITHUB_ENV"

- name: Cache Perl modules
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
with:
path: ~/perl5
key: perl-modules-${{ runner.os }}-Test-Nginx-Socket

- name: Install Test::Nginx::Socket
run: |
cpanm -l ~/perl5 --notest Test::Nginx::Socket
echo "PERL5LIB=$HOME/perl5/lib/perl5:$PERL5LIB" >> "$GITHUB_ENV"

- name: Run t/ (filter + static + conf-warn)
env:
# See build-test.yml's identical setting for why this must be 20,
# not the ~2s Test::Nginx::Socket default.
TEST_NGINX_TIMEOUT: "20"
run: |
export PERL5LIB="$HOME/perl5/lib/perl5:${PERL5LIB:-}"
export TEST_NGINX_SERVROOT="/tmp/nginx-servroot-${{ matrix.flavor }}-${{ matrix.version }}"
mkdir -p "$TEST_NGINX_SERVROOT"
cd "$GITHUB_WORKSPACE"
# t/01-static.t asserts on fixture mtimes (Last-Modified/If-Modified-Since);
# pin them to a fixed timestamp, same as build-test.yml's tests job.
touch -d @1541504307 t/suite/test t/suite/test.zst
prove -v t/00-filter.t t/01-static.t t/02-conf-warn.t
Comment on lines +83 to +117

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🔵 Trivial | 💤 Low value

Template-injection warnings on matrix.flavor/matrix.version interpolation.

zizmor flags direct ${{ matrix.flavor }}/${{ matrix.version }} expansion into run: scripts (Lines 83, 87, 88, 91, 111). Actual risk here is low since these are static literals defined in this same workflow's matrix, not attacker-controlled input, but routing them through env: first is the standard mitigation and avoids the warning class entirely.

♻️ Example for the build step
       - name: Build server and dynamic modules
-        run: bash tools/ci-build.sh "${{ matrix.flavor }}" "${{ matrix.version }}"
+        env:
+          FLAVOR: ${{ matrix.flavor }}
+          FLAVOR_VERSION: ${{ matrix.version }}
+        run: bash tools/ci-build.sh "$FLAVOR" "$FLAVOR_VERSION"

Apply the same pattern to the "Verify built modules" and "Run t/" steps.

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 83-83: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[warning] 83-83: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[warning] 87-87: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[warning] 87-87: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[warning] 88-88: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[warning] 91-91: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[warning] 111-111: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[warning] 111-111: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci-deep.yml around lines 83 - 117, Route matrix.flavor and
matrix.version through step-level env variables before using them in shell
commands. Update the build step, “Verify built modules,” and “Run t/” steps to
reference those environment variables instead of directly interpolating matrix
values in run scripts, preserving the existing paths, commands, and test
behavior.

Source: Linters/SAST tools


fuzz:
name: Fuzz (Accept-Encoding, long)
runs-on: [self-hosted, builder02, lxc]
Expand Down
4 changes: 4 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,10 @@
# nginx build tree (when building out-of-tree inside this repo)
objs/

# tools/ci-build.sh persistent build tree (nginx/angie source + compiled
# binaries, one dir per flavor-version)
.build/

# Test runner working directories (nginx test::nginx servroot)
t/servroot/
t/servroot-*/
Expand Down
Loading
Loading