-
-
Notifications
You must be signed in to change notification settings - Fork 1
ci: add angie/stable build matrix to ci-deep, remove stray AGENTS.md/CI_SETUP.md #79
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
This file was deleted.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,63 @@ | ||
| name: Bump versions | ||
|
|
||
| # Weekly: check nginx.org/angie.software for newer nginx-stable/angie | ||
| # releases than what's pinned in ci-deep.yml's build-flavors matrix, and pull | ||
| # the vendored nginx-tests submodule to its upstream HEAD. nginx mainline is | ||
| # NOT touched here -- it's resolved dynamically at CI run time (see | ||
| # build-test.yml's `resolve` job / ci-deep.yml's per-job resolve steps), so | ||
| # there's no static mainline pin to bump. | ||
| # | ||
| # tools/bump-versions.sh does the actual work (also runnable locally with | ||
| # --dry-run to preview). Commits and pushes straight to master -- this repo | ||
| # has no branch protection gate for this path, and a version/digest/submodule | ||
| # bump is exactly the kind of low-risk, easily-revertable change that doesn't | ||
| # need a human in the loop before landing. The next build-test.yml run on | ||
| # master is what actually proves the bump didn't break anything. | ||
| # | ||
| # Action pins (keep in sync with build-test.yml): | ||
| # actions/checkout@v5 -> 93cb6efe18208431cddfb8368fd83d5badbf9bfd | ||
|
|
||
| on: | ||
| schedule: | ||
| # Weekly, Monday 04:00 UTC. | ||
| - cron: "0 4 * * 1" | ||
| workflow_dispatch: {} | ||
|
|
||
| concurrency: | ||
| group: bump-${{ github.workflow }}-${{ github.ref }} | ||
| cancel-in-progress: true | ||
|
|
||
| permissions: | ||
| contents: write | ||
|
|
||
| jobs: | ||
| bump: | ||
| name: Bump nginx-stable/angie/nginx-tests pins | ||
| runs-on: [self-hosted, builder02, lxc] | ||
| timeout-minutes: 15 | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 | ||
| with: | ||
| persist-credentials: true | ||
| submodules: true | ||
| fetch-depth: 0 | ||
|
|
||
| - name: Run bump script | ||
| id: bump | ||
| run: bash tools/bump-versions.sh | ||
|
|
||
| - name: Commit and push if anything changed | ||
| run: | | ||
| set -euo pipefail | ||
| if [ -z "$(git status --porcelain)" ]; then | ||
| echo "nothing changed, skipping commit" | ||
| exit 0 | ||
| fi | ||
| git config user.name "myguard-bump-bot" | ||
| git config user.email "actions@users.noreply.github.com" | ||
| git add -A | ||
| git commit -m "chore: bump nginx-stable/angie/nginx-tests pins | ||
|
|
||
| Automated weekly version check (tools/bump-versions.sh)." | ||
| git push origin HEAD:master | ||
| Original file line number | Diff line number | Diff line change | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -9,11 +9,20 @@ name: CI Deep | |||||||||||||
| # nothing on a private repo, so the SARIF-upload path is removed too — the | ||||||||||||||
| # scanners still run and GATE on findings, they just don't upload. | ||||||||||||||
| # | ||||||||||||||
| # Jobs: fuzz (14400s/target) · memcheck soak · helgrind soak · scanners. | ||||||||||||||
| # Jobs: build-flavors (nginx mainline/stable + angie) · fuzz (14400s/target) · | ||||||||||||||
| # memcheck soak · helgrind soak · scanners. | ||||||||||||||
| # * memcheck AND helgrind run under tools/soak.sh, which already passes | ||||||||||||||
| # --suppressions=valgrind.suppress and --error-exitcode=99 for BOTH tools | ||||||||||||||
| # (see tools/soak.sh) — the drift-fix baseline for every module. | ||||||||||||||
| # | ||||||||||||||
| # build-flavors exists because build-test.yml (the fast PR gate) only builds | ||||||||||||||
| # ONE pinned nginx version (mainline) — the module's README documents Angie | ||||||||||||||
| # support and tracks nginx stable too, but nothing in CI actually built angie | ||||||||||||||
| # or nginx stable until this job. It is here (monthly), not in the PR gate, | ||||||||||||||
| # because each leg is a from-scratch configure+compile+Test::Nginx run and | ||||||||||||||
| # three of them would blow the PR gate's budget. Uses tools/ci-build.sh, which | ||||||||||||||
| # supports flavor+version args and sha256-verifies the tarball it downloads. | ||||||||||||||
| # | ||||||||||||||
| # Action pins (keep in sync with build-test.yml header): | ||||||||||||||
| # actions/checkout@v5 -> 93cb6efe18208431cddfb8368fd83d5badbf9bfd | ||||||||||||||
| # actions/upload-artifact@v5 -> 330a01c490aca151604b8cf639adc76d48f6c5d4 | ||||||||||||||
|
|
@@ -42,6 +51,71 @@ permissions: | |||||||||||||
| contents: read | ||||||||||||||
|
|
||||||||||||||
| jobs: | ||||||||||||||
| build-flavors: | ||||||||||||||
| name: Build & Test::Nginx (${{ matrix.flavor }} ${{ matrix.version }}) | ||||||||||||||
| runs-on: [self-hosted, builder02, lxc] | ||||||||||||||
| timeout-minutes: 30 | ||||||||||||||
| strategy: | ||||||||||||||
| fail-fast: false | ||||||||||||||
| matrix: | ||||||||||||||
| include: | ||||||||||||||
| - flavor: nginx | ||||||||||||||
| version: "1.31.2" | ||||||||||||||
| label: mainline | ||||||||||||||
|
Comment on lines
+61
to
+64
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🎯 Functional Correctness | 🟠 Major | 🏗️ Heavy lift
🤖 Prompt for AI Agents |
||||||||||||||
| - flavor: nginx | ||||||||||||||
| version: "1.30.3" | ||||||||||||||
| label: stable | ||||||||||||||
| - flavor: angie | ||||||||||||||
| version: "1.11.5" | ||||||||||||||
| label: angie | ||||||||||||||
| steps: | ||||||||||||||
| - name: Checkout module | ||||||||||||||
| uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 | ||||||||||||||
|
Comment on lines
+72
to
+73
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win Add This job only builds/tests; it never commits or pushes. Persisting git credentials in the workspace is unnecessary exposure for a job that downloads and compiles third-party source (nginx/angie tarballs). 🔒 Fix - name: Checkout module
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ with:
+ persist-credentials: false📝 Committable suggestion
Suggested change
🧰 Tools🪛 zizmor (1.26.1)[warning] 72-73: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false (artipacked) 🤖 Prompt for AI AgentsSource: Linters/SAST tools |
||||||||||||||
|
|
||||||||||||||
| - name: Install dependencies | ||||||||||||||
| run: | | ||||||||||||||
| sudo apt-get update | ||||||||||||||
| sudo apt-get install -y \ | ||||||||||||||
| build-essential curl libpcre2-dev libzstd-dev pkg-config \ | ||||||||||||||
| wget zstd libperl-dev cpanminus | ||||||||||||||
|
|
||||||||||||||
| - name: Build server and dynamic modules | ||||||||||||||
| run: bash tools/ci-build.sh "${{ matrix.flavor }}" "${{ matrix.version }}" | ||||||||||||||
|
|
||||||||||||||
| - name: Verify built modules | ||||||||||||||
| run: | | ||||||||||||||
| build=".build/${{ matrix.flavor }}-${{ matrix.version }}/objs" | ||||||||||||||
| test -f "$build/${{ matrix.flavor }}" | ||||||||||||||
| test -f "$build/ngx_http_zstd_filter_module.so" | ||||||||||||||
| test -f "$build/ngx_http_zstd_static_module.so" | ||||||||||||||
| echo "TEST_NGINX_BINARY=$GITHUB_WORKSPACE/$build/${{ matrix.flavor }}" >> "$GITHUB_ENV" | ||||||||||||||
|
|
||||||||||||||
| - name: Cache Perl modules | ||||||||||||||
| uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 | ||||||||||||||
| with: | ||||||||||||||
| path: ~/perl5 | ||||||||||||||
| key: perl-modules-${{ runner.os }}-Test-Nginx-Socket | ||||||||||||||
|
|
||||||||||||||
| - name: Install Test::Nginx::Socket | ||||||||||||||
| run: | | ||||||||||||||
| cpanm -l ~/perl5 --notest Test::Nginx::Socket | ||||||||||||||
| echo "PERL5LIB=$HOME/perl5/lib/perl5:$PERL5LIB" >> "$GITHUB_ENV" | ||||||||||||||
|
|
||||||||||||||
| - name: Run t/ (filter + static + conf-warn) | ||||||||||||||
| env: | ||||||||||||||
| # See build-test.yml's identical setting for why this must be 20, | ||||||||||||||
| # not the ~2s Test::Nginx::Socket default. | ||||||||||||||
| TEST_NGINX_TIMEOUT: "20" | ||||||||||||||
| run: | | ||||||||||||||
| export PERL5LIB="$HOME/perl5/lib/perl5:${PERL5LIB:-}" | ||||||||||||||
| export TEST_NGINX_SERVROOT="/tmp/nginx-servroot-${{ matrix.flavor }}-${{ matrix.version }}" | ||||||||||||||
| mkdir -p "$TEST_NGINX_SERVROOT" | ||||||||||||||
| cd "$GITHUB_WORKSPACE" | ||||||||||||||
| # t/01-static.t asserts on fixture mtimes (Last-Modified/If-Modified-Since); | ||||||||||||||
| # pin them to a fixed timestamp, same as build-test.yml's tests job. | ||||||||||||||
| touch -d @1541504307 t/suite/test t/suite/test.zst | ||||||||||||||
| prove -v t/00-filter.t t/01-static.t t/02-conf-warn.t | ||||||||||||||
|
Comment on lines
+83
to
+117
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🔒 Security & Privacy | 🔵 Trivial | 💤 Low value Template-injection warnings on zizmor flags direct ♻️ Example for the build step - name: Build server and dynamic modules
- run: bash tools/ci-build.sh "${{ matrix.flavor }}" "${{ matrix.version }}"
+ env:
+ FLAVOR: ${{ matrix.flavor }}
+ FLAVOR_VERSION: ${{ matrix.version }}
+ run: bash tools/ci-build.sh "$FLAVOR" "$FLAVOR_VERSION"Apply the same pattern to the "Verify built modules" and "Run t/" steps. 🧰 Tools🪛 zizmor (1.26.1)[warning] 83-83: code injection via template expansion (template-injection): may expand into attacker-controllable code (template-injection) [warning] 83-83: code injection via template expansion (template-injection): may expand into attacker-controllable code (template-injection) [warning] 87-87: code injection via template expansion (template-injection): may expand into attacker-controllable code (template-injection) [warning] 87-87: code injection via template expansion (template-injection): may expand into attacker-controllable code (template-injection) [warning] 88-88: code injection via template expansion (template-injection): may expand into attacker-controllable code (template-injection) [warning] 91-91: code injection via template expansion (template-injection): may expand into attacker-controllable code (template-injection) [warning] 111-111: code injection via template expansion (template-injection): may expand into attacker-controllable code (template-injection) [warning] 111-111: code injection via template expansion (template-injection): may expand into attacker-controllable code (template-injection) 🤖 Prompt for AI AgentsSource: Linters/SAST tools |
||||||||||||||
|
|
||||||||||||||
| fuzz: | ||||||||||||||
| name: Fuzz (Accept-Encoding, long) | ||||||||||||||
| runs-on: [self-hosted, builder02, lxc] | ||||||||||||||
|
|
||||||||||||||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win
Scope
contents: writeto the job, and document why.Needed here since the job commits and pushes to master (Line 63), but zizmor flags it as workflow-level and undocumented. Moving it into the
bump:job and adding a short comment keeps this workflow safe if a second job is ever added here without needing write access.♻️ Suggested fix
🧰 Tools
🪛 zizmor (1.26.1)
[error] 31-31: overly broad permissions (excessive-permissions): contents: write is overly broad at the workflow level
(excessive-permissions)
[warning] 31-31: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment
(undocumented-permissions)
🤖 Prompt for AI Agents
Source: Linters/SAST tools