diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000000..7568ce460de
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,17 @@
+version: 2
+updates:
+ - package-ecosystem: gomod
+ directory: /
+ schedule:
+ interval: weekly
+ labels:
+ - dependencies
+ - go
+
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: weekly
+ labels:
+ - dependencies
+ - ci
diff --git a/.github/workflows/check.yaml b/.github/workflows/check.yaml
index e8a2aa0bd88..20e4be46ad6 100644
--- a/.github/workflows/check.yaml
+++ b/.github/workflows/check.yaml
@@ -1,18 +1,29 @@
-on: [push, pull_request]
 name: Check
+
+on:
+ push:
+ branches: [master, feat/h2c-origin]
+ pull_request:
+ branches: [master, feat/h2c-origin]
+
 jobs:
 check:
 strategy:
 matrix:
- go-version: [1.22.x]
 os: [ubuntu-latest, macos-latest, windows-latest]
 runs-on: ${{ matrix.os }}
 steps:
- - name: Install Go
- uses: actions/setup-go@v5
- with:
- go-version: ${{ matrix.go-version }}
- - name: Checkout code
- uses: actions/checkout@v4
- - name: Test
- run: make test
+ - name: Checkout code
+ uses: actions/checkout@v6
+
+ - name: Install Go
+ uses: actions/setup-go@v6
+ with:
+ go-version-file: go.mod
+
+ - name: Allow unprivileged ICMP (Linux)
+ if: runner.os == 'Linux'
+ run: sudo sysctl -w net.ipv4.ping_group_range="0 2147483647"
+
+ - name: Test
+ run: make test
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 00000000000..af8fa459891
--- /dev/null
+++ b/.github/workflows/codeql.yml
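Review bot: The `gomod` entry will bump go.mod/go.sum, but the Makefile touched in this same commit runs `go test -mod=vendor`, so a Dependabot PR only passes `make test` if the `vendor/` tree is regenerated as part of the bump. Dependabot is documented to run `go mod vendor` when `vendor/modules.txt` exists, but that is worth confirming on the first generated PR rather than assuming. A one-line comment above the entry would save the next maintainer the surprise, e.g. `# make test uses -mod=vendor: bumps must also refresh vendor/`.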
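Review bot: The rewritten workflow still has no top-level `permissions:` block, unlike the CodeQL and Docker workflows added alongside it, so its GITHUB_TOKEN gets the repository default, which can be read/write on older repositories. The job only checks out and runs `make test`, so adding `permissions:` with `contents: read` under `name: Check` is sufficient and is the least-privilege setting. Separately, `pull_request` is now restricted to PRs whose base is master or feat/h2c-origin, so PRs targeting any other branch no longer run the check; if that is intended, a comment such as `# only the two long-lived branches are CI-checked` would make it explicit.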
@@ -0,0 +1,31 @@
+name: CodeQL
+
+on:
+ push:
+ branches: [master, feat/h2c-origin]
+ pull_request:
+ branches: [master, feat/h2c-origin]
+ schedule:
+ - cron: "30 5 * * 1"
+
+permissions:
+ security-events: write
+ contents: read
+
+jobs:
+ analyze:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v6
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v4
+ with:
+ languages: go
+
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v4
+
+ - name: Perform CodeQL analysis
+ uses: github/codeql-action/analyze@v4
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
new file mode 100644
index 00000000000..7bd123c8abc
--- /dev/null
+++ b/.github/workflows/docker-publish.yml
@@ -0,0 +1,60 @@
+name: Docker publish
+
+on:
+ push:
+ tags:
+ - "v*-h2c*"
+ workflow_dispatch:
+
+permissions:
+ packages: write
+ contents: read
+
+env:
+ REGISTRY: ghcr.io
+ IMAGE_NAME: inherent-design/cloudflared
+
+jobs:
+ build-and-push:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v6
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Log in to GHCR
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Extract metadata
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ tags: |
+ type=semver,pattern={{version}}
+ type=raw,value=latest-h2c
+
+ - name: Build and push
+ uses: docker/build-push-action@v6
+ with:
+ context: .
+ push: true
+ platforms: linux/amd64
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+
+ - name: Trivy scan
+ uses: aquasecurity/trivy-action@0.34.0
+ with:
+ image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest-h2c
+ format: table
+ exit-code: "1"
+ severity: CRITICAL,HIGH
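Review bot: The `pull_request` trigger is limited to base branches master and feat/h2c-origin, which is narrower than the Semgrep workflow this commit deletes (that one ran with `pull_request: {}`, i.e. on every PR), so PRs against any other branch now get no static analysis at all. If that narrowing is intended, say so in the file, e.g. `# SAST runs only for the two long-lived branches; the all-PR Semgrep workflow was replaced by CodeQL`. GitHub's own CodeQL template also grants `actions: read` next to `security-events: write` for private repositories so the analyze step can read workflow status; if this fork is private, add it to the `permissions:` block.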
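Review bot: The Trivy step scans `latest-h2c` only after `Build and push` has already pushed it with `push: true`, so a CRITICAL/HIGH finding fails the job but the vulnerable image is already live in GHCR under both the semver tag and `latest-h2c`. Build into the local daemon first (`load: true`, no push), scan that image, and push only when the scan passes; the second build step is a full cache hit so the cost is negligible. The action references are also pinned to mutable tags (`@v6`, `@v3`, `@v5`, `@0.34.0`) in a job that holds `packages: write`, so pinning them to full commit SHAs (the `github-actions` Dependabot entry added in this commit will keep such pins fresh) closes the obvious tag-retarget path.

```yaml
      - name: Build (local, for scanning)
        uses: docker/build-push-action@v6
        with:
          context: .
          load: true
          platforms: linux/amd64
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Trivy scan (before publish)
        uses: aquasecurity/trivy-action@0.34.0
        with:
          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest-h2c
          format: table
          exit-code: "1"
          severity: CRITICAL,HIGH

      - name: Push
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          platforms: linux/amd64
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
```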
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
deleted file mode 100644
index 4090692fe0b..00000000000
--- a/.github/workflows/semgrep.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-on:
- pull_request: {}
- workflow_dispatch: {}
- push:
- branches:
- - main
- - master
- schedule:
- - cron: '0 0 * * *'
-name: Semgrep config
-jobs:
- semgrep:
- name: semgrep/ci
- runs-on: ubuntu-latest
- env:
- SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
- SEMGREP_URL: https://cloudflare.semgrep.dev
- SEMGREP_APP_URL: https://cloudflare.semgrep.dev
- SEMGREP_VERSION_CHECK_URL: https://cloudflare.semgrep.dev/api/check-version
- container:
- image: semgrep/semgrep
- steps:
- - uses: actions/checkout@v4
- - run: semgrep ci
diff --git a/.github/workflows/sync-upstream.yml b/.github/workflows/sync-upstream.yml
new file mode 100644
index 00000000000..61a5f9c164c
--- /dev/null
+++ b/.github/workflows/sync-upstream.yml
@@ -0,0 +1,66 @@
+name: Sync upstream
+
+on:
+ schedule:
+ - cron: "0 6 * * 1" # Monday 6am UTC
+ workflow_dispatch:
+
+permissions:
+ contents: write
+ issues: write
+
+jobs:
+ sync:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v6
+ with:
+ fetch-depth: 0
+ token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Configure git
+ run: |
+ git config user.name "github-actions[bot]"
+ git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+ - name: Add upstream remote
+ run: git remote add upstream https://github.com/cloudflare/cloudflared.git || true
+
+ - name: Fetch upstream
+ run: git fetch upstream master
+
+ - name: Fast-forward master
+ run: |
+ git checkout master
+ git merge --ff-only upstream/master
+ git push origin master
+
+ - name: Rebase feature branch
+ id: rebase
+ continue-on-error: true
+ run: |
+ git checkout feat/h2c-origin
+ git rebase master
+ git push --force-with-lease origin feat/h2c-origin
+
+ - name: Open issue on conflict
+ if: steps.rebase.outcome == 'failure'
+ uses: actions/github-script@v8
+ with:
+ script: |
+ const existing = await github.rest.issues.listForRepo({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ state: 'open',
+ labels: 'upstream-conflict',
+ });
+ if (existing.data.length === 0) {
+ await github.rest.issues.create({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ title: 'Upstream sync conflict on feat/h2c-origin',
+ body: `The automatic rebase of \`feat/h2c-origin\` onto \`master\` failed.\n\nPlease resolve the conflict manually:\n\`\`\`bash\ngit fetch origin\ngit checkout feat/h2c-origin\ngit rebase origin/master\n# resolve conflicts\ngit push --force-with-lease origin feat/h2c-origin\n\`\`\`\n\nRun: ${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`,
+ labels: ['upstream-conflict'],
+ });
+ }
diff --git a/.gitignore b/.gitignore
index 46e818f1544..f34ffc65195 100644
--- a/.gitignore
+++ b/.gitignore
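Review bot: The checkout uses `token: ${{ secrets.GITHUB_TOKEN }}` and the later steps push master and force-push feat/h2c-origin with that same token; pushes made with a workflow's own GITHUB_TOKEN do not trigger other workflows, so the fast-forwarded master and the rebased feature branch never get the Check or CodeQL runs defined in this same commit, and upstream commits land untested until something else pushes. A GitHub App installation token or a fine-grained PAT with contents:write, stored as a repository secret and used in place of GITHUB_TOKEN here, restores the triggering; alternatively this job can explicitly dispatch the Check workflow after a successful push. Note also that `git merge --ff-only upstream/master` accepts whatever the upstream remote serves with no tag or signature verification, which is inherent to a mirror but worth stating in a comment above the `Fast-forward master` step so the trust boundary is explicit.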
@@ -14,6 +14,7 @@ cscope.*
 /packaging
 .DS_Store
 *-session.log
+gotest.log
 ssh_server_tests/.env
 /.cover
 built_artifacts/
diff --git a/Makefile b/Makefile
index 8490480eaee..207c64cca3d 100644
--- a/Makefile
+++ b/Makefile
@@ -128,7 +128,7 @@ endif #for FIPS compliance, FPM defaults to MD5. RPM_DIGEST := --rpm-digest sha256 -GO_TEST_LOG_OUTPUT = /tmp/gotest.log +GO_TEST_LOG_OUTPUT = gotest.log .PHONY: all all: cloudflared test
@@ -164,7 +164,7 @@ generate-docker-version: test: vet $Q go test -json -v -mod=vendor -race $(LDFLAGS) ./... 2>&1 | tee $(GO_TEST_LOG_OUTPUT) ifneq ($(FIPS), true) - @go run -mod=readonly github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@latest -input $(GO_TEST_LOG_OUTPUT) + @grep -v '"Action":"build-output"' $(GO_TEST_LOG_OUTPUT) | go run -mod=readonly github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@latest endif .PHONY: cover
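Review bot: The rewritten recipe line in the `test` target keeps `go run ... gotestfmt@latest`, which resolves a fresh, unpinned module version from the network on every `make test`; `-mod=readonly` does not constrain a `pkg@version` invocation, so whatever the module proxy serves that day is what formats (and gates) the test output. The `@latest` was already on the removed line, but since the line is being rewritten this is the moment to pin it to an explicit `vX.Y.Z` tag, e.g. `... | go run -mod=readonly github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@v2.<pinned>`, or to add it as a tool dependency in go.mod so the vendor tree and Dependabot cover it. Pinning it by tag alone still trusts the proxy, so the go.mod route is the stronger of the two.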