fix(ci): enable ICMP tests on Linux and fix gotestfmt on macOS/Windows

.github/dependabot.yml

@@ -0,0 +1,17 @@
+version: 2
+updates:
+  - package-ecosystem: gomod
+    directory: /
+    schedule:
+      interval: weekly
+    labels:
+      - dependencies
+      - go
+
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    labels:
+      - dependencies
+      - ci

.github/workflows/check.yaml

@@ -1,18 +1,29 @@
-on: [push, pull_request]
 name: Check
+
+on:
+  push:
+    branches: [master, feat/h2c-origin]
+  pull_request:
+    branches: [master, feat/h2c-origin]
+
 jobs:
   check:
     strategy:
       matrix:
-        go-version: [1.22.x]
         os: [ubuntu-latest, macos-latest, windows-latest]
     runs-on: ${{ matrix.os }}
     steps:
-    - name: Install Go
-      uses: actions/setup-go@v5
-      with:
-        go-version: ${{ matrix.go-version }}
-    - name: Checkout code
-      uses: actions/checkout@v4
-    - name: Test
-      run: make test
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+
+      - name: Allow unprivileged ICMP (Linux)
+        if: runner.os == 'Linux'
+        run: sudo sysctl -w net.ipv4.ping_group_range="0 2147483647"
+
+      - name: Test
+        run: make test

.github/workflows/codeql.yml

@@ -0,0 +1,31 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [master, feat/h2c-origin]
+  pull_request:
+    branches: [master, feat/h2c-origin]
+  schedule:
+    - cron: "30 5 * * 1"
+
+permissions:
+  security-events: write
+  contents: read
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4
+        with:
+          languages: go
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v4
+
+      - name: Perform CodeQL analysis
+        uses: github/codeql-action/analyze@v4

.github/workflows/docker-publish.yml

@@ -0,0 +1,60 @@
+name: Docker publish
+
+on:
+  push:
+    tags:
+      - "v*-h2c*"
+  workflow_dispatch:
+
+permissions:
+  packages: write
+  contents: read
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: inherent-design/cloudflared
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=semver,pattern={{version}}
+            type=raw,value=latest-h2c
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          platforms: linux/amd64
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Trivy scan
+        uses: aquasecurity/trivy-action@0.34.0
+        with:
+          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest-h2c
+          format: table
+          exit-code: "1"
+          severity: CRITICAL,HIGH

.github/workflows/sync-upstream.yml

@@ -0,0 +1,66 @@
+name: Sync upstream
+
+on:
+  schedule:
+    - cron: "0 6 * * 1" # Monday 6am UTC
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  issues: write
+
+jobs:
+  sync:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Configure git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+      - name: Add upstream remote
+        run: git remote add upstream https://github.com/cloudflare/cloudflared.git || true
+
+      - name: Fetch upstream
+        run: git fetch upstream master
+
+      - name: Fast-forward master
+        run: |
+          git checkout master
+          git merge --ff-only upstream/master
+          git push origin master
+
+      - name: Rebase feature branch
+        id: rebase
+        continue-on-error: true
+        run: |
+          git checkout feat/h2c-origin
+          git rebase master
+          git push --force-with-lease origin feat/h2c-origin
+
+      - name: Open issue on conflict
+        if: steps.rebase.outcome == 'failure'
+        uses: actions/github-script@v8
+        with:
+          script: |
+            const existing = await github.rest.issues.listForRepo({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              state: 'open',
+              labels: 'upstream-conflict',
+            });
+            if (existing.data.length === 0) {
+              await github.rest.issues.create({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                title: 'Upstream sync conflict on feat/h2c-origin',
+                body: `The automatic rebase of \`feat/h2c-origin\` onto \`master\` failed.\n\nPlease resolve the conflict manually:\n\`\`\`bash\ngit fetch origin\ngit checkout feat/h2c-origin\ngit rebase origin/master\n# resolve conflicts\ngit push --force-with-lease origin feat/h2c-origin\n\`\`\`\n\nRun: ${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`,
+                labels: ['upstream-conflict'],
+              });
+            }

.gitignore

@@ -14,6 +14,7 @@ cscope.*
 /packaging
 .DS_Store
 *-session.log
+gotest.log
 ssh_server_tests/.env
 /.cover
 built_artifacts/

Makefile

@@ -128,7 +128,7 @@ endif
 #for FIPS compliance, FPM defaults to MD5.
 RPM_DIGEST := --rpm-digest sha256
 
-GO_TEST_LOG_OUTPUT = /tmp/gotest.log
+GO_TEST_LOG_OUTPUT = gotest.log
 
 .PHONY: all
 all: cloudflared test
@@ -164,7 +164,7 @@ generate-docker-version:
 test: vet
 	$Q go test -json -v -mod=vendor -race $(LDFLAGS) ./... 2>&1 | tee $(GO_TEST_LOG_OUTPUT)
 ifneq ($(FIPS), true)
-	@go run -mod=readonly github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@latest -input $(GO_TEST_LOG_OUTPUT)
+	@grep -v '"Action":"build-output"' $(GO_TEST_LOG_OUTPUT) | go run -mod=readonly github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@latest
 endif
 
 .PHONY: cover