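# CI pipeline: vet/test/lint/build, a short fuzz smoke run, a real-Keycloak
# e2e run against the demo compose stack, a production-overlay posture
# check, and govulncheck. Every third-party action is pinned to a commit
# SHA; the trailing comment records the tag that SHA corresponds to.
name: CI
on:  # yamllint disable-line rule:truthy
  # Push covers the mainline only — feature branches are verified
  # via the pull_request trigger below. Without this restriction,
  # every push to a branch with an open PR fires CI twice (once
  # for the push, once for the PR's merge commit), duplicating
  # the entire matrix on every commit.
  push:
    branches:
      - master
  pull_request:
    branches:
      - master

# Least privilege for the default GITHUB_TOKEN: no job in this workflow
# writes to the repository, releases, packages or checks.
permissions:
  contents: read

concurrency:
  group: ci-${{ github.ref }}
  # NOTE(review): this also cancels an in-progress run on master when
  # commits land back-to-back, so an intermediate mainline commit may never
  # get a complete result. If every master commit must be fully checked,
  # use `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`
  # — confirm the intended policy with the maintainers.
  cancel-in-progress: true

jobs:
  test:
    name: test
    runs-on: ubuntu-latest
    # Every job carries an explicit bound so a hung test, build or container
    # cannot hold a runner for the platform default of 360 minutes. Raise a
    # limit deliberately if a job legitimately needs longer.
    timeout-minutes: 20
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # No later step needs git credentials (nothing pushes or fetches
          # another repository), so do not persist the token for them.
          persist-credentials: false
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version-file: go.mod
          cache: true
      - name: go vet
        run: go vet ./...
      - name: go test -race
        # -count=1 defeats the test cache so every run re-executes.
        run: go test -race -count=1 -coverprofile=coverage.out ./...
      - name: coverage summary
        run: go tool cover -func=coverage.out | tail -1
      - name: upload coverage
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: coverage
          path: coverage.out
          retention-days: 7

  lint:
    name: lint
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version-file: go.mod
          cache: true
      - uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
        with:
          version: v2.11.4
          args: --timeout=5m

  build:
    name: build
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version-file: go.mod
          cache: true
      - name: static build
        env:
          # Quoted on purpose: a bare 0 would be typed as an integer.
          CGO_ENABLED: '0'
        # Build the root `main` package only. `./...` enumerates every
        # package in the module; paired with `-o <file>` it fails with
        # "cannot write multiple packages to non-directory".
        run: go build -ldflags="-s -w" -o /tmp/mcp-auth-proxy ./

  fuzz-smoke:
    name: fuzz-smoke
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version-file: go.mod
          cache: true
      # -run=^$ skips the regular tests so only the fuzz target executes;
      # -fuzztime bounds each target to a short smoke run.
      - name: fuzz OpenJSON (20s)
        run: go test -run=^$ -fuzz=FuzzOpenJSON -fuzztime=20s ./token/
      - name: fuzz Validate (20s)
        run: go test -run=^$ -fuzz=FuzzValidate -fuzztime=20s ./token/

  keycloak-e2e:
    name: keycloak-e2e
    runs-on: ubuntu-latest
    # The compose stack must build and come up inside this window; the
    # health wait below is itself bounded to 60 x 2s.
    timeout-minutes: 30
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version-file: go.mod
          cache: true
      - name: generate demo env
        run: bash manifests/docker-compose/scripts/generate-secrets.sh
      - name: start demo stack
        run: docker compose -f manifests/docker-compose/compose.yaml up -d --build
      - name: wait for proxy health
        # Polls the proxy health endpoint for up to 120s; on timeout the
        # compose logs are printed so the failure is diagnosable.
        run: |
          for i in {1..60}; do
            if curl -fs http://localhost:8080/healthz >/dev/null; then
              exit 0
            fi
            sleep 2
          done
          docker compose -f manifests/docker-compose/compose.yaml logs
          exit 1
      - name: go test real Keycloak e2e
        # Run every TestKeycloakE2E* test — happy path + the
        # negative-path tests (consent denied, replayed code,
        # refresh family revoke, resource mismatch). Adding new
        # negative-path tests does not require a CI workflow change
        # as long as they keep the TestKeycloakE2E_ prefix.
        run: go test -tags=keycloak_e2e -run "^TestKeycloakE2E" -count=1 -v .
      - name: dump compose logs on failure
        if: failure()
        run: docker compose -f manifests/docker-compose/compose.yaml logs
      - name: stop demo stack
        # always() so the stack (and its volumes, -v) is torn down even
        # when an earlier step failed or the job was cancelled.
        if: always()
        run: docker compose -f manifests/docker-compose/compose.yaml down -v

  manifest-prod:
    name: manifest-prod
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: install kubectl
        # Embeds kustomize >= v5; ubuntu-latest ships kubectl already
        # but pinning avoids silent drift if the runner image changes.
        uses: azure/setup-kubectl@829323503d1be3d00ca8346e5391ca0b07a9ab0d # v5.1.0
        with:
          version: v1.31.1
      - name: install yq
        uses: dcarbone/install-yq-action@4075b4dca348d74bd83f2bf82d30f25d7c54539b # v1.3.1
        with:
          version: v4.44.3
      - name: production overlay posture check
        # Renders the production overlay and asserts PROD_MODE,
        # RENDER_CONSENT_PAGE, REDIS_REQUIRED, RATE_LIMIT_ENABLED,
        # TRUSTED_PROXY_CIDRS, runAsNonRoot, replicas >= 2, and an
        # explicit (non-:latest) image tag. Catches drift before rollout.
        run: bash manifests/overlays/production/check.sh

  vuln:
    name: govulncheck
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version-file: go.mod
          cache: true
      - name: install govulncheck
        # Pinned for reproducibility — bump deliberately when a new
        # release advertises a vulndb improvement we want to consume.
        # (A module version cannot be SHA-pinned like an action; the Go
        # checksum database verifies the downloaded module instead.)
        run: go install golang.org/x/vuln/cmd/govulncheck@v1.1.4
      - name: govulncheck ./...
        # Fails the job on any known-exploitable vulnerability in the
        # module graph or the Go toolchain itself. Queries vuln.go.dev
        # for the Go vulnerability database.
        run: govulncheck ./...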