Skip to content

Commit fb55b84

Browse files
Merge pull request #206 from bunkerity/dev
Road to 1.11 🚀
2 parents 1aa4dc5 + f2a2a8c commit fb55b84

130 files changed

Lines changed: 9585 additions & 633 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.busted

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,10 @@
1+
return {
2+
default = {
3+
-- Run from the repo root so `require("authentik/authentik_helpers")`
4+
-- resolves authentik/authentik_helpers.lua, mirroring how BunkerWeb
5+
-- requires plugins ("<id>/<id>").
6+
lpath = "./?.lua",
7+
ROOT = { "spec" },
8+
pattern = "_spec",
9+
},
10+
}

.coderabbit.yaml

Lines changed: 333 additions & 0 deletions
Large diffs are not rendered by default.

.github/dependabot.yml

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -16,6 +16,21 @@ updates:
1616
prefix: "deps/gha"
1717
target-branch: "dev"
1818

19+
# npm (Prettier tooling)
20+
- package-ecosystem: "npm"
21+
directory: "/"
22+
schedule:
23+
interval: "daily"
24+
time: "09:00"
25+
timezone: "Europe/Paris"
26+
assignees:
27+
- "TheophileDiot"
28+
reviewers:
29+
- "TheophileDiot"
30+
commit-message:
31+
prefix: "deps/npm"
32+
target-branch: "dev"
33+
1934
# Coraza
2035
- package-ecosystem: "docker"
2136
directory: "/coraza/api"

.github/workflows/codeql.yml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -19,13 +19,13 @@ jobs:
1919
language: ["python", "go"]
2020
steps:
2121
- name: Checkout repository
22-
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
22+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
2323
- name: Initialize CodeQL
24-
uses: github/codeql-action/init@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
24+
uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
2525
with:
2626
languages: ${{ matrix.language }}
2727
config-file: ./.github/codeql.yml
2828
- name: Perform CodeQL Analysis
29-
uses: github/codeql-action/analyze@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
29+
uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
3030
with:
3131
category: "/language:${{matrix.language}}"

.github/workflows/release.yml

Lines changed: 81 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,81 @@
1+
name: Release
2+
3+
# Cut a GitHub release once per plugin version bump. Mirrors the release-creation
4+
# step of bunkerity/bunkerweb (softprops/action-gh-release, pinned SHA, draft for
5+
# human review) without the heavy build matrix the plugins repo does not need.
6+
#
7+
# Fires only after the "Tests" workflow succeeds on main, and only when the
8+
# version in plugin.json does not already have a release — so a normal push to
9+
# main that does not bump the version is a no-op.
10+
11+
on:
12+
workflow_run:
13+
workflows: [Tests]
14+
types: [completed]
15+
branches: [main]
16+
17+
permissions:
18+
contents: read
19+
20+
jobs:
21+
release:
22+
if: github.event.workflow_run.conclusion == 'success'
23+
runs-on: ubuntu-latest
24+
permissions:
25+
contents: write # create the tag + release
26+
steps:
27+
- name: Checkout the tested commit
28+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
29+
with:
30+
ref: ${{ github.event.workflow_run.head_sha }}
31+
fetch-depth: 0 # full history so generated release notes are complete
32+
33+
- name: Resolve plugin version
34+
id: version
35+
run: |
36+
# All plugin.json carry the same version (kept in lockstep by
37+
# misc/update_version.sh), so any one of them is the source of truth.
38+
version="$(jq -r .version clamav/plugin.json)"
39+
case "$version" in
40+
"" | null | *[!0-9.]*)
41+
echo "::error::unexpected plugin version '$version'"
42+
exit 1
43+
;;
44+
esac
45+
echo "version=$version" >> "$GITHUB_OUTPUT"
46+
echo "tag=v$version" >> "$GITHUB_OUTPUT"
47+
48+
- name: Skip if this version is already released
49+
id: guard
50+
env:
51+
GH_TOKEN: ${{ github.token }}
52+
TAG: ${{ steps.version.outputs.tag }}
53+
run: |
54+
# Match on tag_name across ALL releases, drafts included. A draft has
55+
# no git tag until it is published, so `gh release view <tag>` would
56+
# miss an unpublished draft and we'd create a duplicate on every push.
57+
# The assignment aborts the step if `gh api` fails (no fail-open to
58+
# "create" on an auth/network error).
59+
tags="$(gh api "repos/$GITHUB_REPOSITORY/releases" --paginate --jq '.[].tag_name')"
60+
if grep -Fxq "$TAG" <<<"$tags"; then
61+
echo "exists=true" >> "$GITHUB_OUTPUT"
62+
echo "Release $TAG already exists (including drafts) — nothing to do."
63+
else
64+
echo "exists=false" >> "$GITHUB_OUTPUT"
65+
echo "No release for $TAG yet — creating a draft."
66+
fi
67+
68+
- name: Create draft release
69+
if: steps.guard.outputs.exists == 'false'
70+
uses: softprops/action-gh-release@718ea10b132b3b2eba29c1007bb80653f286566b # v3.0.1
71+
with:
72+
tag_name: ${{ steps.version.outputs.tag }}
73+
target_commitish: ${{ github.event.workflow_run.head_sha }}
74+
name: ${{ steps.version.outputs.tag }}
75+
draft: true # published by a maintainer after a quick review
76+
generate_release_notes: true # auto-changelog from merged PRs/commits
77+
body: |
78+
BunkerWeb external plugins **${{ steps.version.outputs.tag }}**.
79+
80+
Install a plugin by mounting its directory into the scheduler's `/data/plugins`
81+
(see the README). Coraza ships its WAF API as `bunkerity/bunkerweb-coraza`.

.github/workflows/tests.yml

Lines changed: 131 additions & 24 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,10 @@ on:
44
push:
55
branches: [dev, main]
66

7+
concurrency:
8+
group: tests-${{ github.ref }}
9+
cancel-in-progress: true
10+
711
jobs:
812
codeql:
913
uses: ./.github/workflows/codeql.yml
@@ -12,40 +16,143 @@ jobs:
1216
contents: read
1317
security-events: write
1418

15-
setup:
19+
tag:
20+
runs-on: ubuntu-latest
21+
outputs:
22+
bw_tag: ${{ steps.tag.outputs.bw_tag }}
23+
steps:
24+
- name: Resolve latest stable BunkerWeb tag
25+
id: tag
26+
env:
27+
GH_TOKEN: ${{ github.token }}
28+
run: |
29+
# Always test against the latest STABLE BunkerWeb release, resolved at
30+
# runtime so it never goes stale. GitHub's releases/latest endpoint
31+
# excludes drafts and pre-releases (rc/beta), giving us "stable".
32+
# Same tag on every branch (dev and main) — there is no pinned version.
33+
# `|| true`: a 404 (no stable release yet) or rate-limit makes gh exit
34+
# non-zero, which under `bash -e` would abort the step here with a raw
35+
# error. Swallow it so the empty tag falls through to the case below
36+
# and reports our own diagnostic.
37+
tag="$(gh api repos/bunkerity/bunkerweb/releases/latest --jq .tag_name || true)"
38+
tag="${tag#v}" # release tag may be "v1.6.1"; Docker tags have no "v"
39+
case "$tag" in
40+
"" | *-*)
41+
echo "::error::could not resolve a stable BunkerWeb tag (got '${tag:-<empty>}')"
42+
exit 1
43+
;;
44+
esac
45+
echo "Resolved latest stable BunkerWeb tag: $tag"
46+
echo "bw_tag=$tag" >> "$GITHUB_OUTPUT"
47+
48+
lint:
1649
runs-on: ubuntu-latest
1750
steps:
1851
- name: Checkout source code
19-
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
52+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
53+
- name: Set up Python
54+
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
55+
with:
56+
python-version: "3.11"
57+
- name: Install pre-commit
58+
run: pip install pre-commit
59+
- name: Install Lua toolchain
60+
# The luacheck pre-commit hook is language:lua and needs luarocks on the
61+
# runner to bootstrap its environment.
62+
run: |
63+
sudo apt-get update
64+
sudo apt-get install -y lua5.4 liblua5.4-dev luarocks
65+
- name: Set up Node
66+
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
67+
with:
68+
node-version: "22"
69+
cache: "npm"
70+
- name: Install Prettier
71+
# The prettier hook is language:system and resolves prettier from the
72+
# repo's pinned package-lock.json via npx.
73+
run: npm ci
74+
- name: Run pre-commit
75+
run: pre-commit run --all-files
76+
77+
unit:
78+
runs-on: ubuntu-latest
79+
strategy:
80+
fail-fast: false
81+
matrix:
82+
lang: [go, python, lua]
83+
steps:
84+
- name: Checkout source code
85+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
86+
87+
# --- Go : coraza API service ---
88+
- name: Set up Go
89+
if: matrix.lang == 'go'
90+
uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
91+
with:
92+
go-version: "1.25"
93+
- name: Run Go unit tests
94+
if: matrix.lang == 'go'
95+
working-directory: coraza/api
96+
run: |
97+
# No go.sum is committed (the Dockerfile resolves deps at build time),
98+
# so populate it before testing. Build tag must match the binary.
99+
go mod tidy
100+
go test -tags=coraza.rule.multiphase_evaluation ./...
101+
102+
# --- Python : ui/actions.py ---
103+
- name: Set up Python
104+
if: matrix.lang == 'python'
105+
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
106+
with:
107+
python-version: "3.11"
108+
- name: Run Python unit tests
109+
if: matrix.lang == 'python'
110+
run: |
111+
pip install pytest
112+
pytest tests/ -q
20113
21-
- name: Get BW tag
114+
# --- Lua : busted specs ---
115+
- name: Run Lua unit tests
116+
if: matrix.lang == 'lua'
22117
run: |
23-
if [ "$GITHUB_REF" = "refs/heads/main" ] ; then
24-
echo "BW_TAG=1.6.1" >> $GITHUB_ENV
25-
else
26-
echo "BW_TAG=dev" >> $GITHUB_ENV
27-
fi
118+
sudo apt-get update
119+
# liblua5.4-dev provides headers for busted's C deps; pin the luarocks
120+
# tree to 5.4 so the busted CLI runs against the lua5.4 we installed.
121+
sudo apt-get install -y lua5.4 liblua5.4-dev luarocks
122+
sudo luarocks --lua-version=5.4 install busted
123+
busted
28124
125+
integration:
126+
needs: [tag, lint, unit]
127+
runs-on: ubuntu-latest
128+
strategy:
129+
fail-fast: false
130+
matrix:
131+
plugin: [clamav, cloudflare, coraza, virustotal, authentik, notifier]
132+
steps:
133+
- name: Checkout source code
134+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
29135
- name: Login to Docker Hub
30-
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
136+
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
31137
with:
32138
username: ${{ secrets.DOCKER_USERNAME }}
33139
password: ${{ secrets.DOCKER_TOKEN }}
34-
35140
- name: Pull and build BW
36-
run: ./.tests/bw.sh "${{ env.BW_TAG }}"
37-
38-
- name: Run ClamAV tests
39-
run: ./.tests/clamav.sh
40-
41-
- name: Run Coraza tests
42-
run: ./.tests/coraza.sh
43-
44-
- name: Run VirusTotal tests
45-
run: ./.tests/virustotal.sh
46-
env:
47-
VIRUSTOTAL_API_KEY: ${{ secrets.VIRUSTOTAL_API_KEY }}
141+
run: bash .tests/bw.sh "${{ needs.tag.outputs.bw_tag }}"
142+
- name: Run ${{ matrix.plugin }} tests
143+
run: bash .tests/${{ matrix.plugin }}.sh
48144

145+
build-push:
146+
needs: [tag, integration]
147+
if: github.ref == 'refs/heads/main'
148+
runs-on: ubuntu-latest
149+
steps:
150+
- name: Checkout source code
151+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
152+
- name: Login to Docker Hub
153+
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
154+
with:
155+
username: ${{ secrets.DOCKER_USERNAME }}
156+
password: ${{ secrets.DOCKER_TOKEN }}
49157
- name: Build and push APIs
50-
if: env.BW_TAG == '1.6.1'
51-
run: ./.tests/build-push.sh "${{ env.BW_TAG }}"
158+
run: bash .tests/build-push.sh "${{ needs.tag.outputs.bw_tag }}"

.gitignore

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,3 +4,12 @@
44
env
55
node_modules
66
style.css
7+
.idea
8+
9+
# Python test artifacts
10+
__pycache__/
11+
*.pyc
12+
.pytest_cache/
13+
14+
# Go: deps are resolved at build time; go.sum is regenerated, not committed
15+
coraza/api/go.sum

0 commit comments

Comments
 (0)