ci(sdk dev): Add sdk development workflow

crowdsecurity · Nov 5, 2024 · e9d3c13 · e9d3c13
1 parent b445eb4
commit e9d3c13
Show file tree

Hide file tree

Showing 2 changed files with 274 additions and 81 deletions.
diff --git a/.github/workflows/php-sdk-development-tests.yml b/.github/workflows/php-sdk-development-tests.yml
@@ -0,0 +1,268 @@
+name: PHP SDK development tests
+on:
+  workflow_dispatch:
+    inputs:
+      php_common_json:
+        type: string
+        description: The PHP common json to use
+        required: true
+        default: '["main","crowdsecurity/php-common"]'
+      lapi_client_json:
+        type: string
+        description: The LAPI client json to use
+        required: true
+        default: '["main","crowdsecurity/php-lapi-client"]'
+      remediation_engine_json:
+        type: string
+        description: The Remediation Engine json to use
+        required: true
+        default: '["main", "crowdsecurity/php-remediation-engine"]'
+
+  workflow_call:
+    # For workflow_call, we don't allow passing a repository as input
+    inputs:
+      is_call:
+        type: boolean
+        description: "Flag to indicate if the workflow is called"
+        # @see https://github.com/actions/runner/discussions/1884
+        required: false
+        default: true
+      php_common_json:
+        type: string
+        description: The PHP common json to use
+        required: true
+        default: '["main"]'
+      lapi_client_json:
+        type: string
+        description: The LAPI client json to use
+        required: true
+        default: '["main"]'
+      remediation_engine_json:
+        type: string
+        description: The Remediation Engine json to use
+        required: true
+        default: '["main"]'
+
+permissions:
+  contents: read
+
+env:
+  # Allow ddev get to use a GitHub token to prevent rate limiting by tests
+  DDEV_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  BOUNCER_LIP_REPO: crowdsecurity/php-cs-bouncer
+  PHP_COMMON_JSON: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.php_common_json || inputs.php_common_json }}
+  LAPI_CLIENT_JSON: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.lapi_client_json || inputs.lapi_client_json }}
+  REMEDIATION_ENGINE_JSON: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.remediation_engine_json || inputs.remediation_engine_json }}
+
+jobs:
+  test-suite:
+    strategy:
+      fail-fast: false
+      matrix:
+        php-version: ["7.2", "7.3", "7.4", "8.0", "8.1", "8.2", "8.3"]
+
+    name: Test suite
+    runs-on: ubuntu-20.04
+    if: ${{ !contains(github.event.head_commit.message, 'chore(') }}
+    env:
+      EXTENSION_PATH: "my-code/crowdsec-bouncer-lib"
+      DDEV_PROJECT: "crowdsec-bouncer-lib"
+      JP_TEST_IP: "210.249.74.42"
+      IPV6_TEST_IP: "2001:0db8:0000:85a3:0000:0000:ac1f:8001"
+      IPV6_TEST_PROXY_IP: "2345:0425:2CA1:0000:0000:0567:5673:23b5"
+
+    steps:
+      - name: Set PHP common variables
+        id: set-common-data
+        run: |
+          echo "major_tag=$(curl -Ls -o /dev/null -w %{url_effective} https://github.com/crowdsecurity/php-common/releases/latest | grep -oP "\/tag\/v\K(.*)$" | cut -d. -f1)" >> $GITHUB_OUTPUT
+          echo "branch=${{ fromJson(env.PHP_COMMON_JSON)[0] }}" >> $GITHUB_OUTPUT
+          if [ "${{ inputs.is_call }}" = "true" ]; then
+              echo "repo=crowdsecurity/php-common" >> $GITHUB_OUTPUT
+          else
+              echo "repo=${{ fromJson(env.PHP_COMMON_JSON)[1] }}" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Set LAPI client variables
+        id: set-lapi-client-data
+        run: |
+          echo "major_tag=$(curl -Ls -o /dev/null -w %{url_effective} https://github.com/crowdsecurity/php-lapi-client/releases/latest | grep -oP "\/tag\/v\K(.*)$" | cut -d. -f1)" >> $GITHUB_OUTPUT
+          echo "branch=${{ fromJson(env.LAPI_CLIENT_JSON)[0] }}" >> $GITHUB_OUTPUT
+          if [ "${{ inputs.is_call }}" = "true" ]; then
+              echo "repo=crowdsecurity/php-lapi-client" >> $GITHUB_OUTPUT
+          else
+              echo "repo=${{ fromJson(env.LAPI_CLIENT_JSON)[1] }}" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Set Remediation engine variables
+        id: set-remediation-engine-data
+        run: |
+          echo "major_tag=$(curl -Ls -o /dev/null -w %{url_effective} https://github.com/crowdsecurity/php-remediation-engine/releases/latest | grep -oP "\/tag\/v\K(.*)$" | cut -d. -f1)" >> $GITHUB_OUTPUT
+          echo "branch=${{ fromJson(env.REMEDIATION_ENGINE_JSON)[0] }}" >> $GITHUB_OUTPUT
+          if [ "${{ inputs.is_call }}" = "true" ]; then
+              echo "repo=crowdsecurity/php-remediation-engine" >> $GITHUB_OUTPUT
+          else
+              echo "repo=${{ fromJson(env.REMEDIATION_ENGINE_JSON)[1] }}" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Install DDEV
+        # @see https://ddev.readthedocs.io/en/stable/#installationupgrade-script-linux-and-macos-armarm64-and-amd64-architectures
+        run: |
+          curl -fsSL https://apt.fury.io/drud/gpg.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/ddev.gpg > /dev/null
+          echo "deb [signed-by=/etc/apt/trusted.gpg.d/ddev.gpg] https://apt.fury.io/drud/ * *" | sudo tee /etc/apt/sources.list.d/ddev.list
+          sudo apt-get -q update
+          sudo apt-get -q -y install libnss3-tools ddev
+          mkcert -install
+          ddev config global --instrumentation-opt-in=false --omit-containers=ddev-ssh-agent
+
+      - name: Create empty PHP DDEV project
+        run: ddev config --project-type=php --project-name=${{env.DDEV_PROJECT}}  --php-version=${{ matrix.php-version }}
+
+      - name: Add Redis, Memcached and Crowdsec
+        run: |
+          ddev add-on get ddev/ddev-redis
+          ddev add-on  get ddev/ddev-memcached
+          # override redis.conf
+          ddev add-on  get julienloizelet/ddev-tools
+          ddev add-on  get julienloizelet/ddev-crowdsec-php
+
+      - name: Start DDEV
+        uses: nick-fields/retry@v3
+        with:
+          timeout_minutes: 5
+          max_attempts: 3
+          shell: bash
+          command: ddev start
+
+      - name: Set BOUNCER_KEY and PROXY_IP env
+        run: |
+          echo "BOUNCER_KEY=$(ddev create-bouncer)" >> $GITHUB_ENV
+          echo "PROXY_IP=$(ddev find-ip ddev-router)" >> $GITHUB_ENV
+
+      - name: Some DEBUG information
+        run: |
+          ddev --version
+          ddev exec php -v
+          ddev exec -s crowdsec crowdsec -version
+          ddev php -r "echo phpversion('memcached');"
+
+      - name: Clone bouncer lib files
+        if: inputs.is_call != true
+        uses: actions/checkout@v4
+        with:
+          path: ${{env.EXTENSION_PATH}}
+
+      - name: Clone bouncer lib files
+        if: inputs.is_call == true
+        uses: actions/checkout@v4
+        with:
+          repository: ${{ env.BOUNCER_LIB_REPO }}
+          path: ${{env.EXTENSION_PATH}}
+          ref: "main"
+
+      - name: Clone PHP common files
+        uses: actions/checkout@v4
+        with:
+          repository: ${{ steps.set-common-data.outputs.repo}}
+          ref: ${{ steps.set-common-data.outputs.branch  }}
+          path: my-code/php-common
+
+      - name: Clone PHP LAPI client
+        uses: actions/checkout@v4
+        with:
+          repository: ${{ steps.set-lapi-client-data.outputs.repo }}
+          ref: ${{ steps.set-lapi-client-data.outputs.branch }}
+          path: my-code/php-lapi-client
+
+      - name: Clone PHP remediation engine
+        uses: actions/checkout@v4
+        with:
+          repository: ${{ steps.set-remediation-engine-data.outputs.repo }}
+          ref: ${{ steps.set-remediation-engine-data.outputs.branch }}
+          path: my-code/php-remediation-engine
+
+      - name: Add local repositories to composer
+        run: |
+          ddev exec --raw composer config repositories.0 '{"type": "path", "url": "../php-common", "options": {"symlink": true}}' --working-dir ./${{ env.EXTENSION_PATH }}
+          ddev exec --raw composer config repositories.1 '{"type": "path", "url": "../php-lapi-client", "options": {"symlink": true}}' --working-dir ./${{ env.EXTENSION_PATH }}
+          ddev exec --raw composer config repositories.2 '{"type": "path", "url": "../php-remediation-engine", "options": {"symlink": true}}' --working-dir ./${{ env.EXTENSION_PATH }}
+
+      - name: Modify dependencies to use development aliases
+        run: |
+          composer require crowdsec/common:"dev-${{  steps.set-common-data.outputs.branch }} as ${{ steps.set-common-data.outputs.major_tag }}.999.0" --no-update --working-dir ./${{env.EXTENSION_PATH}}
+          composer require crowdsec/lapi-client:"dev-${{ steps.set-lapi-client-data.outputs.branch }} as ${{ steps.set-lapi-client-data.outputs.major_tag }}.999.0" --no-update --working-dir ./${{env.EXTENSION_PATH}}
+          composer require crowdsec/remediation-engine:"dev-${{ steps.set-remediation-engine-data.outputs.branch }} as ${{ steps.set-remediation-engine-data.outputs.major_tag }}.999.0" --no-update --working-dir ./${{env.EXTENSION_PATH}}
+
+          cat ./${{env.EXTENSION_PATH}}/composer.json
+
+      - name: Validate composer.json
+        run: ddev composer validate --strict --working-dir ./${{env.EXTENSION_PATH}}
+
+      - name: Install CrowdSec lib dependencies
+        run: |
+          ddev composer update --working-dir ./${{env.EXTENSION_PATH}}
+
+      - name: Check installed packages versions
+        run: |
+
+          PHP_COMMON_VERSION=$(ddev composer show crowdsec/common --working-dir ./${{env.EXTENSION_PATH}} | grep -oP "versions : \* \K(.*)") 
+          if [[ $PHP_COMMON_VERSION == "dev-${{ steps.set-common-data.outputs.branch  }}" ]]
+          then
+            echo "PHP_COMMON_VERSION COMPARISON OK"
+          else
+            echo "PHP_COMMON_VERSION COMPARISON KO"
+            echo $PHP_COMMON_VERSION
+            exit 1
+          fi
+          LAPI_CLIENT_VERSION=$(ddev composer show crowdsec/lapi-client --working-dir ./${{env.EXTENSION_PATH}} | grep -oP "versions : \* \K(.*)")
+          if [[ $LAPI_CLIENT_VERSION == "dev-${{ steps.set-lapi-client-data.outputs.branch  }}" ]]
+          then
+            echo "LAPI_CLIENT_VERSION COMPARISON OK"
+          else
+            echo "LAPI_CLIENT_VERSION COMPARISON KO"
+            echo $LAPI_CLIENT_VERSION
+            exit 1
+          fi
+          REMEDIATION_ENGINE_VERSION=$(ddev composer show crowdsec/remediation-engine --working-dir ./${{env.EXTENSION_PATH}} | grep -oP "versions : \* \K(.*)")
+          if [[ $REMEDIATION_ENGINE_VERSION == "dev-${{ steps.set-remediation-engine-data.outputs.branch }}" ]]
+          then
+            echo "REMEDIATION_ENGINE_VERSION COMPARISON OK"
+          else
+            echo "REMEDIATION_ENGINE_VERSION COMPARISON KO"
+            echo $REMEDIATION_ENGINE_VERSION
+            exit 1
+          fi
+
+      - name: Set excluded groups
+        id: set-excluded-groups
+        if: contains(fromJson('["7.2","7.3"]'),matrix.php-version)
+        run: echo "exclude_group=$(echo --exclude-group up-to-php74 )" >> $GITHUB_OUTPUT
+
+      - name: Run "Unit Tests"
+        run: |
+          ddev exec /usr/bin/php ./${{env.EXTENSION_PATH}}/vendor/bin/phpunit --testdox  ${{ steps.set-excluded-groups.outputs.exclude_group }} ./${{env.EXTENSION_PATH}}/tests/Unit
+
+      - name: Prepare PHP Integration tests
+        run: |
+          mkdir ${{ github.workspace }}/cfssl
+          cp -r .ddev/okaeli-add-on/custom_files/crowdsec/cfssl/* ${{ github.workspace }}/cfssl
+          ddev maxmind-download DEFAULT GeoLite2-City /var/www/html/${{env.EXTENSION_PATH}}/tests
+          ddev maxmind-download DEFAULT GeoLite2-Country /var/www/html/${{env.EXTENSION_PATH}}/tests
+          cd ${{env.EXTENSION_PATH}}/tests
+          sha256sum -c GeoLite2-Country.tar.gz.sha256.txt
+          sha256sum -c GeoLite2-City.tar.gz.sha256.txt
+          tar -xf GeoLite2-Country.tar.gz
+          tar -xf GeoLite2-City.tar.gz
+          rm GeoLite2-Country.tar.gz GeoLite2-Country.tar.gz.sha256.txt GeoLite2-City.tar.gz GeoLite2-City.tar.gz.sha256.txt
+
+      - name: Run "IP verification" test
+        run: |
+          ddev exec BOUNCER_KEY=${{ env.BOUNCER_KEY }} AGENT_TLS_PATH=/var/www/html/cfssl APPSEC_URL=http://crowdsec:7422 LAPI_URL=https://crowdsec:8080 MEMCACHED_DSN=memcached://memcached:11211 REDIS_DSN=redis://redis:6379 /usr/bin/php ./${{env.EXTENSION_PATH}}/vendor/bin/phpunit --testdox --colors --exclude-group ignore ./${{env.EXTENSION_PATH}}/tests/Integration/AbstractBouncerTest.php
+
+      - name: Run "IP verification with TLS" test
+        run: |
+          ddev exec BOUNCER_KEY=${{ env.BOUNCER_KEY }} AGENT_TLS_PATH=/var/www/html/cfssl BOUNCER_TLS_PATH=/var/www/html/cfssl APPSEC_URL=http://crowdsec:7422 LAPI_URL=https://crowdsec:8080 MEMCACHED_DSN=memcached://memcached:11211 REDIS_DSN=redis://redis:6379 /usr/bin/php ./${{env.EXTENSION_PATH}}/vendor/bin/phpunit --testdox --colors --exclude-group ignore ./${{env.EXTENSION_PATH}}/tests/Integration/AbstractBouncerTest.php
+
+      - name: Run "Geolocation with cURL" test
+        run: |
+          ddev exec BOUNCER_KEY=${{ env.BOUNCER_KEY }} AGENT_TLS_PATH=/var/www/html/cfssl APPSEC_URL=http://crowdsec:7422 LAPI_URL=https://crowdsec:8080  /usr/bin/php ./${{env.EXTENSION_PATH}}/vendor/bin/phpunit --testdox --colors --exclude-group ignore ./${{env.EXTENSION_PATH}}/tests/Integration/GeolocationTest.php
diff --git a/.github/workflows/sdk-chain-tests.yml b/.github/workflows/sdk-chain-tests.yml
@@ -10,97 +10,22 @@ on:
     branches:
       - main
     paths-ignore:
-      - '**.md'
-  pull_request:
-  workflow_dispatch:
-    inputs:
-      php_common_branch:
-        type: string
-        description: The PHP common branch to use
-        required: true
-        default: "main"
-      lapi_client_branch:
-        type: string
-        description: The LAPI client branch to use
-        required: true
-        default: "main"
-      remediation_engine_branch:
-        type: string
-        description: The Remediation Engine branch to use
-        required: true
-        default: "main"
-      bouncer_lib_branch:
-        type: string
-        description: The PHP bouncer library branch to use
-        required: true
-        default: "main"
+      - "**.md"
 
 permissions:
   contents: read
 
 env:
   # Allow ddev get to use a GitHub token to prevent rate limiting by tests
   DDEV_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  PHP_COMMON_BRANCH: ${{ github.event.inputs.php_common_branch }}
-  LAPI_CLIENT_BRANCH: ${{ github.event.inputs.lapi_client_branch }}
-  REMEDIATION_ENGINE_BRANCH: ${{ github.event.inputs.remediation_engine_branch }}
-  BOUNCER_LIB_BRANCH: ${{ github.event.inputs.bouncer_lib_branch }}
 
 jobs:
-  prepare-data:
-    name: Prepare data
-    outputs:
-      php_common_branch: ${{ steps.prepare-php-common.outputs.branch }}
-      lapi_client_branch: ${{ steps.prepare-lapi-client.outputs.branch }}
-      remediation_engine_branch: ${{ steps.prepare-remediation-engine.outputs.branch }}
-      bouncer_lib_branch: ${{ steps.prepare-bouncer-lib.outputs.branch }}
-    runs-on: ubuntu-latest
-    steps:
-      - name: Prepare PHP common data
-        id: prepare-php-common
-        run: |
-          if [ "${{ github.event_name }}" == "push" ] || [ "${{ github.event_name }}" == "pull_request" ]; then
-            echo "branch=main" >> $GITHUB_OUTPUT
-          else
-            echo "branch=${{ env.PHP_COMMON_BRANCH }}" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Prepare LAPI client data
-        id: prepare-lapi-client
-        run: |
-          if [ "${{ github.event_name }}" == "push" ] || [ "${{ github.event_name }}" == "pull_request" ]; then
-            echo 'branch=main' >> $GITHUB_OUTPUT
-          else
-            echo "branch=${{ env.LAPI_CLIENT_BRANCH }}" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Prepare Remediation Engine data
-        id: prepare-remediation-engine
-        run: |
-          if [ "${{ github.event_name }}" == "push" ] || [ "${{ github.event_name }}" == "pull_request" ]; then
-            echo 'branch=main' >> $GITHUB_OUTPUT
-          else
-            echo "branch=${{ env.REMEDIATION_ENGINE_BRANCH }}" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Prepare Bouncer lib data
-        id: prepare-bouncer-lib
-        run: |
-          if [ "${{ github.event_name }}" == "push" ] || [ "${{ github.event_name }}" == "pull_request" ]; then
-            echo 'branch=${{ github.ref_name }}' >> $GITHUB_OUTPUT
-          else
-            echo "branch=${{ env.BOUNCER_LIB_BRANCH }}" >> $GITHUB_OUTPUT
-          fi
-
   test-standalone-bouncer:
-    needs: prepare-data
     name: Run Standalone Bouncer tests
     if: ${{ !contains(github.event.head_commit.message, 'chore(') }}
-    uses: crowdsecurity/cs-standalone-php-bouncer/.github/workflows/php-sdk-development-tests.yml@main
+    uses: crowdsecurity/cs-standalone-php-bouncer/.github/workflows/php-sdk-development-tests.yml@736a2971d93dc6a7e9dc3a73051986b8f7e0b41a
     with:
-      php_common_branch: ${{ needs.prepare-data.outputs.php_common_branch }}
-      lapi_client_branch: ${{ needs.prepare-data.outputs.lapi_client_branch }}
-      remediation_engine_branch: ${{ needs.prepare-data.outputs.remediation_engine_branch }}
-      bouncer_lib_branch: ${{ needs.prepare-data.outputs.bouncer_lib_branch }}
-
-
+      php_common_json: '["main"]'
+      lapi_client_json: '["main"]'
+      remediation_engine_json: '["main"]'
+      bouncer_lib_json: '["${{ github.ref_name }}"]'