chore(deps): update nginxinc/nginx-unprivileged docker tag to v1.28.0 in readme.md #578
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Verify Images | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| env: | |
| # sha256sum format: <hash><space><format (space for text)><file name> | |
| MODSECURITY_RECOMMENDED: "ccff8ba1f12428b34ff41960d8bf773dd9f62b9a7c77755247a027cb01896d4f modsecurity.conf-recommended" | |
| GO_FTW_VERSION: '1.3.0' | |
| jobs: | |
| prepare: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| targets: ${{ steps.generate.outputs.targets }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: List targets | |
| id: generate | |
| uses: docker/bake-action/subaction/list-targets@v4 | |
| - name: Check modsecurity recommended | |
| run: | | |
| curl -sSL https://raw.githubusercontent.com/owasp-modsecurity/ModSecurity/v3/master/modsecurity.conf-recommended -o modsecurity.conf-recommended | |
| echo '${{ env.MODSECURITY_RECOMMENDED }}' > sha256sum.txt | |
| sha256sum -c sha256sum.txt | |
| build: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - prepare | |
| strategy: | |
| matrix: | |
| target: ${{ fromJson(needs.prepare.outputs.targets) }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 1 | |
| # https://github.com/docker/setup-qemu-action | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| with: | |
| image: tonistiigi/binfmt:qemu-v9.2.0 | |
| # https://github.com/docker/setup-buildx-action | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| with: | |
| driver-opts: image=moby/buildkit:master | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build ${{ matrix.target }}-verification | |
| uses: docker/[email protected] | |
| with: | |
| files: | | |
| ./docker-bake.hcl | |
| targets: ${{ matrix.target }} | |
| # Build only linux/amd64 and tag the images as verification builds. | |
| # Create a tar archive and load the image into Docker. | |
| set: | | |
| *.platform=linux/amd64 | |
| ${{ matrix.target }}.tags=${{ matrix.target }}-verification | |
| *.output=type=docker,dest=${{ matrix.target }}-verification.tar | |
| *.output=type=docker | |
| push: false | |
| - name: Upload image artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ matrix.target }}-verification.tar | |
| path: ${{ matrix.target }}-verification.tar | |
| retention-days: 7 | |
| overwrite: true | |
| - name: Run ${{ matrix.target }} | |
| run: | | |
| . .github/workflows/configure-rules-for-test.sh \ | |
| src/opt/modsecurity/configure-rules.conf \ | |
| README.md \ | |
| "${{ matrix.target }}.env" | |
| echo "Starting container ${{ matrix.target }}-verification" | |
| docker run \ | |
| --pull "never" \ | |
| -d \ | |
| --name ${{ matrix.target }}-test \ | |
| --env-file "${{ matrix.target }}.env" \ | |
| "${{ matrix.target }}-verification" | |
| sleep 30 | |
| docker logs ${{ matrix.target }}-test | |
| - name: Verify ${{ matrix.target }} | |
| run: | | |
| [ $(docker inspect ${{ matrix.target }}-test --format='{{.State.Running}}') = 'true' ] | |
| if grep -q "nginx "<<< "${{ matrix.target }}"; then | |
| curl -q -D headers.txt http://localhost:8080/?test=../../etc/passwd | |
| grep -q "HTTP/1.1 403 Forbidden" headers.txt | |
| grep -q "Access-Control-Allow-Origin: *" headers.txt | |
| grep -q "Access-Control-Max-Age: 3600" headers.txt | |
| grep -q "Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS" headers.txt | |
| grep -q "Access-Control-Allow-Headers: *" headers.txt | |
| fi | |
| - name: Checkout CRS | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 1 | |
| repository: coreruleset/coreruleset | |
| path: crs | |
| - name: "Install go-ftw" | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| cd crs | |
| gh release download -R coreruleset/go-ftw "v${{ env.GO_FTW_VERSION }}" \ | |
| -p "ftw_${{ env.GO_FTW_VERSION }}_linux_amd64.tar.gz" -O - | tar -xzvf - ftw | |
| - name: Patch CRS compose file to use verification image | |
| run: | | |
| sed -i \ | |
| 's#image: owasp/modsecurity-crs:${{ contains(matrix.target, 'apache') && 'apache' || 'nginx' }}.*#image: ${{ matrix.target }}-verification#' \ | |
| crs/tests/docker-compose.yml | |
| - name: Run CRS tests for ${{ matrix.target }} | |
| # Log flushing isn't reliable enough for go-ftw (https://github.com/coreruleset/go-ftw/issues/473) | |
| if: ${{!contains(matrix.target, 'nginx-alpine')}} | |
| run: | | |
| cd crs | |
| modsec_version="${{ contains(matrix.target, 'apache') && 'modsec2-apache' || 'modsec3-nginx' }}" | |
| backend="${{ contains(matrix.target, 'apache') && 'httpd' || 'nginx' }}" | |
| mkdir -p "tests/logs/${modsec_version}/{nginx,apache2}" | |
| docker compose -f ./tests/docker-compose.yml up -d "${modsec_version}" | |
| sleep 10 | |
| docker compose -f ./tests/docker-compose.yml logs | |
| if ! [ "$(docker inspect ${modsec_version} --format='{{.State.Running}}')" = "true" ]; then | |
| echo "Web server failed to start. Aborting." | |
| exit 1 | |
| fi | |
| ./ftw check -d tests/regression/tests | |
| ./ftw run \ | |
| -d tests/regression/tests \ | |
| --log-file "tests/logs/${modsec_version}/error.log" \ | |
| --overrides "tests/regression/${backend}-overrides.yaml" \ | |
| --show-failures-only | |
| - name: Upload logs | |
| uses: actions/upload-artifact@v4 | |
| if: always() | |
| with: | |
| name: ${{ matrix.target }}-error.log | |
| path: "crs/tests/logs/${{ contains(matrix.target, 'apache') && 'modsec2-apache' || 'modsec3-nginx' }}/error.log" | |
| retention-days: 7 | |
| overwrite: true |