mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 10:18:54 +00:00
2bca378f17
## Changelog - Updates connlib parameter API_URL (formerly known under different names as `CONTROL_PLANE_URL`, `PORTAL_URL`, `PORTAL_WS_URL`, and friends) to be configured as an "advanced" or "hidden" feature at runtime so that we can test production builds on both staging and production. - Makes `AUTH_BASE_URL` configurable at runtime too - Moves `CONNLIB_LOG_FILTER_STRING` to be configured like this as well and simplifies its naming - Fixes a timing attack bug on Android when comparing the `csrf` token - Adds proper account ID validation to Android to prevent invalid URL parameter strings from being saved and used - Cleans up a number of UI / view issues on Android regarding typos, consistency, etc - Hides vars from from the `relay` CLI we may not want to expose just yet - `get_device_id()` is flawed for connlib components -- SMBios is rarely available. Data plane components now require a `FIREZONE_ID` now instead to use for upserting. Fixes #2482 Fixes #2471 --------- Signed-off-by: Jamil <jamilbk@users.noreply.github.com> Co-authored-by: Gabi <gabrielalejandro7@gmail.com>
186 lines
6.4 KiB
YAML
186 lines
6.4 KiB
YAML
name: Continuous Integration
|
|
on:
|
|
pull_request:
|
|
merge_group:
|
|
types: [checks_requested]
|
|
workflow_call:
|
|
|
|
# Cancel old workflow runs if new code is pushed
|
|
concurrency:
|
|
group: "ci-${{ github.workflow }}-${{ github.ref }}"
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
elixir:
|
|
uses: ./.github/workflows/_elixir.yml
|
|
rust:
|
|
uses: ./.github/workflows/_rust.yml
|
|
kotlin:
|
|
uses: ./.github/workflows/_kotlin.yml
|
|
secrets: inherit
|
|
swift:
|
|
uses: ./.github/workflows/_swift.yml
|
|
secrets: inherit
|
|
static-analysis:
|
|
uses: ./.github/workflows/_static-analysis.yml
|
|
terraform:
|
|
uses: ./.github/workflows/_terraform.yml
|
|
secrets: inherit
|
|
codeql:
|
|
uses: ./.github/workflows/_codeql.yml
|
|
secrets: inherit
|
|
|
|
# We could build these in GCP with Cloud Build, but for now it's
|
|
# less overhead to keep things in GH actions. See work on building these
|
|
# in GCP with Cloud Build: https://github.com/firezone/firezone/pull/2234
|
|
build-images:
|
|
runs-on: ubuntu-22.04-firezone-4c
|
|
strategy:
|
|
matrix:
|
|
include:
|
|
- image_name: api
|
|
target: runtime
|
|
context: elixir
|
|
build-args: |
|
|
APPLICATION_NAME=api
|
|
- image_name: web
|
|
target: runtime
|
|
context: elixir
|
|
build-args: |
|
|
APPLICATION_NAME=web
|
|
- image_name: gateway
|
|
target: debug
|
|
context: rust
|
|
build-args: |
|
|
PACKAGE=firezone-gateway
|
|
- image_name: relay
|
|
target: debug
|
|
context: rust
|
|
build-args: |
|
|
PACKAGE=firezone-relay
|
|
- image_name: client
|
|
target: debug
|
|
context: rust
|
|
build-args: |
|
|
PACKAGE=firezone-linux-client
|
|
- image_name: elixir
|
|
target: compiler
|
|
context: elixir
|
|
build-args: |
|
|
APPLICATION_NAME=api
|
|
permissions:
|
|
contents: read
|
|
id-token: write
|
|
env:
|
|
# mark:automatic-version
|
|
VERSION: "1.20231001.0"
|
|
APPLICATION_NAME: ${{ matrix.image_name }}
|
|
steps:
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
with:
|
|
# We are overriding the default buildkit version being used by Buildx. We need buildkit >= 12.0 and currently BuildX
|
|
# supports v0.11.6 https://github.com/docker/buildx/blob/b8739d74417f86aa8fc9aafb830a8ba656bdef0e/Dockerfile#L9.
|
|
# We should for any updates on buildx and on the setup-buildx-action itself.
|
|
driver-opts: |
|
|
image=moby/buildkit:v0.12.0
|
|
- uses: actions/checkout@v4
|
|
- name: Sanitize github.ref_name
|
|
run: |
|
|
REF="${{ github.ref_name }}" # `ref_name` contains `/` which is not a valid docker image tag.
|
|
CACHE_TAG="${REF//\//-}"
|
|
echo "CACHE_TAG=$CACHE_TAG" >> "$GITHUB_ENV"
|
|
echo "BRANCH_TAG=$CACHE_TAG" >> "$GITHUB_ENV"
|
|
- uses: ./.github/actions/gcp-docker-login
|
|
id: login
|
|
with:
|
|
project: firezone-staging
|
|
- name: Build Docker images
|
|
uses: docker/build-push-action@v5
|
|
with:
|
|
platforms: linux/amd64
|
|
build-args: ${{ matrix.build-args }}
|
|
context: ${{ matrix.context }}/
|
|
cache-from: |
|
|
type=registry,ref=${{ steps.login.outputs.registry }}/cache/${{ matrix.image_name }}:${{ env.CACHE_TAG }}
|
|
type=registry,ref=${{ steps.login.outputs.registry }}/cache/${{ matrix.image_name }}:main
|
|
# This will write the cache on main even if integration tests fail,
|
|
# but it'll just be corrected on the next successful build.
|
|
cache-to: |
|
|
type=registry,ref=${{steps.login.outputs.registry}}/cache/${{ matrix.image_name}}:${{ env.CACHE_TAG }}
|
|
file: ${{ matrix.context }}/Dockerfile
|
|
push: true
|
|
target: ${{ matrix.target }}
|
|
tags: |
|
|
${{ steps.login.outputs.registry }}/firezone/${{ matrix.image_name }}:${{ env.VERSION }}-${{ github.sha }}
|
|
${{ steps.login.outputs.registry }}/firezone/${{ matrix.image_name }}:${{ env.BRANCH_TAG }}
|
|
${{ steps.login.outputs.registry }}/firezone/${{ matrix.image_name }}:${{ github.sha }}
|
|
|
|
integration-tests:
|
|
needs: build-images
|
|
runs-on: ubuntu-22.04
|
|
permissions:
|
|
contents: read
|
|
id-token: write
|
|
env:
|
|
VERSION: ${{ github.sha }}
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
include:
|
|
# TODO
|
|
# - Run control plane components as services
|
|
# - Test clients
|
|
# - Test with different NAT types
|
|
# - Test IPv6
|
|
# - Test end-to-end critical paths
|
|
- test_name: Relayed flow
|
|
setup: |
|
|
# Disallow traffic between gateway and client container
|
|
sudo iptables -I FORWARD 1 -s 172.28.0.100 -d 172.28.0.105 -j DROP
|
|
sudo iptables -I FORWARD 1 -s 172.28.0.105 -d 172.28.0.100 -j DROP
|
|
execute: |
|
|
docker compose exec -it client timeout 60 \
|
|
sh -c 'until ping -W 1 -c 1 172.20.0.100 &>/dev/null; do true; done'
|
|
- test_name: Basic flow
|
|
setup: echo 'Noop'
|
|
execute: |
|
|
docker compose exec -it client timeout 60 \
|
|
sh -c 'until ping -W 1 -c 1 172.20.0.100 &>/dev/null; do true; done'
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: ./.github/actions/gcp-docker-login
|
|
id: login
|
|
with:
|
|
project: firezone-staging
|
|
- name: Seed database
|
|
run:
|
|
docker compose run elixir /bin/sh -c 'cd apps/domain && mix ecto.seed'
|
|
- name: Start docker compose in the background
|
|
run: |
|
|
docker compose up -d \
|
|
api \
|
|
web \
|
|
client \
|
|
relay \
|
|
gateway
|
|
- name: Setup ${{ matrix.test_name }} test
|
|
run: ${{ matrix.setup }}
|
|
- name: Execute ${{ matrix.test_name }} test
|
|
run: ${{ matrix.execute }}
|
|
- name: Show Client logs
|
|
if: "!cancelled()"
|
|
run: docker compose logs client
|
|
- name: Show Relay logs
|
|
if: "!cancelled()"
|
|
run: docker compose logs relay
|
|
- name: Show Gateway logs
|
|
if: "!cancelled()"
|
|
run: docker compose logs gateway
|
|
- name: Show API logs
|
|
if: "!cancelled()"
|
|
run: docker compose logs api
|
|
- name: Show httpbin logs
|
|
if: "!cancelled()"
|
|
run: docker compose logs httpbin
|