build: Added basic CI support

.github/workflows/lint.yml

@@ -0,0 +1,44 @@
+name: Lint
+
+on:
+  pull_request: {}
+  workflow_dispatch: {}
+  push:
+    branches:
+      - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+  lua-check:
+    timeout-minutes: ${{ fromJSON(vars.GHA_DEFAULT_TIMEOUT) }}
+    name: Lua Check
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: read
+      checks: write
+      pull-requests: write
+    if: (github.actor != 'dependabot[bot]')
+
+    steps:
+    - name: Checkout source code
+      uses: actions/checkout@v3
+
+    # Optional step to run on only changed files
+    - name: Get changed files
+      id: changed-files
+      uses: tj-actions/changed-files@54849deb963ca9f24185fb5de2965e002d066e6b # v37
+      with:
+        files: |
+          **.lua
+
+    - name: Lua Check
+      if: steps.changed-files.outputs.any_changed == 'true'
+      uses: Kong/public-shared-actions/code-check-actions/lua-lint@a98be0184f832cb24a9dd233f99074e8ba17b488 # v2.3.3
+      with:
+        additional_args: '--no-default-config --config .luacheckrc'
+        files: ${{ steps.changed-files.outputs.all_changed_files }}
+        action_fail: true

.github/workflows/sast.yml

@@ -0,0 +1,28 @@
+name: SAST
+
+on:
+  pull_request: {}
+  push:
+    branches:
+    - master
+    - main
+  workflow_dispatch: {}
+
+
+jobs:
+  semgrep:
+    timeout-minutes: ${{ fromJSON(vars.GHA_DEFAULT_TIMEOUT) }}
+    name: Semgrep SAST
+    runs-on: ubuntu-latest
+    permissions:
+      # required for all workflows
+      security-events: write
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
+
+    if: (github.actor != 'dependabot[bot]')
+
+    steps:
+      - uses: actions/checkout@v3
+      - uses: Kong/public-shared-actions/security-actions/semgrep@33449c46c6766a3d3c8f167cc383381225862b36

.github/workflows/tests.yml

@@ -0,0 +1,64 @@
+name: Test
+
+on: [push, pull_request]
+
+env:
+  LIBEXPAT_DOWNLOAD_URL: https://github.com/libexpat/libexpat/releases/download/R_2_5_0/expat-2.5.0.tar.gz
+
+jobs:
+
+  tests:
+    timeout-minutes: ${{ fromJSON(vars.GHA_DEFAULT_TIMEOUT) }}
+    name: Busted Tests
+
+    strategy:
+      matrix:
+        openresty_version:
+          - 1.17.8.2
+          - 1.19.9.1
+
+    runs-on: ubuntu-latest
+    container:
+      image: openresty/openresty:${{ matrix.openresty_version }}-alpine-fat
+      # --init runs tinit as PID 1 and prevents the 'WARNING: killing the child process' spam from the test suite
+      options: --init
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Install deps
+      run: |
+        apk add --no-cache curl perl bash wget git perl-dev libarchive-tools nodejs jq
+        ln -s /usr/bin/bsdtar /usr/bin/tar
+
+    - name: Build libexpat
+      if: matrix.openresty_version == '1.17.8.2'
+      run: |
+        mkdir -p /tmp/expat
+        curl -Ls $LIBEXPAT_DOWNLOAD_URL | tar -xz --strip-components=1 -f - -C /tmp/expat
+        cd /tmp/expat && ./configure && make && make install
+
+    - name: Install libexpat from package manager
+      if: matrix.openresty_version == '1.19.9.1'
+      run: |
+        apk add --no-cache expat-dev
+
+    - name: Cache
+      uses: actions/cache@v2
+      with:
+        path: |
+          ~/.cache
+        key: ${{ runner.os }}-${{ matrix.openresty_version }}-cache
+
+    - name: Install Busted
+      run: |
+        /usr/local/openresty/luajit/bin/luarocks install busted
+        /usr/local/openresty/luajit/bin/luarocks install luatz
+        /usr/local/openresty/luajit/bin/luarocks install luasocket
+
+    - uses: actions/checkout@v2
+
+    - name: Run tests
+      run: |
+        make dev
+        /usr/local/openresty/luajit/bin/luarocks make
+        busted