diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
new file mode 100644
index 0000000..4572df7
--- /dev/null
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,44 @@
+name: Lint
+
+on:
+ pull_request: {}
+ workflow_dispatch: {}
+ push:
+ branches:
+ - main
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+ lua-check:
+ timeout-minutes: ${{ fromJSON(vars.GHA_DEFAULT_TIMEOUT) }}
+ name: Lua Check
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ issues: read
+ checks: write
+ pull-requests: write
+ if: (github.actor != 'dependabot[bot]')
+
+ steps:
+ - name: Checkout source code
+ uses: actions/checkout@v3
+
+ # Optional step to run on only changed files
+ - name: Get changed files
+ id: changed-files
+ uses: tj-actions/changed-files@54849deb963ca9f24185fb5de2965e002d066e6b # v37
+ with:
+ files: |
+ **.lua
+
+ - name: Lua Check
+ if: steps.changed-files.outputs.any_changed == 'true'
+ uses: Kong/public-shared-actions/code-check-actions/lua-lint@a98be0184f832cb24a9dd233f99074e8ba17b488 # v2.3.3
+ with:
+ additional_args: '--no-default-config --config .luacheckrc'
+ files: ${{ steps.changed-files.outputs.all_changed_files }}
+ action_fail: true
diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml
new file mode 100644
index 0000000..2a3c894
--- /dev/null
+++ b/.github/workflows/sast.yml
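Review bot: In lint.yml the `Checkout source code` step uses `actions/checkout@v3`, a mutable tag, while the other two actions in the same job are pinned to full commit SHAs; the job holds `checks: write` and `pull-requests: write`, so every action it runs should be pinned the same way, e.g. `uses: actions/checkout@<full-commit-sha> # v3` (placeholder; take the SHA from the release you have reviewed). The same applies to `actions/checkout@v3` in sast.yml and to `actions/checkout@v2` and `actions/cache@v2` in tests.yml. Separately, `all_changed_files` is built from file names in the pull request, which the PR author controls; confirm that the lua-lint action hands its `files` input to the linter as arguments rather than through shell interpolation, which this diff does not show.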
@@ -0,0 +1,28 @@
+name: SAST
+
+on:
+ pull_request: {}
+ push:
+ branches:
+ - master
+ - main
+ workflow_dispatch: {}
+
+
+jobs:
+ semgrep:
+ timeout-minutes: ${{ fromJSON(vars.GHA_DEFAULT_TIMEOUT) }}
+ name: Semgrep SAST
+ runs-on: ubuntu-latest
+ permissions:
+ # required for all workflows
+ security-events: write
+ # only required for workflows in private repositories
+ actions: read
+ contents: read
+
+ if: (github.actor != 'dependabot[bot]')
+
+ steps:
+ - uses: actions/checkout@v3
+ - uses: Kong/public-shared-actions/security-actions/semgrep@33449c46c6766a3d3c8f167cc383381225862b36
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
new file mode 100644
index 0000000..62b06d3
--- /dev/null
+++ b/.github/workflows/tests.yml
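Review bot: The Semgrep step on the last line of sast.yml is pinned to a commit with no version comment, and that commit differs from the one used for the lua-lint action from the same Kong/public-shared-actions repository in lint.yml (marked `# v2.3.3` there), so a reader cannot tell which release runs here or whether the two are meant to diverge. Append the release as a comment: `uses: Kong/public-shared-actions/security-actions/semgrep@33449c46c6766a3d3c8f167cc383381225862b36 # <release tag>` (placeholder). Also, on pull requests from forks the token is read-only regardless of `security-events: write`; if the action uploads results to code scanning, which the permission comments suggest but the diff does not show, that upload would presumably fail for fork PRs, so it is worth deciding how those PRs should be scanned.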
@@ -0,0 +1,64 @@
+name: Test
+
+on: [push, pull_request]
+
+env:
+ LIBEXPAT_DOWNLOAD_URL: https://github.com/libexpat/libexpat/releases/download/R_2_5_0/expat-2.5.0.tar.gz
+
+jobs:
+
+ tests:
+ timeout-minutes: ${{ fromJSON(vars.GHA_DEFAULT_TIMEOUT) }}
+ name: Busted Tests
+
+ strategy:
+ matrix:
+ openresty_version:
+ - 1.17.8.2
+ - 1.19.9.1
+
+ runs-on: ubuntu-latest
+ container:
+ image: openresty/openresty:${{ matrix.openresty_version }}-alpine-fat
+ # --init runs tinit as PID 1 and prevents the 'WARNING: killing the child process' spam from the test suite
+ options: --init
+
+ steps:
+ - uses: actions/checkout@v2
+ - name: Install deps
+ run: |
+ apk add --no-cache curl perl bash wget git perl-dev libarchive-tools nodejs jq
+ ln -s /usr/bin/bsdtar /usr/bin/tar
+
+ - name: Build libexpat
+ if: matrix.openresty_version == '1.17.8.2'
+ run: |
+ mkdir -p /tmp/expat
+ curl -Ls $LIBEXPAT_DOWNLOAD_URL | tar -xz --strip-components=1 -f - -C /tmp/expat
+ cd /tmp/expat && ./configure && make && make install
+
+ - name: Install libexpat from package manager
+ if: matrix.openresty_version == '1.19.9.1'
+ run: |
+ apk add --no-cache expat-dev
+
+ - name: Cache
+ uses: actions/cache@v2
+ with:
+ path: |
+ ~/.cache
+ key: ${{ runner.os }}-${{ matrix.openresty_version }}-cache
+
+ - name: Install Busted
+ run: |
+ /usr/local/openresty/luajit/bin/luarocks install busted
+ /usr/local/openresty/luajit/bin/luarocks install luatz
+ /usr/local/openresty/luajit/bin/luarocks install luasocket
+
+ - uses: actions/checkout@v2
+
+ - name: Run tests
+ run: |
+ make dev
+ /usr/local/openresty/luajit/bin/luarocks make
+ busted
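Review bot: The `Build libexpat` step pipes `curl -Ls $LIBEXPAT_DOWNLOAD_URL` straight into `tar` and then runs `./configure && make && make install`, so the tarball is built and installed with no integrity check, and since `-s` is used without `-f` a failed download is only caught if tar happens to reject the response body. Download to a file, verify a pinned SHA-256 with `sha256sum -c`, and extract only after that; the checksum value below is a placeholder to be filled in from a trusted source. Unlike lint.yml and sast.yml, this workflow also declares no `permissions:` block, so the job runs with the repository's default token scope; a top-level `permissions:` with `contents: read` would match the other two. The three `luarocks install` lines likewise take whatever version is current, which is worth pinning if reproducible test runs matter.

```yaml
env:
  # … unchanged: LIBEXPAT_DOWNLOAD_URL …
  LIBEXPAT_SHA256: "<sha256 of expat-2.5.0.tar.gz, from a trusted source>"

      - name: Build libexpat
        # … unchanged: if condition …
        run: |
          mkdir -p /tmp/expat
          curl -fsSL -o /tmp/expat.tar.gz "$LIBEXPAT_DOWNLOAD_URL"
          echo "${LIBEXPAT_SHA256}  /tmp/expat.tar.gz" | sha256sum -c -
          tar -xz --strip-components=1 -f /tmp/expat.tar.gz -C /tmp/expat
          cd /tmp/expat && ./configure && make && make install
```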