chore(CI): build deps using Bazel #1720
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: test | |
on: | |
push: | |
branches: | |
- master | |
- lts | |
- lts-dev | |
- current | |
- current-dev | |
pull_request: | |
schedule: | |
- cron: '0 0 * * SUN' | |
workflow_dispatch: | |
defaults: | |
run: | |
shell: bash | |
# cancel previous runs if new commits are pushed to the PR, but run for each commit on master | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
cancel-in-progress: true | |
jobs: | |
self-trigger: | |
runs-on: ubuntu-latest | |
if: ${{ github.event_name == 'schedule' }} | |
steps: | |
- name: Trigger | |
run: | | |
curl -H "Authorization: token ${{ secrets.ACCESS_TOKEN }}" \ | |
-X POST \ | |
-H "Accept: application/vnd.github.v3+json" \ | |
https://api.github.com/repos/ADD-SP/ngx_waf/actions/workflows/${{ github.workflow }}.yml/dispatches \ | |
-d '{"ref":"refs/heads/lts"}' | |
curl -H "Authorization: token ${{ secrets.ACCESS_TOKEN }}" \ | |
-X POST \ | |
-H "Accept: application/vnd.github.v3+json" \ | |
https://api.github.com/repos/ADD-SP/ngx_waf/actions/workflows/${{ github.workflow }}.yml/dispatches \ | |
-d '{"ref":"refs/heads/current"}' | |
build_deps: | |
name: Build dependencies | |
runs-on: ubuntu-latest | |
env: | |
BUILD_CACHE_NONCE: 0 | |
steps: | |
- name: Set environment variables | |
run: | | |
echo "CACHE_ROOT=$HOME/cache-root" >> $GITHUB_ENV | |
- uses: actions/checkout@v4 | |
with: | |
ref: ${{ github.ref }} | |
- name: Checkout SpiderLabs/ModSecurity | |
uses: actions/checkout@v3 | |
with: | |
repository: SpiderLabs/ModSecurity | |
path: ModSecurity | |
- name: Get ModSecurity commit hash | |
run: | | |
cd ModSecurity | |
echo "MODSECURITY_COMMIT_HASH=$(git rev-parse HEAD)" >> $GITHUB_ENV | |
- name: Lookup build cache | |
uses: actions/cache@v3 | |
id: cache-deps | |
with: | |
path: ${{ env.CACHE_ROOT }} | |
key: ${{ env.MODSECURITY_COMMIT_HASH }}-${{ env.BUILD_CACHE_NONCE }} | |
- name: Install dependencies | |
if: steps.cache-deps.outputs.cache-hit != 'true' | |
run: | | |
sudo apt-get --yes update | |
# https://github.com/actions/runner-images/issues/2139 | |
sudo apt-get remove nginx-core nginx-full nginx-light nginx-extras | |
sudo apt-get remove libgd3 | |
sudo apt-get install --yes libsodium23 libsodium-dev build-essential zlib1g-dev libpcre3 libpcre3-dev libssl-dev libxslt1-dev libxml2-dev libgeoip-dev libgd-dev libperl-dev libcurl4-openssl-dev | |
- name: Download and install ModSecurity | |
if: steps.cache-deps.outputs.cache-hit != 'true' | |
run: | | |
cd ModSecurity | |
./build.sh | |
git submodule init | |
git submodule update | |
./configure --prefix=/usr/local/modsecurity | |
make -j$(nproc) | |
sudo make install | |
- name: Package dependencies | |
if: steps.cache-deps.outputs.cache-hit != 'true' | |
run: | | |
mkdir -p ${{ env.CACHE_ROOT }} | |
mkdir -p /tmp/cache/usr/local | |
sudo cp -r /usr/local/modsecurity /tmp/cache/usr/local | |
tar -C /tmp/cache/ -cvzf ${{ env.CACHE_ROOT }}/cache.tar.gz . | |
native: | |
runs-on: ubuntu-latest | |
if: ${{ github.event_name != 'schedule' }} | |
needs: build_deps | |
env: | |
BUILD_CACHE_NONCE: 0 | |
strategy: | |
matrix: | |
nginx-version: ['stable', 'mainline'] | |
module-type: ['static', 'dynamic'] | |
pcre-version: ['pcre', 'pcre2'] | |
steps: | |
- uses: actions/setup-python@v2 | |
with: | |
python-version: '3.x' | |
architecture: 'x64' | |
- uses: actions/checkout@v4 | |
with: | |
ref: ${{ github.ref }} | |
submodules: true | |
- name: Install dependencies | |
run: | | |
sudo apt-get --yes update | |
# https://github.com/actions/runner-images/issues/2139 | |
sudo apt-get remove nginx-core \ | |
nginx-full \ | |
nginx-light \ | |
nginx-extrasc \ | |
libgd3 | |
sudo apt-get install --yes libsodium23 \ | |
libsodium-dev \ | |
build-essential \ | |
zlib1g-dev \ | |
libpcre3 \ | |
libpcre3-dev \ | |
libssl-dev \ | |
libxslt1-dev \ | |
libxml2-dev \ | |
libgeoip-dev \ | |
libgd-dev \ | |
libperl-dev \ | |
libcurl4-openssl-dev | |
- name: Download nginx-${{ matrix.nginx-version }} | |
run: | | |
sudo chmod 777 -R /usr/local/src | |
cd /usr/local/src | |
sudo pip install lastversion | |
lastversion download nginx:${{ matrix.nginx-version }} | |
mkdir nginx | |
tar zxf nginx-*.tar.gz --directory nginx --strip-components=1 | |
- name: Configure ${{ matrix.module-type }} | |
run: | | |
cd /usr/local/src/nginx | |
bazel build --config release --registry=file://$(realpath ngx_waf_deps) //:deps | |
pushd bazel-bin | |
tar -zxf deps.tar.gz | |
echo "$(realpath deps/libmodsecurity/lib)" | sudo tee -a /etc/ld.so.conf.d/ngx_waf.conf | |
echo "$(realpath deps/libsodium/lib)" | sudo tee -a /etc/ld.so.conf.d/ngx_waf.conf | |
echo "$(realpath deps/libcjson/lib)" | sudo tee -a /etc/ld.so.conf.d/ngx_waf.conf | |
sudo ldconfig | |
export LIB_MODSECURITY=$(realpath deps/libmodsecurity) | |
export LIB_SODIUM=$(realpath deps/libsodium) | |
export LIB_CJSON=$(realpath deps/libcjson) | |
export LIB_UTHASH=$(realpath deps/uthash) | |
popd | |
if [ ${{ matrix.module-type }} = 'static module' ] ; then \ | |
opt='--add-module' ;\ | |
else \ | |
opt='--add-dynamic-module' ;\ | |
fi | |
export LIB_MODSECURITY=/usr/local/modsecurity | |
./configure ${opt}=${{ github.workspace }} --with-http_realip_module --with-cc-opt='-Wno-unused-but-set-variable -Wno-unused-function -fstack-protector-strong' | |
- name: Install nginx-${{ matrix.nginx-version }} | |
run: | | |
cd /usr/local/src/nginx | |
make -j$(nproc) | |
sudo make install | |
sudo useradd nginx -s /sbin/nologin -M | |
sudo chmod 777 -R /usr/local/nginx | |
sudo ln -s /usr/local/nginx/sbin/nginx /usr/local/bin/nginx | |
- name: Install Test::Nginx | |
run: | | |
sudo cpan Test::Nginx | |
- name: Test | |
run: | | |
sudo chmod 777 -R /tmp | |
cd test/test-nginx | |
export MODULE_TEST_PATH=/tmp/module_test | |
sh ./init.sh | |
exec sudo sh start.sh t/*.t |