issues/365: Do not use IP address and TLS fingerprint to validate cookies by default. #2952
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# DOCS: | |
# 1. https://help.github.com/en/articles/workflow-syntax-for-github-actions | |
# 2. https://github.com/mvdan/github-actions-golang/issues/22 | |
# 3. https://github.com/stellar/go/blob/master/.github/actions/setup-go/action.yml | |
# 4. https://github.com/stellar/go/blob/master/.github/workflows/go.yml | |
# 5. https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds | |
# 6. https://github.com/golang/go/issues/58571 | |
name: ong ci | |
on: | |
pull_request: | |
push: | |
branches: | |
- main | |
jobs: | |
check_release_notes: | |
name: check_release_notes | |
timeout-minutes: 1 | |
strategy: | |
matrix: | |
go-version: ['>=1.21.1'] | |
platform: [ubuntu-22.04] | |
runs-on: ${{ matrix.platform }} | |
steps: | |
# checkout main branch and the current branch so that we are able to do diff operations. | |
- name: checkout main branch too. | |
uses: actions/checkout@v3 | |
with: | |
ref: main | |
- name: Check out code into the Go module directory | |
uses: actions/checkout@v3 | |
# https://docs.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions | |
- name: check if changes have release notes | |
if: ${{ github.ref != 'refs/heads/main' }} | |
env: | |
GIT_BRANCH: ${{ github.ref }} | |
GITHUB_HEAD_REF: ${{ github.head_ref }} | |
GITHUB_BASE_REF: ${{ github.base_ref }} | |
run: | | |
printf "GIT_BRANCH: $GIT_BRANCH \n" | |
printf "GITHUB_HEAD_REF: $GITHUB_HEAD_REF \n" | |
printf "GITHUB_BASE_REF: $GITHUB_BASE_REF \n" | |
printf "list git branches: \n" | |
git branch --list --all | |
if [[ "$GIT_BRANCH" == "refs/heads/main" ]] | |
then | |
printf "\n $GIT_BRANCH branch, ignoring check for relese notes \n" | |
elif [[ "$GIT_BRANCH" == *"refs/tags/"* ]] | |
then | |
printf "\n $GIT_BRANCH branch, ignoring check for relese notes \n" | |
else | |
ChangedFiles=`git diff --name-only remotes/origin/main` | |
echo $ChangedFiles | |
case "$ChangedFiles" in | |
*CHANGELOG.*) | |
printf "\n Thanks, your commits include update to release notes. \n";; | |
*) | |
printf "\n You should add release notes to CHANGELOG.md \n" && exit 77;; | |
esac | |
fi | |
run_tests: | |
name: run_tests | |
timeout-minutes: 7 | |
strategy: | |
matrix: | |
go-version: ['>=1.21.1'] | |
platform: [ubuntu-22.04] | |
runs-on: ${{ matrix.platform }} | |
steps: | |
- name: Check out code into the Go module directory | |
uses: actions/checkout@v3 | |
- name: Set up Go | |
uses: actions/setup-go@v4 # since v4, it added cache by default. | |
with: | |
go-version: ${{ matrix.go-version }} | |
- name: tests and benchmarks | |
run: | | |
ulimit -a | |
env | |
set -x | |
go test -timeout 1m -race -run=XXXX -bench=. ./... | |
go test -timeout 4m -race -cover -coverprofile=coverage.out -shuffle on ./... | |
go tool cover -html=coverage.out -o coverage.html | |
go tool cover -func=coverage.out | |
wget -nc --output-document=/tmp/codecov https://github.com/codecov/uploader/releases/download/v0.3.5/codecov-linux | |
chmod +x /tmp/codecov | |
/tmp/codecov | |
env: | |
ONG_RUNNING_IN_TESTS: 'YES' | |
run_analysis: | |
name: run_analysis | |
timeout-minutes: 8 | |
strategy: | |
matrix: | |
go-version: ['>=1.21.1'] | |
platform: [ubuntu-22.04] | |
runs-on: ${{ matrix.platform }} | |
steps: | |
- name: Check out code into the Go module directory | |
uses: actions/checkout@v3 | |
- name: Set up Go | |
uses: actions/setup-go@v4 | |
with: | |
go-version: ${{ matrix.go-version }} | |
- name: install apt and pip deps | |
run: | | |
pwd; ls -lsha | |
sudo apt -y update | |
sudo apt -y install wget | |
- name: install tools | |
run: | | |
set -x | |
go install honnef.co/go/tools/cmd/staticcheck@latest | |
go install github.com/securego/gosec/cmd/gosec@latest | |
go install github.com/quasilyte/go-ruleguard/cmd/ruleguard@latest | |
go install github.com/orijtech/structslop/cmd/structslop@latest | |
go install github.com/orijtech/httperroryzer/cmd/httperroryzer@latest | |
go install golang.org/x/tools/cmd/stress@latest | |
go install golang.org/x/tools/cmd/goimports@latest | |
go install golang.org/x/tools/go/analysis/passes/shadow/cmd/shadow@latest | |
go install golang.org/x/tools/go/analysis/passes/nilness/cmd/nilness@latest | |
go install github.com/kisielk/errcheck@latest | |
go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest | |
go install mvdan.cc/gofumpt@latest | |
go install golang.org/x/vuln/cmd/govulncheck@latest | |
go install github.com/mdempsky/unconvert@latest | |
go install github.com/zricethezav/gitleaks/v8@latest | |
# go install gvisor.dev/gvisor/tools/checklocks/cmd/checklocks@latest | |
go install gvisor.dev/gvisor/tools/checklocks/cmd/[email protected] | |
/home/runner/go/bin/staticcheck -version | |
env: | |
SOME_ENV_VAR: '2020.1.6' | |
- name: static analysis | |
run: | | |
set -x | |
diff <(gofmt -d .) <(printf "") | |
diff <(gofumpt -extra -w -d .) <(printf "") | |
diff <(goimports -d .) <(printf "") | |
go vet -all ./... | |
go vet -vettool=/home/runner/go/bin/shadow -strict ./... | |
go vet -vettool=/home/runner/go/bin/nilness -test ./... | |
/home/runner/go/bin/checklocks -test=false ./... | |
/home/runner/go/bin/staticcheck -tests ./... | |
govulncheck ./... | |
# /home/runner/go/bin/gosec ./... # does not seem to work with Go1.21 | |
# /home/runner/go/bin/structslop ./... # does not seem to work with Go1.21 | |
/home/runner/go/bin/httperroryzer ./... | |
# see: https://github.com/golang/go/commit/a98589711da5e9d935e8d690cfca92892e86d557 | |
/home/runner/go/bin/errcheck -ignoregenerated -ignoretests -asserts ./... | |
/home/runner/go/bin/unconvert -v ./... | |
/home/runner/go/bin/gitleaks detect . -v --no-git --baseline-path .gitleaksignore | |
# To create the gitleaksignore file, run; | |
# rm -rf .gitleaksignore; gitleaks detect . --no-git --report-path .gitleaksignore | |
# dont use golangci-lint | |
# see: https://twitter.com/dominikhonnef/status/1394766501157167112 | |
# | |
# In our case we need to use it so that we can be able to use `nolint:gocritic` in the errors package. | |
# | |
wget -nc --output-document=/tmp/semgrep-go.zip https://github.com/dgryski/semgrep-go/archive/refs/heads/master.zip | |
unzip -o /tmp/semgrep-go.zip -d /tmp/semgrep-go | |
go get github.com/quasilyte/go-ruleguard/dsl | |
golangci-lint run --config .golangci.yml ./... | |
go mod tidy | |
python -m venv /tmp/.venv | |
. /tmp/.venv/bin/activate | |
python -m pip install --trusted-host files.pythonhosted.org --trusted-host pypi.org --trusted-host pypi.python.org semgrep | |
semgrep -f /tmp/semgrep-go/semgrep-go-master/ --error . | |
deactivate | |
# An alternative it to do: | |
# semgrep -f https://semgrep.dev/r/dgryski.semgrep-go --exclude="*_test.go" . | |
# deadlock detection | |
# https://github.com/cockroachdb/cockroach/issues/7972 | |
go get github.com/sasha-s/go-deadlock | |
find . -name "*.go" | xargs -n 1 sed -i.backup 's/sync.RWMutex/deadlock.RWMutex/' | |
find . -name "*.go" | xargs -n 1 sed -i.backup 's/sync.Mutex/deadlock.Mutex/' | |
find . -name '*.backup' -delete | |
/home/runner/go/bin/goimports -w . | |
go test -timeout 4m -race ./... | |
go mod tidy | |
# TODO: add https://github.com/system-pclub/GCatch | |
env: | |
ONG_RUNNING_IN_TESTS: 'YES' | |
# https://go.dev/testing/coverage/ | |
integration_test_coverage: | |
name: integration_test_coverage | |
timeout-minutes: 3 | |
strategy: | |
matrix: | |
go-version: ['>=1.21.1'] | |
platform: [ubuntu-22.04] | |
runs-on: ${{ matrix.platform }} | |
steps: | |
- name: Check out code into the Go module directory | |
uses: actions/checkout@v3 | |
- name: Set up Go | |
uses: actions/setup-go@v4 | |
with: | |
go-version: ${{ matrix.go-version }} | |
- name: whole program coverage | |
run: | | |
set -x | |
pwd; ls -lsha | |
sudo apt -y update | |
sudo apt -y install libnss3-tools jq # certutil | |
mkdir -p coverage/ | |
rm -rf coverage/* ongExample | |
go build -cover -o ongExample github.com/komuw/ong/example | |
GOCOVERDIR=coverage/ ./ongExample > logs_one.json 2>&1 & | |
sleep 10 && kill -15 $(pidof ongExample) | |
{ # try | |
kill -9 $(pidof ongExample) | |
} || { # catch | |
echo -n "" | |
} | |
cat logs_one.json | |
GOCOVERDIR=coverage/ ./ongExample > logs_two.json 2>&1 & | |
sleep 10 | |
cat logs_two.json | |
ls -lsha coverage/ | |
ss --listening --processes --query=tcp,udp | |
go test -timeout 4m -race --tags=integration github.com/komuw/ong/example -v | |
kill -15 $(pidof ongExample) | |
{ # try | |
kill -9 $(pidof ongExample) | |
} || { # catch | |
echo -n "" | |
} | |
ls -lsha coverage/ | |
go tool covdata percent -i=coverage | |
env: | |
ONG_RUNNING_IN_TESTS: 'YES' | |
ONG_EXAMPLE_TESTS_BASIC_AUTH: "super-h@rd-Pas1word" # Ought to be same value as used in /example/main.go | |
# run_stress_test: | |
# name: run_stress_test | |
# timeout-minutes: 2 | |
# strategy: | |
# matrix: | |
# go-version: ['>=1.21.1'] | |
# platform: [ubuntu-22.04] | |
# runs-on: ${{ matrix.platform }} | |
# steps: | |
# - name: Set up Go | |
# uses: actions/setup-go@v4 | |
# with: | |
# go-version: ${{ matrix.go-version }} | |
# - name: stress test | |
# run: | | |
# go install golang.org/x/tools/cmd/stress@latest | |
# go test -o ong.test -c -race | |
# /home/runner/go/bin/stress -timeout 10s ./ong.test |