actions/cache
1
0
Fork 0
mirror of https://github.com/actions/cache.git synced 2026-03-07 10:13:07 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Compare commits

base: actions:2e9cddfa69039bd3d8d0ab9f27a246fd8c4f4de2
Branches Tags
actions:main
actions:dependabot/npm_and_yarn/fast-xml-parser-5.4.2
actions:dependabot/github_actions/minor-actions-dependencies-e5c33472d6
actions:dependabot/github_actions/github/codeql-action-4
actions:dependabot/github_actions/actions/checkout-6
actions:dependabot/github_actions/actions/setup-node-6
actions:dependabot/github_actions/actions/stale-10
actions:dependabot/npm_and_yarn/multi-770cfcd984
actions:dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-8.54.0
actions:dependabot/npm_and_yarn/eslint-9.39.2
actions:dependabot/npm_and_yarn/multi-a28ee524ce
actions:dependabot/npm_and_yarn/actions/cache-6.0.0
actions:dependabot/npm_and_yarn/eslint-config-prettier-10.1.8
actions:copilot/triage-open-pull-requests
actions:alert-autofix-51
actions:v3.5.0-working
actions:v3.4.3-working
actions:v3.4.2-working
actions:v3.4.1-working
actions:v3.4.0-working
actions:Link-/blobcache-spike
actions:yacaovsnc/update_readme
actions:robherley/v3.3.3
actions:releases/v1
actions:bishal/debug-sdk-batch
actions:pdotl-patch-1
actions:anuragc617/update_v2
actions:update_v2
actions:bishal-pdMSFT-patch-4
actions:kotewar/update-readme-for-lookup
actions:kotewar/updating-cache-dependency
actions:pdotl/zstd-hotfix
actions:t-dedah-patch-1
actions:phantsure/v3.2.5
actions:pallavx-patch-1
actions:pallavx-patch-1-1
actions:vsvipul/dep-fix
actions:kotewar/states-input-provider
actions:phantsure/releaae-symlink
actions:phantsure/symlink
actions:phantsure/revert-compression-changes
actions:phantsure/cross-doc
actions:Phantsure-patch-1
actions:phantsure/compression-release
actions:releases/v3-beta
actions:bishal-pdMSFT-patch-3
actions:tanuj077/save-changes
actions:kotewar/adding-support-for-http-client
actions:phantsure/v3-beta
actions:bishal/outputter
actions:t-dedah/new-node
actions:tanuj077/cache-control-save
actions:phantsure/npm-fix
actions:revert-998-dependabot/npm_and_yarn/minimatch-3.1.2
actions:master
actions:vsvipul/change-assignee-logic
actions:t-dedah/cache-eviction
actions:bishal/readme-cache-version
actions:bishal-pdMSFT-patch-2
actions:pdotl-version-bump
actions:vsvipul/new-release
actions:vsvipul/fix-sort
actions:tiwarishub/release-3.0.9
actions:tiwarishub/ghes_wanr_msg_update
actions:vsvipul/add-anurag
actions:vsvipul-patch-2
actions:vsvipul-patch-1
actions:vsvipul/add-reviewers
actions:vsvipul/fix-dep
actions:bishal-pdMSFT-patch-1
actions:tiwarishub/hackyTimeout
actions:tiwarishub/cache-3-0-5
actions:tiwarishub/cache-3-0
actions:fix-345
actions:vsvipul/fix-auto-assign
actions:vsvipul/alert-fix
actions:vsvipul/test-assign-pr
actions:t-dedah/updatePackage
actions:t-dedah/cacheSize
actions:t-dedah/test
actions:testGheswithACFlag
actions:v3_fix
actions:2gb_issue_fix
actions:users/ashwinsangem/update_whats_new
actions:revert-173-add-stack-example
actions:node-update
actions:test-fast
actions:up-dep2
actions:resolve-dep
actions:up-dep
actions:enableForGHES
actions:testEnableForGHES.v1
actions:dhadka/fix-fd-errors
actions:dhadka/update-deps
actions:dhadka/update-1.0.7
actions:aiqiaoy/windows-cache-path
actions:dhadka/bump-cache
actions:dhadka/update-core
actions:dhadka/update-cache-module
actions:dhadka/upload-chunk-size
actions:dhadka/cache-1.0.1
actions:dhadka/exit-after-run
actions:improve-string-split
actions:releases/v2
actions:add-retries
actions:timeout-env-var
actions:joshmgross/sudo-tar
actions:joshmgross/chunked-upload-testing
actions:joshmgross/windows-bsd-tar-release
actions:preview
actions:v5.0.3
actions:v5
actions:v5.0.2
actions:v5.0.1
actions:v5.0.0
actions:v4.3.0
actions:v4
actions:v3.5.0
actions:v3
actions:v4.2.4
actions:v4.2.3
actions:v3.4.3
actions:v4.2.2
actions:v3.4.2
actions:v4.2.1
actions:v3.4.1
actions:v4.2.0
actions:v3.4.0
actions:v4.1.2
actions:v4.1.1
actions:v4.1.0
actions:v4.0.2
actions:v4.0.1
actions:v4.0.0
actions:v3.3.3
actions:v3.3.2
actions:v1
actions:v1.2.1
actions:v2.1.8
actions:v2
actions:v3.3.1
actions:v3.3.0
actions:v3.2.6
actions:v3.2.5
actions:v3.2.4
actions:v3.2.3
actions:v3.2.2
actions:v3.2.1
actions:v3.2.0
actions:v3.2.0-beta
actions:v3.2.0-beta.1
actions:v3.1.0-beta
actions:v3.1.0-beta.3
actions:v3.1.0-beta.2
actions:v3.1.0-beta.1
actions:v3.0.11
actions:v3.0.10
actions:v3.0.9
actions:v3.0.8
actions:v3.0.7
actions:v3.0.6
actions:v3.0.5
actions:v3.0.4
actions:v3.0.3
actions:v3.0.2
actions:v3.0.1
actions:v3.0.0
actions:testEnableForGHES
actions:v2.1.7
actions:v2.1.6
actions:v2.1.5
actions:v2.1.4
actions:v2.1.3
actions:v2.1.2
actions:v2.1.1
actions:v2.1.0
actions:v2.0.0
actions:v1.2.0
actions:v1.1.2
actions:v1.1.1
actions:v1.1.0
actions:v1.0.3
actions:v1.0.2
actions:v1.0.1
actions:v1.0.0
actions:v0.0.2
actions:v0.0.1
...
compare: actions:d59cb79a26a8d74630c22cbb08feabe65fc8e099
Branches Tags
actions:dependabot/npm_and_yarn/fast-xml-parser-5.4.2
actions:dependabot/github_actions/minor-actions-dependencies-e5c33472d6
actions:dependabot/github_actions/github/codeql-action-4
actions:dependabot/github_actions/actions/checkout-6
actions:dependabot/github_actions/actions/setup-node-6
actions:dependabot/github_actions/actions/stale-10
actions:dependabot/npm_and_yarn/multi-770cfcd984
actions:dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-8.54.0
actions:dependabot/npm_and_yarn/eslint-9.39.2
actions:dependabot/npm_and_yarn/multi-a28ee524ce
actions:dependabot/npm_and_yarn/actions/cache-6.0.0
actions:dependabot/npm_and_yarn/eslint-config-prettier-10.1.8
actions:main
actions:copilot/triage-open-pull-requests
actions:alert-autofix-51
actions:v3.5.0-working
actions:v3.4.3-working
actions:v3.4.2-working
actions:v3.4.1-working
actions:v3.4.0-working
actions:Link-/blobcache-spike
actions:yacaovsnc/update_readme
actions:robherley/v3.3.3
actions:releases/v1
actions:bishal/debug-sdk-batch
actions:pdotl-patch-1
actions:anuragc617/update_v2
actions:update_v2
actions:bishal-pdMSFT-patch-4
actions:kotewar/update-readme-for-lookup
actions:kotewar/updating-cache-dependency
actions:pdotl/zstd-hotfix
actions:t-dedah-patch-1
actions:phantsure/v3.2.5
actions:pallavx-patch-1
actions:pallavx-patch-1-1
actions:vsvipul/dep-fix
actions:kotewar/states-input-provider
actions:phantsure/releaae-symlink
actions:phantsure/symlink
actions:phantsure/revert-compression-changes
actions:phantsure/cross-doc
actions:Phantsure-patch-1
actions:phantsure/compression-release
actions:releases/v3-beta
actions:bishal-pdMSFT-patch-3
actions:tanuj077/save-changes
actions:kotewar/adding-support-for-http-client
actions:phantsure/v3-beta
actions:bishal/outputter
actions:t-dedah/new-node
actions:tanuj077/cache-control-save
actions:phantsure/npm-fix
actions:revert-998-dependabot/npm_and_yarn/minimatch-3.1.2
actions:master
actions:vsvipul/change-assignee-logic
actions:t-dedah/cache-eviction
actions:bishal/readme-cache-version
actions:bishal-pdMSFT-patch-2
actions:pdotl-version-bump
actions:vsvipul/new-release
actions:vsvipul/fix-sort
actions:tiwarishub/release-3.0.9
actions:tiwarishub/ghes_wanr_msg_update
actions:vsvipul/add-anurag
actions:vsvipul-patch-2
actions:vsvipul-patch-1
actions:vsvipul/add-reviewers
actions:vsvipul/fix-dep
actions:bishal-pdMSFT-patch-1
actions:tiwarishub/hackyTimeout
actions:tiwarishub/cache-3-0-5
actions:tiwarishub/cache-3-0
actions:fix-345
actions:vsvipul/fix-auto-assign
actions:vsvipul/alert-fix
actions:vsvipul/test-assign-pr
actions:t-dedah/updatePackage
actions:t-dedah/cacheSize
actions:t-dedah/test
actions:testGheswithACFlag
actions:v3_fix
actions:2gb_issue_fix
actions:users/ashwinsangem/update_whats_new
actions:revert-173-add-stack-example
actions:node-update
actions:test-fast
actions:up-dep2
actions:resolve-dep
actions:up-dep
actions:enableForGHES
actions:testEnableForGHES.v1
actions:dhadka/fix-fd-errors
actions:dhadka/update-deps
actions:dhadka/update-1.0.7
actions:aiqiaoy/windows-cache-path
actions:dhadka/bump-cache
actions:dhadka/update-core
actions:dhadka/update-cache-module
actions:dhadka/upload-chunk-size
actions:dhadka/cache-1.0.1
actions:dhadka/exit-after-run
actions:improve-string-split
actions:releases/v2
actions:add-retries
actions:timeout-env-var
actions:joshmgross/sudo-tar
actions:joshmgross/chunked-upload-testing
actions:joshmgross/windows-bsd-tar-release
actions:preview
actions:v5.0.3
actions:v5
actions:v5.0.2
actions:v5.0.1
actions:v5.0.0
actions:v4.3.0
actions:v4
actions:v3.5.0
actions:v3
actions:v4.2.4
actions:v4.2.3
actions:v3.4.3
actions:v4.2.2
actions:v3.4.2
actions:v4.2.1
actions:v3.4.1
actions:v4.2.0
actions:v3.4.0
actions:v4.1.2
actions:v4.1.1
actions:v4.1.0
actions:v4.0.2
actions:v4.0.1
actions:v4.0.0
actions:v3.3.3
actions:v3.3.2
actions:v1
actions:v1.2.1
actions:v2.1.8
actions:v2
actions:v3.3.1
actions:v3.3.0
actions:v3.2.6
actions:v3.2.5
actions:v3.2.4
actions:v3.2.3
actions:v3.2.2
actions:v3.2.1
actions:v3.2.0
actions:v3.2.0-beta
actions:v3.2.0-beta.1
actions:v3.1.0-beta
actions:v3.1.0-beta.3
actions:v3.1.0-beta.2
actions:v3.1.0-beta.1
actions:v3.0.11
actions:v3.0.10
actions:v3.0.9
actions:v3.0.8
actions:v3.0.7
actions:v3.0.6
actions:v3.0.5
actions:v3.0.4
actions:v3.0.3
actions:v3.0.2
actions:v3.0.1
actions:v3.0.0
actions:testEnableForGHES
actions:v2.1.7
actions:v2.1.6
actions:v2.1.5
actions:v2.1.4
actions:v2.1.3
actions:v2.1.2
actions:v2.1.1
actions:v2.1.0
actions:v2.0.0
actions:v1.2.0
actions:v1.1.2
actions:v1.1.1
actions:v1.1.0
actions:v1.0.3
actions:v1.0.2
actions:v1.0.1
actions:v1.0.0
actions:v0.0.2
actions:v0.0.1

3 Commits
2e9cddfa69 ... d59cb79a26

Author SHA1 Message Date
Bassem Dghaidi
d59cb79a26 Fix the proxy config 2026-01-29 08:55:40 -08:00
Bassem Dghaidi
d19411273c Simplify 2026-01-29 08:52:36 -08:00
Bassem Dghaidi
eaa29f93a6 Fix 2026-01-29 08:41:53 -08:00
1 changed files with 128 additions and 68 deletions
Show Stats Expand all files Collapse all files

196
.github/workflows/workflow.yml vendored
View File

@ -91,29 +91,45 @@ jobs:
container: container:
image: ubuntu:latest image: ubuntu:latest
options: --privileged options: --privileged
services:
squid-proxy:
image: ubuntu/squid:latest
ports:
- 3128:3128
env:
http_proxy: http://squid-proxy:3128
https_proxy: http://squid-proxy:3128
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v5 uses: actions/checkout@v5
- name: Install dependencies - name: Install dependencies and setup Squid proxy
run: | run: |
apt-get update apt-get update
apt-get install -y iptables dnsutils curl jq ipset apt-get install -y iptables dnsutils curl jq ipset squid
# Configure squid for forward proxy
cat >> /etc/squid/squid.conf << 'EOF'
# Allow all traffic through proxy
http_access allow all
# Enable SSL bumping for HTTPS CONNECT
http_port 3128
EOF
# Start squid
service squid start
sleep 2
# Verify squid is running
if service squid status; then
echo "Squid proxy started successfully"
else
echo "Failed to start squid"
cat /var/log/squid/cache.log
exit 1
fi
- name: Fetch GitHub meta and configure firewall - name: Fetch GitHub meta and configure firewall
env:
http_proxy: http://127.0.0.1:3128
https_proxy: http://127.0.0.1:3128
run: | run: |
# Fetch GitHub meta API to get all IP ranges # Fetch GitHub meta API to get all IP ranges
echo "Fetching GitHub meta API..." echo "Fetching GitHub meta API..."
curl -sS https://api.github.com/meta > /tmp/github-meta.json curl -sS https://api.github.com/meta > /tmp/github-meta.json
# Get squid-proxy IP address # Proxy is on localhost
PROXY_IP=$(getent hosts squid-proxy | awk '{ print $1 }') PROXY_IP="127.0.0.1"
echo "Proxy IP: $PROXY_IP" echo "Proxy IP: $PROXY_IP"
# Allow established connections # Allow established connections
@ -159,10 +175,15 @@ jobs:
iptables -I OUTPUT 1 -d "$ip" -p tcp --dport 443 -j REJECT iptables -I OUTPUT 1 -d "$ip" -p tcp --dport 443 -j REJECT
done done
# Block productionresultssa*.blob.core.windows.net (cache blob storage) # Block known blob storage endpoints used by cache
# We block ALL blob.core.windows.net traffic since we can't easily enumerate all storage accounts # Resolve and block common productionresultssa*.blob.core.windows.net endpoints
# The proxy will handle these requests for i in 0 1 2 3 4 5 6 7 8 9 10 11 12; do
echo "Note: *.blob.core.windows.net traffic will be blocked and must go through proxy" BLOB_HOST="productionresultssa${i}.blob.core.windows.net"
for ip in $(getent ahosts "$BLOB_HOST" 2>/dev/null | awk '{print $1}' | sort -u); do
echo "Blocking direct access to $BLOB_HOST: $ip"
iptables -I OUTPUT 1 -d "$ip" -p tcp --dport 443 -j REJECT
done
done
# Block all other outbound HTTP/HTTPS traffic # Block all other outbound HTTP/HTTPS traffic
iptables -A OUTPUT -p tcp --dport 80 -j REJECT iptables -A OUTPUT -p tcp --dport 80 -j REJECT
@ -173,12 +194,15 @@ jobs:
echo "" echo ""
echo "ipset github-ips contains $(ipset list github-ips | grep -c '^[0-9]') entries" echo "ipset github-ips contains $(ipset list github-ips | grep -c '^[0-9]') entries"
- name: Verify proxy enforcement - name: Verify proxy enforcement
env:
http_proxy: http://127.0.0.1:3128
https_proxy: http://127.0.0.1:3128
run: | run: |
echo "=== Testing proxy enforcement ===" echo "=== Testing proxy enforcement ==="
# Test 1: Direct connection to github.com should work (it's in allowed IPs) # Test 1: Direct connection to github.com should work (it's in allowed IPs)
echo "Test 1: Direct connection to github.com (should SUCCEED - GitHub IP allowed)" echo "Test 1: Direct connection to github.com (should SUCCEED - GitHub IP allowed)"
if curl --connect-timeout 5 --max-time 10 --noproxy '*' -sS https://api.github.com/zen 2>/dev/null; then if curl --connect-timeout 5 --max-time 10 --noproxy '*' -sSf -o /dev/null https://api.github.com/zen 2>/dev/null; then
echo "✓ Direct GitHub API access works (expected)" echo "✓ Direct GitHub API access works (expected)"
else else
echo "✗ Direct GitHub API access failed (unexpected but not critical)" echo "✗ Direct GitHub API access failed (unexpected but not critical)"
@ -187,7 +211,7 @@ jobs:
# Test 2: Direct connection to blob storage should FAIL # Test 2: Direct connection to blob storage should FAIL
echo "" echo ""
echo "Test 2: Direct connection to blob storage (should FAIL - must use proxy)" echo "Test 2: Direct connection to blob storage (should FAIL - must use proxy)"
if curl --connect-timeout 5 --max-time 10 --noproxy '*' -sS https://productionresultssa0.blob.core.windows.net 2>/dev/null; then if curl --connect-timeout 5 --max-time 10 --noproxy '*' -sSf -o /dev/null https://productionresultssa0.blob.core.windows.net 2>/dev/null; then
echo "✗ ERROR: Direct blob storage connection succeeded but should have been blocked!" echo "✗ ERROR: Direct blob storage connection succeeded but should have been blocked!"
exit 1 exit 1
else else
@ -197,14 +221,19 @@ jobs:
# Test 3: Connection through proxy should work # Test 3: Connection through proxy should work
echo "" echo ""
echo "Test 3: Connection through proxy to blob storage (should SUCCEED)" echo "Test 3: Connection through proxy to blob storage (should SUCCEED)"
if curl --connect-timeout 5 --max-time 10 -sS https://productionresultssa0.blob.core.windows.net 2>&1 | head -5; then # Using proxy (from env vars), we should be able to connect even if we get an HTTP error
echo "✓ Proxy connection works (expected - even if 4xx/5xx response, connection succeeded)" HTTP_CODE=$(curl --connect-timeout 5 --max-time 10 -sS -o /dev/null -w "%{http_code}" https://productionresultssa0.blob.core.windows.net 2>/dev/null || echo "000")
if [ "$HTTP_CODE" != "000" ]; then
echo "✓ Proxy connection works (HTTP $HTTP_CODE - connection succeeded through proxy)"
else else
echo "Note: Proxy connection may have failed, but that's OK if it's not a network block" echo "Note: Proxy connection may have failed, but that's OK if it's not a network block"
fi fi
- name: Generate files - name: Generate files
run: __tests__/create-cache-files.sh proxy test-cache run: __tests__/create-cache-files.sh proxy test-cache
- name: Save cache - name: Save cache
env:
http_proxy: http://127.0.0.1:3128
https_proxy: http://127.0.0.1:3128
uses: ./ uses: ./
with: with:
key: test-proxy-${{ github.run_id }} key: test-proxy-${{ github.run_id }}
@ -213,28 +242,24 @@ jobs:
run: | run: |
echo "=== Verifying cache traffic went through proxy ===" echo "=== Verifying cache traffic went through proxy ==="
# Get the squid container ID # Read squid access log directly
SQUID_CONTAINER=$(docker ps --filter "ancestor=ubuntu/squid:latest" --format "{{.ID}}" | head -1) SQUID_LOG="/var/log/squid/access.log"
if [ -z "$SQUID_CONTAINER" ]; then
SQUID_CONTAINER=$(docker ps --format "{{.ID}}\t{{.Image}}" | grep squid | cut -f1)
fi
# Initialize summary # Initialize summary
echo "## 🔒 Proxy Traffic Verification - Cache Save" >> $GITHUB_STEP_SUMMARY echo "## 🔒 Proxy Traffic Verification - Cache Save" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY
if [ -n "$SQUID_CONTAINER" ]; then if [ -f "$SQUID_LOG" ]; then
echo "Found Squid container: $SQUID_CONTAINER" echo "Found Squid access log at: $SQUID_LOG"
# Get the full access log # Get the full access log
ACCESS_LOG=$(docker exec "$SQUID_CONTAINER" cat /var/log/squid/access.log 2>/dev/null || echo "") ACCESS_LOG=$(cat "$SQUID_LOG" 2>/dev/null || echo "")
# Extract traffic details # Extract traffic details
RESULTS_RECEIVER_LINES=$(echo "$ACCESS_LOG" | grep -i "results-receiver" || true) RESULTS_RECEIVER_LINES=$(echo "$ACCESS_LOG" | grep -i "results-receiver" || true)
BLOB_LINES=$(echo "$ACCESS_LOG" | grep -i "blob.core.windows.net" || true) BLOB_LINES=$(echo "$ACCESS_LOG" | grep -i "blob.core.windows.net" || true)
RESULTS_RECEIVER_COUNT=$(echo "$ACCESS_LOG" | grep -ci "results-receiver" || echo "0") RESULTS_RECEIVER_COUNT=$(echo "$ACCESS_LOG" | grep -ci "results-receiver" 2>/dev/null || echo "0")
BLOB_COUNT=$(echo "$ACCESS_LOG" | grep -ci "blob.core.windows.net" || echo "0") BLOB_COUNT=$(echo "$ACCESS_LOG" | grep -ci "blob.core.windows.net" 2>/dev/null || echo "0")
# Build summary table # Build summary table
echo "### 📊 Traffic Summary" >> $GITHUB_STEP_SUMMARY echo "### 📊 Traffic Summary" >> $GITHUB_STEP_SUMMARY
@ -315,10 +340,15 @@ jobs:
echo "Blob storage requests: $BLOB_COUNT" echo "Blob storage requests: $BLOB_COUNT"
echo "Verification status: $VERIFY_STATUS" echo "Verification status: $VERIFY_STATUS"
else else
echo "⚠️ **WARNING**: Could not access Squid proxy container logs" >> $GITHUB_STEP_SUMMARY echo "⚠️ **WARNING**: Could not find Squid access log at $SQUID_LOG" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY
echo "This may occur when service containers are isolated from the job container." >> $GITHUB_STEP_SUMMARY echo "Checking squid log directory..." >> $GITHUB_STEP_SUMMARY
echo "Could not access squid container logs" echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
ls -la /var/log/squid/ 2>&1 >> $GITHUB_STEP_SUMMARY || echo "Directory not found" >> $GITHUB_STEP_SUMMARY
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
echo "Could not find squid access log"
ls -la /var/log/squid/ 2>&1 || echo "Directory /var/log/squid not found"
fi fi
test-proxy-restore: test-proxy-restore:
@ -327,29 +357,45 @@ jobs:
container: container:
image: ubuntu:latest image: ubuntu:latest
options: --privileged options: --privileged
services:
squid-proxy:
image: ubuntu/squid:latest
ports:
- 3128:3128
env:
http_proxy: http://squid-proxy:3128
https_proxy: http://squid-proxy:3128
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v5 uses: actions/checkout@v5
- name: Install dependencies - name: Install dependencies and setup Squid proxy
run: | run: |
apt-get update apt-get update
apt-get install -y iptables dnsutils curl jq ipset apt-get install -y iptables dnsutils curl jq ipset squid
# Configure squid for forward proxy
cat >> /etc/squid/squid.conf << 'EOF'
# Allow all traffic through proxy
http_access allow all
# Enable SSL bumping for HTTPS CONNECT
http_port 3128
EOF
# Start squid
service squid start
sleep 2
# Verify squid is running
if service squid status; then
echo "Squid proxy started successfully"
else
echo "Failed to start squid"
cat /var/log/squid/cache.log
exit 1
fi
- name: Fetch GitHub meta and configure firewall - name: Fetch GitHub meta and configure firewall
env:
http_proxy: http://127.0.0.1:3128
https_proxy: http://127.0.0.1:3128
run: | run: |
# Fetch GitHub meta API to get all IP ranges # Fetch GitHub meta API to get all IP ranges
echo "Fetching GitHub meta API..." echo "Fetching GitHub meta API..."
curl -sS https://api.github.com/meta > /tmp/github-meta.json curl -sS https://api.github.com/meta > /tmp/github-meta.json
# Get squid-proxy IP address # Proxy is on localhost
PROXY_IP=$(getent hosts squid-proxy | awk '{ print $1 }') PROXY_IP="127.0.0.1"
echo "Proxy IP: $PROXY_IP" echo "Proxy IP: $PROXY_IP"
# Allow established connections # Allow established connections
@ -395,10 +441,15 @@ jobs:
iptables -I OUTPUT 1 -d "$ip" -p tcp --dport 443 -j REJECT iptables -I OUTPUT 1 -d "$ip" -p tcp --dport 443 -j REJECT
done done
# Block productionresultssa*.blob.core.windows.net (cache blob storage) # Block known blob storage endpoints used by cache
# We block ALL blob.core.windows.net traffic since we can't easily enumerate all storage accounts # Resolve and block common productionresultssa*.blob.core.windows.net endpoints
# The proxy will handle these requests for i in 0 1 2 3 4 5 6 7 8 9 10 11 12; do
echo "Note: *.blob.core.windows.net traffic will be blocked and must go through proxy" BLOB_HOST="productionresultssa${i}.blob.core.windows.net"
for ip in $(getent ahosts "$BLOB_HOST" 2>/dev/null | awk '{print $1}' | sort -u); do
echo "Blocking direct access to $BLOB_HOST: $ip"
iptables -I OUTPUT 1 -d "$ip" -p tcp --dport 443 -j REJECT
done
done
# Block all other outbound HTTP/HTTPS traffic # Block all other outbound HTTP/HTTPS traffic
iptables -A OUTPUT -p tcp --dport 80 -j REJECT iptables -A OUTPUT -p tcp --dport 80 -j REJECT
@ -409,12 +460,15 @@ jobs:
echo "" echo ""
echo "ipset github-ips contains $(ipset list github-ips | grep -c '^[0-9]') entries" echo "ipset github-ips contains $(ipset list github-ips | grep -c '^[0-9]') entries"
- name: Verify proxy enforcement - name: Verify proxy enforcement
env:
http_proxy: http://127.0.0.1:3128
https_proxy: http://127.0.0.1:3128
run: | run: |
echo "=== Testing proxy enforcement ===" echo "=== Testing proxy enforcement ==="
# Test 1: Direct connection to github.com should work (it's in allowed IPs) # Test 1: Direct connection to github.com should work (it's in allowed IPs)
echo "Test 1: Direct connection to github.com (should SUCCEED - GitHub IP allowed)" echo "Test 1: Direct connection to github.com (should SUCCEED - GitHub IP allowed)"
if curl --connect-timeout 5 --max-time 10 --noproxy '*' -sS https://api.github.com/zen 2>/dev/null; then if curl --connect-timeout 5 --max-time 10 --noproxy '*' -sSf -o /dev/null https://api.github.com/zen 2>/dev/null; then
echo "✓ Direct GitHub API access works (expected)" echo "✓ Direct GitHub API access works (expected)"
else else
echo "✗ Direct GitHub API access failed (unexpected but not critical)" echo "✗ Direct GitHub API access failed (unexpected but not critical)"
@ -423,7 +477,7 @@ jobs:
# Test 2: Direct connection to blob storage should FAIL # Test 2: Direct connection to blob storage should FAIL
echo "" echo ""
echo "Test 2: Direct connection to blob storage (should FAIL - must use proxy)" echo "Test 2: Direct connection to blob storage (should FAIL - must use proxy)"
if curl --connect-timeout 5 --max-time 10 --noproxy '*' -sS https://productionresultssa0.blob.core.windows.net 2>/dev/null; then if curl --connect-timeout 5 --max-time 10 --noproxy '*' -sSf -o /dev/null https://productionresultssa0.blob.core.windows.net 2>/dev/null; then
echo "✗ ERROR: Direct blob storage connection succeeded but should have been blocked!" echo "✗ ERROR: Direct blob storage connection succeeded but should have been blocked!"
exit 1 exit 1
else else
@ -433,12 +487,17 @@ jobs:
# Test 3: Connection through proxy should work # Test 3: Connection through proxy should work
echo "" echo ""
echo "Test 3: Connection through proxy to blob storage (should SUCCEED)" echo "Test 3: Connection through proxy to blob storage (should SUCCEED)"
if curl --connect-timeout 5 --max-time 10 -sS https://productionresultssa0.blob.core.windows.net 2>&1 | head -5; then # Using proxy (from env vars), we should be able to connect even if we get an HTTP error
echo "✓ Proxy connection works (expected - even if 4xx/5xx response, connection succeeded)" HTTP_CODE=$(curl --connect-timeout 5 --max-time 10 -sS -o /dev/null -w "%{http_code}" https://productionresultssa0.blob.core.windows.net 2>/dev/null || echo "000")
if [ "$HTTP_CODE" != "000" ]; then
echo "✓ Proxy connection works (HTTP $HTTP_CODE - connection succeeded through proxy)"
else else
echo "Note: Proxy connection may have failed, but that's OK if it's not a network block" echo "Note: Proxy connection may have failed, but that's OK if it's not a network block"
fi fi
- name: Restore cache - name: Restore cache
env:
http_proxy: http://127.0.0.1:3128
https_proxy: http://127.0.0.1:3128
uses: ./ uses: ./
with: with:
key: test-proxy-${{ github.run_id }} key: test-proxy-${{ github.run_id }}
@ -447,28 +506,24 @@ jobs:
run: | run: |
echo "=== Verifying cache restore traffic went through proxy ===" echo "=== Verifying cache restore traffic went through proxy ==="
# Get the squid container ID # Read squid access log directly
SQUID_CONTAINER=$(docker ps --filter "ancestor=ubuntu/squid:latest" --format "{{.ID}}" | head -1) SQUID_LOG="/var/log/squid/access.log"
if [ -z "$SQUID_CONTAINER" ]; then
SQUID_CONTAINER=$(docker ps --format "{{.ID}}\t{{.Image}}" | grep squid | cut -f1)
fi
# Initialize summary # Initialize summary
echo "## 🔒 Proxy Traffic Verification - Cache Restore" >> $GITHUB_STEP_SUMMARY echo "## 🔒 Proxy Traffic Verification - Cache Restore" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY
if [ -n "$SQUID_CONTAINER" ]; then if [ -f "$SQUID_LOG" ]; then
echo "Found Squid container: $SQUID_CONTAINER" echo "Found Squid access log at: $SQUID_LOG"
# Get the full access log # Get the full access log
ACCESS_LOG=$(docker exec "$SQUID_CONTAINER" cat /var/log/squid/access.log 2>/dev/null || echo "") ACCESS_LOG=$(cat "$SQUID_LOG" 2>/dev/null || echo "")
# Extract traffic details # Extract traffic details
RESULTS_RECEIVER_LINES=$(echo "$ACCESS_LOG" | grep -i "results-receiver" || true) RESULTS_RECEIVER_LINES=$(echo "$ACCESS_LOG" | grep -i "results-receiver" || true)
BLOB_LINES=$(echo "$ACCESS_LOG" | grep -i "blob.core.windows.net" || true) BLOB_LINES=$(echo "$ACCESS_LOG" | grep -i "blob.core.windows.net" || true)
RESULTS_RECEIVER_COUNT=$(echo "$ACCESS_LOG" | grep -ci "results-receiver" || echo "0") RESULTS_RECEIVER_COUNT=$(echo "$ACCESS_LOG" | grep -ci "results-receiver" 2>/dev/null || echo "0")
BLOB_COUNT=$(echo "$ACCESS_LOG" | grep -ci "blob.core.windows.net" || echo "0") BLOB_COUNT=$(echo "$ACCESS_LOG" | grep -ci "blob.core.windows.net" 2>/dev/null || echo "0")
# Build summary table # Build summary table
echo "### 📊 Traffic Summary" >> $GITHUB_STEP_SUMMARY echo "### 📊 Traffic Summary" >> $GITHUB_STEP_SUMMARY
@ -548,10 +603,15 @@ jobs:
echo "Blob storage requests: $BLOB_COUNT" echo "Blob storage requests: $BLOB_COUNT"
echo "Verification status: $VERIFY_STATUS" echo "Verification status: $VERIFY_STATUS"
else else
echo "⚠️ **WARNING**: Could not access Squid proxy container logs" >> $GITHUB_STEP_SUMMARY echo "⚠️ **WARNING**: Could not find Squid access log at $SQUID_LOG" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY
echo "This may occur when service containers are isolated from the job container." >> $GITHUB_STEP_SUMMARY echo "Checking squid log directory..." >> $GITHUB_STEP_SUMMARY
echo "Could not access squid container logs" echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
ls -la /var/log/squid/ 2>&1 >> $GITHUB_STEP_SUMMARY || echo "Directory not found" >> $GITHUB_STEP_SUMMARY
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
echo "Could not find squid access log"
ls -la /var/log/squid/ 2>&1 || echo "Directory /var/log/squid not found"
fi fi
- name: Verify cache - name: Verify cache
run: __tests__/verify-cache-files.sh proxy test-cache run: __tests__/verify-cache-files.sh proxy test-cache