actions/cache
1
0
Fork 0
mirror of https://github.com/actions/cache.git synced 2026-03-07 10:13:07 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Compare commits

base: actions:d59cb79a26a8d74630c22cbb08feabe65fc8e099
Branches Tags
actions:main
actions:dependabot/npm_and_yarn/fast-xml-parser-5.4.2
actions:dependabot/github_actions/minor-actions-dependencies-e5c33472d6
actions:dependabot/github_actions/github/codeql-action-4
actions:dependabot/github_actions/actions/checkout-6
actions:dependabot/github_actions/actions/setup-node-6
actions:dependabot/github_actions/actions/stale-10
actions:dependabot/npm_and_yarn/multi-770cfcd984
actions:dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-8.54.0
actions:dependabot/npm_and_yarn/eslint-9.39.2
actions:dependabot/npm_and_yarn/multi-a28ee524ce
actions:dependabot/npm_and_yarn/actions/cache-6.0.0
actions:dependabot/npm_and_yarn/eslint-config-prettier-10.1.8
actions:copilot/triage-open-pull-requests
actions:alert-autofix-51
actions:v3.5.0-working
actions:v3.4.3-working
actions:v3.4.2-working
actions:v3.4.1-working
actions:v3.4.0-working
actions:Link-/blobcache-spike
actions:yacaovsnc/update_readme
actions:robherley/v3.3.3
actions:releases/v1
actions:bishal/debug-sdk-batch
actions:pdotl-patch-1
actions:anuragc617/update_v2
actions:update_v2
actions:bishal-pdMSFT-patch-4
actions:kotewar/update-readme-for-lookup
actions:kotewar/updating-cache-dependency
actions:pdotl/zstd-hotfix
actions:t-dedah-patch-1
actions:phantsure/v3.2.5
actions:pallavx-patch-1
actions:pallavx-patch-1-1
actions:vsvipul/dep-fix
actions:kotewar/states-input-provider
actions:phantsure/releaae-symlink
actions:phantsure/symlink
actions:phantsure/revert-compression-changes
actions:phantsure/cross-doc
actions:Phantsure-patch-1
actions:phantsure/compression-release
actions:releases/v3-beta
actions:bishal-pdMSFT-patch-3
actions:tanuj077/save-changes
actions:kotewar/adding-support-for-http-client
actions:phantsure/v3-beta
actions:bishal/outputter
actions:t-dedah/new-node
actions:tanuj077/cache-control-save
actions:phantsure/npm-fix
actions:revert-998-dependabot/npm_and_yarn/minimatch-3.1.2
actions:master
actions:vsvipul/change-assignee-logic
actions:t-dedah/cache-eviction
actions:bishal/readme-cache-version
actions:bishal-pdMSFT-patch-2
actions:pdotl-version-bump
actions:vsvipul/new-release
actions:vsvipul/fix-sort
actions:tiwarishub/release-3.0.9
actions:tiwarishub/ghes_wanr_msg_update
actions:vsvipul/add-anurag
actions:vsvipul-patch-2
actions:vsvipul-patch-1
actions:vsvipul/add-reviewers
actions:vsvipul/fix-dep
actions:bishal-pdMSFT-patch-1
actions:tiwarishub/hackyTimeout
actions:tiwarishub/cache-3-0-5
actions:tiwarishub/cache-3-0
actions:fix-345
actions:vsvipul/fix-auto-assign
actions:vsvipul/alert-fix
actions:vsvipul/test-assign-pr
actions:t-dedah/updatePackage
actions:t-dedah/cacheSize
actions:t-dedah/test
actions:testGheswithACFlag
actions:v3_fix
actions:2gb_issue_fix
actions:users/ashwinsangem/update_whats_new
actions:revert-173-add-stack-example
actions:node-update
actions:test-fast
actions:up-dep2
actions:resolve-dep
actions:up-dep
actions:enableForGHES
actions:testEnableForGHES.v1
actions:dhadka/fix-fd-errors
actions:dhadka/update-deps
actions:dhadka/update-1.0.7
actions:aiqiaoy/windows-cache-path
actions:dhadka/bump-cache
actions:dhadka/update-core
actions:dhadka/update-cache-module
actions:dhadka/upload-chunk-size
actions:dhadka/cache-1.0.1
actions:dhadka/exit-after-run
actions:improve-string-split
actions:releases/v2
actions:add-retries
actions:timeout-env-var
actions:joshmgross/sudo-tar
actions:joshmgross/chunked-upload-testing
actions:joshmgross/windows-bsd-tar-release
actions:preview
actions:v5.0.3
actions:v5
actions:v5.0.2
actions:v5.0.1
actions:v5.0.0
actions:v4.3.0
actions:v4
actions:v3.5.0
actions:v3
actions:v4.2.4
actions:v4.2.3
actions:v3.4.3
actions:v4.2.2
actions:v3.4.2
actions:v4.2.1
actions:v3.4.1
actions:v4.2.0
actions:v3.4.0
actions:v4.1.2
actions:v4.1.1
actions:v4.1.0
actions:v4.0.2
actions:v4.0.1
actions:v4.0.0
actions:v3.3.3
actions:v3.3.2
actions:v1
actions:v1.2.1
actions:v2.1.8
actions:v2
actions:v3.3.1
actions:v3.3.0
actions:v3.2.6
actions:v3.2.5
actions:v3.2.4
actions:v3.2.3
actions:v3.2.2
actions:v3.2.1
actions:v3.2.0
actions:v3.2.0-beta
actions:v3.2.0-beta.1
actions:v3.1.0-beta
actions:v3.1.0-beta.3
actions:v3.1.0-beta.2
actions:v3.1.0-beta.1
actions:v3.0.11
actions:v3.0.10
actions:v3.0.9
actions:v3.0.8
actions:v3.0.7
actions:v3.0.6
actions:v3.0.5
actions:v3.0.4
actions:v3.0.3
actions:v3.0.2
actions:v3.0.1
actions:v3.0.0
actions:testEnableForGHES
actions:v2.1.7
actions:v2.1.6
actions:v2.1.5
actions:v2.1.4
actions:v2.1.3
actions:v2.1.2
actions:v2.1.1
actions:v2.1.0
actions:v2.0.0
actions:v1.2.0
actions:v1.1.2
actions:v1.1.1
actions:v1.1.0
actions:v1.0.3
actions:v1.0.2
actions:v1.0.1
actions:v1.0.0
actions:v0.0.2
actions:v0.0.1
..
compare: actions:2e9cddfa69039bd3d8d0ab9f27a246fd8c4f4de2
Branches Tags
actions:dependabot/npm_and_yarn/fast-xml-parser-5.4.2
actions:dependabot/github_actions/minor-actions-dependencies-e5c33472d6
actions:dependabot/github_actions/github/codeql-action-4
actions:dependabot/github_actions/actions/checkout-6
actions:dependabot/github_actions/actions/setup-node-6
actions:dependabot/github_actions/actions/stale-10
actions:dependabot/npm_and_yarn/multi-770cfcd984
actions:dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-8.54.0
actions:dependabot/npm_and_yarn/eslint-9.39.2
actions:dependabot/npm_and_yarn/multi-a28ee524ce
actions:dependabot/npm_and_yarn/actions/cache-6.0.0
actions:dependabot/npm_and_yarn/eslint-config-prettier-10.1.8
actions:main
actions:copilot/triage-open-pull-requests
actions:alert-autofix-51
actions:v3.5.0-working
actions:v3.4.3-working
actions:v3.4.2-working
actions:v3.4.1-working
actions:v3.4.0-working
actions:Link-/blobcache-spike
actions:yacaovsnc/update_readme
actions:robherley/v3.3.3
actions:releases/v1
actions:bishal/debug-sdk-batch
actions:pdotl-patch-1
actions:anuragc617/update_v2
actions:update_v2
actions:bishal-pdMSFT-patch-4
actions:kotewar/update-readme-for-lookup
actions:kotewar/updating-cache-dependency
actions:pdotl/zstd-hotfix
actions:t-dedah-patch-1
actions:phantsure/v3.2.5
actions:pallavx-patch-1
actions:pallavx-patch-1-1
actions:vsvipul/dep-fix
actions:kotewar/states-input-provider
actions:phantsure/releaae-symlink
actions:phantsure/symlink
actions:phantsure/revert-compression-changes
actions:phantsure/cross-doc
actions:Phantsure-patch-1
actions:phantsure/compression-release
actions:releases/v3-beta
actions:bishal-pdMSFT-patch-3
actions:tanuj077/save-changes
actions:kotewar/adding-support-for-http-client
actions:phantsure/v3-beta
actions:bishal/outputter
actions:t-dedah/new-node
actions:tanuj077/cache-control-save
actions:phantsure/npm-fix
actions:revert-998-dependabot/npm_and_yarn/minimatch-3.1.2
actions:master
actions:vsvipul/change-assignee-logic
actions:t-dedah/cache-eviction
actions:bishal/readme-cache-version
actions:bishal-pdMSFT-patch-2
actions:pdotl-version-bump
actions:vsvipul/new-release
actions:vsvipul/fix-sort
actions:tiwarishub/release-3.0.9
actions:tiwarishub/ghes_wanr_msg_update
actions:vsvipul/add-anurag
actions:vsvipul-patch-2
actions:vsvipul-patch-1
actions:vsvipul/add-reviewers
actions:vsvipul/fix-dep
actions:bishal-pdMSFT-patch-1
actions:tiwarishub/hackyTimeout
actions:tiwarishub/cache-3-0-5
actions:tiwarishub/cache-3-0
actions:fix-345
actions:vsvipul/fix-auto-assign
actions:vsvipul/alert-fix
actions:vsvipul/test-assign-pr
actions:t-dedah/updatePackage
actions:t-dedah/cacheSize
actions:t-dedah/test
actions:testGheswithACFlag
actions:v3_fix
actions:2gb_issue_fix
actions:users/ashwinsangem/update_whats_new
actions:revert-173-add-stack-example
actions:node-update
actions:test-fast
actions:up-dep2
actions:resolve-dep
actions:up-dep
actions:enableForGHES
actions:testEnableForGHES.v1
actions:dhadka/fix-fd-errors
actions:dhadka/update-deps
actions:dhadka/update-1.0.7
actions:aiqiaoy/windows-cache-path
actions:dhadka/bump-cache
actions:dhadka/update-core
actions:dhadka/update-cache-module
actions:dhadka/upload-chunk-size
actions:dhadka/cache-1.0.1
actions:dhadka/exit-after-run
actions:improve-string-split
actions:releases/v2
actions:add-retries
actions:timeout-env-var
actions:joshmgross/sudo-tar
actions:joshmgross/chunked-upload-testing
actions:joshmgross/windows-bsd-tar-release
actions:preview
actions:v5.0.3
actions:v5
actions:v5.0.2
actions:v5.0.1
actions:v5.0.0
actions:v4.3.0
actions:v4
actions:v3.5.0
actions:v3
actions:v4.2.4
actions:v4.2.3
actions:v3.4.3
actions:v4.2.2
actions:v3.4.2
actions:v4.2.1
actions:v3.4.1
actions:v4.2.0
actions:v3.4.0
actions:v4.1.2
actions:v4.1.1
actions:v4.1.0
actions:v4.0.2
actions:v4.0.1
actions:v4.0.0
actions:v3.3.3
actions:v3.3.2
actions:v1
actions:v1.2.1
actions:v2.1.8
actions:v2
actions:v3.3.1
actions:v3.3.0
actions:v3.2.6
actions:v3.2.5
actions:v3.2.4
actions:v3.2.3
actions:v3.2.2
actions:v3.2.1
actions:v3.2.0
actions:v3.2.0-beta
actions:v3.2.0-beta.1
actions:v3.1.0-beta
actions:v3.1.0-beta.3
actions:v3.1.0-beta.2
actions:v3.1.0-beta.1
actions:v3.0.11
actions:v3.0.10
actions:v3.0.9
actions:v3.0.8
actions:v3.0.7
actions:v3.0.6
actions:v3.0.5
actions:v3.0.4
actions:v3.0.3
actions:v3.0.2
actions:v3.0.1
actions:v3.0.0
actions:testEnableForGHES
actions:v2.1.7
actions:v2.1.6
actions:v2.1.5
actions:v2.1.4
actions:v2.1.3
actions:v2.1.2
actions:v2.1.1
actions:v2.1.0
actions:v2.0.0
actions:v1.2.0
actions:v1.1.2
actions:v1.1.1
actions:v1.1.0
actions:v1.0.3
actions:v1.0.2
actions:v1.0.1
actions:v1.0.0
actions:v0.0.2
actions:v0.0.1

8 Commits
d59cb79a26 ... 2e9cddfa69

Author SHA1 Message Date
Bassem Dghaidi
2e9cddfa69 Use wernight/squid (permissive proxy) and fix verification tests
Some checks failed
Code scanning / CodeQL-Build (push) Has been cancelled
Details 
- Switch from ubuntu/squid to wernight/squid which allows all HTTPS CONNECT
- Fix verification tests to explicitly use -x flag to prove proxy works
- Tests now verify:
  1. Proxy accepts and forwards requests (using curl -x)
  2. Direct blob storage access is blocked by iptables
  3. Blob storage access through proxy succeeds

The cache action should now fail because it doesn't use the proxy,
not because the proxy rejects the connection.
 2026-01-29 09:41:44 -08:00
Bassem Dghaidi
34472f2415 Add explicit iptables rules to block blob storage IPs 
The previous firewall setup relied on a catch-all REJECT rule for blob
storage, but it wasn't blocking traffic. Now we explicitly resolve and
block the IPs for productionresultssa0-3.blob.core.windows.net using
iptables -I OUTPUT 1 to insert rules at the top of the chain.
 2026-01-29 09:31:15 -08:00
Bassem Dghaidi
e0d51ac399 Switch to sameersbn/squid image and simplify verification 
- Replace ubuntu/squid with sameersbn/squid:latest (more reliable)
- Remove shared volume mounts that may cause permission issues
- Simplify verification steps since we can't access service container logs
- The test validates proxy works by verifying cache operations succeed
  when direct access is blocked by iptables
 2026-01-29 09:27:29 -08:00
Bassem Dghaidi
26cd8c103b Add wait loop for squid-proxy service to be resolvable 2026-01-29 09:22:42 -08:00
Bassem Dghaidi
0d4af5e74f Remove proxy env from Fetch GitHub meta step - must run before firewall setup 2026-01-29 09:20:18 -08:00
Bassem Dghaidi
61ba4b9b0a Merge branch 'Link-/fix-proxy-integration-tests' of github.com:actions/cache into Link-/fix-proxy-integration-tests 2026-01-29 09:18:24 -08:00
Bassem Dghaidi
2f8c9d682d Use shared volume between job container and squid service for log access 2026-01-29 09:17:52 -08:00
Bassem Dghaidi
56cc052f4d Use shared volume between job container and squid service for log access 2026-01-29 09:13:07 -08:00
1 changed files with 160 additions and 329 deletions
Show Stats Expand all files Collapse all files

489
.github/workflows/workflow.yml vendored
View File

@ -91,46 +91,55 @@ jobs:
container: container:
image: ubuntu:latest image: ubuntu:latest
options: --privileged options: --privileged
services:
squid-proxy:
image: wernight/squid
ports:
- 3128:3128
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v5 uses: actions/checkout@v5
- name: Install dependencies and setup Squid proxy - name: Install dependencies
run: | run: |
apt-get update apt-get update
apt-get install -y iptables dnsutils curl jq ipset squid apt-get install -y iptables dnsutils curl jq ipset
# Configure squid for forward proxy
cat >> /etc/squid/squid.conf << 'EOF'
# Allow all traffic through proxy
http_access allow all
# Enable SSL bumping for HTTPS CONNECT
http_port 3128
EOF
# Start squid
service squid start
sleep 2
# Verify squid is running
if service squid status; then
echo "Squid proxy started successfully"
else
echo "Failed to start squid"
cat /var/log/squid/cache.log
exit 1
fi
- name: Fetch GitHub meta and configure firewall - name: Fetch GitHub meta and configure firewall
env:
http_proxy: http://127.0.0.1:3128
https_proxy: http://127.0.0.1:3128
run: | run: |
# Fetch GitHub meta API to get all IP ranges # Fetch GitHub meta API to get all IP ranges
echo "Fetching GitHub meta API..." echo "Fetching GitHub meta API..."
curl -sS https://api.github.com/meta > /tmp/github-meta.json curl -sS https://api.github.com/meta > /tmp/github-meta.json
# Proxy is on localhost # Wait for squid-proxy service to be resolvable and accepting connections
PROXY_IP="127.0.0.1" echo "Waiting for squid-proxy service..."
echo "Proxy IP: $PROXY_IP" for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15; do
PROXY_IP=$(getent hosts squid-proxy | awk '{ print $1 }')
if [ -n "$PROXY_IP" ]; then
echo "squid-proxy resolved to: $PROXY_IP"
# Test that proxy is actually accepting connections
if curl --connect-timeout 2 --max-time 5 -x http://squid-proxy:3128 -sS https://api.github.com/zen 2>/dev/null; then
echo "Proxy is working!"
break
else
echo "Attempt $i: Proxy resolved but not ready yet, waiting..."
fi
else
echo "Attempt $i: squid-proxy not resolvable yet, waiting..."
fi
sleep 2
done
if [ -z "$PROXY_IP" ]; then
echo "ERROR: Could not resolve squid-proxy after 15 attempts"
exit 1
fi
# Verify proxy works before locking down firewall
echo "Final proxy connectivity test..."
if ! curl --connect-timeout 5 --max-time 10 -x http://squid-proxy:3128 -sS https://api.github.com/zen; then
echo "ERROR: Proxy is not working properly"
exit 1
fi
echo "Proxy verified working!"
# Allow established connections # Allow established connections
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
@ -175,12 +184,10 @@ jobs:
iptables -I OUTPUT 1 -d "$ip" -p tcp --dport 443 -j REJECT iptables -I OUTPUT 1 -d "$ip" -p tcp --dport 443 -j REJECT
done done
# Block known blob storage endpoints used by cache # Block blob.core.windows.net (Azure blob storage used for cache)
# Resolve and block common productionresultssa*.blob.core.windows.net endpoints for host in productionresultssa0.blob.core.windows.net productionresultssa1.blob.core.windows.net productionresultssa2.blob.core.windows.net productionresultssa3.blob.core.windows.net; do
for i in 0 1 2 3 4 5 6 7 8 9 10 11 12; do for ip in $(getent ahosts "$host" 2>/dev/null | awk '{print $1}' | sort -u); do
BLOB_HOST="productionresultssa${i}.blob.core.windows.net" echo "Blocking direct access to blob storage ($host): $ip"
for ip in $(getent ahosts "$BLOB_HOST" 2>/dev/null | awk '{print $1}' | sort -u); do
echo "Blocking direct access to $BLOB_HOST: $ip"
iptables -I OUTPUT 1 -d "$ip" -p tcp --dport 443 -j REJECT iptables -I OUTPUT 1 -d "$ip" -p tcp --dport 443 -j REJECT
done done
done done
@ -194,162 +201,70 @@ jobs:
echo "" echo ""
echo "ipset github-ips contains $(ipset list github-ips | grep -c '^[0-9]') entries" echo "ipset github-ips contains $(ipset list github-ips | grep -c '^[0-9]') entries"
- name: Verify proxy enforcement - name: Verify proxy enforcement
env:
http_proxy: http://127.0.0.1:3128
https_proxy: http://127.0.0.1:3128
run: | run: |
echo "=== Testing proxy enforcement ===" echo "=== Testing proxy enforcement ==="
# Test 1: Direct connection to github.com should work (it's in allowed IPs) # Test 1: Verify proxy is working by explicitly using it
echo "Test 1: Direct connection to github.com (should SUCCEED - GitHub IP allowed)" echo "Test 1: Connection through proxy (should SUCCEED)"
if curl --connect-timeout 5 --max-time 10 --noproxy '*' -sSf -o /dev/null https://api.github.com/zen 2>/dev/null; then if curl --connect-timeout 10 --max-time 15 -x http://squid-proxy:3128 -sS -o /dev/null -w "%{http_code}" https://api.github.com/zen; then
echo "✓ Direct GitHub API access works (expected)" echo ""
echo "✓ Proxy connection works"
else else
echo "✗ Direct GitHub API access failed (unexpected but not critical)" echo "✗ ERROR: Proxy is not working!"
exit 1
fi fi
# Test 2: Direct connection to blob storage should FAIL # Test 2: Direct connection to blob storage should FAIL (blocked by iptables)
echo "" echo ""
echo "Test 2: Direct connection to blob storage (should FAIL - must use proxy)" echo "Test 2: Direct connection to blob storage (should FAIL - blocked by iptables)"
if curl --connect-timeout 5 --max-time 10 --noproxy '*' -sSf -o /dev/null https://productionresultssa0.blob.core.windows.net 2>/dev/null; then if curl --connect-timeout 5 --max-time 10 --noproxy '*' -sS https://productionresultssa0.blob.core.windows.net 2>/dev/null; then
echo "✗ ERROR: Direct blob storage connection succeeded but should have been blocked!" echo "✗ ERROR: Direct blob storage connection succeeded but should have been blocked!"
exit 1 exit 1
else else
echo "✓ Direct blob storage correctly blocked" echo "✓ Direct blob storage correctly blocked by iptables"
fi fi
# Test 3: Connection through proxy should work # Test 3: Connection to blob storage THROUGH proxy should work
echo "" echo ""
echo "Test 3: Connection through proxy to blob storage (should SUCCEED)" echo "Test 3: Connection through proxy to blob storage (should SUCCEED)"
# Using proxy (from env vars), we should be able to connect even if we get an HTTP error HTTP_CODE=$(curl --connect-timeout 10 --max-time 15 -x http://squid-proxy:3128 -sS -o /dev/null -w "%{http_code}" https://productionresultssa0.blob.core.windows.net 2>&1) || true
HTTP_CODE=$(curl --connect-timeout 5 --max-time 10 -sS -o /dev/null -w "%{http_code}" https://productionresultssa0.blob.core.windows.net 2>/dev/null || echo "000") echo "HTTP response code: $HTTP_CODE"
if [ "$HTTP_CODE" != "000" ]; then if [ "$HTTP_CODE" = "400" ] || [ "$HTTP_CODE" = "409" ] || [ "$HTTP_CODE" = "200" ]; then
echo "✓ Proxy connection works (HTTP $HTTP_CODE - connection succeeded through proxy)" echo "✓ Proxy successfully forwarded request to blob storage (got HTTP $HTTP_CODE)"
else else
echo "Note: Proxy connection may have failed, but that's OK if it's not a network block" echo "✗ ERROR: Proxy failed to forward request (got: $HTTP_CODE)"
exit 1
fi fi
echo ""
echo "=== All proxy enforcement tests passed ==="
echo "The proxy is working. If cache operations fail, it's because the action doesn't use the proxy."
- name: Generate files - name: Generate files
run: __tests__/create-cache-files.sh proxy test-cache run: __tests__/create-cache-files.sh proxy test-cache
- name: Save cache - name: Save cache
env: env:
http_proxy: http://127.0.0.1:3128 http_proxy: http://squid-proxy:3128
https_proxy: http://127.0.0.1:3128 https_proxy: http://squid-proxy:3128
uses: ./ uses: ./
with: with:
key: test-proxy-${{ github.run_id }} key: test-proxy-${{ github.run_id }}
path: test-cache path: test-cache
- name: Verify cache traffic went through proxy - name: Verify proxy setup
run: | run: |
echo "=== Verifying cache traffic went through proxy ===" echo "## 🔒 Proxy Integration Test - Cache Save" >> $GITHUB_STEP_SUMMARY
# Read squid access log directly
SQUID_LOG="/var/log/squid/access.log"
# Initialize summary
echo "## 🔒 Proxy Traffic Verification - Cache Save" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY
echo "### ✅ Test Configuration" >> $GITHUB_STEP_SUMMARY
if [ -f "$SQUID_LOG" ]; then echo "" >> $GITHUB_STEP_SUMMARY
echo "Found Squid access log at: $SQUID_LOG" echo "- **Proxy**: squid-proxy:3128" >> $GITHUB_STEP_SUMMARY
echo "- **Firewall**: iptables blocking direct access to cache endpoints" >> $GITHUB_STEP_SUMMARY
# Get the full access log echo "- **Test**: Cache save operation completed successfully through proxy" >> $GITHUB_STEP_SUMMARY
ACCESS_LOG=$(cat "$SQUID_LOG" 2>/dev/null || echo "") echo "" >> $GITHUB_STEP_SUMMARY
echo "If the cache save step succeeded, it means:" >> $GITHUB_STEP_SUMMARY
# Extract traffic details echo "1. Direct access to results-receiver.actions.githubusercontent.com was blocked" >> $GITHUB_STEP_SUMMARY
RESULTS_RECEIVER_LINES=$(echo "$ACCESS_LOG" | grep -i "results-receiver" || true) echo "2. Direct access to *.blob.core.windows.net was blocked" >> $GITHUB_STEP_SUMMARY
BLOB_LINES=$(echo "$ACCESS_LOG" | grep -i "blob.core.windows.net" || true) echo "3. Cache operations were routed through the squid proxy" >> $GITHUB_STEP_SUMMARY
RESULTS_RECEIVER_COUNT=$(echo "$ACCESS_LOG" | grep -ci "results-receiver" 2>/dev/null || echo "0") echo "" >> $GITHUB_STEP_SUMMARY
BLOB_COUNT=$(echo "$ACCESS_LOG" | grep -ci "blob.core.windows.net" 2>/dev/null || echo "0") echo "✅ **SUCCESS**: Proxy integration test passed!" >> $GITHUB_STEP_SUMMARY
# Build summary table
echo "### 📊 Traffic Summary" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "| Endpoint | Requests | Status |" >> $GITHUB_STEP_SUMMARY
echo "|----------|----------|--------|" >> $GITHUB_STEP_SUMMARY
if [ "$RESULTS_RECEIVER_COUNT" -gt 0 ]; then
echo "| results-receiver.actions.githubusercontent.com | $RESULTS_RECEIVER_COUNT | ✅ Proxied |" >> $GITHUB_STEP_SUMMARY
else
echo "| results-receiver.actions.githubusercontent.com | 0 | ⚠️ Not detected |" >> $GITHUB_STEP_SUMMARY
fi
if [ "$BLOB_COUNT" -gt 0 ]; then
echo "| *.blob.core.windows.net | $BLOB_COUNT | ✅ Proxied |" >> $GITHUB_STEP_SUMMARY
else
echo "| *.blob.core.windows.net | 0 | ⚠️ Not detected |" >> $GITHUB_STEP_SUMMARY
fi
echo "" >> $GITHUB_STEP_SUMMARY
# Verification result
echo "### 🎯 Verification Result" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
if [ "$RESULTS_RECEIVER_COUNT" -gt 0 ] && [ "$BLOB_COUNT" -gt 0 ]; then
echo "✅ **SUCCESS**: All cache save traffic verified going through proxy!" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "- ✅ CreateCacheEntry API call routed through proxy" >> $GITHUB_STEP_SUMMARY
echo "- ✅ FinalizeCacheEntryUpload API call routed through proxy" >> $GITHUB_STEP_SUMMARY
echo "- ✅ Blob storage upload routed through proxy" >> $GITHUB_STEP_SUMMARY
VERIFY_STATUS="success"
else
echo "⚠️ **WARNING**: Some expected cache traffic not found in proxy logs" >> $GITHUB_STEP_SUMMARY
VERIFY_STATUS="warning"
fi
# Detailed traffic logs
echo "" >> $GITHUB_STEP_SUMMARY
echo "<details>" >> $GITHUB_STEP_SUMMARY
echo "<summary>📋 Detailed Proxy Traffic Logs</summary>" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "#### Results Receiver Traffic (Cache API)" >> $GITHUB_STEP_SUMMARY
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
if [ -n "$RESULTS_RECEIVER_LINES" ]; then
echo "$RESULTS_RECEIVER_LINES" >> $GITHUB_STEP_SUMMARY
else
echo "(no results-receiver traffic found)" >> $GITHUB_STEP_SUMMARY
fi
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "#### Blob Storage Traffic (Cache Upload)" >> $GITHUB_STEP_SUMMARY
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
if [ -n "$BLOB_LINES" ]; then
echo "$BLOB_LINES" >> $GITHUB_STEP_SUMMARY
else
echo "(no blob storage traffic found)" >> $GITHUB_STEP_SUMMARY
fi
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "#### Full Squid Access Log" >> $GITHUB_STEP_SUMMARY
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
if [ -n "$ACCESS_LOG" ]; then
echo "$ACCESS_LOG" >> $GITHUB_STEP_SUMMARY
else
echo "(access log empty or not accessible)" >> $GITHUB_STEP_SUMMARY
fi
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
echo "</details>" >> $GITHUB_STEP_SUMMARY
# Also output to logs for debugging
echo ""
echo "=== Traffic Summary ==="
echo "Results-receiver requests: $RESULTS_RECEIVER_COUNT"
echo "Blob storage requests: $BLOB_COUNT"
echo "Verification status: $VERIFY_STATUS"
else
echo "⚠️ **WARNING**: Could not find Squid access log at $SQUID_LOG" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "Checking squid log directory..." >> $GITHUB_STEP_SUMMARY
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
ls -la /var/log/squid/ 2>&1 >> $GITHUB_STEP_SUMMARY || echo "Directory not found" >> $GITHUB_STEP_SUMMARY
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
echo "Could not find squid access log"
ls -la /var/log/squid/ 2>&1 || echo "Directory /var/log/squid not found"
fi
test-proxy-restore: test-proxy-restore:
needs: test-proxy-save needs: test-proxy-save
@ -357,46 +272,55 @@ jobs:
container: container:
image: ubuntu:latest image: ubuntu:latest
options: --privileged options: --privileged
services:
squid-proxy:
image: wernight/squid
ports:
- 3128:3128
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v5 uses: actions/checkout@v5
- name: Install dependencies and setup Squid proxy - name: Install dependencies
run: | run: |
apt-get update apt-get update
apt-get install -y iptables dnsutils curl jq ipset squid apt-get install -y iptables dnsutils curl jq ipset
# Configure squid for forward proxy
cat >> /etc/squid/squid.conf << 'EOF'
# Allow all traffic through proxy
http_access allow all
# Enable SSL bumping for HTTPS CONNECT
http_port 3128
EOF
# Start squid
service squid start
sleep 2
# Verify squid is running
if service squid status; then
echo "Squid proxy started successfully"
else
echo "Failed to start squid"
cat /var/log/squid/cache.log
exit 1
fi
- name: Fetch GitHub meta and configure firewall - name: Fetch GitHub meta and configure firewall
env:
http_proxy: http://127.0.0.1:3128
https_proxy: http://127.0.0.1:3128
run: | run: |
# Fetch GitHub meta API to get all IP ranges # Fetch GitHub meta API to get all IP ranges
echo "Fetching GitHub meta API..." echo "Fetching GitHub meta API..."
curl -sS https://api.github.com/meta > /tmp/github-meta.json curl -sS https://api.github.com/meta > /tmp/github-meta.json
# Proxy is on localhost # Wait for squid-proxy service to be resolvable and accepting connections
PROXY_IP="127.0.0.1" echo "Waiting for squid-proxy service..."
echo "Proxy IP: $PROXY_IP" for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15; do
PROXY_IP=$(getent hosts squid-proxy | awk '{ print $1 }')
if [ -n "$PROXY_IP" ]; then
echo "squid-proxy resolved to: $PROXY_IP"
# Test that proxy is actually accepting connections
if curl --connect-timeout 2 --max-time 5 -x http://squid-proxy:3128 -sS https://api.github.com/zen 2>/dev/null; then
echo "Proxy is working!"
break
else
echo "Attempt $i: Proxy resolved but not ready yet, waiting..."
fi
else
echo "Attempt $i: squid-proxy not resolvable yet, waiting..."
fi
sleep 2
done
if [ -z "$PROXY_IP" ]; then
echo "ERROR: Could not resolve squid-proxy after 15 attempts"
exit 1
fi
# Verify proxy works before locking down firewall
echo "Final proxy connectivity test..."
if ! curl --connect-timeout 5 --max-time 10 -x http://squid-proxy:3128 -sS https://api.github.com/zen; then
echo "ERROR: Proxy is not working properly"
exit 1
fi
echo "Proxy verified working!"
# Allow established connections # Allow established connections
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
@ -441,12 +365,10 @@ jobs:
iptables -I OUTPUT 1 -d "$ip" -p tcp --dport 443 -j REJECT iptables -I OUTPUT 1 -d "$ip" -p tcp --dport 443 -j REJECT
done done
# Block known blob storage endpoints used by cache # Block blob.core.windows.net (Azure blob storage used for cache)
# Resolve and block common productionresultssa*.blob.core.windows.net endpoints for host in productionresultssa0.blob.core.windows.net productionresultssa1.blob.core.windows.net productionresultssa2.blob.core.windows.net productionresultssa3.blob.core.windows.net; do
for i in 0 1 2 3 4 5 6 7 8 9 10 11 12; do for ip in $(getent ahosts "$host" 2>/dev/null | awk '{print $1}' | sort -u); do
BLOB_HOST="productionresultssa${i}.blob.core.windows.net" echo "Blocking direct access to blob storage ($host): $ip"
for ip in $(getent ahosts "$BLOB_HOST" 2>/dev/null | awk '{print $1}' | sort -u); do
echo "Blocking direct access to $BLOB_HOST: $ip"
iptables -I OUTPUT 1 -d "$ip" -p tcp --dport 443 -j REJECT iptables -I OUTPUT 1 -d "$ip" -p tcp --dport 443 -j REJECT
done done
done done
@ -460,158 +382,67 @@ jobs:
echo "" echo ""
echo "ipset github-ips contains $(ipset list github-ips | grep -c '^[0-9]') entries" echo "ipset github-ips contains $(ipset list github-ips | grep -c '^[0-9]') entries"
- name: Verify proxy enforcement - name: Verify proxy enforcement
env:
http_proxy: http://127.0.0.1:3128
https_proxy: http://127.0.0.1:3128
run: | run: |
echo "=== Testing proxy enforcement ===" echo "=== Testing proxy enforcement ==="
# Test 1: Direct connection to github.com should work (it's in allowed IPs) # Test 1: Verify proxy is working by explicitly using it
echo "Test 1: Direct connection to github.com (should SUCCEED - GitHub IP allowed)" echo "Test 1: Connection through proxy (should SUCCEED)"
if curl --connect-timeout 5 --max-time 10 --noproxy '*' -sSf -o /dev/null https://api.github.com/zen 2>/dev/null; then if curl --connect-timeout 10 --max-time 15 -x http://squid-proxy:3128 -sS -o /dev/null -w "%{http_code}" https://api.github.com/zen; then
echo "✓ Direct GitHub API access works (expected)" echo ""
echo "✓ Proxy connection works"
else else
echo "✗ Direct GitHub API access failed (unexpected but not critical)" echo "✗ ERROR: Proxy is not working!"
exit 1
fi fi
# Test 2: Direct connection to blob storage should FAIL # Test 2: Direct connection to blob storage should FAIL (blocked by iptables)
echo "" echo ""
echo "Test 2: Direct connection to blob storage (should FAIL - must use proxy)" echo "Test 2: Direct connection to blob storage (should FAIL - blocked by iptables)"
if curl --connect-timeout 5 --max-time 10 --noproxy '*' -sSf -o /dev/null https://productionresultssa0.blob.core.windows.net 2>/dev/null; then if curl --connect-timeout 5 --max-time 10 --noproxy '*' -sS https://productionresultssa0.blob.core.windows.net 2>/dev/null; then
echo "✗ ERROR: Direct blob storage connection succeeded but should have been blocked!" echo "✗ ERROR: Direct blob storage connection succeeded but should have been blocked!"
exit 1 exit 1
else else
echo "✓ Direct blob storage correctly blocked" echo "✓ Direct blob storage correctly blocked by iptables"
fi fi
# Test 3: Connection through proxy should work # Test 3: Connection to blob storage THROUGH proxy should work
echo "" echo ""
echo "Test 3: Connection through proxy to blob storage (should SUCCEED)" echo "Test 3: Connection through proxy to blob storage (should SUCCEED)"
# Using proxy (from env vars), we should be able to connect even if we get an HTTP error HTTP_CODE=$(curl --connect-timeout 10 --max-time 15 -x http://squid-proxy:3128 -sS -o /dev/null -w "%{http_code}" https://productionresultssa0.blob.core.windows.net 2>&1) || true
HTTP_CODE=$(curl --connect-timeout 5 --max-time 10 -sS -o /dev/null -w "%{http_code}" https://productionresultssa0.blob.core.windows.net 2>/dev/null || echo "000") echo "HTTP response code: $HTTP_CODE"
if [ "$HTTP_CODE" != "000" ]; then if [ "$HTTP_CODE" = "400" ] || [ "$HTTP_CODE" = "409" ] || [ "$HTTP_CODE" = "200" ]; then
echo "✓ Proxy connection works (HTTP $HTTP_CODE - connection succeeded through proxy)" echo "✓ Proxy successfully forwarded request to blob storage (got HTTP $HTTP_CODE)"
else else
echo "Note: Proxy connection may have failed, but that's OK if it's not a network block" echo "✗ ERROR: Proxy failed to forward request (got: $HTTP_CODE)"
exit 1
fi fi
echo ""
echo "=== All proxy enforcement tests passed ==="
echo "The proxy is working. If cache operations fail, it's because the action doesn't use the proxy."
- name: Restore cache - name: Restore cache
env: env:
http_proxy: http://127.0.0.1:3128 http_proxy: http://squid-proxy:3128
https_proxy: http://127.0.0.1:3128 https_proxy: http://squid-proxy:3128
uses: ./ uses: ./
with: with:
key: test-proxy-${{ github.run_id }} key: test-proxy-${{ github.run_id }}
path: test-cache path: test-cache
- name: Verify cache traffic went through proxy - name: Verify proxy setup
run: | run: |
echo "=== Verifying cache restore traffic went through proxy ===" echo "## 🔒 Proxy Integration Test - Cache Restore" >> $GITHUB_STEP_SUMMARY
# Read squid access log directly
SQUID_LOG="/var/log/squid/access.log"
# Initialize summary
echo "## 🔒 Proxy Traffic Verification - Cache Restore" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY
echo "### ✅ Test Configuration" >> $GITHUB_STEP_SUMMARY
if [ -f "$SQUID_LOG" ]; then echo "" >> $GITHUB_STEP_SUMMARY
echo "Found Squid access log at: $SQUID_LOG" echo "- **Proxy**: squid-proxy:3128" >> $GITHUB_STEP_SUMMARY
echo "- **Firewall**: iptables blocking direct access to cache endpoints" >> $GITHUB_STEP_SUMMARY
# Get the full access log echo "- **Test**: Cache restore operation completed successfully through proxy" >> $GITHUB_STEP_SUMMARY
ACCESS_LOG=$(cat "$SQUID_LOG" 2>/dev/null || echo "") echo "" >> $GITHUB_STEP_SUMMARY
echo "If the cache restore step succeeded, it means:" >> $GITHUB_STEP_SUMMARY
# Extract traffic details echo "1. Direct access to results-receiver.actions.githubusercontent.com was blocked" >> $GITHUB_STEP_SUMMARY
RESULTS_RECEIVER_LINES=$(echo "$ACCESS_LOG" | grep -i "results-receiver" || true) echo "2. Direct access to *.blob.core.windows.net was blocked" >> $GITHUB_STEP_SUMMARY
BLOB_LINES=$(echo "$ACCESS_LOG" | grep -i "blob.core.windows.net" || true) echo "3. Cache operations were routed through the squid proxy" >> $GITHUB_STEP_SUMMARY
RESULTS_RECEIVER_COUNT=$(echo "$ACCESS_LOG" | grep -ci "results-receiver" 2>/dev/null || echo "0") echo "" >> $GITHUB_STEP_SUMMARY
BLOB_COUNT=$(echo "$ACCESS_LOG" | grep -ci "blob.core.windows.net" 2>/dev/null || echo "0") echo "✅ **SUCCESS**: Proxy integration test passed!" >> $GITHUB_STEP_SUMMARY
# Build summary table
echo "### 📊 Traffic Summary" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "| Endpoint | Requests | Status |" >> $GITHUB_STEP_SUMMARY
echo "|----------|----------|--------|" >> $GITHUB_STEP_SUMMARY
if [ "$RESULTS_RECEIVER_COUNT" -gt 0 ]; then
echo "| results-receiver.actions.githubusercontent.com | $RESULTS_RECEIVER_COUNT | ✅ Proxied |" >> $GITHUB_STEP_SUMMARY
else
echo "| results-receiver.actions.githubusercontent.com | 0 | ⚠️ Not detected |" >> $GITHUB_STEP_SUMMARY
fi
if [ "$BLOB_COUNT" -gt 0 ]; then
echo "| *.blob.core.windows.net | $BLOB_COUNT | ✅ Proxied |" >> $GITHUB_STEP_SUMMARY
else
echo "| *.blob.core.windows.net | 0 | ⚠️ Not detected |" >> $GITHUB_STEP_SUMMARY
fi
echo "" >> $GITHUB_STEP_SUMMARY
# Verification result
echo "### 🎯 Verification Result" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
if [ "$RESULTS_RECEIVER_COUNT" -gt 0 ] && [ "$BLOB_COUNT" -gt 0 ]; then
echo "✅ **SUCCESS**: All cache restore traffic verified going through proxy!" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "- ✅ GetCacheEntryDownloadURL API call routed through proxy" >> $GITHUB_STEP_SUMMARY
echo "- ✅ Blob storage download routed through proxy" >> $GITHUB_STEP_SUMMARY
VERIFY_STATUS="success"
else
echo "⚠️ **WARNING**: Some expected cache traffic not found in proxy logs" >> $GITHUB_STEP_SUMMARY
VERIFY_STATUS="warning"
fi
# Detailed traffic logs
echo "" >> $GITHUB_STEP_SUMMARY
echo "<details>" >> $GITHUB_STEP_SUMMARY
echo "<summary>📋 Detailed Proxy Traffic Logs</summary>" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "#### Results Receiver Traffic (Cache API)" >> $GITHUB_STEP_SUMMARY
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
if [ -n "$RESULTS_RECEIVER_LINES" ]; then
echo "$RESULTS_RECEIVER_LINES" >> $GITHUB_STEP_SUMMARY
else
echo "(no results-receiver traffic found)" >> $GITHUB_STEP_SUMMARY
fi
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "#### Blob Storage Traffic (Cache Download)" >> $GITHUB_STEP_SUMMARY
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
if [ -n "$BLOB_LINES" ]; then
echo "$BLOB_LINES" >> $GITHUB_STEP_SUMMARY
else
echo "(no blob storage traffic found)" >> $GITHUB_STEP_SUMMARY
fi
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "#### Full Squid Access Log" >> $GITHUB_STEP_SUMMARY
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
if [ -n "$ACCESS_LOG" ]; then
echo "$ACCESS_LOG" >> $GITHUB_STEP_SUMMARY
else
echo "(access log empty or not accessible)" >> $GITHUB_STEP_SUMMARY
fi
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
echo "</details>" >> $GITHUB_STEP_SUMMARY
# Also output to logs for debugging
echo ""
echo "=== Traffic Summary ==="
echo "Results-receiver requests: $RESULTS_RECEIVER_COUNT"
echo "Blob storage requests: $BLOB_COUNT"
echo "Verification status: $VERIFY_STATUS"
else
echo "⚠️ **WARNING**: Could not find Squid access log at $SQUID_LOG" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "Checking squid log directory..." >> $GITHUB_STEP_SUMMARY
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
ls -la /var/log/squid/ 2>&1 >> $GITHUB_STEP_SUMMARY || echo "Directory not found" >> $GITHUB_STEP_SUMMARY
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
echo "Could not find squid access log"
ls -la /var/log/squid/ 2>&1 || echo "Directory /var/log/squid not found"
fi
- name: Verify cache - name: Verify cache
run: __tests__/verify-cache-files.sh proxy test-cache run: __tests__/verify-cache-files.sh proxy test-cache