Try dynamic-use #26
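# Integration tests for the egress-filtering action defined in this repository.
name: Integration Tests

# Runs on pushes to the listed branches and on pull requests targeting main.
on:
  push:
    branches:
      - main
      # NOTE(review): looks like a feature branch left in the push trigger;
      # confirm it is still needed.
      - larose/use-action-by-name
  pull_request:
    branches:
      - main

# Least privilege for GITHUB_TOKEN: the steps visible in this workflow only
# check out the repository and make network probes.
# NOTE(review): the local action and the test/*.sh scripts are not shown
# here; widen this if any of them needs more than read access.
permissions:
  contents: read

# One concurrency group per workflow and ref. cancel-in-progress is not set,
# so a run that is already in progress is not cancelled by a newer one.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}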
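jobs:
  # No egress-policy is set here, so the action runs with its default policy.
  # NOTE(review): presumably that default is audit-only, as the job name
  # suggests; confirm against action.yml.
  audit:
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-22.04, ubuntu-24.04]
    timeout-minutes: 2
    steps:
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
      - name: Enable egress filtering
        uses: ./
        with:
          allowed-domains: |
            *.google.com
      # Both requests have to succeed for this step to pass, including the
      # one to a domain that is not in allowed-domains.
      - name: Make HTTP requests
        run: |
          curl https://www.google.com --output /dev/null
          curl https://www.bing.com --max-time 3 --output /dev/null

  # Blocking mode with a single wildcard domain allowed; dns-policy is left
  # at the action's default.
  block:
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-22.04, ubuntu-24.04]
    timeout-minutes: 2
    steps:
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
      - name: Enable egress filtering
        uses: ./
        with:
          allowed-domains: |
            *.google.com
          egress-policy: block
      - name: Make HTTP requests
        run: source test/make_http_requests.sh
      # dig exits 0 whenever it receives any reply, including NXDOMAIN or
      # REFUSED, so these checks pass only when the query gets no reply.
      # NOTE(review): confirm that is how the action blocks DNS; if it answers
      # with an error response instead, compare the reply status, not $?.
      # The messages use double quotes outside so the inner single quotes
      # around the command are printed instead of ending the string.
      - name: Make DNS requests
        run: |
          if dig example.com; then
            echo "Expected 'dig example.com' to fail, but it succeeded";
            exit 1;
          fi;
          if dig www.wikipedia.org; then
            echo "Expected 'dig www.wikipedia.org' to fail, but it succeeded";
            exit 1;
          fi;

  # Same as the block job, but with dns-policy: any, so DNS lookups for
  # domains outside allowed-domains are expected to go through.
  block-but-allow-any-dns-requests:
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-22.04, ubuntu-24.04]
    timeout-minutes: 2
    steps:
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
      - name: Enable egress filtering
        uses: ./
        with:
          allowed-domains: |
            *.google.com
          dns-policy: any
          egress-policy: block
      - name: Make HTTP requests
        run: source test/make_http_requests.sh
      # dig's exit status only shows that some reply arrived, not that the
      # name resolved; an error response would still pass this step.
      - name: Make DNS requests
        run: |
          dig example.com
          dig www.wikipedia.org

  # Checks that the filter also applies to traffic from containers.
  docker:
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-22.04, ubuntu-24.04]
    timeout-minutes: 2
    steps:
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
      # NOTE(review): 172.17.0.0/16 is presumably Docker's default bridge
      # subnet and the docker.io / cloudflare entries are presumably there so
      # the image pull works; confirm against the test scripts.
      - name: Enable egress filtering
        uses: ./
        with:
          allowed-ips: |
            172.17.0.0/16
          allowed-domains: |
            production.cloudflare.docker.com
            docker.io
            *.docker.io
            www.google.com
          egress-policy: block
      # NOTE(review): the image is referenced by tag, which can be re-pointed,
      # while the actions above are pinned to commit SHAs. Append the digest
      # (alpine/curl:8.7.1@sha256:<digest-placeholder>) for the same guarantee.
      - name: Test curl calls within Docker
        run: |
          docker run --rm --entrypoint sh alpine/curl:8.7.1 -c "
            if ! curl https://www.google.com --max-time 5 --output /dev/null; then
              echo 'Expected curl to www.google.com to succeed, but it failed';
              exit 1;
            fi;
            if curl https://www.bing.com --max-time 5 --output /dev/null; then
              echo 'Expected curl to www.bing.com to fail, but it succeeded';
              exit 1;
            fi;
          "
      - name: Nginx
        run: source test/docker_nginx.sh
      - name: Nginx with port forwarding
        run: source test/docker_nginx_port_forwarding.sh

  # Consumes the action by repository name instead of by local path.
  use-by-name:
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-22.04, ubuntu-24.04]
    timeout-minutes: 2
    steps:
      # DO NOT use `actions/checkout`, we should run as if it was used in
      # another workflow. This is to make sure the action doesn't assume its
      # source code is at the root of the working directory. See
      # https://github.com/bullfrogsec/bullfrog/commit/3a3e5e03112ef726b3079d402415760c9021fa39
      #
      # `uses:` does not accept expressions, so dynamic-uses resolves the
      # reference at run time. The only interpolated value is github.sha, a
      # commit hash, and the wrapped action's inputs are a fixed JSON string.
      - uses: jenseng/dynamic-uses@02f544690a931f3967153cd5f14679cfeb61f830
        with:
          uses: bullfrogsec/bullfrog@${{ github.sha }}
          with: '{"allowed-domains": "www.google.com", "egress-policy": "block"}'
      # --max-time on the allowed request matches the docker job: a hung
      # connection fails with the message below instead of running into the
      # job timeout.
      - name: Make HTTP requests
        run: |
          if ! curl https://www.google.com --max-time 5 --output /dev/null; then
            echo 'Expected curl to www.google.com to succeed, but it failed';
            exit 1;
          fi;
          if curl https://www.bing.com --max-time 5 --output /dev/null; then
            echo 'Expected curl to www.bing.com to fail, but it succeeded';
            exit 1;
          fi;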