Enable testing action as if it were called from another workflow #28
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Integration Tests | |
on: | |
push: | |
branches: | |
- main | |
- larose/use-action-by-name | |
pull_request: | |
branches: | |
- main | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
jobs: | |
audit: | |
runs-on: ${{ matrix.os }} | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ubuntu-22.04, ubuntu-24.04] | |
timeout-minutes: 2 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 | |
- name: Enable egress filtering | |
uses: ./ | |
with: | |
allowed-domains: | | |
*.google.com | |
- name: Make HTTP requests | |
run: | | |
curl https://www.google.com --output /dev/null | |
curl https://www.bing.com --max-time 3 --output /dev/null | |
block: | |
runs-on: ${{ matrix.os }} | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ubuntu-22.04, ubuntu-24.04] | |
timeout-minutes: 2 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 | |
- name: Enable egress filtering | |
uses: ./ | |
with: | |
allowed-domains: | | |
*.google.com | |
egress-policy: block | |
- name: Make HTTP requests | |
run: source test/make_http_requests.sh | |
- name: Make DNS requests | |
run: | | |
if dig example.com; then | |
echo 'Expected 'dig example.com' to fail, but it succeeded'; | |
exit 1; | |
fi; | |
if dig www.wikipedia.org; then | |
echo 'Expected 'dig www.wikipedia.org' to fail, but it succeeded'; | |
exit 1; | |
fi; | |
block-but-allow-any-dns-requests: | |
runs-on: ${{ matrix.os }} | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ubuntu-22.04, ubuntu-24.04] | |
timeout-minutes: 2 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 | |
- name: Enable egress filtering | |
uses: ./ | |
with: | |
allowed-domains: | | |
*.google.com | |
dns-policy: any | |
egress-policy: block | |
- name: Make HTTP requests | |
run: source test/make_http_requests.sh | |
- name: Make DNS requests | |
run: | | |
dig example.com | |
dig www.wikipedia.org | |
docker: | |
runs-on: ${{ matrix.os }} | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ubuntu-22.04, ubuntu-24.04] | |
timeout-minutes: 2 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 | |
- name: Enable egress filtering | |
uses: ./ | |
with: | |
allowed-ips: | | |
172.17.0.0/16 | |
allowed-domains: | | |
production.cloudflare.docker.com | |
docker.io | |
*.docker.io | |
www.google.com | |
egress-policy: block | |
- name: Test curl calls within Docker | |
run: | | |
docker run --rm --entrypoint sh alpine/curl:8.7.1 -c " | |
if ! curl https://www.google.com --max-time 5 --output /dev/null; then | |
echo 'Expected curl to www.google.com to succeed, but it failed'; | |
exit 1; | |
fi; | |
if curl https://www.bing.com --max-time 5 --output /dev/null; then | |
echo 'Expected curl to www.bing.com to fail, but it succeeded'; | |
exit 1; | |
fi; | |
" | |
- name: Nginx | |
run: source test/docker_nginx.sh | |
- name: Nginx with port forwarding | |
run: source test/docker_nginx_port_forwarding.sh | |
simulate-usage-in-another-workflow: | |
runs-on: ${{ matrix.os }} | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ubuntu-22.04, ubuntu-24.04] | |
timeout-minutes: 2 | |
steps: | |
# This job intentionally skips `actions/checkout` to simulate bullfrog's action as if it were called from another workflow. Refer to https://github.com/bullfrogsec/bullfrog/commit/3a3e5e03112ef726b3079d402415760c9021fa39 for details. | |
- uses: jenseng/dynamic-uses@02f544690a931f3967153cd5f14679cfeb61f830 | |
with: | |
uses: bullfrogsec/bullfrog@${{ github.sha }} | |
with: '{"allowed-domains": "www.google.com", "egress-policy": "block"}' | |
- name: Make HTTP requests | |
run: | | |
if ! curl https://www.google.com --output /dev/null; then | |
echo 'Expected curl to www.google.com to succeed, but it failed'; | |
exit 1; | |
fi; | |
if curl https://www.bing.com --max-time 5 --output /dev/null; then | |
echo 'Expected curl to www.bing.com to fail, but it succeeded'; | |
exit 1; | |
fi; |