chore: update QEMU to v9.2.0 #533
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Verify Images | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| env: | |
| # In the case of a PR we want to push to the registry of the forked repository | |
| REPO: "ghcr.io/${{ github.repository }}" | |
| # sha256sum format: <hash><space><format (space for text)><file name> | |
| MODSECURITY_RECOMMENDED: "ccff8ba1f12428b34ff41960d8bf773dd9f62b9a7c77755247a027cb01896d4f modsecurity.conf-recommended" | |
| jobs: | |
| prepare: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| targets: ${{ steps.generate.outputs.targets }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: List targets | |
| id: generate | |
| uses: docker/bake-action/subaction/list-targets@v4 | |
| - name: Check modsecurity recommended | |
| run: | | |
| curl -sSL https://raw.githubusercontent.com/owasp-modsecurity/ModSecurity/v3/master/modsecurity.conf-recommended -o modsecurity.conf-recommended | |
| echo '${{ env.MODSECURITY_RECOMMENDED }}' > sha256sum.txt | |
| sha256sum -c sha256sum.txt | |
| build: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - prepare | |
| strategy: | |
| matrix: | |
| target: ${{ fromJson(needs.prepare.outputs.targets) }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 1 | |
| # https://github.com/docker/setup-qemu-action | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| with: | |
| image: tonistiigi/binfmt:qemu-v9.2.0 | |
| # https://github.com/docker/setup-buildx-action | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| with: | |
| driver-opts: image=moby/buildkit:master | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build and push verification images | |
| uses: docker/[email protected] | |
| env: | |
| # push only to GHCR | |
| REPOS: "${REPO}" | |
| with: | |
| files: | | |
| ./docker-bake.hcl | |
| targets: ${{ matrix.target }} | |
| # Build only linux/amd64 and tag the images as verification builds. | |
| # This way we can pull images after verification and test them manually, if we need to. | |
| set: | | |
| *.platform=linux/amd64 | |
| ${{ matrix.target }}.tags=${{ env.REPO }}:${{ matrix.target }}-verification | |
| load: true | |
| push: true | |
| - name: Run ${{ matrix.target }} | |
| run: | | |
| . .github/workflows/configure-rules-for-test.sh \ | |
| src/opt/modsecurity/configure-rules.conf \ | |
| README.md \ | |
| "${{ matrix.target }}.env" | |
| echo "Starting container ${{ matrix.target }}-verification" | |
| docker run \ | |
| --pull "never" \ | |
| -d \ | |
| --name ${{ matrix.target }}-test \ | |
| --env-file "${{ matrix.target }}.env" \ | |
| "${REPO}:${{ matrix.target }}-verification" | |
| sleep 30 | |
| docker logs ${{ matrix.target }}-test | |
| - name: Verify ${{ matrix.target }} | |
| run: | | |
| [ $(docker inspect ${{ matrix.target }}-test --format='{{.State.Running}}') = 'true' ] | |
| if grep -q "nginx "<<< "${{ matrix.target }}"; then | |
| curl -q -D headers.txt http://localhost:8080/?test=../../etc/passwd | |
| grep -q "HTTP/1.1 403 Forbidden" headers.txt | |
| grep -q "Access-Control-Allow-Origin: *" headers.txt | |
| grep -q "Access-Control-Max-Age: 3600" headers.txt | |
| grep -q "Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS" headers.txt | |
| grep -q "Access-Control-Allow-Headers: *" headers.txt | |
| fi |