AppSec Tests #1900
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: AppSec Tests | |
| on: | |
| workflow_call: # allows to reuse this workflow | |
| inputs: | |
| ref: | |
| description: 'The branch to run the workflow on' | |
| required: true | |
| type: string | |
| workflow_dispatch: # manually | |
| schedule: # nightly | |
| - cron: "0 0 * * *" | |
| pull_request: # on pull requests touching appsec files | |
| paths: | |
| - '.github/workflows/appsec.yml' | |
| - 'internal/appsec/**' | |
| - 'appsec/**' | |
| - 'contrib/**/appsec.go' | |
| merge_group: # on merge groups touching appsec files | |
| paths: | |
| - '.github/workflows/appsec.yml' | |
| - 'internal/appsec/**' | |
| - 'appsec/**' | |
| - 'contrib/**/appsec.go' | |
| push: | |
| branches: release-v* | |
| env: | |
| DD_APPSEC_WAF_TIMEOUT: 5s | |
| JUNIT_REPORT: /tmp/gotestsum-report | |
| jobs: | |
| native: | |
| strategy: | |
| matrix: | |
| runs-on: [ macos-13, macos-12, macos-11, ubuntu-22.04, ubuntu-20.04 ] | |
| go-version: [ "1.21", "1.20", "1.19" ] | |
| cgo_enabled: [ "0", "1" ] # test it compiles with and without cgo | |
| appsec_enabled: # test it compiles with and without appsec enabled | |
| - DD_APPSEC_ENABLED=true | |
| - DD_APPSEC_ENABLED=false | |
| - "" # the env var is not defined so that the remote-config path can be taken | |
| include: | |
| - cgocheck: | |
| GODEBUG=cgocheck=2 | |
| - go-version: "1.21" | |
| cgocheck: # 1.21 deprecates the GODEBUG=cgocheck=2 value, replacing it with GOEXPERIMENT=cgocheck2 | |
| GOEXPERIMENT=cgocheck2 | |
| fail-fast: false | |
| runs-on: ${{ matrix.runs-on }} | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| ref: ${{ inputs.ref || github.ref }} | |
| - uses: actions/setup-go@v3 | |
| with: | |
| go-version: ${{ matrix.go-version }} | |
| - name: Go modules cache | |
| uses: actions/cache@v3 | |
| with: | |
| path: ~/go/pkg/mod | |
| key: go-pkg-mod-${{ hashFiles('**/go.sum') }} | |
| restore-keys: go-pkg-mod- | |
| - name: go test | |
| shell: bash | |
| run: | | |
| go install gotest.tools/gotestsum@latest | |
| # Run the tests with gotestsum | |
| env ${{ matrix.cgocheck }} CGO_ENABLED=${{ matrix.cgo_enabled }} ${{ matrix.appsec_enabled }} ./.github/workflows/apps/appsec-test-contrib-submodules.sh | |
| - name: Upload the results to Datadog CI App | |
| uses: ./.github/actions/dd-ci-upload | |
| with: | |
| dd-api-key: ${{ secrets.DD_CI_API_KEY }} | |
| files: ${{ env.JUNIT_REPORT }}*.xml | |
| tags: go:${{ matrix.go-version }},arch:${{ runner.arch }},os:${{ runner.os }} | |
| # Tests cases were appsec end up being disable | |
| waf-disabled: | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| go-args: [ "-tags datadog.no_waf", "-tags go1.22" ] | |
| runs-on: [ macos-13, ubuntu-latest ] | |
| appsec_enabled: | |
| - DD_APPSEC_ENABLED=true | |
| - "" # the env var is not defined so that the remote-config path can be taken | |
| include: | |
| - runs-on: windows-latest | |
| go-args: "" | |
| runs-on: ${{ matrix.runs-on }} | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: actions/setup-go@v3 # TODO: rely on v4 which now provides github caching by default | |
| with: | |
| go-version: stable | |
| - name: Go modules cache | |
| uses: actions/cache@v3 | |
| with: | |
| path: ~/go/pkg/mod | |
| key: go-pkg-mod-${{ hashFiles('**/go.sum') }} | |
| restore-keys: go-pkg-mod- | |
| - name: go test | |
| shell: bash | |
| run: | | |
| go install gotest.tools/gotestsum@latest | |
| # Run the tests with gotestsum | |
| env ${{ matrix.appsec_enabled }} ./.github/workflows/apps/appsec-test-contrib-submodules.sh | |
| - name: Upload the results to Datadog CI App | |
| uses: ./.github/actions/dd-ci-upload | |
| with: | |
| dd-api-key: ${{ secrets.DD_CI_API_KEY }} | |
| files: ${{ env.JUNIT_REPORT }}*.xml | |
| tags: go:${{ matrix.go-version }},arch:${{ runner.arch }},os:${{ runner.os }} | |
| # Same tests but on the official golang container for linux | |
| golang-linux-container: | |
| runs-on: ubuntu-latest | |
| container: | |
| image: golang:${{ matrix.go-version }}-${{ matrix.distribution }} | |
| strategy: | |
| matrix: | |
| go-version: [ "1.21", "1.20", "1.19" ] | |
| distribution: [ bookworm, bullseye, buster, alpine ] | |
| cgo_enabled: # test it compiles with and without cgo | |
| - 0 | |
| - 1 | |
| appsec_enabled: # test it compiles with and without appsec enabled | |
| - DD_APPSEC_ENABLED=true | |
| - DD_APPSEC_ENABLED=false | |
| - "" # the env var is not defined so that the remote-config path can be taken | |
| exclude: | |
| - go-version: "1.21" | |
| distribution: buster | |
| fail-fast: false | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| ref: ${{ inputs.ref || github.ref }} | |
| # Install gcc and the libc headers on alpine images | |
| - if: ${{ matrix.distribution == 'alpine' }} | |
| run: apk add gcc musl-dev libc6-compat git bash | |
| - name: Go modules cache | |
| uses: actions/cache@v3 | |
| with: | |
| path: ~/go/pkg/mod | |
| key: go-pkg-mod-${{ hashFiles('**/go.sum') }} | |
| restore-keys: go-pkg-mod- | |
| - name: go test | |
| run: | | |
| # Install gotestsum to get the results in a junit file | |
| go install gotest.tools/gotestsum@latest | |
| # Run the tests with gotestsum | |
| env CGO_ENABLED=${{ matrix.cgo_enabled }} ${{ matrix.appsec_enabled }} /bin/bash ./.github/workflows/apps/appsec-test-contrib-submodules.sh | |
| - name: Upload the results to Datadog CI App | |
| if: matrix.distribution != 'alpine' # datadog-ci CLI doesn't work on alpine | |
| uses: ./.github/actions/dd-ci-upload | |
| with: | |
| dd-api-key: ${{ secrets.DD_CI_API_KEY }} | |
| files: ${{ env.JUNIT_REPORT }}*.xml | |
| tags: go:${{ matrix.go-version }},arch:${{ runner.arch }},os:${{ runner.os }},distribution:${{ matrix.distribution }} | |
| linux-arm64: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| cgo_enabled: # test it compiles with and without the cgo | |
| - 0 | |
| - 1 | |
| appsec_enabled: # test it compiles with and without appsec enabled | |
| - true | |
| - false | |
| fail-fast: false | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| ref: ${{ inputs.ref || github.ref }} | |
| - name: Go modules cache | |
| uses: actions/cache@v3 | |
| with: | |
| path: ~/go/pkg/mod | |
| key: go-pkg-mod-${{ hashFiles('**/go.sum') }} | |
| restore-keys: go-pkg-mod- | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v2 | |
| with: | |
| platforms: arm64 | |
| - run: | | |
| env CGO_ENABLED=${{ matrix.cgo_enabled }} DD_APPSEC_ENABLED=${{ matrix.appsec_enabled }} DD_APPSEC_WAF_TIMEOUT=$DD_APPSEC_WAF_TIMEOUT ./.github/workflows/apps/appsec-test-contrib-submodules.sh docker linux/arm64 | |
| smoke-tests: | |
| uses: DataDog/appsec-go-test-app/.github/workflows/smoke-tests.yml@main | |
| with: | |
| dd-trace-go-version: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }} |