AppSec Tests #1258
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: AppSec Tests | |
| on: | |
| workflow_dispatch: # manually | |
| schedule: # nightly | |
| - cron: "0 0 * * *" | |
| pull_request: # on pull requests touching appsec files | |
| paths: | |
| - '.github/workflows/appsec.yml' | |
| - 'internal/appsec/**' | |
| - 'appsec/**' | |
| - 'contrib/**/appsec.go' | |
| merge_group: # on merge groups touching appsec files | |
| paths: | |
| - '.github/workflows/appsec.yml' | |
| - 'internal/appsec/**' | |
| - 'appsec/**' | |
| - 'contrib/**/appsec.go' | |
| push: | |
| branches: release-v* | |
| env: | |
| DD_APPSEC_WAF_TIMEOUT: 5s | |
| JUNIT_REPORT: gotestsum-report.xml | |
| TO_TEST: ./appsec/... ./internal/appsec/... ./contrib/google.golang.org/grpc/... ./contrib/net/http/... ./contrib/gorilla/mux/... ./contrib/go-chi/... ./contrib/labstack/echo.v4/... ./contrib/gin-gonic/gin/... | |
| jobs: | |
| native: | |
| strategy: | |
| matrix: | |
| runs-on: [ macos-13, macos-12, macos-11, ubuntu-22.04, ubuntu-20.04, windows-latest ] | |
| go-version: [ "1.21", "1.20", "1.19" ] | |
| cgo_enabled: # test it compiles with and without cgo | |
| - 0 | |
| - 1 | |
| build_tags: # test it compiles with and without the appsec build tag | |
| - "" | |
| - "appsec" | |
| appsec_enabled: # test it compiles with and without appsec enabled | |
| - true | |
| - false | |
| fail-fast: false | |
| runs-on: ${{ matrix.runs-on }} | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: actions/setup-go@v3 | |
| with: | |
| go-version: ${{ matrix.go-version }} | |
| - name: Go modules cache | |
| uses: actions/cache@v3 | |
| with: | |
| path: ~/go/pkg/mod | |
| key: go-pkg-mod-${{ hashFiles('**/go.sum') }} | |
| restore-keys: go-pkg-mod- | |
| - name: go test | |
| shell: bash | |
| run: | | |
| # 1.21 deprecates the GODEBUG=cgocheck=2 value, replacing it with GOEXPERIMENT=cgocheck2 | |
| # https://go.dev/doc/go1.21 (runtime section) | |
| if [[ ${{matrix['go-version']}} == '1.21' ]]; then | |
| export GOEXPERIMENT=cgocheck2 | |
| else | |
| export GODEBUG=cgocheck=2 | |
| fi | |
| # Install gotestsum to get the results in a junit file | |
| env GOBIN=$PWD go install gotest.tools/gotestsum@latest | |
| # Run the tests with gotestsum | |
| env CGO_ENABLED=${{ matrix.cgo_enabled }} DD_APPSEC_ENABLED=${{ matrix.appsec_enabled }} ./gotestsum --junitfile $JUNIT_REPORT -- -v -tags="${{matrix.build_tags}}" $TO_TEST | |
| - name: Upload the results to Datadog CI App | |
| uses: ./.github/actions/dd-ci-upload | |
| with: | |
| dd-api-key: ${{ secrets.DD_CI_API_KEY }} | |
| files: ${{ env.JUNIT_REPORT }} | |
| tags: go:${{ matrix.go-version }},arch:${{ runner.arch }},os:${{ runner.os }} | |
| # Same tests but on the official golang container for linux | |
| golang-linux-container: | |
| runs-on: ubuntu-latest | |
| container: | |
| image: golang:${{ matrix.go-version }}-${{ matrix.distribution }} | |
| strategy: | |
| matrix: | |
| go-version: [ "1.21", "1.20", "1.19" ] | |
| distribution: [ bookworm, bullseye, buster, alpine ] | |
| build_tags: # test it compiles with and without the appsec build tag | |
| - "" | |
| - "appsec" | |
| cgo_enabled: # test it compiles with and without cgo | |
| - 0 | |
| - 1 | |
| appsec_enabled: # test it compiles with and without appsec enabled | |
| - DD_APPSEC_ENABLED=true | |
| - DD_APPSEC_ENABLED=false | |
| - "" # the env var is not defined so that the remote-config path can be taken | |
| exclude: | |
| - go-version: "1.21" | |
| distribution: buster | |
| fail-fast: false | |
| steps: | |
| - uses: actions/checkout@v3 | |
| # Install gcc and the libc headers on alpine images | |
| - if: ${{ matrix.distribution == 'alpine' }} | |
| run: apk add gcc musl-dev libc6-compat git | |
| - name: Go modules cache | |
| uses: actions/cache@v3 | |
| with: | |
| path: ~/go/pkg/mod | |
| key: go-pkg-mod-${{ hashFiles('**/go.sum') }} | |
| restore-keys: go-pkg-mod- | |
| - name: go test | |
| run: | | |
| # Install gotestsum to get the results in a junit file | |
| env GOBIN=$PWD go install gotest.tools/gotestsum@latest | |
| # Run the tests with gotestsum | |
| env CGO_ENABLED=${{ matrix.cgo_enabled }} DD_APPSEC_ENABLED=${{ matrix.appsec_enabled }} ./gotestsum --junitfile $JUNIT_REPORT -- -v -tags="${{matrix.build_tags}}" $TO_TEST | |
| - name: Upload the results to Datadog CI App | |
| if: matrix.distribution != 'alpine' # datadog-ci CLI doesn't work on alpine | |
| uses: ./.github/actions/dd-ci-upload | |
| with: | |
| dd-api-key: ${{ secrets.DD_CI_API_KEY }} | |
| files: ${{ env.JUNIT_REPORT }} | |
| tags: go:${{ matrix.go-version }},arch:${{ runner.arch }},os:${{ runner.os }},distribution:${{ runner.distribution }} | |
| linux-arm64: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| cgo_enabled: # test it compiles with and without the cgo | |
| - 0 | |
| - 1 | |
| appsec_enabled: # test it compiles with and without appsec enabled | |
| - true | |
| - false | |
| fail-fast: false | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Go modules cache | |
| uses: actions/cache@v3 | |
| with: | |
| path: ~/go/pkg/mod | |
| key: go-pkg-mod-${{ hashFiles('**/go.sum') }} | |
| restore-keys: go-pkg-mod- | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v2 | |
| with: | |
| platforms: arm64 | |
| - run: docker run --platform=linux/arm64 -v $PWD:$PWD -w $PWD -eCGO_ENABLED=${{ matrix.cgo_enabled }} -eDD_APPSEC_ENABLED=${{ matrix.appsec_enabled }} -eDD_APPSEC_WAF_TIMEOUT=$DD_APPSEC_WAF_TIMEOUT golang go test -v -tags appsec $TO_TEST | |
| smoke-tests: | |
| uses: DataDog/appsec-go-test-app/.github/workflows/smoke-tests.yml@main | |
| with: | |
| dd-trace-go-version: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }} |