appsec/graphql: add support for Threat Monitoring #1599
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: AppSec Tests | |
on: | |
workflow_call: # allows to reuse this workflow | |
inputs: | |
ref: | |
description: 'The branch to run the workflow on' | |
required: true | |
type: string | |
workflow_dispatch: # manually | |
schedule: # nightly | |
- cron: "0 0 * * *" | |
pull_request: # on pull requests touching appsec files | |
paths: | |
- '.github/workflows/appsec.yml' | |
- 'internal/appsec/**' | |
- 'appsec/**' | |
- 'contrib/**/appsec.go' | |
merge_group: # on merge groups touching appsec files | |
paths: | |
- '.github/workflows/appsec.yml' | |
- 'internal/appsec/**' | |
- 'appsec/**' | |
- 'contrib/**/appsec.go' | |
push: | |
branches: release-v* | |
env: | |
DD_APPSEC_WAF_TIMEOUT: 5s | |
JUNIT_REPORT: gotestsum-report.xml | |
TO_TEST: ./appsec/... ./internal/appsec/... ./contrib/google.golang.org/grpc/... ./contrib/net/http/... ./contrib/gorilla/mux/... ./contrib/go-chi/... ./contrib/labstack/echo.v4/... ./contrib/gin-gonic/gin/... | |
jobs: | |
native: | |
strategy: | |
matrix: | |
runs-on: [ macos-13, macos-12, macos-11, ubuntu-22.04, ubuntu-20.04 ] | |
go-version: [ "1.21", "1.20", "1.19" ] | |
cgo_enabled: [ "0", "1" ] # test it compiles with and without cgo | |
appsec_enabled: # test it compiles with and without appsec enabled | |
- DD_APPSEC_ENABLED=true | |
- DD_APPSEC_ENABLED=false | |
- "" # the env var is not defined so that the remote-config path can be taken | |
include: | |
- cgocheck: | |
GODEBUG=cgocheck=2 | |
- go-version: "1.21" | |
cgocheck: # 1.21 deprecates the GODEBUG=cgocheck=2 value, replacing it with GOEXPERIMENT=cgocheck2 | |
GOEXPERIMENT=cgocheck2 | |
fail-fast: false | |
runs-on: ${{ matrix.runs-on }} | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
ref: ${{ inputs.ref || github.ref }} | |
- uses: actions/setup-go@v3 | |
with: | |
go-version: ${{ matrix.go-version }} | |
- name: Go modules cache | |
uses: actions/cache@v3 | |
with: | |
path: ~/go/pkg/mod | |
key: go-pkg-mod-${{ hashFiles('**/go.sum') }} | |
restore-keys: go-pkg-mod- | |
- name: go test | |
shell: bash | |
run: | | |
env GOBIN=$PWD go install gotest.tools/gotestsum@latest | |
# Run the tests with gotestsum | |
env ${{ matrix.cgocheck }} CGO_ENABLED=${{ matrix.cgo_enabled }} ${{ matrix.appsec_enabled }} ./gotestsum --junitfile $JUNIT_REPORT -- -v $TO_TEST | |
- name: Upload the results to Datadog CI App | |
uses: ./.github/actions/dd-ci-upload | |
with: | |
dd-api-key: ${{ secrets.DD_CI_API_KEY }} | |
files: ${{ env.JUNIT_REPORT }} | |
tags: go:${{ matrix.go-version }},arch:${{ runner.arch }},os:${{ runner.os }} | |
# Tests cases were appsec end up being disable | |
waf-disabled: | |
strategy: | |
fail-fast: false | |
matrix: | |
go-args: [ "-tags datadog.no_waf", "-tags go1.22" ] | |
runs-on: [ macos-13, ubuntu-latest ] | |
appsec_enabled: | |
- DD_APPSEC_ENABLED=true | |
- "" # the env var is not defined so that the remote-config path can be taken | |
include: | |
- runs-on: windows-latest | |
go-args: "" | |
runs-on: ${{ matrix.runs-on }} | |
steps: | |
- uses: actions/checkout@v3 | |
- uses: actions/setup-go@v3 # TODO: rely on v4 which now provides github caching by default | |
with: | |
go-version: stable | |
- name: Go modules cache | |
uses: actions/cache@v3 | |
with: | |
path: ~/go/pkg/mod | |
key: go-pkg-mod-${{ hashFiles('**/go.sum') }} | |
restore-keys: go-pkg-mod- | |
- name: go test | |
shell: bash | |
run: | | |
env GOBIN=$PWD go install gotest.tools/gotestsum@latest | |
# Run the tests with gotestsum | |
env ${{ matrix.appsec_enabled }} ./gotestsum --junitfile $JUNIT_REPORT -- -v $TO_TEST | |
- name: Upload the results to Datadog CI App | |
uses: ./.github/actions/dd-ci-upload | |
with: | |
dd-api-key: ${{ secrets.DD_CI_API_KEY }} | |
files: ${{ env.JUNIT_REPORT }} | |
tags: go:${{ matrix.go-version }},arch:${{ runner.arch }},os:${{ runner.os }} | |
# Same tests but on the official golang container for linux | |
golang-linux-container: | |
runs-on: ubuntu-latest | |
container: | |
image: golang:${{ matrix.go-version }}-${{ matrix.distribution }} | |
strategy: | |
matrix: | |
go-version: [ "1.21", "1.20", "1.19" ] | |
distribution: [ bookworm, bullseye, buster, alpine ] | |
cgo_enabled: # test it compiles with and without cgo | |
- 0 | |
- 1 | |
appsec_enabled: # test it compiles with and without appsec enabled | |
- DD_APPSEC_ENABLED=true | |
- DD_APPSEC_ENABLED=false | |
- "" # the env var is not defined so that the remote-config path can be taken | |
exclude: | |
- go-version: "1.21" | |
distribution: buster | |
fail-fast: false | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
ref: ${{ inputs.ref || github.ref }} | |
# Install gcc and the libc headers on alpine images | |
- if: ${{ matrix.distribution == 'alpine' }} | |
run: apk add gcc musl-dev libc6-compat git | |
- name: Go modules cache | |
uses: actions/cache@v3 | |
with: | |
path: ~/go/pkg/mod | |
key: go-pkg-mod-${{ hashFiles('**/go.sum') }} | |
restore-keys: go-pkg-mod- | |
- name: go test | |
run: | | |
# Install gotestsum to get the results in a junit file | |
env GOBIN=$PWD go install gotest.tools/gotestsum@latest | |
# Run the tests with gotestsum | |
env CGO_ENABLED=${{ matrix.cgo_enabled }} ${{ matrix.appsec_enabled }} ./gotestsum --junitfile $JUNIT_REPORT -- -v $TO_TEST | |
- name: Upload the results to Datadog CI App | |
if: matrix.distribution != 'alpine' # datadog-ci CLI doesn't work on alpine | |
uses: ./.github/actions/dd-ci-upload | |
with: | |
dd-api-key: ${{ secrets.DD_CI_API_KEY }} | |
files: ${{ env.JUNIT_REPORT }} | |
tags: go:${{ matrix.go-version }},arch:${{ runner.arch }},os:${{ runner.os }},distribution:${{ matrix.distribution }} | |
linux-arm64: | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
cgo_enabled: # test it compiles with and without the cgo | |
- 0 | |
- 1 | |
appsec_enabled: # test it compiles with and without appsec enabled | |
- true | |
- false | |
fail-fast: false | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
ref: ${{ inputs.ref || github.ref }} | |
- name: Go modules cache | |
uses: actions/cache@v3 | |
with: | |
path: ~/go/pkg/mod | |
key: go-pkg-mod-${{ hashFiles('**/go.sum') }} | |
restore-keys: go-pkg-mod- | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v2 | |
with: | |
platforms: arm64 | |
- run: docker run --platform=linux/arm64 -v $PWD:$PWD -w $PWD -eCGO_ENABLED=${{ matrix.cgo_enabled }} -eDD_APPSEC_ENABLED=${{ matrix.appsec_enabled }} -eDD_APPSEC_WAF_TIMEOUT=$DD_APPSEC_WAF_TIMEOUT golang go test -v $TO_TEST | |
smoke-tests: | |
uses: DataDog/appsec-go-test-app/.github/workflows/smoke-tests.yml@main | |
if: inputs.ref != 'refs/heads/v2-dev' | |
with: | |
dd-trace-go-version: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }} | |
smoke-tests-v2: | |
# TODO(darccio): change to main branch on v2 release | |
uses: DataDog/appsec-go-test-app/.github/workflows/smoke-tests.yml@dario.castane/AIT-3705/dd-trace-go.v2 | |
if: inputs.ref == 'refs/heads/v2-dev' | |
with: | |
dd-trace-go-version: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }} |