curben
/
cloudflared-mirror
mirror of https://github.com/cloudflare/cloudflared.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

ci: add fork CI/CD workflows and security config 

- Add upstream sync workflow (weekly Monday 6am UTC, ff-only + rebase)
- Add Docker publish workflow (tag v*-h2c* → ghcr.io, Trivy scan)
- Add CodeQL analysis workflow for Go
- Add Dependabot config for Go modules and GitHub Actions
- Update check.yaml: Go 1.24 via go-version-file, actions to v6
- Remove semgrep.yml (requires Cloudflare private server)
This commit is contained in:
mannie-exe 2026-02-23 19:44:30 -08:00
parent 1415c1bc1b
commit 8850297df7
6 changed files with 195 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
.github/dependabot.yml vendored Normal file
View File

@ -0,0 +1,17 @@
version: 2
updates:
- package-ecosystem: gomod
directory: /
schedule:
interval: weekly
labels:
- dependencies
- go
- package-ecosystem: github-actions
directory: /
schedule:
interval: weekly
labels:
- dependencies
- ci

34
.github/workflows/check.yaml vendored
View File

@ -1,21 +1,29 @@
on: [push, pull_request]
name: Check
on:
push:
branches: [master, feat/h2c-origin]
pull_request:
branches: [master, feat/h2c-origin]
jobs:
check:
strategy:
matrix:
go-version: [1.22.x]
os: [ubuntu-latest, macos-latest, windows-latest]
runs-on: ${{ matrix.os }}
steps:
- name: Install Go
uses: actions/setup-go@v5
with:
go-version: ${{ matrix.go-version }}
- name: Checkout code
uses: actions/checkout@v4
- name: Allow unprivileged ICMP (Linux)
if: runner.os == 'Linux'
run: sudo sysctl -w net.ipv4.ping_group_range="0 2147483647"
- name: Test
run: make test
- name: Checkout code
uses: actions/checkout@v6
- name: Install Go
uses: actions/setup-go@v6
with:
go-version-file: go.mod
- name: Allow unprivileged ICMP (Linux)
if: runner.os == 'Linux'
run: sudo sysctl -w net.ipv4.ping_group_range="0 2147483647"
- name: Test
run: make test

31
.github/workflows/codeql.yml vendored Normal file
View File

@ -0,0 +1,31 @@
name: CodeQL
on:
push:
branches: [master, feat/h2c-origin]
pull_request:
branches: [master, feat/h2c-origin]
schedule:
- cron: "30 5 * * 1"
permissions:
security-events: write
contents: read
jobs:
analyze:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: go
- name: Autobuild
uses: github/codeql-action/autobuild@v4
- name: Perform CodeQL analysis
uses: github/codeql-action/analyze@v4

60
.github/workflows/docker-publish.yml vendored Normal file
View File

@ -0,0 +1,60 @@
name: Docker publish
on:
push:
tags:
- "v*-h2c*"
workflow_dispatch:
permissions:
packages: write
contents: read
env:
REGISTRY: ghcr.io
IMAGE_NAME: inherent-design/cloudflared
jobs:
build-and-push:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to GHCR
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=semver,pattern={{version}}
type=raw,value=latest-h2c
- name: Build and push
uses: docker/build-push-action@v6
with:
context: .
push: true
platforms: linux/amd64
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Trivy scan
uses: aquasecurity/trivy-action@0.34.0
with:
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest-h2c
format: table
exit-code: "1"
severity: CRITICAL,HIGH

24
.github/workflows/semgrep.yml vendored
View File

@ -1,24 +0,0 @@
on:
pull_request: {}
workflow_dispatch: {}
push:
branches:
- main
- master
schedule:
- cron: '0 0 * * *'
name: Semgrep config
jobs:
semgrep:
name: semgrep/ci
runs-on: ubuntu-latest
env:
SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
SEMGREP_URL: https://cloudflare.semgrep.dev
SEMGREP_APP_URL: https://cloudflare.semgrep.dev
SEMGREP_VERSION_CHECK_URL: https://cloudflare.semgrep.dev/api/check-version
container:
image: semgrep/semgrep
steps:
- uses: actions/checkout@v4
- run: semgrep ci

66
.github/workflows/sync-upstream.yml vendored Normal file
View File

@ -0,0 +1,66 @@
name: Sync upstream
on:
schedule:
- cron: "0 6 * * 1" # Monday 6am UTC
workflow_dispatch:
permissions:
contents: write
issues: write
jobs:
sync:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v6
with:
fetch-depth: 0
token: ${{ secrets.GITHUB_TOKEN }}
- name: Configure git
run: |
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
- name: Add upstream remote
run: git remote add upstream https://github.com/cloudflare/cloudflared.git || true
- name: Fetch upstream
run: git fetch upstream master
- name: Fast-forward master
run: |
git checkout master
git merge --ff-only upstream/master
git push origin master
- name: Rebase feature branch
id: rebase
continue-on-error: true
run: |
git checkout feat/h2c-origin
git rebase master
git push --force-with-lease origin feat/h2c-origin
- name: Open issue on conflict
if: steps.rebase.outcome == 'failure'
uses: actions/github-script@v8
with:
script: |
const existing = await github.rest.issues.listForRepo({
owner: context.repo.owner,
repo: context.repo.repo,
state: 'open',
labels: 'upstream-conflict',
});
if (existing.data.length === 0) {
await github.rest.issues.create({
owner: context.repo.owner,
repo: context.repo.repo,
title: 'Upstream sync conflict on feat/h2c-origin',
body: `The automatic rebase of \`feat/h2c-origin\` onto \`master\` failed.\n\nPlease resolve the conflict manually:\n\`\`\`bash\ngit fetch origin\ngit checkout feat/h2c-origin\ngit rebase origin/master\n# resolve conflicts\ngit push --force-with-lease origin feat/h2c-origin\n\`\`\`\n\nRun: ${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`,
labels: ['upstream-conflict'],
});
}