owasp-modsecurity / ModSecurity-nginx

ModSecurity v3 Nginx Connector
Apache License 2.0

feat: added Github CI workflow #317

Closed airween closed 2 months ago

airween commented 3 months ago

Added .github/workflow/ci.yml and necessary files with a complex test workflow for each PR.

A brief summary of how it works:

airween commented 2 months ago

@theseion many thanks for your suggestion. Please review it again; if everything is fine, I'm going to merge it.

theseion commented 2 months ago

Looks to me like you were trying to set environment variables from scripts, but scripts are isolated, so export will have no effect on the next script (neither will a cd at the end of a script block btw). What you should do instead is setting the environment variable for the step, like so:

      - name: Build nginx with ModSecurity-nginx module
        working-directory: nginx
        env:
          CC: "${{ matrix.compiler }}"
        run: |
          echo "Compiler: ${CC}"

          ./auto/configure --with-ld-opt="-Wl,-rpath,/usr/local/lib" --without-pcre2 --add-module=/home/runner/work/ModSecurity-nginx/ModSecurity-nginx/ModSecurity-nginx
          make
          make modules
          sudo make install

airween commented 2 months ago

> What you should do instead is setting the environment variable for the step, like so:

Thanks!

How can I use environment variables in evaluation, e.g. in an if statement?

    if [ matrix.compiler == "gcc" ]; then
        ...

${{ matrix.compiler }} is not good, because it's the evaluated value (literally "gcc").

theseion commented 2 months ago

By passing it through an environment variable like so:

    - name: a script
      env:
        COMPILER: "${{ matrix.compiler }}"
      run: |
        if [ "${COMPILER}" == "gcc" ]; then
          ...

airween commented 2 months ago

> By passing it through an environment variable like so:
>
>     - name: a script
>       env:
>         COMPILER: "${{ matrix.compiler }}"
>       run: |
>         if [ "${COMPILER}" == "gcc" ]; then
>           ...

I'm afraid in this case the evaluated code will be something similar:

    if [ "gcc" == "gcc" ]; then

which is always true.
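
An added sketch, not part of this PR or of the runner's own code, that simulates in plain bash the two mechanisms discussed in this thread: each `run:` block executes in its own shell process, and a matrix value can reach the script either through the step's `env:` or by substitution into the script text. The helper names, the variable `DEMO_CC` and the second matrix value `clang` are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Constructed simulation of how `run:` blocks are executed; not the runner's code.
# Assumptions: every step is its own bash process; "clang" is a made-up second
# matrix value next to the "gcc" from the thread.

# run_step [NAME=value] SCRIPT
# Run one step's script in a fresh shell, optionally with one `env:` entry.
run_step() (
  if [ "$#" -eq 2 ]; then
    env "$1" bash -e -c "$2"
  else
    bash -e -c "$1"
  fi
)

# render TEMPLATE VALUE
# Substitute the expression into the script text, which is what happens to an
# inline ${{ matrix.compiler }} before the shell starts. VALUE must not
# contain '/' or '&' (sed replacement metacharacters).
render() {
  printf '%s\n' "$1" | sed 's/[$]{{ matrix\.compiler }}/'"$2"'/g'
}

ENV_SCRIPT='if [ "${COMPILER}" == "gcc" ]; then echo gcc-branch; else echo other-branch; fi'
INLINE_SCRIPT='if [ "${{ matrix.compiler }}" == "gcc" ]; then echo gcc-branch; else echo other-branch; fi'

# Branch taken when the value arrives through the step's env (as data).
env_branch() { run_step "COMPILER=$1" "$ENV_SCRIPT"; }

# Branch taken when the value is substituted into the script source.
inline_branch() { run_step "$(render "$INLINE_SCRIPT" "$1")"; }

# A first step exports a variable and changes directory; a second step then
# reports what it can see of that variable.
isolation_demo() {
  unset DEMO_CC
  run_step 'export DEMO_CC=clang; cd /'
  run_step 'echo "${DEMO_CC:-unset}"'
}

for compiler in gcc clang; do
  echo "matrix.compiler=$compiler"
  echo "  env form runs:    $ENV_SCRIPT"
  echo "  inline form runs: $(render "$INLINE_SCRIPT" "$compiler")"
  echo "  branches: env=$(env_branch "$compiler") inline=$(inline_branch "$compiler")"
done
echo "variable exported by the previous step: $(isolation_demo)"
```

With the `env:` form the script text is identical on every matrix leg and only the variable's value differs; with the inline form the text itself changes per leg.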

sonarcloud[bot] commented 2 months ago

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication


airween commented 2 months ago

See the newest clear version: #318.