ci: add fork CI/CD workflows and security config

mannie-exe · mannie-exe · commit 139a344e8f92 · 2026-02-28T09:31:41.000-08:00
- Add upstream sync workflow (weekly Monday 6am UTC, ff-only + rebase)
- Add Docker publish workflow (tag v*-h2c* → ghcr.io, Trivy scan)
- Add CodeQL analysis workflow for Go
- Add Dependabot config for Go modules and GitHub Actions
- Update check.yaml: Go 1.24 via go-version-file, actions to v6
- Remove semgrep.yml (requires Cloudflare private server)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,17 @@
+version: 2
+updates:
+  - package-ecosystem: gomod
+    directory: /
+    schedule:
+      interval: weekly
+    labels:
+      - dependencies
+      - go
+
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    labels:
+      - dependencies
+      - ci
diff --git a/.github/workflows/check.yaml b/.github/workflows/check.yaml
@@ -1,21 +1,29 @@
-on: [push, pull_request]
 name: Check
+
+on:
+  push:
+    branches: [master, feat/h2c-origin]
+  pull_request:
+    branches: [master, feat/h2c-origin]
+
 jobs:
   check:
     strategy:
       matrix:
-        go-version: [1.22.x]
         os: [ubuntu-latest, macos-latest, windows-latest]
     runs-on: ${{ matrix.os }}
     steps:
-    - name: Install Go
-      uses: actions/setup-go@v5
-      with:
-        go-version: ${{ matrix.go-version }}
-    - name: Checkout code
-      uses: actions/checkout@v4
-    - name: Allow unprivileged ICMP (Linux)
-      if: runner.os == 'Linux'
-      run: sudo sysctl -w net.ipv4.ping_group_range="0 2147483647"
-    - name: Test
-      run: make test
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+
+      - name: Allow unprivileged ICMP (Linux)
+        if: runner.os == 'Linux'
+        run: sudo sysctl -w net.ipv4.ping_group_range="0 2147483647"
+
+      - name: Test
+        run: make test
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,31 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [master, feat/h2c-origin]
+  pull_request:
+    branches: [master, feat/h2c-origin]
+  schedule:
+    - cron: "30 5 * * 1"
+
+permissions:
+  security-events: write
+  contents: read
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4
+        with:
+          languages: go
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v4
+
+      - name: Perform CodeQL analysis
+        uses: github/codeql-action/analyze@v4
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -0,0 +1,60 @@
+name: Docker publish
+
+on:
+  push:
+    tags:
+      - "v*-h2c*"
+  workflow_dispatch:
+
+permissions:
+  packages: write
+  contents: read
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: inherent-design/cloudflared
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=semver,pattern={{version}}
+            type=raw,value=latest-h2c
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          platforms: linux/amd64
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Trivy scan
+        uses: aquasecurity/trivy-action@0.34.0
+        with:
+          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest-h2c
+          format: table
+          exit-code: "1"
+          severity: CRITICAL,HIGH
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
diff --git a/.github/workflows/sync-upstream.yml b/.github/workflows/sync-upstream.yml
@@ -0,0 +1,66 @@
+name: Sync upstream
+
+on:
+  schedule:
+    - cron: "0 6 * * 1" # Monday 6am UTC
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  issues: write
+
+jobs:
+  sync:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Configure git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+      - name: Add upstream remote
+        run: git remote add upstream https://github.com/cloudflare/cloudflared.git || true
+
+      - name: Fetch upstream
+        run: git fetch upstream master
+
+      - name: Fast-forward master
+        run: |
+          git checkout master
+          git merge --ff-only upstream/master
+          git push origin master
+
+      - name: Rebase feature branch
+        id: rebase
+        continue-on-error: true
+        run: |
+          git checkout feat/h2c-origin
+          git rebase master
+          git push --force-with-lease origin feat/h2c-origin
+
+      - name: Open issue on conflict
+        if: steps.rebase.outcome == 'failure'
+        uses: actions/github-script@v8
+        with:
+          script: |
+            const existing = await github.rest.issues.listForRepo({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              state: 'open',
+              labels: 'upstream-conflict',
+            });
+            if (existing.data.length === 0) {
+              await github.rest.issues.create({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                title: 'Upstream sync conflict on feat/h2c-origin',
+                body: `The automatic rebase of \`feat/h2c-origin\` onto \`master\` failed.\n\nPlease resolve the conflict manually:\n\`\`\`bash\ngit fetch origin\ngit checkout feat/h2c-origin\ngit rebase origin/master\n# resolve conflicts\ngit push --force-with-lease origin feat/h2c-origin\n\`\`\`\n\nRun: ${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`,
+                labels: ['upstream-conflict'],
+              });
+            }
