Merge pull request #1701 from actions/Link-/fix-proxy-integration-tests

Fix proxy integration tests
Add traffic sanity check step
2026-01-31 04:54:18 +08:00 · 2026-01-30 16:37:01 +01:00 · 2026-01-30 02:05:51 -08:00 · 2026-01-30 02:03:12 -08:00 · 2026-01-30 02:00:09 -08:00 · 2026-01-30 01:56:07 -08:00
2 changed files with 144 additions and 116 deletions
--- a/.github/workflows/workflow.yml
+++ b/.github/workflows/workflow.yml
@@ -90,15 +90,86 @@ jobs:
    runs-on: ubuntu-latest
    container:
      image: ubuntu:latest
-      options: --dns 127.0.0.1
+      options: --cap-add=NET_ADMIN
    services:
      squid-proxy:
        image: ubuntu/squid:latest
        ports:
          - 3128:3128
    env:
+      http_proxy: http://squid-proxy:3128
      https_proxy: http://squid-proxy:3128
    steps:
+    - name: Wait for proxy to be ready
+      shell: bash
+      run: |
+        echo "Waiting for squid proxy to be ready..."
+        echo "Resolving squid-proxy hostname:"
+        getent hosts squid-proxy || echo "DNS resolution failed"
+        for i in $(seq 1 30); do
+          if (echo > /dev/tcp/squid-proxy/3128) 2>/dev/null; then
+            echo "Proxy is ready!"
+            exit 0
+          fi
+          echo "Attempt $i: Proxy not ready, waiting..."
+          sleep 2
+        done
+        echo "Proxy failed to become ready"
+        exit 1
+      env:
+        http_proxy: ""
+        https_proxy: ""
+    - name: Install dependencies
+      run: |
+        apt-get update
+        apt-get install -y iptables curl
+    - name: Verify proxy is working
+      run: |
+        echo "Testing proxy connectivity..."
+        curl -s -o /dev/null -w "%{http_code}" --proxy http://squid-proxy:3128 http://github.com || true
+        echo "Proxy verification complete"
+    - name: Block direct traffic (enforce proxy usage)
+      run: |
+        # Get the squid-proxy container IP
+        PROXY_IP=$(getent hosts squid-proxy | awk '{ print $1 }')
+        echo "Proxy IP: $PROXY_IP"
+        
+        # Allow loopback traffic
+        iptables -A OUTPUT -o lo -j ACCEPT
+        
+        # Allow traffic to the proxy container
+        iptables -A OUTPUT -d $PROXY_IP -j ACCEPT
+        
+        # Allow established connections
+        iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+        
+        # Allow DNS (needed for initial resolution)
+        iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
+        iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
+        
+        # Block all other outbound traffic (HTTP/HTTPS)
+        iptables -A OUTPUT -p tcp --dport 80 -j REJECT
+        iptables -A OUTPUT -p tcp --dport 443 -j REJECT
+        
+        # Log the iptables rules for debugging
+        iptables -L -v -n
+    - name: Verify direct HTTPS is blocked
+      run: |
+        echo "Testing that direct HTTPS requests fail..."
+        if curl --noproxy '*' -s --connect-timeout 5 https://github.com > /dev/null 2>&1; then
+          echo "ERROR: Direct HTTPS request succeeded - blocking is not working!"
+          exit 1
+        else
+          echo "SUCCESS: Direct HTTPS request was blocked as expected"
+        fi
+        
+        echo "Testing that HTTPS through proxy succeeds..."
+        if curl --proxy http://squid-proxy:3128 -s --connect-timeout 10 https://github.com > /dev/null 2>&1; then
+          echo "SUCCESS: HTTPS request through proxy succeeded"
+        else
+          echo "ERROR: HTTPS request through proxy failed!"
+          exit 1
+        fi
    - name: Checkout
      uses: actions/checkout@v5
    - name: Generate files
@@ -114,15 +185,86 @@ jobs:
    runs-on: ubuntu-latest
    container:
      image: ubuntu:latest
-      options: --dns 127.0.0.1
+      options: --cap-add=NET_ADMIN
    services:
      squid-proxy:
        image: ubuntu/squid:latest
        ports:
          - 3128:3128
    env:
+      http_proxy: http://squid-proxy:3128
      https_proxy: http://squid-proxy:3128
    steps:
+    - name: Wait for proxy to be ready
+      shell: bash
+      run: |
+        echo "Waiting for squid proxy to be ready..."
+        echo "Resolving squid-proxy hostname:"
+        getent hosts squid-proxy || echo "DNS resolution failed"
+        for i in $(seq 1 30); do
+          if (echo > /dev/tcp/squid-proxy/3128) 2>/dev/null; then
+            echo "Proxy is ready!"
+            exit 0
+          fi
+          echo "Attempt $i: Proxy not ready, waiting..."
+          sleep 2
+        done
+        echo "Proxy failed to become ready"
+        exit 1
+      env:
+        http_proxy: ""
+        https_proxy: ""
+    - name: Install dependencies
+      run: |
+        apt-get update
+        apt-get install -y iptables curl
+    - name: Verify proxy is working
+      run: |
+        echo "Testing proxy connectivity..."
+        curl -s -o /dev/null -w "%{http_code}" --proxy http://squid-proxy:3128 http://github.com || true
+        echo "Proxy verification complete"
+    - name: Block direct traffic (enforce proxy usage)
+      run: |
+        # Get the squid-proxy container IP
+        PROXY_IP=$(getent hosts squid-proxy | awk '{ print $1 }')
+        echo "Proxy IP: $PROXY_IP"
+        
+        # Allow loopback traffic
+        iptables -A OUTPUT -o lo -j ACCEPT
+        
+        # Allow traffic to the proxy container
+        iptables -A OUTPUT -d $PROXY_IP -j ACCEPT
+        
+        # Allow established connections
+        iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+        
+        # Allow DNS (needed for initial resolution)
+        iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
+        iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
+        
+        # Block all other outbound traffic (HTTP/HTTPS)
+        iptables -A OUTPUT -p tcp --dport 80 -j REJECT
+        iptables -A OUTPUT -p tcp --dport 443 -j REJECT
+        
+        # Log the iptables rules for debugging
+        iptables -L -v -n
+    - name: Verify direct HTTPS is blocked
+      run: |
+        echo "Testing that direct HTTPS requests fail..."
+        if curl --noproxy '*' -s --connect-timeout 5 https://github.com > /dev/null 2>&1; then
+          echo "ERROR: Direct HTTPS request succeeded - blocking is not working!"
+          exit 1
+        else
+          echo "SUCCESS: Direct HTTPS request was blocked as expected"
+        fi
+        
+        echo "Testing that HTTPS through proxy succeeds..."
+        if curl --proxy http://squid-proxy:3128 -s --connect-timeout 10 https://github.com > /dev/null 2>&1; then
+          echo "SUCCESS: HTTPS request through proxy succeeded"
+        else
+          echo "ERROR: HTTPS request through proxy failed!"
+          exit 1
+        fi
    - name: Checkout
      uses: actions/checkout@v5
    - name: Restore cache
--- a/PR_TRIAGE_REPORT.md
+++ b/PR_TRIAGE_REPORT.md
@@ -1,114 +0,0 @@
-# Pull Request Triage Report for actions/cache
-
-*Generated: 2026-01-29*
-
-| PR Link | Author | Date Opened | Days Open | Category |
-|---------|--------|-------------|-----------|----------|
-| [#1700](https://github.com/actions/cache/pull/1700) | Copilot | 2026-01-29 | 0 | Other |
-| [#1689](https://github.com/actions/cache/pull/1689) | StephenHodgson | 2025-12-13 | 47 | New feature |
-| [#1683](https://github.com/actions/cache/pull/1683) | salmanmkc | 2025-12-11 | 49 | Documentation |
-| [#1672](https://github.com/actions/cache/pull/1672) | alinernunes15-a11y | 2025-11-07 | 83 | Documentation |
-| [#1671](https://github.com/actions/cache/pull/1671) | dulcekarma7u7-netizen | 2025-10-28 | 93 | Documentation |
-| [#1654](https://github.com/actions/cache/pull/1654) | timbaverstock-bmbl | 2025-09-22 | 129 | Documentation |
-| [#1639](https://github.com/actions/cache/pull/1639) | atoulme | 2025-08-08 | 174 | Documentation |
-| [#1638](https://github.com/actions/cache/pull/1638) | TNGBBK | 2025-08-07 | 175 | Documentation |
-| [#1605](https://github.com/actions/cache/pull/1605) | loic-bellinger | 2025-05-14 | 260 | Documentation |
-| [#1604](https://github.com/actions/cache/pull/1604) | stuartleeks | 2025-05-08 | 266 | New feature |
-| [#1587](https://github.com/actions/cache/pull/1587) | Yury-Fridlyand | 2025-04-06 | 298 | Documentation |
-| [#1571](https://github.com/actions/cache/pull/1571) | helly25 | 2025-03-11 | 324 | New feature |
-| [#1567](https://github.com/actions/cache/pull/1567) | KtorZ | 2025-03-07 | 328 | Documentation |
-| [#1536](https://github.com/actions/cache/pull/1536) | KyFaSt | 2025-01-22 | 372 | Security fix |
-| [#1516](https://github.com/actions/cache/pull/1516) | vorburger | 2024-12-12 | 413 | Documentation |
-| [#1514](https://github.com/actions/cache/pull/1514) | lima-limon-inc | 2024-12-11 | 414 | Documentation |
-| [#1493](https://github.com/actions/cache/pull/1493) | EnricoMi | 2024-11-04 | 451 | New feature |
-| [#1472](https://github.com/actions/cache/pull/1472) | mustafacco7 | 2024-10-18 | 468 | Documentation |
-| [#1451](https://github.com/actions/cache/pull/1451) | karlhorky | 2024-08-13 | 534 | Documentation |
-| [#1439](https://github.com/actions/cache/pull/1439) | rusty-key | 2024-07-23 | 555 | Documentation |
-| [#1436](https://github.com/actions/cache/pull/1436) | llakala | 2024-07-19 | 559 | New feature |
-| [#1378](https://github.com/actions/cache/pull/1378) | Olegt0rr | 2024-04-16 | 653 | Other |
-| [#1374](https://github.com/actions/cache/pull/1374) | itchyny | 2024-04-14 | 655 | Other |
-| [#1337](https://github.com/actions/cache/pull/1337) | marco-cpd | 2024-02-23 | 706 | Bug fix |
-| [#1328](https://github.com/actions/cache/pull/1328) | vorburger | 2024-02-16 | 713 | Documentation |
-| [#1312](https://github.com/actions/cache/pull/1312) | Mogyuchi | 2024-01-28 | 732 | Documentation |
-| [#1308](https://github.com/actions/cache/pull/1308) | PrinsFrank | 2024-01-22 | 738 | New feature |
-| [#1290](https://github.com/actions/cache/pull/1290) | joseluisq | 2023-12-01 | 790 | Documentation |
-| [#1283](https://github.com/actions/cache/pull/1283) | IanButterworth | 2023-11-18 | 803 | Documentation |
-| [#1282](https://github.com/actions/cache/pull/1282) | jlanga | 2023-11-17 | 804 | New feature |
-| [#1252](https://github.com/actions/cache/pull/1252) | Magnus167 | 2023-10-01 | 851 | Documentation |
-| [#1248](https://github.com/actions/cache/pull/1248) | Fishrock123 | 2023-09-25 | 857 | Documentation |
-| [#1231](https://github.com/actions/cache/pull/1231) | kbdharun | 2023-09-05 | 877 | Other |
-| [#1222](https://github.com/actions/cache/pull/1222) | dsame | 2023-08-23 | 890 | Documentation |
-| [#1191](https://github.com/actions/cache/pull/1191) | Yakiyo | 2023-06-15 | 959 | Documentation |
-| [#1185](https://github.com/actions/cache/pull/1185) | jorendorff | 2023-06-12 | 962 | Documentation |
-| [#1184](https://github.com/actions/cache/pull/1184) | byrgulle12 | 2023-06-09 | 965 | Spam candidate |
-| [#1183](https://github.com/actions/cache/pull/1183) | pgrange | 2023-06-08 | 966 | Bug fix |
-| [#1167](https://github.com/actions/cache/pull/1167) | tommy-gilligan | 2023-05-04 | 1001 | Documentation |
-| [#1160](https://github.com/actions/cache/pull/1160) | rikhuijzer | 2023-04-24 | 1011 | Documentation |
-| [#1159](https://github.com/actions/cache/pull/1159) | rodrigoalcarazdelaosa | 2023-04-23 | 1012 | Documentation |
-| [#1096](https://github.com/actions/cache/pull/1096) | Lord-Kamina | 2023-01-31 | 1094 | New feature |
-| [#876](https://github.com/actions/cache/pull/876) | bchen1029 | 2022-07-26 | 1283 | Bug fix |
-| [#726](https://github.com/actions/cache/pull/726) | robinp | 2022-02-05 | 1454 | Documentation |
-| [#717](https://github.com/actions/cache/pull/717) | jsoref | 2022-01-23 | 1467 | New feature |
-| [#677](https://github.com/actions/cache/pull/677) | planetmarshall | 2021-11-14 | 1537 | Documentation |
-| [#673](https://github.com/actions/cache/pull/673) | TimoRoth | 2021-11-08 | 1543 | New feature |
-| [#557](https://github.com/actions/cache/pull/557) | melvyn-apryl | 2021-03-27 | 1769 | Documentation |
-| [#498](https://github.com/actions/cache/pull/498) | eyal0 | 2021-01-04 | 1851 | New feature |
-| [#402](https://github.com/actions/cache/pull/402) | vlsi | 2020-08-19 | 1989 | Documentation |
-| [#325](https://github.com/actions/cache/pull/325) | mzabaluev | 2020-05-24 | 2076 | Documentation |
-| [#268](https://github.com/actions/cache/pull/268) | FinalDes | 2020-04-21 | 2109 | Documentation |
-| [#234](https://github.com/actions/cache/pull/234) | evandrocoan | 2020-03-27 | 2134 | Documentation |
-
-## Summary by Category
-
-| Category | Count |
-|----------|-------|
-| Documentation | 31 |
-| New feature | 11 |
-| Bug fix | 3 |
-| Other | 4 |
-| Security fix | 1 |
-| Spam candidate | 1 |
-| **Total** | **51** |
-
-## Category Definitions
-
- **New feature**: PRs that add new functionality or capabilities to the cache action
- **Bug fix**: PRs that fix issues or incorrect behavior in the existing code
- **Security fix**: PRs that address security concerns or add security-related documentation
- **Documentation**: PRs that add/update README, examples, or other documentation
- **Spam candidate**: PRs with unclear purpose, incomplete/garbled content, or no meaningful changes
- **Other**: PRs that don't fit into the above categories (e.g., refactoring, dependency updates)
-
-## Detailed Analysis Notes
-
-### Documentation PRs (31)
-Most open PRs are documentation improvements, including:
- New caching examples (pnpm, opam, Docker, ASDF, Bazel, Hugo, Dart, etc.)
- Clarifications on existing behavior (path matching, cache-hit output, key rendering)
- Updated links and references
- README improvements
-
-### New Feature PRs (11)
-Feature requests include:
- Conditional save options (`save-on-success`, `save` input)
- Force-overwrite capability for existing caches
- New outputs (cachePath, cache-primary-key)
- Compression level control
- Cache refresh/update mechanisms
-
-### Bug Fix PRs (3)
- #1337: Adjusts storage warning message with incorrect limit
- #1183: Fixes cabal store path for Ubuntu
- #876: Fixes cache-hit value when cache not found
-
-### Security Fix PRs (1)
- #1536: Adds recommended minimum permissions to README (by GitHub staff member)
-
-### Spam Candidate PRs (1)
- #1184: Unclear PR with garbled Turkish text in title, renames file with no meaningful changes
-
-### Other PRs (4)
- #1700: This current WIP triage PR
- #1378: Bumps action versions in examples
- #1374: Code refactoring (avoids re-evaluation of key input)
- #1231: Updates actions/checkout to v4 in workflows
Author	SHA1	Message	Date
Bassem Dghaidi	b7e8d49f17	Merge pull request #1701 from actions/Link-/fix-proxy-integration-tests Some checks failed Check dist content / Check dist/ (push) Failing after 0s Details Tests / build (macOS-latest) (push) Waiting to run Details Tests / build (windows-latest) (push) Waiting to run Details Tests / test-save (macOS-latest) (push) Waiting to run Details Tests / test-save (windows-latest) (push) Waiting to run Details Tests / test-restore (macOS-latest) (push) Blocked by required conditions Details Tests / test-restore (ubuntu-latest) (push) Blocked by required conditions Details Tests / test-restore (windows-latest) (push) Blocked by required conditions Details Tests / test-save (ubuntu-latest) (push) Successful in 6s Details Code scanning / CodeQL-Build (push) Failing after 14s Details Tests / build (ubuntu-latest) (push) Successful in 37s Details Tests / test-proxy-save (push) Failing after 50s Details Tests / test-proxy-restore (push) Has been skipped Details License check / Check licenses (push) Failing after 1m8s Details Fix proxy integration tests	2026-01-30 16:37:01 +01:00
Bassem Dghaidi	984a21b1cb	Add traffic sanity check step Some checks failed Code scanning / CodeQL-Build (push) Failing after 11s Details	2026-01-30 02:05:51 -08:00
Bassem Dghaidi	acf2f1f76a	Fix resolution	2026-01-30 02:03:12 -08:00
Bassem Dghaidi	95a07c5132	Add wait for proxy	2026-01-30 02:00:09 -08:00
Bassem Dghaidi	90e4fae240	Rewrite and simplify	2026-01-30 01:56:07 -08:00