dash14
diff --git a/‎.github/workflows/docker-publish.yml‎
Lines changed: 63 additions & 0 deletions b/‎.github/workflows/docker-publish.yml‎
Lines changed: 63 additions & 0 deletions
diff --git a/‎.github/workflows/example-audit.yml‎
Lines changed: 41 additions & 0 deletions b/‎.github/workflows/example-audit.yml‎
Lines changed: 41 additions & 0 deletions
diff --git a/‎.github/workflows/example-restrict.yml‎
Lines changed: 45 additions & 0 deletions b/‎.github/workflows/example-restrict.yml‎
Lines changed: 45 additions & 0 deletions
diff --git a/‎.github/workflows/test.yml‎
Lines changed: 75 additions & 0 deletions b/‎.github/workflows/test.yml‎
Lines changed: 75 additions & 0 deletions
diff --git a/‎.github/workflows/update-major-tag.yml‎
Lines changed: 27 additions & 0 deletions b/‎.github/workflows/update-major-tag.yml‎
Lines changed: 27 additions & 0 deletions
diff --git a/‎Makefile‎
Lines changed: 66 additions & 0 deletions b/‎Makefile‎
Lines changed: 66 additions & 0 deletions
@@ -0,0 +1,63 @@
+name: Build and Push Docker Image
+run-name: Build and Push Docker Image (${{ github.ref_name }})
+
+on:
+  push:
+    tags:
+      - "v*.*"
+
+env:
+  DOCKERHUB_IMAGE: dash14/buildcage
+  GHCR_IMAGE: ghcr.io/dash14/buildcage
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ env.DOCKERHUB_IMAGE }}
+            ${{ env.GHCR_IMAGE }}
+          tags: |
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=raw,value=latest
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: docker
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
@@ -0,0 +1,41 @@
+name: Example (audit mode)
+
+on:
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Start buildcage builder
+        id: buildcage
+        uses: dash14/buildcage/setup@v1
+        with:
+          proxy_mode: audit
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          driver: remote
+          endpoint: ${{ steps.buildcage.outputs.endpoint }}
+
+      - name: Create test Dockerfile
+        run: |
+          mkdir -p /tmp/build-context
+          cat <<'EOF' > /tmp/build-context/Dockerfile
+          FROM node:24-alpine
+          WORKDIR /app
+          RUN npm init -y && npm install express
+          EOF
+
+      - name: Build test image
+        uses: docker/build-push-action@v6
+        with:
+          context: /tmp/build-context
+          push: false
+          no-cache: true
+
+      - name: Show proxy report
+        if: always()
+        uses: dash14/buildcage/report@v1
@@ -0,0 +1,45 @@
+name: Example (restrict mode)
+
+on:
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Start buildcage builder
+        id: buildcage
+        uses: dash14/buildcage/setup@v1
+        with:
+          proxy_mode: restrict
+          allowed_https_domains: registry.npmjs.org
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          driver: remote
+          endpoint: ${{ steps.buildcage.outputs.endpoint }}
+
+      - name: Create test Dockerfile
+        run: |
+          mkdir -p /tmp/build-context
+          cat <<'EOF' > /tmp/build-context/Dockerfile
+          FROM node:24-alpine
+          WORKDIR /app
+          RUN npm init -y && npm install express
+          RUN wget -q -O /dev/null --timeout=5 https://example.com/ || true
+          EOF
+
+      - name: Build test image
+        uses: docker/build-push-action@v6
+        with:
+          context: /tmp/build-context
+          push: false
+          no-cache: true
+
+      - name: Show proxy report
+        if: always()
+        uses: dash14/buildcage/report@v1
+        with:
+          fail_on_blocked: false
@@ -0,0 +1,75 @@
+name: Test
+run-name: Test (${{ github.ref_name }})
+
+on:
+  workflow_dispatch:
+
+  # push:
+  #   branches:
+  #     - main
+  # pull_request:
+  #   branches:
+  #     - main
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - mode: audit
+            proxy_mode: audit
+            test_dockerfile: test/Dockerfile.audit
+            assert_script: ./test/assert-audit-mode.sh
+          - mode: restrict
+            proxy_mode: restrict
+            test_dockerfile: test/Dockerfile.restrict
+            assert_script: ./test/assert-restrict-mode.sh
+
+    name: test (${{ matrix.mode }})
+
+    env:
+      COMPOSE_FILE: compose.yml:compose.test.yml
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Build containers
+        run: docker compose build
+
+      - name: Start containers
+        env:
+          PROXY_MODE: ${{ matrix.proxy_mode }}
+        run: docker compose up -d --wait
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          driver: remote
+          endpoint: tcp://localhost:1234
+
+      - name: Build test image
+        uses: docker/build-push-action@v6
+        with:
+          context: test
+          file: ${{ matrix.test_dockerfile }}
+          push: false
+          no-cache: true
+          load: true
+          tags: buildcage-test
+
+      - name: Show logs
+        if: always()
+        run: ./report/report.sh || true
+
+      - name: Run assertions
+        run: ${{ matrix.assert_script }}
+
+      - name: Cleanup
+        if: always()
+        run: docker compose down -v --rmi all 2>/dev/null || true
@@ -0,0 +1,27 @@
+name: Update major version tag
+
+on:
+  release:
+    types: [published]
+
+permissions:
+  contents: write
+
+jobs:
+  update-tag:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Extract major version
+        id: version
+        run: |
+          TAG="${GITHUB_REF_NAME}"            # e.g. v0.0.2
+          MAJOR="${TAG%%.*}"                   # e.g. v0
+          echo "major=$MAJOR" >> "$GITHUB_OUTPUT"
+
+      - name: Update major version tag
+        run: |
+          git tag -fa "${{ steps.version.outputs.major }}" -m "Update ${{ steps.version.outputs.major }} to ${{ github.ref_name }}"
+          git push origin "${{ steps.version.outputs.major }}" --force
@@ -0,0 +1,66 @@
+COMPOSE_FILE ?= compose.yml
+
+# Self-Documented Makefile
+.PHONY: help
+help:
+	@grep -E '^[a-zA-Z_0-9-]+(-%)?:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-20s\033[0m %s\n", $$1, $$2}'
+
+clean: ## Clean up all resources
+	@echo "Stopping and removing all containers..."
+	@docker buildx rm buildcage 2>/dev/null || true
+	@docker compose -f compose.yml -f compose.test.yml down -v --rmi all
+	@docker rmi buildcage-test 2>/dev/null || true
+
+run_audit_mode: ## Start in audit mode
+	@echo "Starting buildcage in AUDIT mode..."
+	@COMPOSE_FILE=$(COMPOSE_FILE) \
+	  PROXY_MODE=audit \
+	  ALLOWED_HTTP_DOMAINS="" \
+	  ALLOWED_HTTPS_DOMAINS="" \
+	  docker compose up -d --wait --build
+	@docker buildx rm buildcage 2>/dev/null || true
+	@echo "Creating buildx builder..."
+	@docker buildx create --bootstrap \
+		--name buildcage \
+		--driver remote tcp://localhost:1234
+
+run_restrict_mode: ## Start in restrict mode
+	@echo "Starting buildcage in RESTRICT mode..."
+	@COMPOSE_FILE=$(COMPOSE_FILE) \
+	  PROXY_MODE=restrict \
+	  ALLOWED_HTTP_DOMAINS="$${ALLOWED_HTTP_DOMAINS:-}" \
+	  ALLOWED_HTTPS_DOMAINS="$${ALLOWED_HTTPS_DOMAINS:-github.com,registry.npmjs.org,api.github.com,objects.githubusercontent.com,httpbin.org,deb.debian.org,*.githubusercontent.com}" \
+	  docker compose up -d --wait --build
+	@docker buildx rm buildcage 2>/dev/null || true
+	@echo "Creating buildx builder..."
+	@docker buildx create --bootstrap \
+		--name buildcage \
+		--driver remote tcp://localhost:1234
+
+.PHONY: test_restrict_mode
+test_restrict_mode: ## Run restrict mode tests
+	@echo "Running restrict mode tests..."
+	@COMPOSE_FILE=compose.yml:compose.test.yml \
+	  $(MAKE) run_restrict_mode
+	@docker buildx build --no-cache \
+	  --builder buildcage \
+	  --platform linux/arm64 \
+	  --progress=plain -f test/Dockerfile.restrict test/ \
+	  --load -t buildcage-test
+	@./report/report.sh || true
+	@./test/assert-restrict-mode.sh
+	@$(MAKE) clean
+
+.PHONY: test_audit_mode
+test_audit_mode: ## Run audit mode tests
+	@echo "Running audit mode tests..."
+	@COMPOSE_FILE=compose.yml:compose.test.yml \
+	  $(MAKE) run_audit_mode
+	@docker buildx build --no-cache \
+	  --builder buildcage \
+	  --platform linux/arm64 \
+	  --progress=plain -f test/Dockerfile.audit test/ \
+	  --load -t buildcage-test
+	@./report/report.sh || true
+	@./test/assert-audit-mode.sh
+	@$(MAKE) clean