Commit Graph

46 Commits

Author SHA1 Message Date
Matthew Holt 6d25261c22
Expand and clarify security policy
While the Caddy project has had very few valid security bug reports over the years, we have a low signal-to-noise ratio with them (lots of invalid reports). Most are out of scope, and it can take too much valuable time for us to determine that. We would prefer researchers do this first. Hopefully these paragraphs spell out much more clearly what we do and don't accept.
2021-06-14 14:00:43 -06:00
Francis Lavoie 37718560c1
ci: Run CI on PRs targeting minor version branches (#4164)
We decided that we'll use branches like `2.4` as the target for any changes that we might want to release in a `2.4.x` version like `2.4.1`, so that we can continue to merge changes targeting the next minor release (e.g. `2.5.0`) on master.

Our CI config wasn't set up for this to work properly though, since it was only running checks on PRs targeting master. This should fix it.

I couldn't find a way to do a pattern to only match digits for the branch names from Github's docs, it just looks like a pretty generic glob syntax. But this should do until we get to 3.0
2021-05-12 00:26:16 -04:00
Simão Gomes Viana 28a4159933
CONTRIBUTING: fix spelling (#4070)
Minor spelling fixes to make this document even better
2021-03-19 07:37:43 -04:00
Francis Lavoie 5376e5113e
ci: Build and test on Go 1.16, bump minimum to 1.15 (#4024)
* ci: Build and test on Go 1.16

* ci: Drop Go 1.14 support
2021-02-18 07:09:49 -05:00
Mohammed Al Sahaf e2940c8c03
ci: update the command to run tests on the s390x machine (#3995) 2021-01-28 22:40:36 +00:00
Matthew Holt 4f64105fbb
Update docs 2021-01-08 16:00:36 -07:00
Mohammed Al Sahaf 1b453dd4fb
ci: force fetch the upstream tags (#3947) 2020-12-30 21:02:54 +00:00
Francis Lavoie 79f3af9927
ci: Add pushing to cloudsmith (#3941)
* ci: Add pushing to cloudsmith

* ci: Update comments, remove env TODO

* ci: Fix Cloudsmith installation by setting PATH

* docs: Add Cloudsmith attribution to README

* ci: Switch to keeping armv7 as the armhf .deb
2020-12-30 10:54:58 -07:00
Mohammed Al Sahaf 2b90cdba52
ci: reject tags if not signed by Matthew Holt's key (#3932)
* ci: reject tags if not signed by Matthew Holt's key

* ci: don't reject tags if an intermediate commits are not signed
2020-12-29 12:52:13 -07:00
Dave Henderson bd17eb205d
ci: Use golangci's github action for linting (#3794)
* ci: Use golangci's github action for linting

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* Fix most of the staticcheck lint errors

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* Fix the prealloc lint errors

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* Fix the misspell lint errors

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* Fix the varcheck lint errors

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* Fix the errcheck lint errors

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* Fix the bodyclose lint errors

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* Fix the deadcode lint errors

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* Fix the unused lint errors

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* Fix the gosec lint errors

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* Fix the gosimple lint errors

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* Fix the ineffassign lint errors

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* Fix the staticcheck lint errors

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* Revert the misspell change, use a neutral English

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* Remove broken golangci-lint CI job

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* Re-add errantly-removed weakrand initialization

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* don't break the loop and return

* Removing extra handling for null rootKey

* unignore RegisterModule/RegisterAdapter

Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com>

* single-line log message

Co-authored-by: Matt Holt <mholt@users.noreply.github.com>

* Fix lint after a1808b0dbf209c615e438a496d257ce5e3acdce2 was merged

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* Revert ticker change, ignore it instead

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* Ignore some of the write errors

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* Remove blank line

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* Use lifetime

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* close immediately

Co-authored-by: Matt Holt <mholt@users.noreply.github.com>

* Preallocate configVals

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* Update modules/caddytls/distributedstek/distributedstek.go

Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com>
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2020-11-22 14:50:29 -07:00
Matthew Holt 3db60e6cba Update contact info 2020-11-12 15:03:07 -07:00
Mohammed Al Sahaf 9e28f60aab
ci: remove the continuous fuzzing job (#3845)
Between Github Actions deprecting a command we use[0] and Fuzzit planning to deprecate their standalone service after being acquired by Gitlab[1][2], there are no reasons to keep this job.

[0] https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/

[1] https://about.gitlab.com/press/releases/2020-06-11-gitlab-acquires-peach-tech-and-fuzzit-to-expand-devsecops-offering.html

[2] https://fuzzit.dev/2020/06/11/news-fuzzit-is-acquired-by-gitlab/
2020-11-04 16:32:07 +00:00
Matt Holt 023d702f30
Update SECURITY.md 2020-10-01 17:11:10 -06:00
Francis Lavoie ecbc1f85c5
ci: Tweaks for multi go version tests (#3673) 2020-08-20 22:40:26 -04:00
Francis Lavoie 0279a57ac4
ci: Upgrade to Go 1.15 (#3642)
* ci: Try Go 1.15 RC1 out of curiosity

* Go 1.15 was released; let's try it

* Update to latest quic-go

* Attempt at fixing broken test

Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2020-08-20 14:04:10 -06:00
Matthew Holt e385be9225
Update comment and Caddy 1 EOL 2020-08-11 11:26:19 -06:00
Matt Holt 4accf737a6
ci: Ignore s390x failures (#3644)
As of early August 2020 the VM has been down for several days due to
lack of power due related to bad weather at the data center... sigh.
2020-08-06 14:17:40 -06:00
Mohammed Al Sahaf 399eff415c
ci: Include tracking of GOOS for which Caddy fails to build (#3617)
* ci: include tracking of GOOS for which Caddy fails to build

* ci: split cross-build check into separate workflow

* ci: cross-build check: make it clear the cross-build check is not a blocker

* ci: cross-build check: set annotation instead of failing the build

* ci: cross-build check: explicitly set continue-on-error to force success marker

* ci: cross-build check: send stderr to /dev/null

* ci: Simplify workflow names

Co-authored-by: Francis Lavoie <lavofr@gmail.com>
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2020-08-01 20:23:22 +00:00
Francis Lavoie 2d0f8831f8
ci: Fix another oops with publish workflow (#3536) 2020-06-30 15:36:17 -04:00
Francis Lavoie caca55e582
ci: Fix release publish trigger (#3524)
Looks like event payloads need to be prefixed with `github.event` to get the actual payload contents. Didn't dig deep enough.

https://help.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions#github-context
2020-06-26 16:00:54 -04:00
Francis Lavoie 61b7002d26
ci: Apparently only single-quote strings are supported (#3523)
https://help.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions#literals

https://github.com/caddyserver/caddy/actions/runs/147953515
2020-06-25 21:58:44 +00:00
Mohammed Al Sahaf 5b48f784ae
ci: don't run s390x tests on PRs of forks (#3494)
* ci: don't run s390x tests on PRs of forks

* ci: check if fork by matchinging name from event against name of repo
2020-06-12 19:51:04 +00:00
Mohammed Al Sahaf 7da32f493a
ci: skip s390x tests on forks (#3493) 2020-06-12 18:03:29 +00:00
Mohammed Al Sahaf 99dcc10f31
ci: add CI on s390x (#3463)
* ci: lay out foundation for s390x tests

* ci: uncomment the s390x test script & replace placeholders with real values

* ci: amend the s390x test job name to be more consistent with others
2020-06-12 17:11:46 +00:00
Francis Lavoie 7211101c52
ci: Fix gemfury upload condition, move triggers to publish event (#3483) 2020-06-08 12:21:20 -06:00
Francis Lavoie 21c1da101c
ci: Disable publishing .deb on beta tags (#3473) 2020-06-05 10:23:15 -06:00
Matt Holt 452d4726f7
Update SECURITY.md 2020-05-20 14:24:47 -06:00
Francis Lavoie 07c6076ea0
ci: Add release tagged event triggers to sister repos (#3321) 2020-05-06 16:42:55 -04:00
Dave Henderson 9408dacc27
Fixing goreleaser syntax error (#3355)
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
2020-05-06 00:50:30 +00:00
Francis Lavoie 5ae1a5617c
caddyhttp: Add split_path to file matcher (used by php_fastcgi) (#3302)
* matcher: Add `split_path` option to file matcher; used in php_fastcgi

* matcher: Skip try_files split if not the final part of the filename

* matcher: Add MatchFile tests

* matcher: Clarify SplitPath godoc
2020-04-27 14:46:46 -06:00
Francis Lavoie 768383a610
ci: Enable GoReleaser .deb support (#3309)
* ci: Enable GoReleaser .deb support

* ci: Test .deb build

* ci: Fix typo

* ci: Turn off snapshot (breaks due to go mod edit)

* ci: Force the tag to rc3 for now

* ci: Let's try to publish the .debs

* ci: Attempt to enable build cache, rebuild after fixed line endings

* ci: Fix yml dupe ID issue, add caddy-api.service

* ci: Split cache keys between files so they're separate

* ci: Fix bindir

* ci: Update the script files

* ci: Retrigger

* ci: Push to gemfury

* ci: Use loop, fix bad env var

* ci: Retrigger

* ci: Try to force blank password?

* ci: Check if the token is actually present

* ci: Cleanup, remove debugging stuff

* ci: Remove useless comment
2020-04-26 20:20:14 -06:00
Mohammed Al Sahaf bae4f15fad
ci: fuzz: remove the fuzzer of the Caddyfile parser (#3288) 2020-04-20 15:21:19 -06:00
Francis Lavoie 6963a72a63
ci: Cache the GOCACHE directory to speed up builds and tests (#3273)
* ci: Let's see if caching GOCACHE helps...

* ci: Use GOCACHE env instead (fixes windows), remove build -a

* ci: Hack to pull the GOCACHE env up to CI vars

* ci: Change cache key (mainly to wipe cache now)
2020-04-17 11:54:35 -06:00
Francis Lavoie 3c70950fa1
docs: Pull contributing document from v1 branch (#3270)
* docs: Pull contributing document from v1 branch

* Update .github/CONTRIBUTING.md

Co-Authored-By: Matt Holt <mholt@users.noreply.github.com>

* docs: [Responsible -> Coordinated] Disclosure

* docs: Link to the new security policy page

Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2020-04-16 18:32:42 -06:00
Matthew Holt 7c171542ed
Add security policy 2020-04-16 17:20:03 -06:00
Matt Holt 20f6795413
Create FUNDING.yml
I guess this got left in the v1 branch when we switched, oops
2020-04-03 09:07:14 -06:00
Mohammed Al Sahaf fdfe2ae53b
chore: ci: fix release action script (#3216)
* chore: ci: fixing the step name that captures the pushed tag

* chrore: ci: exclude commits prefixed with `ci:` from changelog
2020-04-02 16:44:44 -06:00
Mohammed Al Sahaf d2c15bea1b
ci: fuzz: remove fuzzing trigger on PR (#3195) 2020-03-26 18:34:12 -06:00
Mohammed Al Sahaf 8da9eaee34
ci: fuzz: switch engine from libfuzzer to native go-fuzz (#3194) 2020-03-26 18:20:34 -06:00
Mark Sargent ba08833b2a
ci: exclude integration tests for now (#3188)
A workaround for inconsistent results on Windows
2020-03-25 08:55:14 -06:00
Matthew Holt 9eecd698da Merge branch 'v2' of https://github.com/caddyserver/caddy 2020-03-24 23:14:27 -06:00
Mohammed Al Sahaf 0fa1a3b630
ci: preliminary CD with goreleaser (#3173)
* chore: ci: preliminary CD support

* chore: ci: split release process into its own workflow

* chore: ci: cleanup the ci.yml and .goreleaser.yml

* chore: ci: unshallowify the clone before searching for the closes tag

* chore: tidy up goreleaser config & the release githubaction

* chore: add --no-tty to gpg args

* chore: more gpg args

* chore: try with default gpg args by goreleaser

* chore: gpg...

* chore: set GPG_TTY

* chore: preset gpg conf

* Apply suggestions from code review

chore: tidy up the .goreleaser.yml

Co-Authored-By: Dave Henderson <dhenderson@gmail.com>

* chore: gpg debugging

* chore: set and export the tty for gpg

* chore: gpg..

* chore: use the exact same line from goreleaser-action README for singing

* chore: remove signing stanzas from ymls

* chore: clean up the release action for final submission

* quote the arguments of echo

Co-Authored-By: Francis Lavoie <lavofr@gmail.com>

Co-authored-by: Dave Henderson <dhenderson@gmail.com>
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2020-03-24 23:13:36 -06:00
Francis Lavoie 2491336c11
ci: Update branches to master (#3177)
* Update ci.yml

* Update fuzzing.yml
2020-03-23 14:26:53 -06:00
Francis Lavoie 2cab475ba5
ci: Improve build artifact file names (#3168) 2020-03-21 17:44:51 -06:00
Francis Lavoie c32f383a01
ci: Use matrix to set per-os variables (#3166)
Simplify cross-platform
2020-03-21 16:53:42 -06:00
Francis Lavoie 76ac28a624
ci: Switch to Github Actions (#3152)
* WIP: Trying to make a new branch

* Create fuzzing.yml

* Update ci.yml

* Try using reviewdog for golangci-lint

* Only run lint on ubuntu

* Whoops, wrong matrix variable

* Let's try just ubuntu for the moment

* Remove integration tests

* Let's see what the tree looks like (where's the binary)

* Let's plant a tree

* Let's look at another tree

* Burn the tree

* Let's build in the right dir

* Turn on publishing artifacts

* Add gobin to path

* Try running golangci-lint earlier

* Try running golangci-lint on its own, with checkout@v1

* Try moving golangci-lint back into ci.yml as a separate job

* Turn off azure-pipelines

* Remove the redundant name, see how it looks

* Trim down the naming some more

* Turn on windows and mac

* Try to fix windows build, cleanup

* Try to fix strange failure on windows

* Print our the coerce reason

* Apparently $? is 'True' on Windows, not 1 or 0

* Try setting CGO_ENABLED as an env in yml

* Try enabling/fixing the fuzzer

* Print out github event to check, fix step name

* Fuzzer needs the code

* Add GOBIN to PATH for fuzzer

* Comment out fork condition, left in-case we want it again

* Remove obsolete comment

* Comment out the coverage/test conversions for now

* Set continue-on-error: true for fuzzer, it runs out of mem

* Add some clarification to the retained commented sections
2020-03-20 08:38:44 -06:00