AikidoSec · hansott · Dec 15, 2025 · Dec 12, 2025 · Dec 15, 2025
diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
@@ -1,12 +1,15 @@
 name: 📊 Benchmark
+
 on:
-  push: {}
   workflow_call: {}
+
 permissions:
   contents: read
+
 jobs:
   benchmark:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     services:
       mongodb:
         image: mongo:5
@@ -23,54 +26,68 @@ jobs:
           "POSTGRES_DB": "main_db"
         ports:
           - "27016:5432"
-    timeout-minutes: 10
     strategy:
       fail-fast: false
       matrix:
         node-version: [20.x, 24.x]
+
     steps:
-      - uses: actions/checkout@v5
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
           node-version: ${{ matrix.node-version }}
           cache: "npm"
           cache-dependency-path: "**/package-lock.json"
+
       - name: Setup Aikido safe-chain
         run: |
           npm i -g @aikidosec/safe-chain
           safe-chain setup-ci
+
       - name: Downgrade npm for v24 and v25
         # https://github.com/npm/cli/issues/8669
         if: ${{ matrix.node-version == '24.x' || matrix.node-version == '25.x' }}
         run: npm i -g [email protected]
+
       - name: Install K6
         uses: grafana/setup-k6-action@ffe7d7290dfa715e48c2ccc924d068444c94bde2 # v1
+
       - name: Install wrk
         run: |
           sudo apt-get update
           sudo apt-get install -y wrk
-      - name: Set up Rust
-        run: |
-          rustup toolchain install stable
-          rustup default stable
-          cargo install wasm-pack
-      - run: npm install
-      - run: npm run build
+
+      - name: Download build artifacts
+        uses: actions/download-artifact@v5
+        with:
+          name: firewall-node-library-${{ github.sha }}
+
+      - name: Install dependencies for benchmarks
+        run: npm run install-benchmarks-only
+
       - name: Run NoSQL Injection Benchmark
         run: cd benchmarks/nosql-injection && AIKIDO_CI=true node benchmark.js
+
       - name: Run SQL Injection Benchmark
         run: cd benchmarks/sql-injection && node benchmark.js
+
       - name: Run shell injection Benchmark
         run: cd benchmarks/shell-injection && node benchmark.js
+
       - name: Run Hono with Postgres Benchmark
         run: cd benchmarks/hono-pg && node benchmark.js
+
       - name: Run API Discovery Benchmark
         run: cd benchmarks/api-discovery && node benchmark.js
+
       - name: Run Express Benchmark
         # Skip on Node 24.x because benchmark currently fails.
         # Big performance improve in comparison to older Node.js versions, but higher difference between usage with and without Zen
         if: matrix.node-version != '24.x'
         run: cd benchmarks/express && node benchmark.js
+
       - name: Check Rate Limiter memory usage
         run: cd benchmarks/rate-limiting && node --expose-gc memory.js
diff --git a/.github/workflows/build-and-release.yml b/.github/workflows/build-and-release.yml
@@ -26,8 +26,8 @@ jobs:
       id-token: write
     timeout-minutes: 15
     steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-node@v5
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
         with:
           node-version: "24.x"
           registry-url: "https://registry.npmjs.org"

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -0,0 +1,61 @@
+name: ⚙️ Build library
+
+on:
+  workflow_call:
+
+permissions:
+  contents: read
+
+env:
+  node_version: 24.x
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Use Node.js ${{ env.node_version }}
+
+        uses: actions/setup-node@v6
+        with:
+          node-version: ${{ env.node_version }}
+          cache: "npm"
+          cache-dependency-path: "**/package-lock.json"
+
+      - name: Setup Aikido safe-chain
+        run: |
+          npm i -g @aikidosec/safe-chain
+          safe-chain setup-ci
+
+      - name: Downgrade npm for v24 and v25
+        # https://github.com/npm/cli/issues/8669
+        if: ${{ env.node_version == '24.x' || env.node_version == '25.x' }}
+        run: npm i -g [email protected]
+
+      - name: Set up Rust
+        run: |
+          rustup toolchain install stable
+          rustup default stable
+
+      - name: Install wasm-pack
+        run: bash ./.github/workflows/utils/install-wasm-pack.sh
+
+      - name: Install dependencies (library only)
+        run: npm run install-lib-only
+
+      - name: Build complete library
+        run: npm run build
+
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@v5
+        with:
+          name: firewall-node-library-${{ github.sha }}
+          if-no-files-found: error
+          retention-days: 7
+          path: |
+            build/
+            library/internals/
+            library/agent/hooks/instrumentation/wasm/
diff --git a/.github/workflows/end-to-end-tests.yml b/.github/workflows/end-to-end-tests.yml
@@ -1,52 +1,14 @@
 name: 🕵️ End to end tests
+
 on:
-  push: {}
   workflow_call: {}
+
 permissions:
   contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
-    services:
-      mongodb:
-        image: mongo:5
-        env:
-          "MONGO_INITDB_ROOT_USERNAME": "root"
-          "MONGO_INITDB_ROOT_PASSWORD": "password"
-        ports:
-          - 27017:27017
-      postgres:
-        image: postgres:14-alpine
-        env:
-          "POSTGRES_PASSWORD": "password"
-          "POSTGRES_USER": "root"
-          "POSTGRES_DB": "main_db"
-        ports:
-          - "27016:5432"
-      mysql:
-        image: mysql:8.0
-        # NOTE: use of "mysql_native_password" is not recommended: https://dev.mysql.com/doc/refman/8.0/en/upgrading-from-previous-series.html#upgrade-caching-sha2-password
-        # We need to use this long command in order to execute the last part : mysql_native_password
-        # https://stackoverflow.com/questions/60902904/how-to-pass-mysql-native-password-to-mysql-service-in-github-actions
-        options: --health-cmd="mysqladmin ping" --health-interval=10s --health-timeout=5s --health-retries=5 -e MYSQL_ROOT_PASSWORD=mypassword -e MYSQL_DATABASE=catsdb --entrypoint sh mysql:8.0 -c "exec docker-entrypoint.sh mysqld --default-authentication-plugin=mysql_native_password"
-        ports:
-          - "27015:3306"
-      mariadb:
-        image: mariadb:11
-        env:
-          MARIADB_ROOT_PASSWORD: mypassword
-          MARIADB_DATABASE: catsdb
-        ports:
-          - "27018:3306"
-      clickhouse:
-        image: clickhouse/clickhouse-server:24
-        env:
-          "CLICKHOUSE_USER": "clickhouse"
-          "CLICKHOUSE_PASSWORD": "clickhouse"
-          "CLICKHOUSE_DB": "main_db"
-          "CLICKHOUSE_DEFAULT_ACCESS": "MANAGEMENT=1"
-        ports:
-          - "27019:8123"
     timeout-minutes: 15
     strategy:
       fail-fast: false
@@ -60,36 +22,47 @@ jobs:
             mode: "new"
           - node-version: 25.x
             mode: "new"
+
     steps:
-      - uses: actions/checkout@v5
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
           node-version: ${{ matrix.node-version }}
           cache: "npm"
           cache-dependency-path: "**/package-lock.json"
+
       - name: Setup Aikido safe-chain
         run: |
           npm i -g @aikidosec/safe-chain
           safe-chain setup-ci
+
       - name: Downgrade npm for v24 and v25
         # https://github.com/npm/cli/issues/8669
         if: ${{ matrix.node-version == '24.x' || matrix.node-version == '25.x' }}
         run: npm i -g [email protected]
+
       - name: Add local.aikido.io to /etc/hosts
         run: |
           sudo echo "127.0.0.1 local.aikido.io" | sudo tee -a /etc/hosts
-      - name: Build and run server
-        run: |
-          cd end2end/server && docker build -t server . && docker run -d -p 5874:3000 server
-      - name: Set up Rust
-        run: |
-          rustup toolchain install stable
-          rustup default stable
-          cargo install wasm-pack
-      - run: npm install
-      - run: npm run build
-      - if: matrix.mode == 'old'
+
+      - name: Run Containers
+        run: npm run containers
+
+      - name: Install dependencies (end-to-end only)
+        run: npm run install-e2e-only
+
+      - name: Download build artifacts
+        uses: actions/download-artifact@v5
+        with:
+          name: firewall-node-library-${{ github.sha }}
+
+      - name: Run end-to-end tests
+        if: matrix.mode == 'old'
         run: npm run end2end
-      - if: matrix.mode == 'new'
+
+      - name: Run new end-to-end tests
+        if: matrix.mode == 'new'
         run: npm run end2end:new
diff --git a/.github/workflows/lint-code.yml b/.github/workflows/lint-code.yml
@@ -1,7 +1,11 @@
 name: 🧹 Lint code
-on: push
+
+on:
+  workflow_call: {}
+
 permissions:
   contents: read
+
 jobs:
   lint:
     runs-on: ubuntu-latest
@@ -10,36 +14,50 @@ jobs:
       matrix:
         node-version: [24.x]
     steps:
-      - uses: actions/checkout@v5
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
           node-version: ${{ matrix.node-version }}
           cache: "npm"
           cache-dependency-path: "**/package-lock.json"
+
       - name: Set up Rust
         run: |
           rustup toolchain install stable
           rustup default stable
           rustup component add rustfmt clippy
-          cargo install wasm-pack
+
       - name: Setup Aikido safe-chain
         run: |
           npm i -g @aikidosec/safe-chain
           safe-chain setup-ci
+
       - name: Downgrade npm for v24 and v25
         # https://github.com/npm/cli/issues/8669
         if: ${{ matrix.node-version == '24.x' || matrix.node-version == '25.x' }}
         run: npm i -g [email protected]
-      - run: npm run install-lib-only
-      - run: npm run build
+
+      - name: Install dependencies (library only)
+        run: npm run install-lib-only
+
+      - name: Download build artifacts
+        uses: actions/download-artifact@v5
+        with:
+          name: firewall-node-library-${{ github.sha }}
+
       - name: Run Linter for JavaScript/TypeScript
         run: npm run lint
+
       - name: Check formatting
         run: npm run format:check
+
       - name: Check Rust formatting
         run: cargo fmt --check
         working-directory: ./instrumentation-wasm
+
       - name: Run Rust Linter
         run: cargo clippy -- -D warnings
         working-directory: ./instrumentation-wasm
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -0,0 +1,32 @@
+name: Main Workflow
+
+on:
+  push: {}
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    name: ⚙️ Build library
+    uses: ./.github/workflows/build.yml
+  lint-code:
+    name: 🧹 Lint code
+    uses: ./.github/workflows/lint-code.yml
+    needs: build
+  unit-tests:
+    name: 🧪 Unit tests
+    uses: ./.github/workflows/unit-test.yml
+    needs: build
+  end-to-end-tests:
+    name: 🕵️ End to end tests
+    uses: ./.github/workflows/end-to-end-tests.yml
+    needs: build
+  benchmark:
+    name: 📊 Benchmark
+    uses: ./.github/workflows/benchmark.yml
+    needs: build
+  qa-tests:
+    name: 🧪 QA Tests
+    uses: ./.github/workflows/qa-tests.yml
+    needs: build