Improve GitHub Actions workflows

farrokhi · farrokhi · commit a6feb5fb7a1b · 2025-09-24T12:31:51.000+02:00
- Split monolithic packages.yml into separate workflows (test, build, security, release)
- Add multi-OS matrix strategy (Ubuntu, macOS, Windows)
- Add comprehensive pip caching across all platforms
- Add network-aware protocol tests with proper error handling
- Add security scanning (Bandit, Safety, CodeQL)
- Add automated PyPI and Docker publishing on releases
- Add smoke tests for built binaries
- Keep old packages.yml as backup
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -0,0 +1,103 @@
+name: Build Packages
+
+on:
+  push:
+    branches: [ master ]
+    tags: [ 'v*' ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  build:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+        python-version: ["3.11"]  # Use single Python version for builds
+
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Cache pip packages
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cache/pip
+            ~/AppData/Local/pip/Cache
+            ~/Library/Caches/pip
+          key: ${{ runner.os }}-pip-build-${{ hashFiles('requirements.txt', 'pyproject.toml') }}
+          restore-keys: |
+            ${{ runner.os }}-pip-build-
+            ${{ runner.os }}-pip-
+
+      - name: Install build dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install pyinstaller
+          pip install -r requirements.txt
+
+      - name: Build packages (Unix)
+        if: runner.os != 'Windows'
+        run: |
+          chmod +x build-pkgs.sh
+          ./build-pkgs.sh
+        shell: bash
+
+      - name: Build packages (Windows)
+        if: runner.os == 'Windows'
+        run: |
+          ./build-pkgs.sh
+        shell: bash
+
+      - name: Test built binaries (Unix)
+        if: runner.os != 'Windows'
+        run: |
+          # Find the built package directory
+          PKG_DIR=$(find pkg -name "dnsdiag-*" -type d | head -1)
+          if [ -d "$PKG_DIR" ]; then
+            echo "Testing built binaries in $PKG_DIR"
+            $PKG_DIR/dnsping --help
+            $PKG_DIR/dnstraceroute --help
+            $PKG_DIR/dnseval --help
+          else
+            echo "No package directory found"
+            exit 1
+          fi
+        shell: bash
+
+      - name: Test built binaries (Windows)
+        if: runner.os == 'Windows'
+        run: |
+          # Find the built package directory
+          $PKG_DIR = Get-ChildItem -Path pkg -Directory -Name "dnsdiag-*" | Select-Object -First 1
+          if ($PKG_DIR) {
+            Write-Host "Testing built binaries in pkg/$PKG_DIR"
+            & "pkg/$PKG_DIR/dnsping.exe" --help
+            & "pkg/$PKG_DIR/dnstraceroute.exe" --help
+            & "pkg/$PKG_DIR/dnseval.exe" --help
+          } else {
+            Write-Host "No package directory found"
+            exit 1
+          }
+        shell: pwsh
+
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: dnsdiag-${{ runner.os }}-${{ runner.arch }}
+          path: pkg/dnsdiag-*.*
+          retention-days: 7
+
+      - name: Upload to release (on tag)
+        if: startsWith(github.ref, 'refs/tags/')
+        uses: softprops/action-gh-release@v2
+        with:
+          files: pkg/dnsdiag-*.*
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/packages.yml.old b/.github/workflows/packages.yml.old
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,89 @@
+name: Release
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:  # Allow manual triggering
+
+jobs:
+  pypi-publish:
+    name: Publish to PyPI
+    runs-on: ubuntu-latest
+    environment: release
+    permissions:
+      id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
+
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: "3.11"
+
+      - name: Cache pip packages
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/pip
+          key: ubuntu-latest-pip-release-${{ hashFiles('requirements.txt', 'pyproject.toml') }}
+          restore-keys: |
+            ubuntu-latest-pip-release-
+            ubuntu-latest-pip-
+
+      - name: Install build dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install build twine
+
+      - name: Build source and wheel distributions
+        run: |
+          python -m build
+
+      - name: Check distributions
+        run: |
+          python -m twine check dist/*
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        # Only publish on actual releases, not manual workflow dispatch
+        if: github.event_name == 'release'
+
+  docker-publish:
+    name: Publish Docker image
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Docker Hub
+        if: github.event_name == 'release'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: farrokhi/dnsdiag
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name == 'release' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -0,0 +1,81 @@
+name: Security Scan
+
+on:
+  push:
+    branches: [ master, develop ]
+  pull_request:
+    branches: [ master ]
+  schedule:
+    - cron: '0 2 * * 1'  # Weekly security scan on Mondays
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: "3.11"
+
+      - name: Cache pip packages
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/pip
+          key: ubuntu-latest-pip-security-${{ hashFiles('requirements.txt', 'pyproject.toml') }}
+          restore-keys: |
+            ubuntu-latest-pip-security-
+            ubuntu-latest-pip-
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install bandit safety
+          pip install -r requirements.txt
+
+      - name: Run Bandit security scan
+        run: |
+          echo "Running Bandit security scan..."
+          bandit -r . -f json -o bandit-report.json -ll || true
+          bandit -r . -f txt -ll || echo "Bandit found some issues, check the detailed report"
+
+      - name: Run Safety dependency check
+        run: |
+          echo "Running Safety dependency vulnerability check..."
+          safety check --json --output safety-report.json || true
+          safety check || echo "Safety found some vulnerabilities, check the detailed report"
+
+      - name: Upload security reports
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: security-reports
+          path: |
+            bandit-report.json
+            safety-report.json
+          retention-days: 30
+
+  codeql:
+    name: CodeQL Analysis
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: python
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -0,0 +1,101 @@
+name: Tests
+
+on:
+  push:
+    branches: [ master, develop ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  test:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+        python-version: ["3.10", "3.11", "3.12", "3.13"]
+
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Cache pip packages
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cache/pip
+            ~/AppData/Local/pip/Cache
+            ~/Library/Caches/pip
+          key: ${{ runner.os }}-pip-${{ hashFiles('requirements.txt', 'pyproject.toml') }}
+          restore-keys: |
+            ${{ runner.os }}-pip-
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install flake8 pytest pytest-cov
+          pip install -r requirements.txt
+
+      - name: Lint with flake8
+        run: |
+          # stop the build if there are Python syntax errors or undefined names
+          flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
+          # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide
+          flake8 . --count --exit-zero --max-complexity=60 --max-line-length=127 --statistics
+
+      - name: Run unit tests (if they exist)
+        run: |
+          if [ -d "tests" ]; then
+            pytest tests/ --cov=dnsdiag --cov-report=xml --cov-report=term
+          else
+            echo "No tests directory found - skipping unit tests"
+          fi
+        shell: bash
+
+      - name: Test imports and basic functionality
+        run: |
+          python -c "import dnsdiag.dns; print('DNS module imports successfully')"
+          python -c "import dnsping; print('dnsping imports successfully')"
+          python -c "import dnstraceroute; print('dnstraceroute imports successfully')"
+          python -c "import dnseval; print('dnseval imports successfully')"
+        shell: bash
+
+      - name: Run help commands
+        run: |
+          python dnsping.py --help
+          python dnstraceroute.py --help
+          python dnseval.py --help
+        shell: bash
+
+      - name: Run basic protocol tests (Linux/Mac only)
+        if: runner.os != 'Windows'
+        run: |
+          echo "Testing basic UDP DNS functionality..."
+          timeout 15s python dnsping.py -s 8.8.8.8 -c 1 -w 3 google.com || echo "UDP test failed/timed out - may be network issue"
+
+          echo "Testing TCP DNS functionality..."
+          timeout 15s python dnsping.py -T -s 8.8.8.8 -c 1 -w 3 google.com || echo "TCP test failed/timed out - may be network issue"
+
+          echo "Testing DoT DNS functionality..."
+          timeout 15s python dnsping.py -X -s 8.8.8.8 -c 1 -w 3 google.com || echo "DoT test failed/timed out - may be network issue"
+
+          echo "Testing DoH DNS functionality..."
+          timeout 15s python dnsping.py -H -s 8.8.8.8 -c 1 -w 3 google.com || echo "DoH test failed/timed out - may be network issue"
+
+          echo "Testing DoQ DNS functionality (AdGuard)..."
+          timeout 15s python dnsping.py -Q -s 94.140.14.14 -c 1 -w 3 google.com || echo "DoQ test failed/timed out - may be network issue"
+
+          echo "Testing DoH3 DNS functionality..."
+          timeout 15s python dnsping.py -3 -s 8.8.8.8 -c 1 -w 3 google.com || echo "DoH3 test failed/timed out - may be network issue"
+        shell: bash
+
+      - name: Run dnstraceroute basic test (Linux only)
+        if: runner.os == 'Linux'
+        run: |
+          echo "Testing dnstraceroute UDP functionality..."
+          timeout 20s python dnstraceroute.py -s 8.8.8.8 -c 3 -w 2 google.com || echo "dnstraceroute test failed/timed out - may be network or permission issue"
+        shell: bash
