Revert "refactor: extract squid setup into standalone script"

This reverts commit b18aa2821d.
2026-01-22 14:24:13 +08:00 · 2025-07-23 18:57:14 -07:00
parent b18aa2821d
commit 07f6911549
2 changed files with 95 additions and 127 deletions
--- a/action.yml
+++ b/action.yml
@@ -168,10 +168,101 @@ runs:
      if: steps.prepare.outputs.contains_trigger == 'true' && inputs.experimental_allowed_domains != ''
      shell: bash
      run: |
-        chmod +x ${GITHUB_ACTION_PATH}/scripts/setup-network-restrictions.sh
-        ${GITHUB_ACTION_PATH}/scripts/setup-network-restrictions.sh
-      env:
-        EXPERIMENTAL_ALLOWED_DOMAINS: ${{ inputs.experimental_allowed_domains }}
+        SQUID_START_TIME=$(date +%s.%N)
+
+        # Create whitelist file
+        echo "${{ inputs.experimental_allowed_domains }}" > $RUNNER_TEMP/whitelist.txt
+
+        # Ensure each domain has proper format
+        # If domain doesn't start with a dot and isn't an IP, add the dot for subdomain matching
+        mv $RUNNER_TEMP/whitelist.txt $RUNNER_TEMP/whitelist.txt.orig
+        while IFS= read -r domain; do
+          if [ -n "$domain" ]; then
+            # Trim whitespace
+            domain=$(echo "$domain" | xargs)
+            # If it's not empty and doesn't start with a dot, add one
+            if [[ "$domain" != .* ]] && [[ ! "$domain" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+              echo ".$domain" >> $RUNNER_TEMP/whitelist.txt
+            else
+              echo "$domain" >> $RUNNER_TEMP/whitelist.txt
+            fi
+          fi
+        done < $RUNNER_TEMP/whitelist.txt.orig
+
+        # Create Squid config with whitelist
+        echo "http_port 3128" > $RUNNER_TEMP/squid.conf
+        echo "" >> $RUNNER_TEMP/squid.conf
+        echo "# Define ACLs" >> $RUNNER_TEMP/squid.conf
+        echo "acl whitelist dstdomain \"/etc/squid/whitelist.txt\"" >> $RUNNER_TEMP/squid.conf
+        echo "acl localnet src 127.0.0.1/32" >> $RUNNER_TEMP/squid.conf
+        echo "acl localnet src 172.17.0.0/16" >> $RUNNER_TEMP/squid.conf
+        echo "acl SSL_ports port 443" >> $RUNNER_TEMP/squid.conf
+        echo "acl Safe_ports port 80" >> $RUNNER_TEMP/squid.conf
+        echo "acl Safe_ports port 443" >> $RUNNER_TEMP/squid.conf
+        echo "acl CONNECT method CONNECT" >> $RUNNER_TEMP/squid.conf
+        echo "" >> $RUNNER_TEMP/squid.conf
+        echo "# Deny requests to certain unsafe ports" >> $RUNNER_TEMP/squid.conf
+        echo "http_access deny !Safe_ports" >> $RUNNER_TEMP/squid.conf
+        echo "" >> $RUNNER_TEMP/squid.conf
+        echo "# Only allow CONNECT to SSL ports" >> $RUNNER_TEMP/squid.conf
+        echo "http_access deny CONNECT !SSL_ports" >> $RUNNER_TEMP/squid.conf
+        echo "" >> $RUNNER_TEMP/squid.conf
+        echo "# Allow localhost" >> $RUNNER_TEMP/squid.conf
+        echo "http_access allow localhost" >> $RUNNER_TEMP/squid.conf
+        echo "" >> $RUNNER_TEMP/squid.conf
+        echo "# Allow localnet access to whitelisted domains" >> $RUNNER_TEMP/squid.conf
+        echo "http_access allow localnet whitelist" >> $RUNNER_TEMP/squid.conf
+        echo "" >> $RUNNER_TEMP/squid.conf
+        echo "# Deny everything else" >> $RUNNER_TEMP/squid.conf
+        echo "http_access deny all" >> $RUNNER_TEMP/squid.conf
+
+        echo "Starting Squid proxy..."
+        # First, remove any existing container
+        sudo docker rm -f squid-proxy 2>/dev/null || true
+
+        # Ensure whitelist file is not empty (Squid fails with empty files)
+        if [ ! -s "$RUNNER_TEMP/whitelist.txt" ]; then
+          echo "WARNING: Whitelist file is empty, adding a dummy entry"
+          echo ".example.com" >> $RUNNER_TEMP/whitelist.txt
+        fi
+
+        # Use sudo to prevent Claude from stopping the container
+        CONTAINER_ID=$(sudo docker run -d \
+          --name squid-proxy \
+          -p 127.0.0.1:3128:3128 \
+          -v $RUNNER_TEMP/squid.conf:/etc/squid/squid.conf:ro \
+          -v $RUNNER_TEMP/whitelist.txt:/etc/squid/whitelist.txt:ro \
+          ubuntu/squid:latest 2>&1) || {
+          echo "ERROR: Failed to start Squid container"
+          exit 1
+        }
+
+        # Wait for proxy to be ready (usually < 1 second)
+        READY=false
+        for i in {1..30}; do
+          if nc -z 127.0.0.1 3128 2>/dev/null; then
+            TOTAL_TIME=$(echo "scale=3; $(date +%s.%N) - $SQUID_START_TIME" | bc)
+            echo "Squid proxy ready in ${TOTAL_TIME}s"
+            READY=true
+            break
+          fi
+          sleep 0.1
+        done
+
+        if [ "$READY" != "true" ]; then
+          echo "ERROR: Squid proxy failed to start within 3 seconds"
+          echo "Container logs:"
+          sudo docker logs squid-proxy 2>&1 || true
+          echo "Container status:"
+          sudo docker ps -a | grep squid-proxy || true
+          exit 1
+        fi
+
+        # Set proxy environment variables
+        echo "http_proxy=http://127.0.0.1:3128" >> $GITHUB_ENV
+        echo "https_proxy=http://127.0.0.1:3128" >> $GITHUB_ENV
+        echo "HTTP_PROXY=http://127.0.0.1:3128" >> $GITHUB_ENV
+        echo "HTTPS_PROXY=http://127.0.0.1:3128" >> $GITHUB_ENV

    - name: Run Claude Code
      id: claude-code
--- a/scripts/setup-network-restrictions.sh
+++ b/scripts/setup-network-restrictions.sh
@@ -1,123 +0,0 @@
-#!/bin/bash
-
-# Setup Network Restrictions with Squid Proxy
-# This script sets up a Squid proxy to restrict network access to whitelisted domains only.
-
-set -e
-
-# Check if experimental_allowed_domains is provided
-if [ -z "$EXPERIMENTAL_ALLOWED_DOMAINS" ]; then
-  echo "ERROR: EXPERIMENTAL_ALLOWED_DOMAINS environment variable is required"
-  exit 1
-fi
-
-# Check required environment variables
-if [ -z "$RUNNER_TEMP" ]; then
-  echo "ERROR: RUNNER_TEMP environment variable is required"
-  exit 1
-fi
-
-if [ -z "$GITHUB_ENV" ]; then
-  echo "ERROR: GITHUB_ENV environment variable is required"
-  exit 1
-fi
-
-echo "Setting up network restrictions with Squid proxy..."
-
-SQUID_START_TIME=$(date +%s.%N)
-
-# Create whitelist file
-echo "$EXPERIMENTAL_ALLOWED_DOMAINS" > $RUNNER_TEMP/whitelist.txt
-
-# Ensure each domain has proper format
-# If domain doesn't start with a dot and isn't an IP, add the dot for subdomain matching
-mv $RUNNER_TEMP/whitelist.txt $RUNNER_TEMP/whitelist.txt.orig
-while IFS= read -r domain; do
-  if [ -n "$domain" ]; then
-    # Trim whitespace
-    domain=$(echo "$domain" | xargs)
-    # If it's not empty and doesn't start with a dot, add one
-    if [[ "$domain" != .* ]] && [[ ! "$domain" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
-      echo ".$domain" >> $RUNNER_TEMP/whitelist.txt
-    else
-      echo "$domain" >> $RUNNER_TEMP/whitelist.txt
-    fi
-  fi
-done < $RUNNER_TEMP/whitelist.txt.orig
-
-# Create Squid config with whitelist
-echo "http_port 3128" > $RUNNER_TEMP/squid.conf
-echo "" >> $RUNNER_TEMP/squid.conf
-echo "# Define ACLs" >> $RUNNER_TEMP/squid.conf
-echo "acl whitelist dstdomain \"/etc/squid/whitelist.txt\"" >> $RUNNER_TEMP/squid.conf
-echo "acl localnet src 127.0.0.1/32" >> $RUNNER_TEMP/squid.conf
-echo "acl localnet src 172.17.0.0/16" >> $RUNNER_TEMP/squid.conf
-echo "acl SSL_ports port 443" >> $RUNNER_TEMP/squid.conf
-echo "acl Safe_ports port 80" >> $RUNNER_TEMP/squid.conf
-echo "acl Safe_ports port 443" >> $RUNNER_TEMP/squid.conf
-echo "acl CONNECT method CONNECT" >> $RUNNER_TEMP/squid.conf
-echo "" >> $RUNNER_TEMP/squid.conf
-echo "# Deny requests to certain unsafe ports" >> $RUNNER_TEMP/squid.conf
-echo "http_access deny !Safe_ports" >> $RUNNER_TEMP/squid.conf
-echo "" >> $RUNNER_TEMP/squid.conf
-echo "# Only allow CONNECT to SSL ports" >> $RUNNER_TEMP/squid.conf
-echo "http_access deny CONNECT !SSL_ports" >> $RUNNER_TEMP/squid.conf
-echo "" >> $RUNNER_TEMP/squid.conf
-echo "# Allow localhost" >> $RUNNER_TEMP/squid.conf
-echo "http_access allow localhost" >> $RUNNER_TEMP/squid.conf
-echo "" >> $RUNNER_TEMP/squid.conf
-echo "# Allow localnet access to whitelisted domains" >> $RUNNER_TEMP/squid.conf
-echo "http_access allow localnet whitelist" >> $RUNNER_TEMP/squid.conf
-echo "" >> $RUNNER_TEMP/squid.conf
-echo "# Deny everything else" >> $RUNNER_TEMP/squid.conf
-echo "http_access deny all" >> $RUNNER_TEMP/squid.conf
-
-echo "Starting Squid proxy..."
-# First, remove any existing container
-sudo docker rm -f squid-proxy 2>/dev/null || true
-
-# Ensure whitelist file is not empty (Squid fails with empty files)
-if [ ! -s "$RUNNER_TEMP/whitelist.txt" ]; then
-  echo "WARNING: Whitelist file is empty, adding a dummy entry"
-  echo ".example.com" >> $RUNNER_TEMP/whitelist.txt
-fi
-
-# Use sudo to prevent Claude from stopping the container
-CONTAINER_ID=$(sudo docker run -d \
-  --name squid-proxy \
-  -p 127.0.0.1:3128:3128 \
-  -v $RUNNER_TEMP/squid.conf:/etc/squid/squid.conf:ro \
-  -v $RUNNER_TEMP/whitelist.txt:/etc/squid/whitelist.txt:ro \
-  ubuntu/squid:latest 2>&1) || {
-  echo "ERROR: Failed to start Squid container"
-  exit 1
-}
-
-# Wait for proxy to be ready (usually < 1 second)
-READY=false
-for i in {1..30}; do
-  if nc -z 127.0.0.1 3128 2>/dev/null; then
-    TOTAL_TIME=$(echo "scale=3; $(date +%s.%N) - $SQUID_START_TIME" | bc)
-    echo "Squid proxy ready in ${TOTAL_TIME}s"
-    READY=true
-    break
-  fi
-  sleep 0.1
-done
-
-if [ "$READY" != "true" ]; then
-  echo "ERROR: Squid proxy failed to start within 3 seconds"
-  echo "Container logs:"
-  sudo docker logs squid-proxy 2>&1 || true
-  echo "Container status:"
-  sudo docker ps -a | grep squid-proxy || true
-  exit 1
-fi
-
-# Set proxy environment variables
-echo "http_proxy=http://127.0.0.1:3128" >> $GITHUB_ENV
-echo "https_proxy=http://127.0.0.1:3128" >> $GITHUB_ENV
-echo "HTTP_PROXY=http://127.0.0.1:3128" >> $GITHUB_ENV
-echo "HTTPS_PROXY=http://127.0.0.1:3128" >> $GITHUB_ENV
-
-echo "Network restrictions setup completed successfully"