From 963754fa12b38d17c5a7b5068b764e8b0cd9ff73 Mon Sep 17 00:00:00 2001 From: Ashwin Bhat Date: Wed, 23 Jul 2025 20:33:29 -0700 Subject: [PATCH] perf: optimize Squid proxy startup time (#334) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * perf: optimize Squid proxy startup time - Replace fixed 7-second sleep with dynamic readiness check - Only shutdown existing Squid if actually running - Add detailed timing logs to track each step's duration - Expected reduction: ~7-8 seconds to ~1-2 seconds startup overhead 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude * refactor: extract squid setup into standalone script Move squid proxy setup logic from action.yml inline bash script to scripts/setup-network-restrictions.sh for better maintainability and cleaner action configuration. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude * Revert "refactor: extract squid setup into standalone script" This reverts commit b18aa2821d2156ebb3b7a8cb0058add8970eeed2. * tmp * Reapply "refactor: extract squid setup into standalone script" This reverts commit 07f69115499c4b5c1939807b2b61e13a07069b29. --------- Co-authored-by: Claude --- action.yml | 48 ++++------ scripts/setup-network-restrictions.sh | 123 ++++++++++++++++++++++++++ 2 files changed, 139 insertions(+), 32 deletions(-) create mode 100755 scripts/setup-network-restrictions.sh diff --git a/action.yml b/action.yml index ab4574e..50e7da9 100644 --- a/action.yml +++ b/action.yml 
@@ -155,50 +155,34 @@ runs: ADDITIONAL_PERMISSIONS: ${{ inputs.additional_permissions }} USE_COMMIT_SIGNING: ${{ inputs.use_commit_signing }} + - name: Install Base Action Dependencies + if: steps.prepare.outputs.contains_trigger == 'true' + shell: bash + run: | + echo "Installing base-action dependencies..." + cd ${GITHUB_ACTION_PATH}/base-action + bun install + echo "Base-action dependencies installed" + cd - + # Install Claude Code globally + bun install -g @anthropic-ai/claude-code@1.0.59 + - name: Setup Network Restrictions if: steps.prepare.outputs.contains_trigger == 'true' && inputs.experimental_allowed_domains != '' shell: bash run: | - # Install and configure Squid proxy - sudo apt-get update && sudo apt-get install -y squid - - echo "${{ inputs.experimental_allowed_domains }}" > $RUNNER_TEMP/whitelist.txt - - # Configure Squid - sudo tee /etc/squid/squid.conf << EOF - http_port 127.0.0.1:3128 - acl whitelist dstdomain "$RUNNER_TEMP/whitelist.txt" - acl localhost src 127.0.0.1/32 - http_access allow localhost whitelist - http_access deny all - cache deny all - EOF - - # Stop any existing squid instance and start with our config - sudo squid -k shutdown || true - sleep 2 - sudo rm -f /run/squid.pid - sudo squid -N -d 1 & - sleep 5 - - # Set proxy environment variables - echo "http_proxy=http://127.0.0.1:3128" >> $GITHUB_ENV - echo "https_proxy=http://127.0.0.1:3128" >> $GITHUB_ENV - echo "HTTP_PROXY=http://127.0.0.1:3128" >> $GITHUB_ENV - echo "HTTPS_PROXY=http://127.0.0.1:3128" >> $GITHUB_ENV + chmod +x ${GITHUB_ACTION_PATH}/scripts/setup-network-restrictions.sh + ${GITHUB_ACTION_PATH}/scripts/setup-network-restrictions.sh + env: + EXPERIMENTAL_ALLOWED_DOMAINS: ${{ inputs.experimental_allowed_domains }} - name: Run Claude Code id: claude-code if: steps.prepare.outputs.contains_trigger == 'true' shell: bash run: | - # Install Claude Code globally - bun install -g @anthropic-ai/claude-code@1.0.59 # Run the base-action - cd ${GITHUB_ACTION_PATH}/base-action 
- bun install - cd - bun run ${GITHUB_ACTION_PATH}/base-action/src/index.ts env: # Base-action inputs diff --git a/scripts/setup-network-restrictions.sh b/scripts/setup-network-restrictions.sh new file mode 100755 index 0000000..2b8712f --- /dev/null +++ b/scripts/setup-network-restrictions.sh 
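Review bot: The new Install Base Action Dependencies step runs `bun install` in base-action and `bun install -g @anthropic-ai/claude-code@1.0.59` ahead of Setup Network Restrictions, presumably because those installs need registry access that the allow-listed proxy would block, but nothing in the step records that ordering constraint and the base-action install is not held to its lockfile. I would add `# Needs registry access: keep this step before Setup Network Restrictions` under the step name and, if base-action ships a lockfile, change the install to `bun install --frozen-lockfile` so a drifted lockfile fails the step instead of silently resolving different versions. The two added lines `chmod +x ${GITHUB_ACTION_PATH}/scripts/setup-network-restrictions.sh` and the call below it should quote the expansion (`"${GITHUB_ACTION_PATH}/scripts/setup-network-restrictions.sh"`) to match the defensive style the script itself uses for its environment checks. The enclosing `runs:` block starts and ends outside this hunk.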
@@ -0,0 +1,123 @@
+#!/bin/bash
+
+# Setup Network Restrictions with Squid Proxy
+# This script sets up a Squid proxy to restrict network access to whitelisted domains only.
+
+set -e
+
+# Check if experimental_allowed_domains is provided
+if [ -z "$EXPERIMENTAL_ALLOWED_DOMAINS" ]; then
+ echo "ERROR: EXPERIMENTAL_ALLOWED_DOMAINS environment variable is required"
+ exit 1
+fi
+
+# Check required environment variables
+if [ -z "$RUNNER_TEMP" ]; then
+ echo "ERROR: RUNNER_TEMP environment variable is required"
+ exit 1
+fi
+
+if [ -z "$GITHUB_ENV" ]; then
+ echo "ERROR: GITHUB_ENV environment variable is required"
+ exit 1
+fi
+
+echo "Setting up network restrictions with Squid proxy..."
+
+SQUID_START_TIME=$(date +%s.%N)
+
+# Create whitelist file
+echo "$EXPERIMENTAL_ALLOWED_DOMAINS" > $RUNNER_TEMP/whitelist.txt
+
+# Ensure each domain has proper format
+# If domain doesn't start with a dot and isn't an IP, add the dot for subdomain matching
+mv $RUNNER_TEMP/whitelist.txt $RUNNER_TEMP/whitelist.txt.orig
+while IFS= read -r domain; do
+ if [ -n "$domain" ]; then
+ # Trim whitespace
+ domain=$(echo "$domain" | xargs)
+ # If it's not empty and doesn't start with a dot, add one
+ if [[ "$domain" != .* ]] && [[ ! "$domain" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+ echo ".$domain" >> $RUNNER_TEMP/whitelist.txt
+ else
+ echo "$domain" >> $RUNNER_TEMP/whitelist.txt
+ fi
+ fi
+done < $RUNNER_TEMP/whitelist.txt.orig
+
+# Create Squid config with whitelist
+echo "http_port 3128" > $RUNNER_TEMP/squid.conf
+echo "" >> $RUNNER_TEMP/squid.conf
+echo "# Define ACLs" >> $RUNNER_TEMP/squid.conf
+echo "acl whitelist dstdomain \"/etc/squid/whitelist.txt\"" >> $RUNNER_TEMP/squid.conf
+echo "acl localnet src 127.0.0.1/32" >> $RUNNER_TEMP/squid.conf
+echo "acl localnet src 172.17.0.0/16" >> $RUNNER_TEMP/squid.conf
+echo "acl SSL_ports port 443" >> $RUNNER_TEMP/squid.conf
+echo "acl Safe_ports port 80" >> $RUNNER_TEMP/squid.conf
+echo "acl Safe_ports port 443" >> $RUNNER_TEMP/squid.conf
+echo "acl CONNECT method CONNECT" >> $RUNNER_TEMP/squid.conf
+echo "" >> $RUNNER_TEMP/squid.conf
+echo "# Deny requests to certain unsafe ports" >> $RUNNER_TEMP/squid.conf
+echo "http_access deny !Safe_ports" >> $RUNNER_TEMP/squid.conf
+echo "" >> $RUNNER_TEMP/squid.conf
+echo "# Only allow CONNECT to SSL ports" >> $RUNNER_TEMP/squid.conf
+echo "http_access deny CONNECT !SSL_ports" >> $RUNNER_TEMP/squid.conf
+echo "" >> $RUNNER_TEMP/squid.conf
+echo "# Allow localhost" >> $RUNNER_TEMP/squid.conf
+echo "http_access allow localhost" >> $RUNNER_TEMP/squid.conf
+echo "" >> $RUNNER_TEMP/squid.conf
+echo "# Allow localnet access to whitelisted domains" >> $RUNNER_TEMP/squid.conf
+echo "http_access allow localnet whitelist" >> $RUNNER_TEMP/squid.conf
+echo "" >> $RUNNER_TEMP/squid.conf
+echo "# Deny everything else" >> $RUNNER_TEMP/squid.conf
+echo "http_access deny all" >> $RUNNER_TEMP/squid.conf
+
+echo "Starting Squid proxy..."
+# First, remove any existing container
+sudo docker rm -f squid-proxy 2>/dev/null || true
+
+# Ensure whitelist file is not empty (Squid fails with empty files)
+if [ ! -s "$RUNNER_TEMP/whitelist.txt" ]; then
+ echo "WARNING: Whitelist file is empty, adding a dummy entry"
+ echo ".example.com" >> $RUNNER_TEMP/whitelist.txt
+fi
+
+# Use sudo to prevent Claude from stopping the container
+CONTAINER_ID=$(sudo docker run -d \
+ --name squid-proxy \
+ -p 127.0.0.1:3128:3128 \
+ -v $RUNNER_TEMP/squid.conf:/etc/squid/squid.conf:ro \
+ -v $RUNNER_TEMP/whitelist.txt:/etc/squid/whitelist.txt:ro \
+ ubuntu/squid:latest 2>&1) || {
+ echo "ERROR: Failed to start Squid container"
+ exit 1
+}
+
+# Wait for proxy to be ready (usually < 1 second)
+READY=false
+for i in {1..30}; do
+ if nc -z 127.0.0.1 3128 2>/dev/null; then
+ TOTAL_TIME=$(echo "scale=3; $(date +%s.%N) - $SQUID_START_TIME" | bc)
+ echo "Squid proxy ready in ${TOTAL_TIME}s"
+ READY=true
+ break
+ fi
+ sleep 0.1
+done
+
+if [ "$READY" != "true" ]; then
+ echo "ERROR: Squid proxy failed to start within 3 seconds"
+ echo "Container logs:"
+ sudo docker logs squid-proxy 2>&1 || true
+ echo "Container status:"
+ sudo docker ps -a | grep squid-proxy || true
+ exit 1
+fi
+
+# Set proxy environment variables
+echo "http_proxy=http://127.0.0.1:3128" >> $GITHUB_ENV
+echo "https_proxy=http://127.0.0.1:3128" >> $GITHUB_ENV
+echo "HTTP_PROXY=http://127.0.0.1:3128" >> $GITHUB_ENV
+echo "HTTPS_PROXY=http://127.0.0.1:3128" >> $GITHUB_ENV
+
+echo "Network restrictions setup completed successfully"
\ No newline at end of file