perf: optimize Squid proxy startup time (#334)

* perf: optimize Squid proxy startup time

- Replace fixed 7-second sleep with dynamic readiness check
- Only shutdown existing Squid if actually running
- Add detailed timing logs to track each step's duration
- Expected reduction: ~7-8 seconds to ~1-2 seconds startup overhead

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* refactor: extract squid setup into standalone script

Move squid proxy setup logic from action.yml inline bash script
to scripts/setup-network-restrictions.sh for better maintainability
and cleaner action configuration.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Revert "refactor: extract squid setup into standalone script"

This reverts commit b18aa2821d.

* tmp

* Reapply "refactor: extract squid setup into standalone script"

This reverts commit 07f6911549.

---------

Co-authored-by: Claude <noreply@anthropic.com>

action.yml

@@ -155,50 +155,34 @@ runs:
         ADDITIONAL_PERMISSIONS: ${{ inputs.additional_permissions }}
         USE_COMMIT_SIGNING: ${{ inputs.use_commit_signing }}
 
+    - name: Install Base Action Dependencies
+      if: steps.prepare.outputs.contains_trigger == 'true'
+      shell: bash
+      run: |
+        echo "Installing base-action dependencies..."
+        cd ${GITHUB_ACTION_PATH}/base-action
+        bun install
+        echo "Base-action dependencies installed"
+        cd -
+        # Install Claude Code globally
+        bun install -g @anthropic-ai/claude-code@1.0.59
+
     - name: Setup Network Restrictions
       if: steps.prepare.outputs.contains_trigger == 'true' && inputs.experimental_allowed_domains != ''
       shell: bash
       run: |
-        # Install and configure Squid proxy
+        chmod +x ${GITHUB_ACTION_PATH}/scripts/setup-network-restrictions.sh
-        sudo apt-get update && sudo apt-get install -y squid
+        ${GITHUB_ACTION_PATH}/scripts/setup-network-restrictions.sh
-
+      env:
-        echo "${{ inputs.experimental_allowed_domains }}" > $RUNNER_TEMP/whitelist.txt
+        EXPERIMENTAL_ALLOWED_DOMAINS: ${{ inputs.experimental_allowed_domains }}
-
-        # Configure Squid
-        sudo tee /etc/squid/squid.conf << EOF
-        http_port 127.0.0.1:3128
-        acl whitelist dstdomain "$RUNNER_TEMP/whitelist.txt"
-        acl localhost src 127.0.0.1/32
-        http_access allow localhost whitelist
-        http_access deny all
-        cache deny all
-        EOF
-
-        # Stop any existing squid instance and start with our config
-        sudo squid -k shutdown || true
-        sleep 2
-        sudo rm -f /run/squid.pid
-        sudo squid -N -d 1 &
-        sleep 5
-
-        # Set proxy environment variables
-        echo "http_proxy=http://127.0.0.1:3128" >> $GITHUB_ENV
-        echo "https_proxy=http://127.0.0.1:3128" >> $GITHUB_ENV
-        echo "HTTP_PROXY=http://127.0.0.1:3128" >> $GITHUB_ENV
-        echo "HTTPS_PROXY=http://127.0.0.1:3128" >> $GITHUB_ENV
 
     - name: Run Claude Code
       id: claude-code
       if: steps.prepare.outputs.contains_trigger == 'true'
       shell: bash
       run: |
-        # Install Claude Code globally
-        bun install -g @anthropic-ai/claude-code@1.0.59
 
         # Run the base-action
-        cd ${GITHUB_ACTION_PATH}/base-action
-        bun install
-        cd -
         bun run ${GITHUB_ACTION_PATH}/base-action/src/index.ts
       env:
         # Base-action inputs

scripts/setup-network-restrictions.sh

@@ -0,0 +1,123 @@
+#!/bin/bash
+
+# Setup Network Restrictions with Squid Proxy
+# This script sets up a Squid proxy to restrict network access to whitelisted domains only.
+
+set -e
+
+# Check if experimental_allowed_domains is provided
+if [ -z "$EXPERIMENTAL_ALLOWED_DOMAINS" ]; then
+  echo "ERROR: EXPERIMENTAL_ALLOWED_DOMAINS environment variable is required"
+  exit 1
+fi
+
+# Check required environment variables
+if [ -z "$RUNNER_TEMP" ]; then
+  echo "ERROR: RUNNER_TEMP environment variable is required"
+  exit 1
+fi
+
+if [ -z "$GITHUB_ENV" ]; then
+  echo "ERROR: GITHUB_ENV environment variable is required"
+  exit 1
+fi
+
+echo "Setting up network restrictions with Squid proxy..."
+
+SQUID_START_TIME=$(date +%s.%N)
+
+# Create whitelist file
+echo "$EXPERIMENTAL_ALLOWED_DOMAINS" > $RUNNER_TEMP/whitelist.txt
+
+# Ensure each domain has proper format
+# If domain doesn't start with a dot and isn't an IP, add the dot for subdomain matching
+mv $RUNNER_TEMP/whitelist.txt $RUNNER_TEMP/whitelist.txt.orig
+while IFS= read -r domain; do
+  if [ -n "$domain" ]; then
+    # Trim whitespace
+    domain=$(echo "$domain" | xargs)
+    # If it's not empty and doesn't start with a dot, add one
+    if [[ "$domain" != .* ]] && [[ ! "$domain" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+      echo ".$domain" >> $RUNNER_TEMP/whitelist.txt
+    else
+      echo "$domain" >> $RUNNER_TEMP/whitelist.txt
+    fi
+  fi
+done < $RUNNER_TEMP/whitelist.txt.orig
+
+# Create Squid config with whitelist
+echo "http_port 3128" > $RUNNER_TEMP/squid.conf
+echo "" >> $RUNNER_TEMP/squid.conf
+echo "# Define ACLs" >> $RUNNER_TEMP/squid.conf
+echo "acl whitelist dstdomain \"/etc/squid/whitelist.txt\"" >> $RUNNER_TEMP/squid.conf
+echo "acl localnet src 127.0.0.1/32" >> $RUNNER_TEMP/squid.conf
+echo "acl localnet src 172.17.0.0/16" >> $RUNNER_TEMP/squid.conf
+echo "acl SSL_ports port 443" >> $RUNNER_TEMP/squid.conf
+echo "acl Safe_ports port 80" >> $RUNNER_TEMP/squid.conf
+echo "acl Safe_ports port 443" >> $RUNNER_TEMP/squid.conf
+echo "acl CONNECT method CONNECT" >> $RUNNER_TEMP/squid.conf
+echo "" >> $RUNNER_TEMP/squid.conf
+echo "# Deny requests to certain unsafe ports" >> $RUNNER_TEMP/squid.conf
+echo "http_access deny !Safe_ports" >> $RUNNER_TEMP/squid.conf
+echo "" >> $RUNNER_TEMP/squid.conf
+echo "# Only allow CONNECT to SSL ports" >> $RUNNER_TEMP/squid.conf
+echo "http_access deny CONNECT !SSL_ports" >> $RUNNER_TEMP/squid.conf
+echo "" >> $RUNNER_TEMP/squid.conf
+echo "# Allow localhost" >> $RUNNER_TEMP/squid.conf
+echo "http_access allow localhost" >> $RUNNER_TEMP/squid.conf
+echo "" >> $RUNNER_TEMP/squid.conf
+echo "# Allow localnet access to whitelisted domains" >> $RUNNER_TEMP/squid.conf
+echo "http_access allow localnet whitelist" >> $RUNNER_TEMP/squid.conf
+echo "" >> $RUNNER_TEMP/squid.conf
+echo "# Deny everything else" >> $RUNNER_TEMP/squid.conf
+echo "http_access deny all" >> $RUNNER_TEMP/squid.conf
+
+echo "Starting Squid proxy..."
+# First, remove any existing container
+sudo docker rm -f squid-proxy 2>/dev/null || true
+
+# Ensure whitelist file is not empty (Squid fails with empty files)
+if [ ! -s "$RUNNER_TEMP/whitelist.txt" ]; then
+  echo "WARNING: Whitelist file is empty, adding a dummy entry"
+  echo ".example.com" >> $RUNNER_TEMP/whitelist.txt
+fi
+
+# Use sudo to prevent Claude from stopping the container
+CONTAINER_ID=$(sudo docker run -d \
+  --name squid-proxy \
+  -p 127.0.0.1:3128:3128 \
+  -v $RUNNER_TEMP/squid.conf:/etc/squid/squid.conf:ro \
+  -v $RUNNER_TEMP/whitelist.txt:/etc/squid/whitelist.txt:ro \
+  ubuntu/squid:latest 2>&1) || {
+  echo "ERROR: Failed to start Squid container"
+  exit 1
+}
+
+# Wait for proxy to be ready (usually < 1 second)
+READY=false
+for i in {1..30}; do
+  if nc -z 127.0.0.1 3128 2>/dev/null; then
+    TOTAL_TIME=$(echo "scale=3; $(date +%s.%N) - $SQUID_START_TIME" | bc)
+    echo "Squid proxy ready in ${TOTAL_TIME}s"
+    READY=true
+    break
+  fi
+  sleep 0.1
+done
+
+if [ "$READY" != "true" ]; then
+  echo "ERROR: Squid proxy failed to start within 3 seconds"
+  echo "Container logs:"
+  sudo docker logs squid-proxy 2>&1 || true
+  echo "Container status:"
+  sudo docker ps -a | grep squid-proxy || true
+  exit 1
+fi
+
+# Set proxy environment variables
+echo "http_proxy=http://127.0.0.1:3128" >> $GITHUB_ENV
+echo "https_proxy=http://127.0.0.1:3128" >> $GITHUB_ENV
+echo "HTTP_PROXY=http://127.0.0.1:3128" >> $GITHUB_ENV
+echo "HTTPS_PROXY=http://127.0.0.1:3128" >> $GITHUB_ENV
+
+echo "Network restrictions setup completed successfully"