* perf: optimize Squid proxy startup time - Replace fixed 7-second sleep with dynamic readiness check - Only shutdown existing Squid if actually running - Add detailed timing logs to track each step's duration - Expected reduction: ~7-8 seconds to ~1-2 seconds startup overhead 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * refactor: extract squid setup into standalone script Move squid proxy setup logic from action.yml inline bash script to scripts/setup-network-restrictions.sh for better maintainability and cleaner action configuration. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Revert "refactor: extract squid setup into standalone script" This reverts commit b18aa2821d. * tmp * Reapply "refactor: extract squid setup into standalone script" This reverts commit 07f6911549. --------- Co-authored-by: Claude <noreply@anthropic.com>
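#!/bin/bash
# Setup Network Restrictions with Squid Proxy
#
# Starts a Squid proxy in a Docker container that only forwards requests to
# the domains listed in EXPERIMENTAL_ALLOWED_DOMAINS, then exports the usual
# http(s)_proxy variables via GITHUB_ENV so later job steps route through it.
#
# Scope: the restriction applies only to traffic that honours the proxy
# environment variables. Nothing here touches the runner's routing or packet
# filter, so a process that ignores http_proxy/https_proxy is not restricted.
#
# Required environment variables:
#   EXPERIMENTAL_ALLOWED_DOMAINS  newline-separated allowlist of domains
#                                 and/or IPv4 literals
#   RUNNER_TEMP                   writable scratch dir (whitelist.txt, squid.conf)
#   GITHUB_ENV                    file that receives the proxy variable assignments
# Optional:
#   SQUID_IMAGE                   container image to run (default
#                                 ubuntu/squid:latest); pin to an image digest
#                                 for reproducible, tamper-evident runs
#
# Exit status: 0 on success; 1 on a missing variable, an invalid allowlist
# entry, a container that fails to start, or a proxy that never becomes ready.

set -euo pipefail

readonly PROXY_HOST=127.0.0.1
readonly PROXY_PORT=3128
readonly CONTAINER_NAME=squid-proxy
readonly SQUID_IMAGE="${SQUID_IMAGE:-ubuntu/squid:latest}"
readonly READY_ATTEMPTS=30   # polled every 0.1s -> ~3s readiness budget

#######################################
# Print an error to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Abort unless the named variable is set and non-empty.
# Arguments: $1 - variable name
#######################################
require_env() {
  local name=$1
  [ -n "${!name:-}" ] || die "${name} environment variable is required"
}

#######################################
# Normalize one allowlist entry for Squid's dstdomain ACL file.
#  - strips surrounding whitespace and a trailing CR (CRLF input)
#  - rejects entries with characters outside [A-Za-z0-9._:-]; whitespace,
#    '#' or quotes would corrupt the ACL file or silently change its meaning
#  - prefixes a dot so subdomains match, unless the entry already starts
#    with a dot or looks like an IPv4 literal (an exact-match entry)
# NOTE(review): IPv6 literals are not special-cased and would receive a
# leading dot, same as the previous implementation.
# Arguments: $1 - raw entry
# Outputs:   the normalized entry on stdout, nothing for a blank entry
#######################################
normalize_domain() {
  local entry=$1
  entry=${entry%$'\r'}
  entry=${entry#"${entry%%[![:space:]]*}"}
  entry=${entry%"${entry##*[![:space:]]}"}
  [ -n "$entry" ] || return 0
  if [[ "$entry" == *[!:A-Za-z0-9._-]* ]]; then
    die "invalid allowlist entry '${entry}' (allowed characters: letters, digits, '.', '_', ':', '-')"
  fi
  if [[ "$entry" != .* && ! "$entry" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
    entry=".${entry}"
  fi
  printf '%s\n' "$entry"
}

#######################################
# Write the Squid whitelist file from EXPERIMENTAL_ALLOWED_DOMAINS.
# Squid refuses to start on an empty ACL file, so an empty allowlist gets a
# placeholder under the reserved ".invalid" TLD, which can never resolve and
# therefore does not widen the allowlist.
# Globals:   EXPERIMENTAL_ALLOWED_DOMAINS (read)
# Arguments: $1 - path of the whitelist file to create
#######################################
write_whitelist() {
  local whitelist=$1
  local domain
  : > "$whitelist"
  # normalize_domain runs in this shell (no pipe), so its die() aborts the script
  while IFS= read -r domain || [ -n "$domain" ]; do
    normalize_domain "$domain" >> "$whitelist"
  done <<<"$EXPERIMENTAL_ALLOWED_DOMAINS"
  if [ ! -s "$whitelist" ]; then
    echo "WARNING: Whitelist file is empty, adding a placeholder entry" >&2
    printf '%s\n' ".invalid" >> "$whitelist"
  fi
}

#######################################
# Write the Squid configuration. http_access rules are evaluated top-down,
# first match wins, so the final "deny all" must stay last.
# Arguments: $1 - path of the config file to create
#######################################
write_squid_conf() {
  local conf=$1
  cat > "$conf" <<EOF
http_port ${PROXY_PORT}

# Define ACLs
acl whitelist dstdomain "/etc/squid/whitelist.txt"
acl localnet src 127.0.0.1/32
acl localnet src 172.17.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Only allow CONNECT to SSL ports
http_access deny CONNECT !SSL_ports

# Allow localhost
http_access allow localhost

# Allow localnet access to whitelisted domains
http_access allow localnet whitelist

# Deny everything else
http_access deny all
EOF
}

#######################################
# Replace any previous proxy container and start a fresh one.
# Runs docker via sudo so the container is root-owned and cannot be stopped
# by the unprivileged job; the port is bound to loopback only.
# Arguments: $1 - squid.conf path, $2 - whitelist path
#######################################
start_proxy() {
  local conf=$1
  local whitelist=$2
  sudo docker rm -f "$CONTAINER_NAME" 2>/dev/null || true
  # stdout (the container id) is not needed; stderr is kept for diagnostics
  sudo docker run -d \
    --name "$CONTAINER_NAME" \
    -p "${PROXY_HOST}:${PROXY_PORT}:${PROXY_PORT}" \
    -v "${conf}:/etc/squid/squid.conf:ro" \
    -v "${whitelist}:/etc/squid/whitelist.txt:ro" \
    "$SQUID_IMAGE" >/dev/null || die "Failed to start Squid container"
}

#######################################
# Return 0 when the proxy port accepts a TCP connection.
# Uses nc when present, otherwise bash's /dev/tcp pseudo-device.
#######################################
port_open() {
  if command -v nc >/dev/null 2>&1; then
    nc -z "$PROXY_HOST" "$PROXY_PORT" 2>/dev/null
  else
    # the subshell keeps fd 3 from leaking into the main shell
    (exec 3<>"/dev/tcp/${PROXY_HOST}/${PROXY_PORT}") 2>/dev/null
  fi
}

#######################################
# Poll until the proxy port is open, logging the elapsed time.
# Arguments: $1 - start timestamp in nanoseconds (date +%s%N)
# Returns:   0 when ready, 1 after READY_ATTEMPTS failed probes
#######################################
wait_for_proxy() {
  local start_ns=$1
  local attempt now_ns elapsed_ms
  for (( attempt = 1; attempt <= READY_ATTEMPTS; attempt++ )); do
    if port_open; then
      now_ns=$(date +%s%N)
      # integer arithmetic avoids a dependency on bc
      elapsed_ms=$(( (now_ns - start_ns) / 1000000 ))
      printf 'Squid proxy ready in %d.%03ds\n' \
        $(( elapsed_ms / 1000 )) $(( elapsed_ms % 1000 ))
      return 0
    fi
    sleep 0.1
  done
  return 1
}

#######################################
# Dump container diagnostics and exit 1 after a readiness timeout.
#######################################
report_failure() {
  echo "ERROR: Squid proxy failed to start within $(( READY_ATTEMPTS / 10 )) seconds" >&2
  echo "Container logs:"
  sudo docker logs "$CONTAINER_NAME" 2>&1 || true
  echo "Container status:"
  sudo docker ps -a --filter "name=${CONTAINER_NAME}" || true
  exit 1
}

#######################################
# Export the proxy URL under both lower- and upper-case variable names.
# Globals: GITHUB_ENV (appended to)
#######################################
export_proxy_env() {
  local url="http://${PROXY_HOST}:${PROXY_PORT}"
  local var
  for var in http_proxy https_proxy HTTP_PROXY HTTPS_PROXY; do
    printf '%s=%s\n' "$var" "$url" >> "$GITHUB_ENV"
  done
}

main() {
  require_env EXPERIMENTAL_ALLOWED_DOMAINS
  require_env RUNNER_TEMP
  require_env GITHUB_ENV

  echo "Setting up network restrictions with Squid proxy..."
  local start_ns
  start_ns=$(date +%s%N)

  local whitelist="${RUNNER_TEMP}/whitelist.txt"
  local conf="${RUNNER_TEMP}/squid.conf"
  write_whitelist "$whitelist"
  write_squid_conf "$conf"

  echo "Starting Squid proxy..."
  start_proxy "$conf" "$whitelist"
  wait_for_proxy "$start_ns" || report_failure

  export_proxy_env
  echo "Network restrictions setup completed successfully"
}

main "$@"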