Use shared volume between job container and squid service for log access

2026-01-30 16:04:23 +08:00 · 2026-01-29 09:04:33 -08:00 · 2026-01-29 09:04:33 -08:00 · 56cc052f4d
commit 56cc052f4d
parent ef4c2110b5
1 changed files with 46 additions and 30 deletions
--- a/.github/workflows/workflow.yml
+++ b/.github/workflows/workflow.yml
@ -91,14 +91,15 @@ jobs:
    container:
      image: ubuntu:latest
      options: --privileged
+      volumes:
+        - /tmp/squid-logs:/shared-logs
    services:
      squid-proxy:
        image: ubuntu/squid:latest
        ports:
          - 3128:3128
-    env:
-      http_proxy: http://squid-proxy:3128
-      https_proxy: http://squid-proxy:3128
+        volumes:
+          - /tmp/squid-logs:/var/log/squid
    steps:
    - name: Checkout
      uses: actions/checkout@v5
@ -107,6 +108,9 @@ jobs:
        apt-get update
        apt-get install -y iptables dnsutils curl jq ipset
    - name: Fetch GitHub meta and configure firewall
+      env:
+        http_proxy: http://squid-proxy:3128
+        https_proxy: http://squid-proxy:3128
      run: |
        # Fetch GitHub meta API to get all IP ranges
        echo "Fetching GitHub meta API..."
@ -173,6 +177,9 @@ jobs:
        echo ""
        echo "ipset github-ips contains $(ipset list github-ips | grep -c '^[0-9]') entries"
    - name: Verify proxy enforcement
+      env:
+        http_proxy: http://squid-proxy:3128
+        https_proxy: http://squid-proxy:3128
      run: |
        echo "=== Testing proxy enforcement ==="

@ -205,6 +212,9 @@ jobs:
    - name: Generate files
      run: __tests__/create-cache-files.sh proxy test-cache
    - name: Save cache
+      env:
+        http_proxy: http://squid-proxy:3128
+        https_proxy: http://squid-proxy:3128
      uses: ./
      with:
        key: test-proxy-${{ github.run_id }}
@ -213,22 +223,18 @@ jobs:
      run: |
        echo "=== Verifying cache traffic went through proxy ==="
        
-        # Get the squid container ID
-        SQUID_CONTAINER=$(docker ps --filter "ancestor=ubuntu/squid:latest" --format "{{.ID}}" | head -1)
-        
-        if [ -z "$SQUID_CONTAINER" ]; then
-          SQUID_CONTAINER=$(docker ps --format "{{.ID}}\t{{.Image}}" | grep squid | cut -f1)
-        fi
+        # Read from shared volume where squid logs are mounted
+        SQUID_LOG="/shared-logs/access.log"
        
        # Initialize summary
        echo "## 🔒 Proxy Traffic Verification - Cache Save" >> $GITHUB_STEP_SUMMARY
        echo "" >> $GITHUB_STEP_SUMMARY
        
-        if [ -n "$SQUID_CONTAINER" ]; then
-          echo "Found Squid container: $SQUID_CONTAINER"
+        if [ -f "$SQUID_LOG" ]; then
+          echo "Found Squid access log at $SQUID_LOG"
          
          # Get the full access log
-          ACCESS_LOG=$(docker exec "$SQUID_CONTAINER" cat /var/log/squid/access.log 2>/dev/null || echo "")
+          ACCESS_LOG=$(cat "$SQUID_LOG" 2>/dev/null || echo "")
          
          # Extract traffic details
          RESULTS_RECEIVER_LINES=$(echo "$ACCESS_LOG" | grep -i "results-receiver" || true)
@ -315,10 +321,12 @@ jobs:
          echo "Blob storage requests: $BLOB_COUNT"
          echo "Verification status: $VERIFY_STATUS"
        else
-          echo "⚠️ **WARNING**: Could not access Squid proxy container logs" >> $GITHUB_STEP_SUMMARY
+          echo "⚠️ **WARNING**: Could not access Squid proxy logs" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "This may occur when service containers are isolated from the job container." >> $GITHUB_STEP_SUMMARY
-          echo "Could not access squid container logs"
+          echo "The shared log volume may not be accessible at $SQUID_LOG" >> $GITHUB_STEP_SUMMARY
+          echo "Checking what's in /shared-logs/:"
+          ls -la /shared-logs/ || echo "Directory not accessible"
+          echo "Could not access squid access log at $SQUID_LOG"
        fi

  test-proxy-restore:
@ -327,14 +335,15 @@ jobs:
    container:
      image: ubuntu:latest
      options: --privileged
+      volumes:
+        - /tmp/squid-logs:/shared-logs
    services:
      squid-proxy:
        image: ubuntu/squid:latest
        ports:
          - 3128:3128
-    env:
-      http_proxy: http://squid-proxy:3128
-      https_proxy: http://squid-proxy:3128
+        volumes:
+          - /tmp/squid-logs:/var/log/squid
    steps:
    - name: Checkout
      uses: actions/checkout@v5
@ -343,6 +352,9 @@ jobs:
        apt-get update
        apt-get install -y iptables dnsutils curl jq ipset
    - name: Fetch GitHub meta and configure firewall
+      env:
+        http_proxy: http://squid-proxy:3128
+        https_proxy: http://squid-proxy:3128
      run: |
        # Fetch GitHub meta API to get all IP ranges
        echo "Fetching GitHub meta API..."
@ -409,6 +421,9 @@ jobs:
        echo ""
        echo "ipset github-ips contains $(ipset list github-ips | grep -c '^[0-9]') entries"
    - name: Verify proxy enforcement
+      env:
+        http_proxy: http://squid-proxy:3128
+        https_proxy: http://squid-proxy:3128
      run: |
        echo "=== Testing proxy enforcement ==="

@ -439,6 +454,9 @@ jobs:
          echo "Note: Proxy connection may have failed, but that's OK if it's not a network block"
        fi
    - name: Restore cache
+      env:
+        http_proxy: http://squid-proxy:3128
+        https_proxy: http://squid-proxy:3128
      uses: ./
      with:
        key: test-proxy-${{ github.run_id }}
@ -447,22 +465,18 @@ jobs:
      run: |
        echo "=== Verifying cache restore traffic went through proxy ==="
        
-        # Get the squid container ID
-        SQUID_CONTAINER=$(docker ps --filter "ancestor=ubuntu/squid:latest" --format "{{.ID}}" | head -1)
-        
-        if [ -z "$SQUID_CONTAINER" ]; then
-          SQUID_CONTAINER=$(docker ps --format "{{.ID}}\t{{.Image}}" | grep squid | cut -f1)
-        fi
+        # Read from shared volume where squid logs are mounted
+        SQUID_LOG="/shared-logs/access.log"
        
        # Initialize summary
        echo "## 🔒 Proxy Traffic Verification - Cache Restore" >> $GITHUB_STEP_SUMMARY
        echo "" >> $GITHUB_STEP_SUMMARY
        
-        if [ -n "$SQUID_CONTAINER" ]; then
-          echo "Found Squid container: $SQUID_CONTAINER"
+        if [ -f "$SQUID_LOG" ]; then
+          echo "Found Squid access log at $SQUID_LOG"
          
          # Get the full access log
-          ACCESS_LOG=$(docker exec "$SQUID_CONTAINER" cat /var/log/squid/access.log 2>/dev/null || echo "")
+          ACCESS_LOG=$(cat "$SQUID_LOG" 2>/dev/null || echo "")
          
          # Extract traffic details
          RESULTS_RECEIVER_LINES=$(echo "$ACCESS_LOG" | grep -i "results-receiver" || true)
@ -548,10 +562,12 @@ jobs:
          echo "Blob storage requests: $BLOB_COUNT"
          echo "Verification status: $VERIFY_STATUS"
        else
-          echo "⚠️ **WARNING**: Could not access Squid proxy container logs" >> $GITHUB_STEP_SUMMARY
+          echo "⚠️ **WARNING**: Could not access Squid proxy logs" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "This may occur when service containers are isolated from the job container." >> $GITHUB_STEP_SUMMARY
-          echo "Could not access squid container logs"
+          echo "The shared log volume may not be accessible at $SQUID_LOG" >> $GITHUB_STEP_SUMMARY
+          echo "Checking what's in /shared-logs/:"
+          ls -la /shared-logs/ || echo "Directory not accessible"
+          echo "Could not access squid access log at $SQUID_LOG"
        fi
    - name: Verify cache
      run: __tests__/verify-cache-files.sh proxy test-cache