ci: use go stable

Signed-off-by: Xe Iaso <me@xeiaso.net>
ci(go): use go stable
2026-05-09 00:22:53 +00:00 · 2026-03-16 10:26:38 +00:00 · 2026-03-16 10:18:10 +00:00 · 2026-03-16 10:12:14 +00:00 · 2026-03-12 16:35:53 +00:00 · 2026-02-19 12:24:34 +00:00
20 changed files with 45 additions and 157 deletions
@@ -31,7 +31,7 @@ jobs:
          node-version: "24.11.0"
      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
        with:
-          go-version: "1.25.4"
+          go-version: "stable"

      - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9

@@ -41,7 +41,7 @@ jobs:
          node-version: "24.11.0"
      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
        with:
-          go-version: "1.25.4"
+          go-version: "stable"

      - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9

@@ -19,7 +19,7 @@ jobs:

      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
        with:
-          go-version: "1.25.4"
+          go-version: "stable"

      - name: Check go.mod and go.sum in main directory
        run: |
@@ -29,7 +29,7 @@ jobs:
          node-version: "24.11.0"
      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
        with:
-          go-version: "1.25.4"
+          go-version: "stable"

      - name: Cache playwright binaries
        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
@@ -61,4 +61,4 @@ jobs:

      - name: Govulncheck
        run: |
-          go tool govulncheck ./...
+          go tool govulncheck ./... ||:
@@ -30,7 +30,7 @@ jobs:
          node-version: "24.11.0"
      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
        with:
-          go-version: "1.25.4"
+          go-version: "stable"

      - name: install node deps
        run: |
@@ -31,7 +31,7 @@ jobs:
          node-version: "24.11.0"
      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
        with:
-          go-version: "1.25.4"
+          go-version: "stable"

      - name: install node deps
        run: |
@@ -39,7 +39,7 @@ jobs:
          node-version: "24.11.0"
      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
        with:
-          go-version: "1.25.4"
+          go-version: "stable"

      - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9

@@ -37,7 +37,7 @@ jobs:

      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
        with:
-          go-version: "1.25.4"
+          go-version: "stable"

      - name: Run CI
        run: go run ./utils/cmd/backoff-retry bash test/ssh-ci/rigging.sh ${{ matrix.host }}
@@ -24,7 +24,6 @@ build: assets
 lint: assets
 	$(GO) vet ./...
 	$(GO) tool staticcheck ./...
-	$(GO) tool govulncheck ./...
 	
 prebaked-build:
 	$(GO) build -o ./var/anubis -ldflags "-X 'github.com/TecharoHQ/anubis.Version=$(VERSION)'" ./cmd/anubis
@@ -11,7 +11,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

 ## [Unreleased]

- fix: prevent nil pointer panic in challenge validation when threshold rules match during PassChallenge (#1463)
+- Fixed mixed tab/space indentation in Caddy documentation code block

 <!-- This changes the project to: -->

@@ -62,9 +62,9 @@ yourdomain.example.com {
  tls your@email.address

  reverse_proxy http://anubis:3000 {
-		header_up X-Real-Ip {remote_host}
-		header_up X-Http-Version {http.request.proto}
-	}
+    header_up X-Real-Ip {remote_host}
+    header_up X-Http-Version {http.request.proto}
+  }
 }
 ```

@@ -393,6 +393,32 @@ logging:

 When files are rotated out, the old files will be named after the rotation timestamp in [RFC 3339 format](https://www.rfc-editor.org/rfc/rfc3339).

+:::note
+
+If you are running Anubis in systemd via a native package, the default systemd unit settings are very restrictive and will forbid writing to folders in `/var/log`. In order to fix this, please make a [drop-in unit](https://www.flatcar.org/docs/latest/setup/systemd/drop-in-units/) like the following:
+
+```text
+# /etc/systemd/anubis@instance-name.service.d/50-var-log-readwrite.conf
+[Service]
+ReadWritePaths=/run /var/log/anubis
+```
+
+Once you write this to the correct place, reload the systemd configuration:
+
+```text
+sudo systemctl daemon-reload
+```
+
+And then restart Anubis:
+
+```text
+sudo systemctl restart anubis@instance-name
+```
+
+You may be required to make drop-ins for each Anubis instance depending on the facts and circumstances of your deployment.
+
+:::
+
 ### `stdio` sink

 By default, Anubis logs everything to the standard error stream of its process. This requires no configuration:
@@ -106,13 +106,6 @@ func (s *Server) issueChallenge(ctx context.Context, r *http.Request, lg *slog.L
 		//return nil, errors.New("[unexpected] this codepath should be impossible, asked to issue a challenge for a non-challenge rule")
 	}

-	if rule.Challenge == nil {
-		rule.Challenge = &config.ChallengeRules{
-			Difficulty: s.policy.DefaultDifficulty,
-			Algorithm:  config.DefaultAlgorithm,
-		}
-	}
-
 	id, err := uuid.NewV7()
 	if err != nil {
 		return nil, err
@@ -498,11 +491,7 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
 	chall, err := s.getChallenge(r)
 	if err != nil {
 		lg.Error("getChallenge failed", "err", err)
-		algorithm := "unknown"
-		if rule.Challenge != nil {
-			algorithm = rule.Challenge.Algorithm
-		}
-		s.respondWithError(w, r, fmt.Sprintf("%s: %s", localizer.T("internal_server_error"), algorithm), makeCode(err))
+		s.respondWithError(w, r, fmt.Sprintf("%s: %s", localizer.T("internal_server_error"), rule.Challenge.Algorithm), makeCode(err))
 		return
 	}

@@ -649,16 +638,8 @@ func (s *Server) check(r *http.Request, lg *slog.Logger) (policy.CheckResult, *p
 		}

 		if matches {
-			challRules := t.Challenge
-			if challRules == nil {
-				// Non-CHALLENGE thresholds (ALLOW/DENY) don't have challenge config.
-				// Use an empty struct so hydrateChallengeRule can fill from stored
-				// challenge data during validation, rather than baking in defaults
-				// that could mismatch the difficulty the client actually solved for.
-				challRules = &config.ChallengeRules{}
-			}
 			return cr("threshold/"+t.Name, t.Action, weight), &policy.Bot{
-				Challenge: challRules,
+				Challenge: t.Challenge,
 				Rules:     &checker.List{},
 			}, nil
 		}
@@ -10,7 +10,6 @@ var (
 	ErrFailed        = errors.New("challenge: user failed challenge")
 	ErrMissingField  = errors.New("challenge: missing field")
 	ErrInvalidFormat = errors.New("challenge: field has invalid format")
-	ErrInvalidInput  = errors.New("challenge: input is nil or missing required fields")
 )

 func NewError(verb, publicReason string, privateReason error) *Error {
@@ -1,7 +1,6 @@
 package challenge

 import (
-	"fmt"
 	"log/slog"
 	"net/http"
 	"sort"
@@ -51,44 +50,12 @@ type IssueInput struct {
 	Store     store.Interface
 }

-func (in *IssueInput) Valid() error {
-	if in == nil {
-		return fmt.Errorf("%w: IssueInput is nil", ErrInvalidInput)
-	}
-	if in.Rule == nil {
-		return fmt.Errorf("%w: Rule is nil", ErrInvalidInput)
-	}
-	if in.Rule.Challenge == nil {
-		return fmt.Errorf("%w: Rule.Challenge is nil", ErrInvalidInput)
-	}
-	if in.Challenge == nil {
-		return fmt.Errorf("%w: Challenge is nil", ErrInvalidInput)
-	}
-	return nil
-}
-
 type ValidateInput struct {
 	Rule      *policy.Bot
 	Challenge *Challenge
 	Store     store.Interface
 }

-func (in *ValidateInput) Valid() error {
-	if in == nil {
-		return fmt.Errorf("%w: ValidateInput is nil", ErrInvalidInput)
-	}
-	if in.Rule == nil {
-		return fmt.Errorf("%w: Rule is nil", ErrInvalidInput)
-	}
-	if in.Rule.Challenge == nil {
-		return fmt.Errorf("%w: Rule.Challenge is nil", ErrInvalidInput)
-	}
-	if in.Challenge == nil {
-		return fmt.Errorf("%w: Challenge is nil", ErrInvalidInput)
-	}
-	return nil
-}
-
 type Impl interface {
 	// Setup registers any additional routes with the Impl for assets or API routes.
 	Setup(mux *http.ServeMux)
@@ -24,10 +24,6 @@ type Impl struct{}
 func (i *Impl) Setup(mux *http.ServeMux) {}

 func (i *Impl) Issue(w http.ResponseWriter, r *http.Request, lg *slog.Logger, in *challenge.IssueInput) (templ.Component, error) {
-	if err := in.Valid(); err != nil {
-		return nil, err
-	}
-
 	u, err := r.URL.Parse(anubis.BasePrefix + "/.within.website/x/cmd/anubis/api/pass-challenge")
 	if err != nil {
 		return nil, fmt.Errorf("can't render page: %w", err)
@@ -53,10 +49,6 @@ func (i *Impl) Issue(w http.ResponseWriter, r *http.Request, lg *slog.Logger, in
 }

 func (i *Impl) Validate(r *http.Request, lg *slog.Logger, in *challenge.ValidateInput) error {
-	if err := in.Valid(); err != nil {
-		return challenge.NewError("validate", "invalid input", err)
-	}
-
 	wantTime := in.Challenge.IssuedAt.Add(time.Duration(in.Rule.Challenge.Difficulty) * 800 * time.Millisecond)

 	if time.Now().Before(wantTime) {
@@ -39,10 +39,6 @@ type impl struct{}
 func (i *impl) Setup(mux *http.ServeMux) {}

 func (i *impl) Issue(w http.ResponseWriter, r *http.Request, lg *slog.Logger, in *challenge.IssueInput) (templ.Component, error) {
-	if err := in.Valid(); err != nil {
-		return nil, err
-	}
-
 	u, err := r.URL.Parse(anubis.BasePrefix + "/.within.website/x/cmd/anubis/api/pass-challenge")
 	if err != nil {
 		return nil, fmt.Errorf("can't render page: %w", err)
@@ -61,10 +57,6 @@ func (i *impl) Issue(w http.ResponseWriter, r *http.Request, lg *slog.Logger, in
 }

 func (i *impl) Validate(r *http.Request, lg *slog.Logger, in *challenge.ValidateInput) error {
-	if err := in.Valid(); err != nil {
-		return challenge.NewError("validate", "invalid input", err)
-	}
-
 	wantTime := in.Challenge.IssuedAt.Add(time.Duration(in.Rule.Challenge.Difficulty) * 80 * time.Millisecond)

 	if time.Now().Before(wantTime) {
@@ -33,10 +33,6 @@ func (i *Impl) Issue(w http.ResponseWriter, r *http.Request, lg *slog.Logger, in
 }

 func (i *Impl) Validate(r *http.Request, lg *slog.Logger, in *chall.ValidateInput) error {
-	if err := in.Valid(); err != nil {
-		return chall.NewError("validate", "invalid input", err)
-	}
-
 	rule := in.Rule
 	challenge := in.Challenge.RandomData

@@ -30,62 +30,6 @@ func mkRequest(t *testing.T, values map[string]string) *http.Request {
 	return req
 }

-// TestValidateNilRuleChallenge reproduces the panic from
-// https://github.com/TecharoHQ/anubis/issues/1463
-//
-// When a threshold rule matches during PassChallenge, check() can return
-// a policy.Bot with Challenge == nil. After hydrateChallengeRule fails to
-// run (or the error path hits before it), Validate dereferences
-// rule.Challenge.Difficulty and panics.
-func TestValidateNilRuleChallenge(t *testing.T) {
-	i := &Impl{Algorithm: "fast"}
-	lg := slog.With()
-
-	// This is the exact response for SHA256("hunter" + "0") with 0 leading zeros required.
-	const challengeStr = "hunter"
-	const response = "2652bdba8fb4d2ab39ef28d8534d7694c557a4ae146c1e9237bd8d950280500e"
-
-	req := mkRequest(t, map[string]string{
-		"nonce":       "0",
-		"elapsedTime": "69",
-		"response":    response,
-	})
-
-	for _, tc := range []struct {
-		name  string
-		input *challenge.ValidateInput
-	}{
-		{
-			name: "nil-rule-challenge",
-			input: &challenge.ValidateInput{
-				Rule:      &policy.Bot{},
-				Challenge: &challenge.Challenge{RandomData: challengeStr},
-			},
-		},
-		{
-			name: "nil-rule",
-			input: &challenge.ValidateInput{
-				Challenge: &challenge.Challenge{RandomData: challengeStr},
-			},
-		},
-		{
-			name:  "nil-challenge",
-			input: &challenge.ValidateInput{Rule: &policy.Bot{Challenge: &config.ChallengeRules{Algorithm: "fast"}}},
-		},
-		{
-			name:  "nil-input",
-			input: nil,
-		},
-	} {
-		t.Run(tc.name, func(t *testing.T) {
-			err := i.Validate(req, lg, tc.input)
-			if !errors.Is(err, challenge.ErrInvalidInput) {
-				t.Fatalf("expected ErrInvalidInput, got: %v", err)
-			}
-		})
-	}
-}
-
 func TestBasic(t *testing.T) {
 	i := &Impl{Algorithm: "fast"}
 	bot := &policy.Bot{
@@ -222,12 +222,8 @@ func (s *Server) RenderIndex(w http.ResponseWriter, r *http.Request, cr policy.C
 	chall, err := s.issueChallenge(r.Context(), r, lg, cr, rule)
 	if err != nil {
 		lg.Error("can't get challenge", "err", err)
-		algorithm := "unknown"
-		if rule.Challenge != nil {
-			algorithm = rule.Challenge.Algorithm
-		}
 		s.ClearCookie(w, CookieOpts{Name: anubis.TestCookieName, Host: r.Host})
-		s.respondWithError(w, r, fmt.Sprintf("%s: %s", localizer.T("internal_server_error"), algorithm), makeCode(err))
+		s.respondWithError(w, r, fmt.Sprintf("%s: %s", localizer.T("internal_server_error"), rule.Challenge.Algorithm), makeCode(err))
 		return
 	}

@@ -252,13 +248,9 @@ func (s *Server) RenderIndex(w http.ResponseWriter, r *http.Request, cr policy.C

 	impl, ok := challenge.Get(chall.Method)
 	if !ok {
-		algorithm := "unknown"
-		if rule.Challenge != nil {
-			algorithm = rule.Challenge.Algorithm
-		}
-		lg.Error("check failed", "err", "can't get algorithm", "algorithm", algorithm)
+		lg.Error("check failed", "err", "can't get algorithm", "algorithm", rule.Challenge.Algorithm)
 		s.ClearCookie(w, CookieOpts{Name: anubis.TestCookieName, Host: r.Host})
-		s.respondWithError(w, r, fmt.Sprintf("%s: %s", localizer.T("internal_server_error"), algorithm), makeCode(err))
+		s.respondWithError(w, r, fmt.Sprintf("%s: %s", localizer.T("internal_server_error"), rule.Challenge.Algorithm), makeCode(err))
 		return
 	}
Author	SHA1	Message	Date
Xe Iaso	3bf1acd548	ci: use go stable Signed-off-by: Xe Iaso <me@xeiaso.net>	2026-03-16 10:26:38 +00:00
Xe Iaso	780c1d8d6a	ci(go): use go stable Signed-off-by: Xe Iaso <me@xeiaso.net>	2026-03-16 10:18:10 +00:00
Xe Iaso	ea08ba2f61	ci: purge govulncheck, it's less signal than i hoped Signed-off-by: Xe Iaso <me@xeiaso.net>	2026-03-16 10:12:14 +00:00
Mozi	fa518e1b8c	docs: fix mixed tab/space indentation in Caddy config example (#1506 ) Assisted-by: Claude Opus 4.6 via Copilot Signed-off-by: Mozi <29089388+pzhlkj6612@users.noreply.github.com>	2026-03-12 16:35:53 +00:00
Xe Iaso	f38210fd84	docs(admin/policy): document ReadWritePaths for logging to files (#1469 ) The default Anubis systemd configuration is very restrictive in order to prevent any possible compromise of Anubis to be useful by threat actors. As such, it assumes all logs will be pushed to the system journal. Some administrators do not want Anubis' logs to be pushed to the system journal and want Anubis to log to a file instead. This change documents how to set up ReadWritePaths in the Anubis systemd configuration such that Anubis can lot to a file as administrators expect. Closes: #1468 Signed-off-by: Xe Iaso <me@xeiaso.net>	2026-02-19 12:24:34 +00:00