fix(ci): drop redis auth in e2e service + emit health body inline
Some checks failed
Veza CI / Rust (Stream Server) (push) Successful in 3m40s
Security Scan / Secret Scanning (gitleaks) (push) Successful in 1m4s
E2E Playwright / e2e (full) (push) Failing after 14m36s
Veza CI / Backend (Go) (push) Failing after 17m6s
Veza CI / Frontend (Web) (push) Successful in 26m17s
Veza CI / Notify on failure (push) Successful in 7s
Some checks failed
Veza CI / Rust (Stream Server) (push) Successful in 3m40s
Security Scan / Secret Scanning (gitleaks) (push) Successful in 1m4s
E2E Playwright / e2e (full) (push) Failing after 14m36s
Veza CI / Backend (Go) (push) Failing after 17m6s
Veza CI / Frontend (Web) (push) Successful in 26m17s
Veza CI / Notify on failure (push) Successful in 7s
Two issues from run 430: 1. Health probe never produced a diagnosable signal. The script printed only `false` (jq output) and "Health response invalid" without the body or backend log, because Forgejo artifact upload is broken under GHES so /tmp/backend.log never made it out. Fix: poll instead of fixed sleep, always cat the health body, and tail backend.log on any non-ok status. 2. Redis auth never actually took effect. I had set REDIS_ARGS=--requirepass on the redis service expecting the redis:7-alpine entrypoint to pick it up. It does not — the entrypoint just execs whatever CMD is set, and act_runner services don't accept a `command:` field. So the service started without auth while the backend was sending a password in REDIS_URL → AUTH rejected → .status != "ok". Fix: drop auth on the CI redis service (the dev/prod REM-023 policy lives in docker-compose.yml; the CI service network is ephemeral and isolated), and change REDIS_URL accordingly. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
senke
parent
2a96766ae3
commit
1de016dfeb
1 changed files with 39 additions and 10 deletions
49
.github/workflows/e2e.yml
vendored
49
.github/workflows/e2e.yml
vendored
|
|
@ -57,14 +57,16 @@ jobs:
|
|||
--health-timeout 3s
|
||||
--health-retries 10
|
||||
redis:
|
||||
# Match docker-compose.yml (REM-023: password required even
|
||||
# in dev). Default redis:7-alpine entrypoint reads
|
||||
# REDIS_ARGS, so requirepass works without a `command:`.
|
||||
# No-auth redis for CI: act_runner services don't support a
|
||||
# `command:` field, and the redis:7-alpine entrypoint does
|
||||
# NOT read REDIS_ARGS (verified empirically) — so passing
|
||||
# --requirepass via env doesn't work. The dev/prod password
|
||||
# policy (REM-023) is enforced via docker-compose.yml only;
|
||||
# the CI service network is ephemeral and isolated, so
|
||||
# dropping auth here is acceptable.
|
||||
image: redis:7-alpine
|
||||
env:
|
||||
REDIS_ARGS: "--requirepass devpassword"
|
||||
options: >-
|
||||
--health-cmd "redis-cli -a devpassword ping"
|
||||
--health-cmd "redis-cli ping"
|
||||
--health-interval 5s
|
||||
--health-timeout 3s
|
||||
--health-retries 10
|
||||
|
|
@ -82,7 +84,7 @@ jobs:
|
|||
# Service hostnames + standard ports — no host-port mapping needed.
|
||||
env:
|
||||
DATABASE_URL: postgresql://veza:${{ secrets.E2E_DB_PASSWORD || 'devpassword' }}@postgres:5432/veza?sslmode=disable
|
||||
REDIS_URL: redis://:devpassword@redis:6379
|
||||
REDIS_URL: redis://redis:6379
|
||||
RABBITMQ_URL: ${{ secrets.E2E_RABBITMQ_URL || 'amqp://veza:devpassword@rabbitmq:5672/' }}
|
||||
|
||||
steps:
|
||||
|
|
@ -140,9 +142,36 @@ jobs:
|
|||
cd veza-backend-api
|
||||
go build -o veza-api ./cmd/api/main.go
|
||||
./veza-api > /tmp/backend.log 2>&1 &
|
||||
sleep 10
|
||||
curl -sf http://localhost:18080/api/v1/health > /tmp/health.json || (echo "Backend health check failed"; tail -50 /tmp/backend.log; exit 1)
|
||||
jq -e '.status == "ok"' /tmp/health.json || (echo "Health response invalid"; cat /tmp/health.json; exit 1)
|
||||
BACKEND_PID=$!
|
||||
|
||||
# Poll for up to 30s — beats a fixed sleep on a cold start.
|
||||
for i in $(seq 1 30); do
|
||||
if curl -sf -m 2 http://localhost:18080/api/v1/health > /tmp/health.json 2>/dev/null; then
|
||||
break
|
||||
fi
|
||||
if ! kill -0 "$BACKEND_PID" 2>/dev/null; then
|
||||
echo "::error::backend process died before becoming reachable"
|
||||
echo "--- /tmp/backend.log (last 200 lines) ---"
|
||||
tail -200 /tmp/backend.log
|
||||
exit 1
|
||||
fi
|
||||
sleep 1
|
||||
done
|
||||
|
||||
# Always print the response body so debugging doesn't
|
||||
# require re-running with extra logging. Artifact upload
|
||||
# is broken under Forgejo (GHES not supported), so the
|
||||
# log step output is our only diagnostic channel.
|
||||
echo "--- /api/v1/health response ---"
|
||||
cat /tmp/health.json
|
||||
echo
|
||||
|
||||
if ! jq -e '.status == "ok"' /tmp/health.json >/dev/null; then
|
||||
echo "::error::backend health is not ok"
|
||||
echo "--- /tmp/backend.log (last 200 lines) ---"
|
||||
tail -200 /tmp/backend.log
|
||||
exit 1
|
||||
fi
|
||||
echo "Backend healthy"
|
||||
|
||||
- name: Install Playwright browsers
|
||||
|
|
|
|||
Loading…
Reference in a new issue