[miniflare] Point HTTPS-CA test at a stable URL#13973
Conversation
`packages/miniflare/test/index.spec.ts` had a test that fetched `https://workers.cloudflare.com/cf.json` from inside a worker and asserted `res.ok === true` to verify that workerd trusts public CAs. That URL now permanently 301s to `https://www.cloudflare.com/cf.json` which returns 404 `not found :(`. Following the redirect produces a non-OK response and the test fails on every CI run regardless of the change under test, blocking all PRs touching anything in the packages-and-tools matrix. Switch the test to `https://example.com/` — the IANA-maintained stable test endpoint — which serves a 200 over HTTPS with a public CA chain and so still exercises the original behaviour the test was written to verify.
|
|
Codeowners approval required for this PR:
Show detailed file reviewers |
|
LGTM |
|
✅ All changesets look good |
workers-devprod
left a comment
There was a problem hiding this comment.
Codeowners reviews satisfied
ascorbic
left a comment
There was a problem hiding this comment.
I think the missing cf.json is a bigger issue, but shouldn't block this
create-cloudflare
@cloudflare/kv-asset-handler
miniflare
@cloudflare/pages-shared
@cloudflare/unenv-preset
@cloudflare/vite-plugin
@cloudflare/vitest-pool-workers
@cloudflare/workers-editor-shared
@cloudflare/workers-utils
wrangler
commit: |
No tracked issue; this fixes a CI-blocking regression on `main`.
What
The `Miniflare: HTTPS fetches using browser CA certificates` test at `packages/miniflare/test/index.spec.ts:1566` was fetching `https://workers.cloudflare.com/cf.json\` from inside a worker and asserting `res.ok === true` to verify that workerd trusts public CAs.
That URL now permanently 301s to `https://www.cloudflare.com/cf.json\` which returns 404 with the body `not found :(`:
fetch()follows the redirect by default, so the worker sees the 404. `res.ok` is false. The test fails on every CI run regardless of the change under test, blocking all PRs touching anything in the packages-and-tools matrix (e.g. #13971).How
Switch the test to fetch `https://example.com/\` — the IANA-maintained stable test endpoint — which serves 200 OK over HTTPS with a public CA chain. The test still exercises the original behaviour it was written to verify (workerd trusting the system/public CA store) without depending on a Cloudflare-controlled URL whose lifecycle is outside this repo.
I considered keeping a Cloudflare-owned URL (e.g. `https://www.cloudflare.com/\` returns 200) but `example.com` is purpose-built for this kind of test and won't quietly disappear.
Test plan
Note on `packages/miniflare/src/cf.ts`
The same `https://workers.cloudflare.com/cf.json\` URL is also hard-coded as `defaultCfFetchEndpoint` in `packages/miniflare/src/cf.ts:49`. That code already falls back to `fallbackCf` on fetch failure so it's degraded but not broken at runtime — and updating it is out of scope for this minimal CI-unblocker. Worth a follow-up to point it at the correct URL (or strip it entirely if cf.json is no longer published).