|
| 1 | +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json |
| 2 | +# |
| 3 | +# Strict-mode interoperability smoke tests (HTTPS + HTTP signature verification). |
| 4 | +# Uses a standalone Docker Compose file with Caddy TLS proxies to verify that |
| 5 | +# Fedify correctly signs and verifies requests over HTTPS. |
| 6 | +# See: https://github.com/fedify-dev/fedify/issues/481 |
| 7 | +name: smoke-mastodon-strict |
| 8 | + |
| 9 | +on: |
| 10 | + schedule: |
| 11 | + - cron: "0 6 * * *" |
| 12 | + workflow_dispatch: |
| 13 | + |
| 14 | +concurrency: |
| 15 | + group: ${{ github.workflow }}-${{ github.ref }} |
| 16 | + cancel-in-progress: true |
| 17 | + |
| 18 | +jobs: |
| 19 | + smoke: |
| 20 | + runs-on: ubuntu-latest |
| 21 | + timeout-minutes: 25 |
| 22 | + |
| 23 | + env: |
| 24 | + COMPOSE: >- |
| 25 | + docker compose |
| 26 | + -f test/smoke/mastodon/docker-compose.strict.yml |
| 27 | +
|
| 28 | + steps: |
| 29 | + - uses: actions/checkout@v4 |
| 30 | + |
| 31 | + - uses: ./.github/actions/setup-mise |
| 32 | + |
| 33 | + - name: Generate TLS certificates |
| 34 | + run: bash test/smoke/mastodon/generate-certs.sh test/smoke/mastodon/.certs |
| 35 | + |
| 36 | + - name: Verify certificates |
| 37 | + run: | |
| 38 | + openssl verify -CAfile test/smoke/mastodon/.certs/ca.crt \ |
| 39 | + test/smoke/mastodon/.certs/fedify-harness.crt |
| 40 | + openssl verify -CAfile test/smoke/mastodon/.certs/ca.crt \ |
| 41 | + test/smoke/mastodon/.certs/mastodon.crt |
| 42 | +
|
| 43 | + - name: Generate Mastodon secrets |
| 44 | + run: | |
| 45 | + IMAGE=ghcr.io/mastodon/mastodon:v4.3.9 |
| 46 | + docker pull "$IMAGE" |
| 47 | +
|
| 48 | + SECRET1=$(docker run --rm "$IMAGE" bundle exec rails secret) |
| 49 | + SECRET2=$(docker run --rm "$IMAGE" bundle exec rails secret) |
| 50 | +
|
| 51 | + { |
| 52 | + echo "SECRET_KEY_BASE=$SECRET1" |
| 53 | + echo "OTP_SECRET=$SECRET2" |
| 54 | + docker run --rm "$IMAGE" bundle exec rails mastodon:webpush:generate_vapid_key \ |
| 55 | + | grep -E '^[A-Z_]+=.+' |
| 56 | + docker run --rm "$IMAGE" bundle exec rails db:encryption:init \ |
| 57 | + | grep -E '^[A-Z_]+=.+' |
| 58 | + } >> test/smoke/mastodon/mastodon-strict.env |
| 59 | +
|
| 60 | + - name: Start database and redis |
| 61 | + run: | |
| 62 | + $COMPOSE up -d db redis |
| 63 | + $COMPOSE exec -T db \ |
| 64 | + sh -c 'until pg_isready -U mastodon; do sleep 1; done' |
| 65 | +
|
| 66 | + - name: Run DB setup and migrations |
| 67 | + run: | |
| 68 | + $COMPOSE run --rm -T \ |
| 69 | + mastodon-web-backend bundle exec rails db:setup |
| 70 | + timeout-minutes: 5 |
| 71 | + |
| 72 | + - name: Start Mastodon stack |
| 73 | + run: $COMPOSE up --wait |
| 74 | + timeout-minutes: 12 |
| 75 | + |
| 76 | + - name: Provision Mastodon |
| 77 | + run: bash test/smoke/mastodon/provision-strict.sh |
| 78 | + |
| 79 | + - name: Verify connectivity |
| 80 | + run: | |
| 81 | + echo "=== Harness health (from mastodon-web-backend, via Caddy TLS) ===" |
| 82 | + $COMPOSE exec -T mastodon-web-backend \ |
| 83 | + curl -sf https://fedify-harness/_test/health |
| 84 | + echo " OK" |
| 85 | +
|
| 86 | + echo "=== Harness health (from mastodon-sidekiq, via Caddy TLS) ===" |
| 87 | + $COMPOSE exec -T mastodon-sidekiq \ |
| 88 | + curl -sf https://fedify-harness/_test/health |
| 89 | + echo " OK" |
| 90 | +
|
| 91 | + - name: Run smoke tests |
| 92 | + run: | |
| 93 | + set -a && source test/smoke/.env.test && set +a |
| 94 | + deno run --allow-net --allow-env --unstable-temporal \ |
| 95 | + test/smoke/orchestrator.ts |
| 96 | +
|
| 97 | + - name: Collect logs on failure |
| 98 | + if: failure() |
| 99 | + run: | |
| 100 | + echo "=== Docker Compose logs ===" |
| 101 | + $COMPOSE logs --tail=500 |
| 102 | +
|
| 103 | + - name: Teardown |
| 104 | + if: always() |
| 105 | + run: $COMPOSE down -v |
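Review bot: The workflow declares no `permissions:` block, so the job's GITHUB_TOKEN gets the repository default, which depending on repository settings can include write scopes the job never uses; the steps only check out the repo and drive containers, so a top-level `permissions:` with `  contents: read` would keep the token read-only. External inputs are pinned by mutable tag rather than content — `uses: actions/checkout@v4` and `IMAGE=ghcr.io/mastodon/mastodon:v4.3.9` — so pinning the action to a commit SHA and the image to a digest would make runs reproducible and immune to tag moves, and since the image tag presumably also has to match the one in `docker-compose.strict.yml` (not in this diff), a comment stating that coupling next to `IMAGE=` would help the next maintainer. The readiness loop `until pg_isready -U mastodon; do sleep 1; done` has no bound, so a database that never comes up stalls the step until the 25-minute job timeout instead of failing fast; the neighbouring steps carry `timeout-minutes`, and this one could too. The health checks use `curl -sf`, which suppresses the error text on failure, so `curl -sSf` would stay quiet on success but print why a TLS or connection failure happened when it does.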