
fix(security): replace insecure TrustManager with default JVM trust v… #35


Workflow file for this run

name: Integration Tests

# Triggers: pushes and PRs targeting main, manual dispatch, and a weekly cron.
on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  workflow_dispatch: {}
  # Weekly drift catch — Tuesday 06:00 UTC so failures land in EU/IN
  # working hours, not weekend handover.
  schedule:
    - cron: '0 6 * * 2'

# Workflow token is limited to read-only access to repository contents;
# scopes not listed here are not granted.
permissions:
  contents: read

# Avoid spawning parallel docker-compose stacks for back-to-back pushes;
# also cancels stale PR runs when a new commit lands.
concurrency:
  group: integration-${{ github.ref }}
  cancel-in-progress: true

env:
  # Quoted so YAML keeps the literal string 'off' instead of a boolean.
  AXONFLOW_TELEMETRY: 'off'
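jobs:
  # WireMock-based integration tests run on every PR + push. No live stack
  # needed — these are contract-style tests over the SDK + agent wire shape.
  # Matrixed across the same JDKs as the unit-test suite in ci.yml.
  contract-integration:
    name: Contract Integration (WireMock, JDK ${{ matrix.java-version }})
    runs-on: ubuntu-latest
    timeout-minutes: 15
    strategy:
      fail-fast: false
      matrix:
        java-version: [11, 17, 21]
    steps:
      # NOTE(review): the marketplace actions in this file are referenced by
      # a mutable major-version tag (`@v4`). Pinning each `uses:` to a full
      # commit SHA keeps a retagged release from changing what runs here.
      - name: Checkout SDK
        uses: actions/checkout@v4
        with:
          # This job builds and runs code from the triggering ref (including
          # PRs); do not leave the workflow token in .git/config for it.
          persist-credentials: false
      - name: Set up JDK ${{ matrix.java-version }}
        uses: actions/setup-java@v4
        with:
          java-version: ${{ matrix.java-version }}
          distribution: 'temurin'
          cache: 'maven'
      - name: Configure Maven mirror
        uses: ./.github/actions/setup-maven
      # `-DskipUnitTests=true` is now a real toggle (bound to surefire's
      # <skipTests> via pom.xml); previously it was a no-op flag and unit
      # tests were silently re-running here.
      #
      # `-Djacoco.skip=true` because the jacoco:check goal (bound to verify)
      # expects coverage data from the unit tests we just skipped; coverage
      # gating is the unit-test job's responsibility (ci.yml `build (17)`).
      - name: Run integration tests (WireMock)
        run: mvn verify -DskipUnitTests=true -Djacoco.skip=true -B -U
      - name: Upload failsafe reports on failure
        if: failure()
        uses: actions/upload-artifact@v4
        with:
          name: failsafe-reports-jdk${{ matrix.java-version }}
          path: target/failsafe-reports/
          if-no-files-found: ignore

  # Live integration runs against a real community stack via docker compose.
  # Mirrors axonflow-sdk-go/.github/workflows/integration.yml — clones the
  # community repo, brings up docker compose, runs the basic example.
  # Skipped on PR (Go pattern) — PR-level live coverage is added in QF-13.
  live-integration:
    name: Live Integration (Community Stack)
    runs-on: ubuntu-latest
    timeout-minutes: 25
    needs: contract-integration
    if: github.event_name != 'pull_request'
    steps:
      - name: Checkout SDK
        uses: actions/checkout@v4
        with:
          # Later steps run an externally cloned compose stack and the
          # example app; keep the workflow token out of .git/config.
          persist-credentials: false
      - name: Set up JDK 17
        uses: actions/setup-java@v4
        with:
          java-version: '17'
          distribution: 'temurin'
          cache: 'maven'
      - name: Configure Maven mirror
        uses: ./.github/actions/setup-maven
      # 3-attempt retry for transient Maven Central flakes — same pattern
      # ci.yml's `Build with Maven` and `Run unit tests` use.
      - name: Install SDK to local Maven repo
        run: |
          for i in 1 2 3; do
            echo "Attempt $i: mvn install"
            if mvn install -DskipTests -B -U; then break; fi
            if [ "$i" -eq 3 ]; then exit 1; fi
            sleep 30
          done
      # Pin the basic example's SDK dep to whatever we just installed
      # locally, so the example resolves the freshly-built artifact and
      # not whatever version is published to Central. Without this, when
      # the parent pom bumps from 6.1.0 → 6.2.0 the example silently
      # keeps testing the OLD 6.1.0 from Central.
      - name: Sync example SDK version with parent
        run: |
          PARENT_VERSION=$(mvn -B -q -DforceStdout help:evaluate -Dexpression=project.version)
          echo "Parent SDK version: ${PARENT_VERSION}"
          # Hand the version to Python through the environment and quote the
          # heredoc delimiter, so the shell never splices the value into the
          # Python source text.
          export PARENT_VERSION
          # Replace the axonflow-sdk dependency version in examples/basic/pom.xml.
          # Anchored on the artifactId on the previous line to avoid touching
          # other deps. Asserts the regex matched (count >= 1) so a layout
          # drift fails CI loud; a no-op rewrite (versions already match)
          # is fine.
          python3 - <<'PY'
          import os, pathlib, re
          version = os.environ["PARENT_VERSION"]
          # Reject empty output or stray Maven text that is not a bare version.
          assert version and not re.search(r"[\s<>&]", version), (
              f"Unexpected parent version: {version!r}"
          )
          p = pathlib.Path("examples/basic/pom.xml")
          s = p.read_text()
          new, count = re.subn(
              r"(<artifactId>axonflow-sdk</artifactId>\s*<version>)[^<]+(</version>)",
              # Callable replacement: the version is inserted literally, with
              # no backslash or group-reference interpretation.
              lambda m: m.group(1) + version + m.group(2),
              s,
          )
          assert count >= 1, "Regex did not match — examples/basic/pom.xml layout drifted"
          if new != s:
              p.write_text(new)
              print(f"Rewrote example pom version to {version}")
          else:
              print(f"Example pom already at parent version {version} (no-op)")
          PY
          grep -A 1 "axonflow-sdk" examples/basic/pom.xml | head -4
      # NOTE(review): this clones the tip of the default branch, so the job
      # runs whatever compose stack is published there at run time. That fits
      # the drift-catch purpose; pin a tag or commit if reproducibility is
      # ever needed.
      - name: Clone community stack
        run: git clone --depth 1 https://github.com/getaxonflow/axonflow.git ../axonflow
      - name: Start community stack
        run: |
          cd ../axonflow
          docker compose up -d --wait --wait-timeout 120
          # Belt-and-suspenders: also poll /health since not every compose
          # service has a healthcheck wired.
          echo "Waiting for agent to be healthy..."
          timeout 120 bash -c 'until curl -sf http://localhost:8080/health; do sleep 2; done'
          echo "Agent is healthy"
          echo "Waiting for orchestrator to be healthy..."
          timeout 60 bash -c 'until curl -sf http://localhost:8081/health; do sleep 2; done'
          echo "Orchestrator is healthy"
      - name: Run basic example against live stack
        env:
          AXONFLOW_AGENT_URL: http://localhost:8080
          # NOTE(review): presumably the community stack's built-in demo
          # credentials — confirm. Real credentials belong in repository
          # secrets, not in this file.
          AXONFLOW_CLIENT_ID: demo-client
          AXONFLOW_CLIENT_SECRET: demo-secret
        working-directory: examples/basic
        run: timeout 90 mvn -q compile exec:java
      # Logs MUST be captured before `Stop community stack` runs — `compose
      # down` destroys the containers and `compose logs` then returns
      # nothing.
      - name: Show docker logs on failure
        if: failure()
        run: |
          if [ -d "../axonflow" ]; then
            cd ../axonflow
            # Write the log file here: the upload step runs before the
            # teardown step, so the file has to exist by the end of this step.
            docker compose logs --tail=500 > docker-compose-logs.txt 2>/dev/null || true
            docker compose logs --tail=200 || true
          fi
      - name: Upload docker logs on failure
        if: failure()
        uses: actions/upload-artifact@v4
        with:
          name: docker-compose-logs
          path: ../axonflow/docker-compose-logs.txt
          if-no-files-found: ignore
      # Teardown runs even after a failure so containers and volumes do not
      # outlive the job.
      - name: Stop community stack
        if: always()
        run: |
          if [ -d "../axonflow" ]; then
            cd ../axonflow
            docker compose down --volumes --remove-orphans || true
          fi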