fix(security): replace insecure TrustManager with default JVM trust v… #35
| name: Integration Tests | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| workflow_dispatch: {} | |
| # Weekly drift catch — Tuesday 06:00 UTC so failures land in EU/IN | |
| # working hours, not weekend handover. | |
| schedule: | |
| - cron: '0 6 * * 2' | |
| permissions: | |
| contents: read | |
| # Avoid spawning parallel docker-compose stacks for back-to-back pushes; | |
| # also cancels stale PR runs when a new commit lands. | |
| concurrency: | |
| group: integration-${{ github.ref }} | |
| cancel-in-progress: true | |
| env: | |
| AXONFLOW_TELEMETRY: 'off' | |
| jobs: | |
| # WireMock-based integration tests run on every PR + push. No live stack | |
| # needed — these are contract-style tests over the SDK + agent wire shape. | |
| # Matrixed across the same JDKs as the unit-test suite in ci.yml. | |
| contract-integration: | |
| name: Contract Integration (WireMock, JDK ${{ matrix.java-version }}) | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| java-version: [11, 17, 21] | |
| steps: | |
| - name: Checkout SDK | |
| uses: actions/checkout@v4 | |
| - name: Set up JDK ${{ matrix.java-version }} | |
| uses: actions/setup-java@v4 | |
| with: | |
| java-version: ${{ matrix.java-version }} | |
| distribution: 'temurin' | |
| cache: 'maven' | |
| - name: Configure Maven mirror | |
| uses: ./.github/actions/setup-maven | |
| # `-DskipUnitTests=true` is now a real toggle (bound to surefire's | |
| # <skipTests> via pom.xml); previously it was a no-op flag and unit | |
| # tests were silently re-running here. | |
| # | |
| # `-Djacoco.skip=true` because the jacoco:check goal (bound to verify) | |
| # expects coverage data from the unit tests we just skipped; coverage | |
| # gating is the unit-test job's responsibility (ci.yml `build (17)`). | |
| - name: Run integration tests (WireMock) | |
| run: mvn verify -DskipUnitTests=true -Djacoco.skip=true -B -U | |
| - name: Upload failsafe reports on failure | |
| if: failure() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: failsafe-reports-jdk${{ matrix.java-version }} | |
| path: target/failsafe-reports/ | |
| if-no-files-found: ignore | |
| # Live integration runs against a real community stack via docker compose. | |
| # Mirrors axonflow-sdk-go/.github/workflows/integration.yml — clones the | |
| # community repo, brings up docker compose, runs the basic example. | |
| # Skipped on PR (Go pattern) — PR-level live coverage is added in QF-13. | |
| live-integration: | |
| name: Live Integration (Community Stack) | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 25 | |
| needs: contract-integration | |
| if: github.event_name != 'pull_request' | |
| steps: | |
| - name: Checkout SDK | |
| uses: actions/checkout@v4 | |
| - name: Set up JDK 17 | |
| uses: actions/setup-java@v4 | |
| with: | |
| java-version: '17' | |
| distribution: 'temurin' | |
| cache: 'maven' | |
| - name: Configure Maven mirror | |
| uses: ./.github/actions/setup-maven | |
| # 3-attempt retry for transient Maven Central flakes — same pattern | |
| # ci.yml's `Build with Maven` and `Run unit tests` use. | |
| - name: Install SDK to local Maven repo | |
| run: | | |
| for i in 1 2 3; do | |
| echo "Attempt $i: mvn install" | |
| if mvn install -DskipTests -B -U; then break; fi | |
| if [ $i -eq 3 ]; then exit 1; fi | |
| sleep 30 | |
| done | |
| # Pin the basic example's SDK dep to whatever we just installed | |
| # locally, so the example resolves the freshly-built artifact and | |
| # not whatever version is published to Central. Without this, when | |
| # the parent pom bumps from 6.1.0 → 6.2.0 the example silently | |
| # keeps testing the OLD 6.1.0 from Central. | |
| - name: Sync example SDK version with parent | |
| run: | | |
| PARENT_VERSION=$(mvn -B -q -DforceStdout help:evaluate -Dexpression=project.version) | |
| echo "Parent SDK version: ${PARENT_VERSION}" | |
| # Replace the axonflow-sdk dependency version in examples/basic/pom.xml. | |
| # Anchored on the artifactId on the previous line to avoid touching | |
| # other deps. Asserts the regex matched (count >= 1) so a layout | |
| # drift fails CI loud; a no-op rewrite (versions already match) | |
| # is fine. | |
| python3 - <<PY | |
| import re, pathlib | |
| p = pathlib.Path("examples/basic/pom.xml") | |
| s = p.read_text() | |
| new, count = re.subn( | |
| r"(<artifactId>axonflow-sdk</artifactId>\s*<version>)[^<]+(</version>)", | |
| rf"\g<1>${PARENT_VERSION}\g<2>", | |
| s, | |
| ) | |
| assert count >= 1, "Regex did not match — examples/basic/pom.xml layout drifted" | |
| if new != s: | |
| p.write_text(new) | |
| print(f"Rewrote example pom version to ${PARENT_VERSION}") | |
| else: | |
| print(f"Example pom already at parent version ${PARENT_VERSION} (no-op)") | |
| PY | |
| grep -A 1 "axonflow-sdk" examples/basic/pom.xml | head -4 | |
| - name: Clone community stack | |
| run: git clone --depth 1 https://github.com/getaxonflow/axonflow.git ../axonflow | |
| - name: Start community stack | |
| run: | | |
| cd ../axonflow | |
| docker compose up -d --wait --wait-timeout 120 | |
| # Belt-and-suspenders: also poll /health since not every compose | |
| # service has a healthcheck wired. | |
| echo "Waiting for agent to be healthy..." | |
| timeout 120 bash -c 'until curl -sf http://localhost:8080/health; do sleep 2; done' | |
| echo "Agent is healthy" | |
| echo "Waiting for orchestrator to be healthy..." | |
| timeout 60 bash -c 'until curl -sf http://localhost:8081/health; do sleep 2; done' | |
| echo "Orchestrator is healthy" | |
| - name: Run basic example against live stack | |
| env: | |
| AXONFLOW_AGENT_URL: http://localhost:8080 | |
| AXONFLOW_CLIENT_ID: demo-client | |
| AXONFLOW_CLIENT_SECRET: demo-secret | |
| working-directory: examples/basic | |
| run: timeout 90 mvn -q compile exec:java | |
| # Logs MUST be captured before `Stop community stack` runs — `compose | |
| # down` destroys the containers and `compose logs` then returns | |
| # nothing. | |
| - name: Show docker logs on failure | |
| if: failure() | |
| run: | | |
| if [ -d "../axonflow" ]; then | |
| cd ../axonflow | |
| docker compose logs --tail=200 || true | |
| fi | |
| - name: Upload docker logs on failure | |
| if: failure() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: docker-compose-logs | |
| path: ../axonflow/docker-compose-logs.txt | |
| if-no-files-found: ignore | |
| - name: Stop community stack | |
| if: always() | |
| run: | | |
| if [ -d "../axonflow" ]; then | |
| cd ../axonflow | |
| # Persist logs to disk so the upload step can grab them even after teardown. | |
| docker compose logs --tail=500 > docker-compose-logs.txt 2>/dev/null || true | |
| docker compose down --volumes --remove-orphans || true | |
| fi |
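Review bot: The live stack is pulled from the community repo's default branch at whatever commit it holds at run time (`run: git clone --depth 1 https://github.com/getaxonflow/axonflow.git ../axonflow`) and then brought up with `docker compose up -d --wait` unreviewed, so any change to that repo, or to the images its compose file references, reaches this runner on the next push or weekly schedule. The blast radius looks bounded since the job token is `contents: read`, but it still executes third-party compose definitions on a runner that holds the SDK checkout and local Maven repo, so I would pin the stack and bump it deliberately: `run: git clone --depth 1 --branch "<PINNED_STACK_TAG placeholder>" https://github.com/getaxonflow/axonflow.git ../axonflow`, with a comment above the step recording which stack version the example is validated against. The `@v4` action references are the weaker form of the same concern, since a major tag is movable where a commit SHA is not. The TrustManager change named in the PR title is not in this section, so nothing here speaks to it.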