mirror/caddy
1
0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2026-06-07 15:24:26 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
fafe4e2dee7630e5b901199166457deabcac276a
caddy/.github/workflows/ci.yml
Mohammed Al Sahaf 5ae245fb1d adjust the CI a bit for robustness 
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
2026-06-06 21:59:42 +03:00

455 lines
16 KiB
YAML
Raw Blame History

# Used as inspiration: https://github.com/mvdan/github-actions-golang
name: Tests
on:
push:
branches:
- master
- 2.*
pull_request:
branches:
- master
- 2.*
env:
GOFLAGS: '-tags=nobadger,nomysql,nopgx'
# https://github.com/actions/setup-go/issues/491
GOTOOLCHAIN: local
permissions:
contents: read
jobs:
test:
strategy:
# Default is true, cancels jobs for other platforms in the matrix if one fails
fail-fast: false
matrix:
os:
- linux
- mac
- windows
go:
- '1.26'
include:
# Set the minimum Go patch version for the given Go minor
# Usable via ${{ matrix.GO_SEMVER }}
- go: '1.26'
GO_SEMVER: '~1.26.0'
# Set some variables per OS, usable via ${{ matrix.VAR }}
# OS_LABEL: the VM label from GitHub Actions (see https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners#standard-github-hosted-runners-for-public-repositories)
# CADDY_BIN_PATH: the path to the compiled Caddy binary, for artifact publishing
# SUCCESS: the typical value for $? per OS (Windows/pwsh returns 'True')
- os: linux
OS_LABEL: ubuntu-latest
CADDY_BIN_PATH: ./cmd/caddy/caddy
SUCCESS: 0
- os: mac
OS_LABEL: macos-14
CADDY_BIN_PATH: ./cmd/caddy/caddy
SUCCESS: 0
- os: windows
OS_LABEL: windows-latest
CADDY_BIN_PATH: ./cmd/caddy/caddy.exe
SUCCESS: 'True'
runs-on: ${{ matrix.OS_LABEL }}
permissions:
contents: read
pull-requests: read
actions: write # to allow uploading artifacts and cache
checks: write
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Install Go
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
with:
go-version: ${{ matrix.GO_SEMVER }}
check-latest: true
# These tools would be useful if we later decide to reinvestigate
# publishing test/coverage reports to some tool for easier consumption
# - name: Install test and coverage analysis tools
# run: |
# go get github.com/axw/gocov/gocov
# go get github.com/AlekSi/gocov-xml
# go get -u github.com/jstemmer/go-junit-report
# echo "$(go env GOPATH)/bin" >> $GITHUB_PATH
- name: Print Go version and environment
id: vars
shell: bash
run: |
printf "Using go at: $(which go)\n"
printf "Go version: $(go version)\n"
printf "\n\nGo environment:\n\n"
go env
printf "\n\nSystem environment:\n\n"
env
printf "Git version: $(git version)\n\n"
# Calculate the short SHA1 hash of the git commit
echo "short_sha=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
- name: Get dependencies
run: |
go get -v -t -d ./...
# mkdir test-results
- name: Build Caddy
working-directory: ./cmd/caddy
env:
CGO_ENABLED: 0
run: |
go build -trimpath -ldflags="-w -s" -v
- name: Smoke test Caddy
working-directory: ./cmd/caddy
run: |
./caddy start
./caddy stop
- name: Publish Build Artifact
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: caddy_${{ runner.os }}_go${{ matrix.go }}_${{ steps.vars.outputs.short_sha }}
path: ${{ matrix.CADDY_BIN_PATH }}
compression-level: 0
# Commented bits below were useful to allow the job to continue
# even if the tests fail, so we can publish the report separately
# For info about set-output, see https://stackoverflow.com/questions/57850553/github-actions-check-steps-status
- name: Run tests
# id: step_test
# continue-on-error: true
run: |
# (go test -v -coverprofile=cover-profile.out -race ./... 2>&1) > test-results/test-result.out
go test -v -coverprofile="cover-profile.out" -short -race ./...
# echo "status=$?" >> $GITHUB_OUTPUT
# Relevant step if we reinvestigate publishing test/coverage reports
# - name: Prepare coverage reports
# run: |
# mkdir coverage
# gocov convert cover-profile.out > coverage/coverage.json
# # Because Windows doesn't work with input redirection like *nix, but output redirection works.
# (cat ./coverage/coverage.json | gocov-xml) > coverage/coverage.xml
# To return the correct result even though we set 'continue-on-error: true'
# - name: Coerce correct build result
# if: matrix.os != 'windows' && steps.step_test.outputs.status != ${{ matrix.SUCCESS }}
# run: |
# echo "step_test ${{ steps.step_test.outputs.status }}\n"
# exit 1
spec-test:
permissions:
checks: write
pull-requests: write
strategy:
matrix:
os:
- linux
go:
- '1.25'
include:
# Set the minimum Go patch version for the given Go minor
# Usable via ${{ matrix.GO_SEMVER }}
- go: '1.25'
GO_SEMVER: '~1.25.0'
# Set some variables per OS, usable via ${{ matrix.VAR }}
# OS_LABEL: the VM label from GitHub Actions (see https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners#standard-github-hosted-runners-for-public-repositories)
# CADDY_BIN_PATH: the path to the compiled Caddy binary, for artifact publishing
# SUCCESS: the typical value for $? per OS (Windows/pwsh returns 'True')
- os: linux
OS_LABEL: ubuntu-latest
CADDY_BIN_PATH: ./cmd/caddy/caddy
SUCCESS: 0
runs-on: ${{ matrix.OS_LABEL }}
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Install Go
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
with:
go-version: ${{ matrix.GO_SEMVER }}
check-latest: true
- name: Print Go version and environment
id: vars
shell: bash
run: |
printf "curl version: $(curl --version)\n"
printf "Using go at: $(which go)\n"
printf "Go version: $(go version)\n"
printf "\n\nGo environment:\n\n"
go env
printf "\n\nSystem environment:\n\n"
env
printf "Git version: $(git version)\n\n"
# Calculate the short SHA1 hash of the git commit
echo "short_sha=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
- name: Get dependencies
run: |
go get -v -t ./...
# mkdir test-results
- name: Build Caddy
working-directory: ./cmd/caddy
env:
CGO_ENABLED: 0
run: |
go build -cover -tags nobadger,nopgx,nomysql -trimpath -ldflags="-w -s" -v
- name: Install Hurl
env:
HURL_VERSION: "7.0.0"
run: |
curl --location --remote-name https://github.com/Orange-OpenSource/hurl/releases/download/${HURL_VERSION}/hurl_${HURL_VERSION}_amd64.deb
sudo dpkg -i hurl_${HURL_VERSION}_amd64.deb
hurl --version
- name: Run Caddy
run: |
set -euo pipefail
./cmd/caddy/caddy environ
mkdir -p coverdir
# GOCOVERDIR must be set in the same command that spawns the daemon
# so the background process inherits it and writes coverage atomic files
# there at shutdown. `caddy start` daemonizes via fork+exec; inheritance
# is reliable when the variable is in the command's own environment.
GOCOVERDIR="$PWD/coverdir" ./cmd/caddy/caddy start --pidfile=./caddy.pid
# Poll the admin API for readiness rather than sleeping a fixed time.
# Fails the step (set -e) if the API doesn't come up within ~15s.
for i in $(seq 1 30); do
if curl --silent --fail --max-time 1 http://localhost:2019/config/ >/dev/null; then
echo "Caddy admin API ready after ${i} probe(s)"
break
fi
if [ "$i" = "30" ]; then
echo "Caddy admin API did not become ready" >&2
exit 1
fi
sleep 0.5
done
- name: Warm local CA
run: |
# Force certmagic to generate the local CA root + intermediate and
# issue a leaf cert for `localhost` before the spec suite runs.
# Without this, the first spec that hits HTTPS races against the
# async cert issuance and may receive TLS alert 80 (internal_error)
# from a TLS app that has no cert to present yet.
set -euo pipefail
# Note: Caddyfile requires `{` to be followed by a newline, so the
# site block cannot be written inline.
curl --silent --show-error --fail -X POST http://localhost:2019/load \
-H "Content-Type: text/caddyfile" \
--data-binary $'{\n\tskip_install_trust\n\thttp_port 9080\n\thttps_port 9443\n\tlocal_certs\n}\nlocalhost {\n\trespond "warmup"\n}\n'
# Poll until HTTPS responds successfully, up to ~15s.
for i in $(seq 1 30); do
if curl --silent --insecure --fail --max-time 1 https://localhost:9443/ >/dev/null; then
echo "Local CA warm after ${i} probe(s)"
break
fi
if [ "$i" = "30" ]; then
echo "Local CA did not warm up in time" >&2
exit 1
fi
sleep 0.5
done
- name: Run tests with Hurl
run: |
# Intentionally NOT using `set -e` here so we can capture every spec
# file's exit code and continue running the rest of the suite; the
# final exit code reflects whether any file failed.
mkdir -p hurl-report
rc=0
# Hurl 7.x accumulates results into a single JUnit file across
# invocations: each new run appends to the existing report.
# Find produces a deterministic order; the quoted glob prevents
# shell expansion from biasing matches if cwd has *.hurl files.
#
# `--retry 3 --retry-interval 500` is a safety net for the residual
# TLS race after each `POST /load`: re-provisioning the TLS app
# briefly leaves the cert cache empty, which can produce a one-shot
# `tlsv1 alert internal error`. The retry only kicks in on failure,
# so passing requests pay no cost.
while IFS= read -r -d '' file; do
echo "::group::hurl $file"
if ! hurl --jobs 1 \
--variables-file caddytest/spec/hurl_vars.properties \
--retry 3 \
--retry-interval 500 \
--test \
--report-junit hurl-report/junit.xml \
--color \
"$file"; then
rc=1
echo "::error file=$file::spec failed"
fi
echo "::endgroup::"
done < <(find caddytest/spec -name "*.hurl" -print0 | sort -z)
exit $rc
- name: Publish Test Results
if: always()
uses: EnricoMi/publish-unit-test-result-action@3a74b2957438d0b6e2e61d67b05318aa25c9e6c6 # v2.20.0
with:
files: |
hurl-report/junit.xml
- name: Generate Coverage Data
if: always()
run: |
set -euo pipefail
# `caddy stop` triggers the admin API shutdown path which calls the
# standard process exit, giving Go's coverage runtime a chance to
# flush atomic files to GOCOVERDIR. We still give it a moment to
# finish writing before invoking covdata.
./cmd/caddy/caddy stop || true
# Wait for the pid to actually exit so coverage files are fully written.
if [ -f ./caddy.pid ]; then
pid=$(cat ./caddy.pid)
for i in $(seq 1 20); do
if ! kill -0 "$pid" 2>/dev/null; then break; fi
sleep 0.25
done
# If still alive, force it down so the step doesn't hang.
if kill -0 "$pid" 2>/dev/null; then
kill -TERM "$pid" || true
sleep 1
fi
fi
mkdir -p hurl-report
go tool covdata textfmt -i=coverdir -o hurl-report/caddy_cover_${{ steps.vars.outputs.short_sha }}.txt
go tool cover -html hurl-report/caddy_cover_${{ steps.vars.outputs.short_sha }}.txt -o hurl-report/caddy_cover_${{ steps.vars.outputs.short_sha }}.html
# Per-package summary to surface coverage trend in the job log.
go tool cover -func=hurl-report/caddy_cover_${{ steps.vars.outputs.short_sha }}.txt | tail -n 50
- name: Publish Coverage Profile
if: always()
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: caddy-spec-coverage-${{ steps.vars.outputs.short_sha }}
path: |
hurl-report/caddy_cover_${{ steps.vars.outputs.short_sha }}.txt
hurl-report/caddy_cover_${{ steps.vars.outputs.short_sha }}.html
retention-days: 30
compression-level: 6
s390x-test:
name: test (s390x on IBM Z)
permissions:
contents: read
pull-requests: read
runs-on: ubuntu-latest
if: github.event.pull_request.head.repo.full_name == 'caddyserver/caddy' && github.actor != 'dependabot[bot]'
continue-on-error: true # August 2020: s390x VM is down due to weather and power issues
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
with:
egress-policy: audit
allowed-endpoints: ci-s390x.caddyserver.com:22
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Run Tests
run: |
set +e
mkdir -p ~/.ssh && echo -e "${SSH_KEY//_/\\n}" > ~/.ssh/id_ecdsa && chmod og-rwx ~/.ssh/id_ecdsa
# short sha is enough?
short_sha=$(git rev-parse --short HEAD)
# To shorten the following lines
ssh_opts="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
ssh_host="$CI_USER@ci-s390x.caddyserver.com"
# The environment is fresh, so there's no point in keeping accepting and adding the key.
rsync -arz -e "ssh $ssh_opts" --progress --delete --exclude '.git' . "$ssh_host":/var/tmp/"$short_sha"
ssh $ssh_opts -t "$ssh_host" bash <<EOF
cd /var/tmp/$short_sha
go version
go env
printf "\n\n"
retries=3
exit_code=0
while ((retries > 0)); do
CGO_ENABLED=0 go test -p 1 -v ./...
exit_code=$?
if ((exit_code == 0)); then
break
fi
echo "\n\nTest failed: \$exit_code, retrying..."
((retries--))
done
echo "Remote exit code: \$exit_code"
exit \$exit_code
EOF
test_result=$?
# There's no need leaving the files around
ssh $ssh_opts "$ssh_host" "rm -rf /var/tmp/'$short_sha'"
echo "Test exit code: $test_result"
exit $test_result
env:
SSH_KEY: ${{ secrets.S390X_SSH_KEY }}
CI_USER: ${{ secrets.CI_USER }}
goreleaser-check:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read
if: github.event.pull_request.head.repo.full_name == 'caddyserver/caddy' && github.actor != 'dependabot[bot]'
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
with:
version: latest
args: check
- name: Install Go
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
with:
go-version: "~1.26"
check-latest: true
- name: Install xcaddy
run: |
go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
xcaddy version
- uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
with:
version: latest
args: build --single-target --snapshot
env:
TAG: ${{ github.head_ref || github.ref_name }}
Reference in New Issue View Git Blame Copy Permalink