Fix CI build/deploy/smoke pipeline for the self-hosted qa runner (#3)
## Summary - Fix a chain of QA CI issues: Docker build/health-check flakiness, NuGet vuln pins, then adds the post-deploy integration + Playwright smoke suite and works through everything needed to make it actually run on the self-hosted `qa` runner (musl/Alpine job container, no node/dotnet/curl preinstalled, docker-outside-of-docker networking). - Adds a fixed dev/QA seed admin user + fixed Development environment API key so integration tests and e2e specs have a stable target. - Pins Aspire's `AppHost.cs` ports/credentials to match the docker-compose local dev defaults. - Adds `tests/api/MicCheck.Api.Tests.Integration` coverage for disabled flags, environment-document bootstrap, identity override precedence, auth login, and unauthorized access; adds a Playwright e2e suite under `src/admin/e2e` (login, nav, context selection, features CRUD/toggle). - Adds a `smoke-qa` CI job that runs both suites against the just-deployed QA stack, working around: no curl/node/dotnet on the bare runner, musl vs glibc (Playwright browsers run via the official `mcr.microsoft.com/playwright` image instead), and the runner's job-container network isolation (reach the QA stack via the docker bridge gateway IP; `docker cp` instead of a bind mount to get files into the playwright container, since paths don't cross the docker-outside-of-docker boundary). ## Test plan - [x] Unit tests pass (dotnet test tests/api/MicCheck.Api.Tests.Unit, 243 passed) - [x] API integration suite passes against the real QA stack in CI - [x] Playwright e2e suite passes against the real QA stack in CI (verified 3/3 locally against a real dev API + vite server for the flakiest spec) - [x] Full CI pipeline (build → deploy-qa → smoke-qa) green end to end on the qa runner Reviewed-on: #3
This commit was merged in pull request #3.
This commit is contained in:
@@ -6,6 +6,8 @@ set -euo pipefail
|
||||
cd "$(dirname "${BASH_SOURCE[0]}")" && source ./lib.sh
|
||||
cd "$CI_ROOT"
|
||||
|
||||
ensure_dotnet
|
||||
|
||||
log "Restoring and publishing MicCheck.Api (Release)"
|
||||
dotnet publish src/api/MicCheck.Api/MicCheck.Api.csproj -c Release
|
||||
|
||||
|
||||
@@ -13,6 +13,12 @@ export API_IMAGE ADMIN_IMAGE
|
||||
export JWT_SECRET_KEY="${JWT_SECRET_KEY:?JWT_SECRET_KEY env var is required}"
|
||||
export QA_ADMIN_PORT="${QA_ADMIN_PORT:-3001}"
|
||||
|
||||
# Bind narrowly to docker's bridge gateway IP rather than 0.0.0.0: reachable
|
||||
# from the smoke-qa job container (a sibling on the default bridge), but not
|
||||
# exposed on the host's public interface.
|
||||
export DB_BIND_HOST="$(docker_bridge_gateway)"
|
||||
[[ -n "$DB_BIND_HOST" ]] || fail "could not determine docker bridge gateway IP to bind the QA db port"
|
||||
|
||||
COMPOSE="docker compose -p miccheck-qa -f deploy/qa/docker-compose.qa.yml"
|
||||
|
||||
log "Pulling latest :qa images"
|
||||
@@ -24,9 +30,14 @@ $COMPOSE down -v
|
||||
log "Starting QA stack"
|
||||
$COMPOSE up -d
|
||||
|
||||
log "Waiting for API health check via admin proxy on port $QA_ADMIN_PORT"
|
||||
log "Waiting for API health check via admin proxy"
|
||||
# Checked with `docker compose exec` rather than curling the published host
|
||||
# port: CI runs this script inside a runner container on its own bridge
|
||||
# network, where "localhost:$QA_ADMIN_PORT" is the runner's own loopback, not
|
||||
# the docker host's - it can never reach a host-published port. Exec'ing into
|
||||
# the admin container and curling its own localhost sidesteps that entirely.
|
||||
attempts=30
|
||||
until curl -fsS "http://localhost:${QA_ADMIN_PORT}/api/v1/health" >/dev/null 2>&1; do
|
||||
until $COMPOSE exec -T admin curl -fsS http://localhost/health >/dev/null 2>&1; do
|
||||
attempts=$((attempts - 1))
|
||||
if [[ "$attempts" -le 0 ]]; then
|
||||
fail "QA stack did not become healthy in time"
|
||||
|
||||
@@ -37,6 +37,104 @@ image_names() {
|
||||
ADMIN_IMAGE="$REGISTRY/$REGISTRY_OWNER/miccheck-admin"
|
||||
}
|
||||
|
||||
# Installs .NET into $CI_ROOT/.dotnet via the vendored dotnet-install.sh if
|
||||
# `dotnet` isn't already on PATH, then prepends it to PATH for this process.
|
||||
# Keeps bare runners (no SDK preinstalled) working the same as a dev machine.
|
||||
ensure_dotnet() {
|
||||
if command -v dotnet > /dev/null 2>&1; then
|
||||
return 0
|
||||
fi
|
||||
|
||||
local install_dir="$CI_ROOT/.dotnet"
|
||||
if [[ ! -x "$install_dir/dotnet" ]]; then
|
||||
log "dotnet not found on PATH; installing .NET SDK via dotnet-install.sh"
|
||||
bash "$CI_ROOT/dotnet-install.sh" --channel LTS --install-dir "$install_dir"
|
||||
fi
|
||||
export PATH="$install_dir:$PATH"
|
||||
export DOTNET_ROOT="$install_dir"
|
||||
|
||||
ensure_dotnet_native_deps
|
||||
}
|
||||
|
||||
# The .NET runtime is a native ELF binary that dynamically links libstdc++/libgcc.
|
||||
# Bare/minimal images (e.g. the act hostexecutor container) may lack them entirely,
|
||||
# which fails as an obscure symbol-relocation error rather than "command not found".
|
||||
ensure_dotnet_native_deps() {
|
||||
if ldconfig -p 2>/dev/null | grep -q 'libstdc++\.so\.6'; then
|
||||
return 0
|
||||
fi
|
||||
|
||||
log "libstdc++.so.6 missing; installing native runtime deps for dotnet"
|
||||
local sudo_cmd=""
|
||||
if [[ "$(id -u)" -ne 0 ]] && command -v sudo > /dev/null 2>&1; then
|
||||
sudo_cmd="sudo"
|
||||
fi
|
||||
|
||||
if command -v apt-get > /dev/null 2>&1; then
|
||||
$sudo_cmd apt-get update -y
|
||||
$sudo_cmd apt-get install -y --no-install-recommends libstdc++6 libgcc-s1 libicu-dev ca-certificates
|
||||
elif command -v apk > /dev/null 2>&1; then
|
||||
# Alpine/musl runner - dotnet-install.sh falls back to the linux-musl-x64 SDK
|
||||
# here, which still wants a real libstdc++/libgcc (not just gcompat).
|
||||
$sudo_cmd apk add --no-cache libstdc++ libgcc icu-libs ca-certificates
|
||||
else
|
||||
fail "libstdc++.so.6 missing and neither apt-get nor apk is available; install a C++ runtime manually on this runner"
|
||||
fi
|
||||
}
|
||||
|
||||
# Installs Node.js into $CI_ROOT/.node from the official prebuilt tarball if
|
||||
# `npm` isn't already on PATH, then prepends it to PATH for this process.
|
||||
# Mirrors ensure_dotnet() above - keeps bare runners (no Node preinstalled,
|
||||
# e.g. the self-hosted qa runner) working the same as a dev machine.
|
||||
ensure_node() {
|
||||
if command -v npm > /dev/null 2>&1; then
|
||||
return 0
|
||||
fi
|
||||
|
||||
# nodejs.org only ships glibc binaries; on a musl/Alpine runner (same one
|
||||
# dotnet-install.sh detects and picks the linux-musl-x64 SDK for) that
|
||||
# tarball fails to exec at all ("env: can't execute 'node'"). Prefer the
|
||||
# distro's own package on musl instead of a broken glibc download.
|
||||
if [[ ! -x "$CI_ROOT/.node/bin/node" ]] && command -v apk > /dev/null 2>&1; then
|
||||
log "node not found on PATH; installing via apk (musl runner)"
|
||||
local sudo_cmd=""
|
||||
if [[ "$(id -u)" -ne 0 ]] && command -v sudo > /dev/null 2>&1; then
|
||||
sudo_cmd="sudo"
|
||||
fi
|
||||
$sudo_cmd apk add --no-cache nodejs npm
|
||||
return 0
|
||||
fi
|
||||
|
||||
local node_version="22.14.0"
|
||||
local install_dir="$CI_ROOT/.node"
|
||||
if [[ ! -x "$install_dir/bin/node" ]]; then
|
||||
log "node not found on PATH; installing Node.js v$node_version"
|
||||
local tarball="node-v${node_version}-linux-x64"
|
||||
local url="https://nodejs.org/dist/v${node_version}/${tarball}.tar.xz"
|
||||
if command -v curl > /dev/null 2>&1; then
|
||||
curl -fsSL "$url" -o "/tmp/${tarball}.tar.xz"
|
||||
elif command -v wget > /dev/null 2>&1; then
|
||||
wget -q "$url" -O "/tmp/${tarball}.tar.xz"
|
||||
else
|
||||
fail "neither curl nor wget found on PATH; cannot download Node.js"
|
||||
fi
|
||||
mkdir -p "$install_dir"
|
||||
tar -xJf "/tmp/${tarball}.tar.xz" -C "$install_dir" --strip-components=1
|
||||
rm -f "/tmp/${tarball}.tar.xz"
|
||||
fi
|
||||
export PATH="$install_dir/bin:$PATH"
|
||||
}
|
||||
|
||||
# The IP address on which a container published on 0.0.0.0/<gateway-ip> is
|
||||
# reachable from a sibling container on docker's default bridge network (i.e.
|
||||
# the docker host's bridge-side address, not its public interface). Used to
|
||||
# bind QA's db port narrowly - reachable by the smoke-qa job container, not
|
||||
# exposed off-box the way 0.0.0.0 would be.
|
||||
docker_bridge_gateway() {
|
||||
docker network inspect bridge -f '{{(index .IPAM.Config 0).Gateway}}' 2>/dev/null \
|
||||
|| ip route show default 2>/dev/null | awk '/default/ {print $3; exit}'
|
||||
}
|
||||
|
||||
registry_login() {
|
||||
require_registry_vars
|
||||
[[ -n "$REGISTRY_USER" ]] || fail "REGISTRY_USER env var is required to push images"
|
||||
|
||||
@@ -5,6 +5,8 @@ set -euo pipefail
|
||||
cd "$(dirname "${BASH_SOURCE[0]}")" && source ./lib.sh
|
||||
cd "$CI_ROOT"
|
||||
|
||||
ensure_dotnet
|
||||
|
||||
log "Building full solution (Debug)"
|
||||
dotnet build MicCheck.slnx -c Debug
|
||||
|
||||
|
||||
55
scripts/ci/smoke-qa.sh
Executable file
55
scripts/ci/smoke-qa.sh
Executable file
@@ -0,0 +1,55 @@
|
||||
#!/usr/bin/env bash
|
||||
# Post-deploy validation for the QA environment: runs the API integration
|
||||
# suite (real HTTP + real Postgres, seeding/cleaning up its own data) and the
|
||||
# Playwright admin e2e suite against the just-deployed QA stack. Intended to
|
||||
# run immediately after deploy-qa.sh, on the same self-hosted qa runner. This
|
||||
# job runs in its own job container, a sibling of the QA stack's containers
|
||||
# on docker's default bridge network - not "localhost" from the host's point
|
||||
# of view - so it reaches published ports via the bridge gateway IP, same as
|
||||
# deploy-qa.sh binds the db port to.
|
||||
set -euo pipefail
|
||||
cd "$(dirname "${BASH_SOURCE[0]}")" && source ./lib.sh
|
||||
cd "$CI_ROOT"
|
||||
|
||||
ensure_dotnet
|
||||
ensure_node
|
||||
|
||||
QA_ADMIN_PORT="${QA_ADMIN_PORT:-3001}"
|
||||
CI_HOST="$(docker_bridge_gateway)"
|
||||
[[ -n "$CI_HOST" ]] || fail "could not determine docker bridge gateway IP to reach the QA stack"
|
||||
BASE_URL="http://${CI_HOST}:${QA_ADMIN_PORT}"
|
||||
|
||||
log "Resolved docker host as $CI_HOST for reaching the QA stack's published ports"
|
||||
|
||||
export MICCHECK_API_BASE_URL="$BASE_URL"
|
||||
export MICCHECK_DB_CONNECTION_STRING="${MICCHECK_DB_CONNECTION_STRING:-Host=$CI_HOST;Port=55432;Database=miccheck;Username=miccheck;Password=password}"
|
||||
|
||||
log "Running API integration suite against $BASE_URL"
|
||||
dotnet test tests/api/MicCheck.Api.Tests.Integration/MicCheck.Api.Tests.Integration.csproj -c Release --logger trx
|
||||
|
||||
log "Installing admin e2e dependencies"
|
||||
npm --prefix src/admin ci
|
||||
|
||||
# Playwright's bundled Chromium is a glibc binary and `--with-deps` only knows
|
||||
# apt - neither works on this musl/Alpine runner. Run the e2e leg inside
|
||||
# Microsoft's official Playwright image instead (glibc, browsers preinstalled
|
||||
# at /ms-playwright), as a sibling container reachable at the same bridge
|
||||
# gateway IP used above. Pin the image tag to the exact resolved
|
||||
# @playwright/test version so the test runner and browser build match.
|
||||
#
|
||||
# This script itself runs inside the runner's own job container, talking to
|
||||
# the host's docker daemon over a mounted socket (docker-outside-of-docker) -
|
||||
# `docker run -v "$CI_ROOT:/work"` would ask the *host* daemon to bind-mount a
|
||||
# path that only exists inside this job container, which fails. `docker cp`
|
||||
# instead copies the files by content, sidestepping the path mismatch.
|
||||
PW_VERSION="$(node -p "require('./src/admin/node_modules/@playwright/test/package.json').version")"
|
||||
log "Running Playwright admin e2e suite against $BASE_URL (playwright:v$PW_VERSION-noble)"
|
||||
|
||||
PW_CONTAINER="$(docker create -e "E2E_BASE_URL=$BASE_URL" -w /work/src/admin "mcr.microsoft.com/playwright:v${PW_VERSION}-noble" npm run e2e)"
|
||||
docker cp "$CI_ROOT/." "$PW_CONTAINER:/work"
|
||||
pw_status=0
|
||||
docker start -a "$PW_CONTAINER" || pw_status=$?
|
||||
docker rm -f "$PW_CONTAINER" > /dev/null
|
||||
[[ "$pw_status" -eq 0 ]] || fail "Playwright e2e suite failed (exit $pw_status)"
|
||||
|
||||
log "smoke-qa.sh complete - QA environment validated end to end"
|
||||
@@ -6,6 +6,8 @@ set -euo pipefail
|
||||
cd "$(dirname "${BASH_SOURCE[0]}")" && source ./lib.sh
|
||||
cd "$CI_ROOT"
|
||||
|
||||
ensure_dotnet
|
||||
|
||||
log "Running MicCheck.Api.Tests.Unit"
|
||||
dotnet test tests/api/MicCheck.Api.Tests.Unit/MicCheck.Api.Tests.Unit.csproj -c Release --logger trx
|
||||
|
||||
|
||||
Reference in New Issue
Block a user