## Summary - Fix a chain of QA CI issues: Docker build/health-check flakiness, NuGet vuln pins, then adds the post-deploy integration + Playwright smoke suite and works through everything needed to make it actually run on the self-hosted `qa` runner (musl/Alpine job container, no node/dotnet/curl preinstalled, docker-outside-of-docker networking). - Adds a fixed dev/QA seed admin user + fixed Development environment API key so integration tests and e2e specs have a stable target. - Pins Aspire's `AppHost.cs` ports/credentials to match the docker-compose local dev defaults. - Adds `tests/api/MicCheck.Api.Tests.Integration` coverage for disabled flags, environment-document bootstrap, identity override precedence, auth login, and unauthorized access; adds a Playwright e2e suite under `src/admin/e2e` (login, nav, context selection, features CRUD/toggle). - Adds a `smoke-qa` CI job that runs both suites against the just-deployed QA stack, working around: no curl/node/dotnet on the bare runner, musl vs glibc (Playwright browsers run via the official `mcr.microsoft.com/playwright` image instead), and the runner's job-container network isolation (reach the QA stack via the docker bridge gateway IP; `docker cp` instead of a bind mount to get files into the playwright container, since paths don't cross the docker-outside-of-docker boundary). ## Test plan - [x] Unit tests pass (dotnet test tests/api/MicCheck.Api.Tests.Unit, 243 passed) - [x] API integration suite passes against the real QA stack in CI - [x] Playwright e2e suite passes against the real QA stack in CI (verified 3/3 locally against a real dev API + vite server for the flakiest spec) - [x] Full CI pipeline (build → deploy-qa → smoke-qa) green end to end on the qa runner Reviewed-on: #3
67 lines
1.7 KiB
YAML
67 lines
1.7 KiB
YAML
name: miccheck-qa
|
|
|
|
# Dedicated, network-isolated QA stack. Not connected to the dev compose
|
|
# stack's network - runs entirely on its own bridge network below. The API has
|
|
# no published host port; Postgres is bound to DB_BIND_HOST (docker's bridge
|
|
# gateway IP, computed by deploy-qa.sh) so the smoke-qa CI job - itself a
|
|
# sibling container on that same default bridge - can seed/inspect data
|
|
# directly, while it stays unreachable off-box (unlike binding to 0.0.0.0).
|
|
services:
|
|
|
|
db:
|
|
image: postgres:16-alpine
|
|
environment:
|
|
POSTGRES_DB: miccheck
|
|
POSTGRES_USER: miccheck
|
|
POSTGRES_PASSWORD: password
|
|
ports:
|
|
- "${DB_BIND_HOST:-127.0.0.1}:55432:5432"
|
|
volumes:
|
|
- miccheck-qa-pgdata:/var/lib/postgresql/data
|
|
networks:
|
|
- qa
|
|
healthcheck:
|
|
test: ["CMD-SHELL", "pg_isready -U miccheck -d miccheck"]
|
|
interval: 5s
|
|
timeout: 5s
|
|
retries: 10
|
|
|
|
api:
|
|
image: ${API_IMAGE}:qa
|
|
environment:
|
|
ASPNETCORE_ENVIRONMENT: Development
|
|
ASPNETCORE_URLS: http://+:8080
|
|
ConnectionStrings__miccheck: "Host=db;Database=miccheck;Username=miccheck;Password=password"
|
|
Jwt__SecretKey: ${JWT_SECRET_KEY}
|
|
Jwt__Issuer: MicCheck
|
|
Jwt__Audience: MicCheck
|
|
networks:
|
|
- qa
|
|
depends_on:
|
|
db:
|
|
condition: service_healthy
|
|
healthcheck:
|
|
test: ["CMD-SHELL", "curl -fsS http://localhost:8080/health || exit 1"]
|
|
interval: 10s
|
|
timeout: 5s
|
|
retries: 5
|
|
start_period: 20s
|
|
|
|
admin:
|
|
image: ${ADMIN_IMAGE}:qa
|
|
ports:
|
|
- "${QA_ADMIN_PORT:-3001}:80"
|
|
networks:
|
|
- qa
|
|
depends_on:
|
|
api:
|
|
condition: service_started
|
|
|
|
networks:
|
|
qa:
|
|
name: miccheck-qa-net
|
|
|
|
volumes:
|
|
miccheck-qa-pgdata:
|
|
name: miccheck-qa-pgdata
|