From 5eb3ad17b51d8163eab8f14818ddb2c64ac974fa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hartmut=20N=C3=B6renberg?= <hn@hartmut-noerenberg.com>
Date: Sun, 12 Apr 2026 19:24:30 +0200
Subject: [PATCH] ci: force memory rate limiter in tests and set placeholder
 AUTH_SECRET
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Unit Tests fix: when REDIS_URL is set but Redis briefly drops, the rate
limiter switches to a degraded in-memory backend with max/10 limits and
accumulates state across test files, breaking ~120 api router tests with
"Rate limit exceeded". Setting RATE_LIMIT_BACKEND=memory pins the limiter
to the full-capacity memory backend for unit tests (which don't need
distributed counters anyway).

Build fix: next build collects page data for /api/auth routes, which
validates AUTH_SECRET at boot. CI_AUTH_SECRET comes from a Gitea secret
that isn't configured, so it was empty and builds aborted. Use a
placeholder string ≥32 chars inline — the real secret is only required
in deploy workflows, not here.
---
 .github/workflows/ci.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 50bfe13..5386e49 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -24,7 +24,9 @@ env:
   NODE_VERSION: "20"
   PNPM_VERSION: "9.14.2"
   CI_AUTH_URL: http://localhost:3100
-  CI_AUTH_SECRET: ${{ secrets.CI_AUTH_SECRET }}
+  # Placeholder for CI — real secret only matters at deploy time.
+  # next build collects page data for auth routes and aborts if empty.
+  CI_AUTH_SECRET: ci-test-secret-minimum-32-chars-xx
 
 jobs:
   guardrails:
@@ -172,6 +174,9 @@ jobs:
     env:
       DATABASE_URL: postgresql://capakraken:capakraken_test@postgres:5432/capakraken_test
       REDIS_URL: redis://redis:6379
+      # Force in-memory rate limiter to avoid cross-test state when Redis drops.
+      # Redis fallback downgrades to max/10 limits which rate-limits unit tests.
+      RATE_LIMIT_BACKEND: memory
       NEXTAUTH_URL: ${{ env.CI_AUTH_URL }}
       AUTH_URL: ${{ env.CI_AUTH_URL }}
       NEXTAUTH_SECRET: ${{ env.CI_AUTH_SECRET }}