Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
a0b407e92d28767311ff903e65eda93bdd4b9fee
CapaKraken/.github/workflows/ci.yml
T
Hartmut a0b407e92d
CI / Architecture Guardrails (push) Successful in 19m4s
Details
CI / Assistant Split Regression (push) Successful in 20m21s
Details
CI / Lint (push) Successful in 21m52s
Details
CI / Typecheck (push) Successful in 22m37s
Details
CI / Unit Tests (push) Successful in 7m48s
Details
CI / Build (push) Successful in 5m16s
Details
CI / Fresh-Linux Docker Deploy (push) Failing after 12m42s
Details
CI / E2E Tests (push) Failing after 35m15s
Details
CI / Release Images (push) Has been skipped
Details
ci: bump skill matrix parser test timeout; install playwright in isolated dir 
Unit Tests flaked on QNAP: skillMatrixParser ExcelJS workbook builds exceeded
the 5s default per-test timeout (runtime ~8.6s for the suite). Bumped to 30s.

Docker Deploy smoke tests failed because `npm install` in the repo root tried
to resolve sibling workspace:* deps (pnpm protocol, not npm-supported).
Install @playwright/test into /tmp/pw-install instead and symlink the package
dirs into apps/web/node_modules so the CJS require() in playwright.ci.config.ts
resolves it by walking up from apps/web/.
2026-04-13 01:11:37 +02:00

547 lines
21 KiB
YAML
Raw Blame History

name: CI
# Retrigger marker: da0d69c (QNAP runner DNS fix applied)
on:
push:
branches: [main]
paths-ignore:
- "docs/**"
- ".gitea/**"
- "**/*.md"
- "LICENSE"
pull_request:
branches: [main]
paths-ignore:
- "docs/**"
- ".gitea/**"
- "**/*.md"
- "LICENSE"
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
env:
NODE_VERSION: "20"
PNPM_VERSION: "9.14.2"
CI_AUTH_URL: http://localhost:3100
# Placeholder for CI — real secret only matters at deploy time.
# next build collects page data for auth routes and aborts if empty.
CI_AUTH_SECRET: ci-test-secret-minimum-32-chars-xx
jobs:
guardrails:
name: Architecture Guardrails
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install pnpm
run: npm install -g pnpm@${{ env.PNPM_VERSION }}
- uses: actions/setup-node@v4.0.4
with:
node-version: ${{ env.NODE_VERSION }}
- name: Install dependencies
run: pnpm install --frozen-lockfile
- name: Run repo script tests
run: pnpm test:scripts
- name: Check architecture guardrails
run: pnpm check:architecture
- name: Check workspace exports
run: pnpm check:exports
- name: Check workspace imports
run: pnpm check:imports
- name: Security audit (high+ severity)
run: pnpm audit --audit-level=high
# ──────────────────────────────────────────────
# Typecheck — ~40s, no services needed
# ──────────────────────────────────────────────
typecheck:
name: Typecheck
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install pnpm
run: npm install -g pnpm@${{ env.PNPM_VERSION }}
- uses: actions/setup-node@v4.0.4
with:
node-version: ${{ env.NODE_VERSION }}
- name: Install dependencies
run: pnpm install --frozen-lockfile
- name: Generate Prisma client
run: pnpm db:generate
- name: Cache Turborepo
uses: actions/cache@v4
continue-on-error: true
with:
path: .turbo
key: turbo-typecheck-${{ github.sha }}
restore-keys: turbo-typecheck-
- name: Run typecheck
run: pnpm typecheck
assistant-split:
name: Assistant Split Regression
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install pnpm
run: npm install -g pnpm@${{ env.PNPM_VERSION }}
- uses: actions/setup-node@v4.0.4
with:
node-version: ${{ env.NODE_VERSION }}
- name: Install dependencies
run: pnpm install --frozen-lockfile
- name: Generate Prisma client
run: pnpm db:generate
- name: Run assistant split regression
run: pnpm --filter @capakraken/api test:assistant-split
# ──────────────────────────────────────────────
# Lint — ~20s, no services needed
# ──────────────────────────────────────────────
lint:
name: Lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install pnpm
run: npm install -g pnpm@${{ env.PNPM_VERSION }}
- uses: actions/setup-node@v4.0.4
with:
node-version: ${{ env.NODE_VERSION }}
- name: Install dependencies
run: pnpm install --frozen-lockfile
- name: Generate Prisma client
run: pnpm db:generate
- name: Cache Turborepo
uses: actions/cache@v4
continue-on-error: true
with:
path: .turbo
key: turbo-lint-${{ github.sha }}
restore-keys: turbo-lint-
- name: Run lint
run: pnpm lint
# ──────────────────────────────────────────────
# Unit tests — needs PostgreSQL + Redis
# ──────────────────────────────────────────────
test:
name: Unit Tests
runs-on: ubuntu-latest
services:
postgres:
image: postgres:16
env:
POSTGRES_DB: capakraken_test
POSTGRES_USER: capakraken
POSTGRES_PASSWORD: capakraken_test
options: >-
--health-cmd="pg_isready -U capakraken -d capakraken_test"
--health-interval=10s
--health-timeout=5s
--health-retries=5
redis:
image: redis:7
options: >-
--health-cmd="redis-cli ping"
--health-interval=10s
--health-timeout=5s
--health-retries=5
env:
DATABASE_URL: postgresql://capakraken:capakraken_test@postgres:5432/capakraken_test
REDIS_URL: redis://redis:6379
# Force in-memory rate limiter to avoid cross-test state when Redis drops.
# Redis fallback downgrades to max/10 limits which rate-limits unit tests.
RATE_LIMIT_BACKEND: memory
# Tests assume Europe/Berlin for month-boundary math (new Date(y,m,1)).
TZ: Europe/Berlin
NEXTAUTH_URL: ${{ env.CI_AUTH_URL }}
AUTH_URL: ${{ env.CI_AUTH_URL }}
NEXTAUTH_SECRET: ${{ env.CI_AUTH_SECRET }}
AUTH_SECRET: ${{ env.CI_AUTH_SECRET }}
steps:
- uses: actions/checkout@v4
- name: Install pnpm
run: npm install -g pnpm@${{ env.PNPM_VERSION }}
- uses: actions/setup-node@v4.0.4
with:
node-version: ${{ env.NODE_VERSION }}
- name: Install dependencies
run: pnpm install --frozen-lockfile
- name: Generate Prisma client
run: pnpm db:generate
- name: Run unit tests with coverage
run: |
pnpm --filter @capakraken/web test:unit -- --coverage
pnpm --filter @capakraken/engine exec vitest run --coverage
pnpm --filter @capakraken/staffing exec vitest run --coverage
pnpm --filter @capakraken/api exec vitest run --coverage
pnpm --filter @capakraken/application exec vitest run --coverage
pnpm --filter @capakraken/shared exec vitest run --coverage
pnpm --filter @capakraken/db test:unit
- name: Upload coverage reports
uses: actions/upload-artifact@v4
continue-on-error: true # upload-artifact@v4 unsupported on Gitea (GHES) runner
if: ${{ !cancelled() }}
with:
name: coverage-reports
path: |
apps/web/coverage/
packages/engine/coverage/
packages/staffing/coverage/
packages/api/coverage/
packages/application/coverage/
packages/shared/coverage/
retention-days: 14
# ──────────────────────────────────────────────
# Build — depends on typecheck passing
# ──────────────────────────────────────────────
build:
name: Build
needs: [guardrails, typecheck]
runs-on: ubuntu-latest
env:
DATABASE_URL: postgresql://placeholder:placeholder@localhost:5432/placeholder
REDIS_URL: redis://placeholder:6379
NEXTAUTH_URL: ${{ env.CI_AUTH_URL }}
AUTH_URL: ${{ env.CI_AUTH_URL }}
NEXTAUTH_SECRET: ${{ env.CI_AUTH_SECRET }}
AUTH_SECRET: ${{ env.CI_AUTH_SECRET }}
steps:
- uses: actions/checkout@v4
- name: Install pnpm
run: npm install -g pnpm@${{ env.PNPM_VERSION }}
- uses: actions/setup-node@v4.0.4
with:
node-version: ${{ env.NODE_VERSION }}
- name: Install dependencies
run: pnpm install --frozen-lockfile
- name: Generate Prisma client
run: pnpm db:generate
- name: Cache Turborepo
uses: actions/cache@v4
continue-on-error: true
with:
path: .turbo
key: turbo-build-${{ github.sha }}
restore-keys: turbo-build-
- name: Cache Next.js build
uses: actions/cache@v4
continue-on-error: true
with:
path: apps/web/.next/cache
key: nextjs-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.sha }}
restore-keys: nextjs-${{ hashFiles('pnpm-lock.yaml') }}-
- name: Build
run: pnpm --filter @capakraken/web exec next build
# ──────────────────────────────────────────────
# E2E — depends on build, needs PostgreSQL + Redis
# ──────────────────────────────────────────────
e2e:
name: E2E Tests
needs: [build]
runs-on: ubuntu-latest
services:
# Unique hostnames — "postgres"/"redis" collide with Gitea's own core
# containers and concurrent job service containers on the shared
# gitea_gitea network, producing split-brain where push hits one DB and
# seed hits another. See audit_logs-missing bug from commit f856dd26.
e2epg:
image: postgres:16
env:
POSTGRES_DB: capakraken_test
POSTGRES_USER: capakraken
POSTGRES_PASSWORD: capakraken_test
options: >-
--health-cmd="pg_isready -U capakraken -d capakraken_test"
--health-interval=10s
--health-timeout=5s
--health-retries=5
e2eredis:
image: redis:7
options: >-
--health-cmd="redis-cli ping"
--health-interval=10s
--health-timeout=5s
--health-retries=5
env:
DATABASE_URL: postgresql://capakraken:capakraken_test@e2epg:5432/capakraken_test
# Playwright test-server.mjs requires an explicit test DB URL.
PLAYWRIGHT_DATABASE_URL: postgresql://capakraken:capakraken_test@e2epg:5432/capakraken_test
# prisma-with-env.mjs refuses to run unless DATABASE_URL's db name matches
# the expected target; default is "capakraken", CI uses capakraken_test.
CAPAKRAKEN_EXPECTED_DB_NAME: capakraken_test
ALLOW_DESTRUCTIVE_DB_TOOLS: "true"
CONFIRM_DESTRUCTIVE_DB_NAME: capakraken_test
REDIS_URL: redis://e2eredis:6379
PORT: 3100
# test-server.mjs spawns `docker compose --profile test up postgres-test`;
# docker compose validates env interpolation in ALL services before
# applying the profile filter, so the unused pgadmin service's
# ${PGADMIN_PASSWORD:?} check fires and aborts the compose call.
# Provide a dummy value so parsing succeeds — pgadmin is never started.
PGADMIN_PASSWORD: ci-unused
# Tell test-server.mjs not to spin up its own postgres-test container
# — the e2epg job service is already running and reachable. Without
# this, test-server tries to publish 5432 on the QNAP host, which
# collides with Gitea's core postgres.
PLAYWRIGHT_USE_EXTERNAL_DB: "true"
NEXTAUTH_URL: ${{ env.CI_AUTH_URL }}
AUTH_URL: ${{ env.CI_AUTH_URL }}
NEXTAUTH_SECRET: ${{ env.CI_AUTH_SECRET }}
AUTH_SECRET: ${{ env.CI_AUTH_SECRET }}
steps:
- uses: actions/checkout@v4
- name: Install pnpm
run: npm install -g pnpm@${{ env.PNPM_VERSION }}
- uses: actions/setup-node@v4.0.4
with:
node-version: ${{ env.NODE_VERSION }}
- name: Install dependencies
run: pnpm install --frozen-lockfile
- name: Generate Prisma client
run: pnpm db:generate
- name: Cache Playwright browsers
id: playwright-cache
uses: actions/cache@v4
continue-on-error: true
with:
path: ~/.cache/ms-playwright
key: playwright-${{ hashFiles('apps/web/package.json') }}
restore-keys: playwright-
- name: Install Playwright browsers
if: steps.playwright-cache.outputs.cache-hit != 'true'
run: pnpm --filter @capakraken/web exec playwright install --with-deps chromium
- name: Install Playwright system deps
if: steps.playwright-cache.outputs.cache-hit == 'true'
run: pnpm --filter @capakraken/web exec playwright install-deps chromium
- name: Install psql (debug schema state)
run: sudo apt-get update && sudo apt-get install -y --no-install-recommends postgresql-client
- name: Push DB schema & seed
env:
PGPASSWORD: capakraken_test
run: |
# Nuke any leftover schema state from a previous job that shared the
# postgres service container (act_runner reuses service volumes).
# --force-reset alone proved unreliable: push reported "in sync" but
# audit_logs ended up missing. Diagnostic hypothesis: there are TWO
# postgres hosts reachable as "postgres" on gitea_gitea (the Gitea
# core DB plus the service container) and push/seed hit different
# ones. Verify via direct psql.
echo "--- hosts resolving to 'e2epg' ---"
getent hosts e2epg || true
echo "--- DROP SCHEMA ---"
psql -h e2epg -U capakraken -d capakraken_test -v ON_ERROR_STOP=1 \
-c "DROP SCHEMA IF EXISTS public CASCADE; CREATE SCHEMA public; GRANT ALL ON SCHEMA public TO capakraken; GRANT ALL ON SCHEMA public TO public;"
echo "--- prisma db push ---"
pnpm --filter @capakraken/db exec prisma db push --schema ./prisma/schema.prisma --accept-data-loss --skip-generate
echo "--- tables in public after push ---"
psql -h e2epg -U capakraken -d capakraken_test -v ON_ERROR_STOP=1 \
-c "\dt public.*" | tee /tmp/tables.txt
if ! grep -q 'audit_logs' /tmp/tables.txt; then
echo "ERROR: audit_logs table missing after push!"
exit 1
fi
pnpm db:seed
- name: Run E2E tests
# Bypass turbo here — it runs in strict env mode and does not pass
# PLAYWRIGHT_DATABASE_URL / AUTH_SECRET / etc. through to the webServer
# subprocess, breaking test-server.mjs. Calling playwright directly
# inherits the job-level env unchanged.
run: pnpm --filter @capakraken/web exec playwright test
- name: Upload Playwright report
uses: actions/upload-artifact@v4
continue-on-error: true # upload-artifact@v4 unsupported on Gitea (GHES) runner
if: ${{ !cancelled() }}
with:
name: playwright-report
path: apps/web/playwright-report/
retention-days: 14
# ──────────────────────────────────────────────
# Fresh Docker Compose deploy test — validates
# that the prod compose bundle comes up clean
# from scratch and the smoke tests pass.
# ──────────────────────────────────────────────
docker-deploy-test:
name: Fresh-Linux Docker Deploy
needs: [build]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Create minimal .env
run: |
cat <<'EOF' > .env
NEXTAUTH_URL=http://localhost:3100
NEXTAUTH_SECRET=ci-test-secret-minimum-32-chars-xx
PGADMIN_PASSWORD=ci-pgadmin
EOF
- name: Tear down any stale stack & volumes
# act_runner on self-hosted QNAP keeps named compose volumes between
# runs. A previous run's failed migration entry in _prisma_migrations
# causes P3009 on the next migrate deploy; wipe volumes for a truly
# fresh deploy test every time.
run: docker compose -f docker-compose.yml -f docker-compose.ci.yml down -v --remove-orphans || true
- name: Start infrastructure (postgres + redis)
run: docker compose -f docker-compose.yml -f docker-compose.ci.yml up -d postgres redis
- name: Wait for postgres
run: |
for i in $(seq 1 20); do
docker compose -f docker-compose.yml -f docker-compose.ci.yml exec -T postgres pg_isready -U capakraken -d capakraken && break
sleep 3
done
- name: Build and start app (full profile)
run: docker compose -f docker-compose.yml -f docker-compose.ci.yml --profile full up -d --build app
- name: Wait for /api/health (up to 3 minutes)
# docker-compose.ci.yml attaches app/postgres/redis to gitea_gitea so the
# act_runner job container can reach them by compose service name.
run: |
for i in $(seq 1 36); do
STATUS=$(curl -s -o /dev/null -w "%{http_code}" http://app:3100/api/health || echo "000")
echo "Attempt $i: HTTP $STATUS"
if [ "$STATUS" = "200" ]; then exit 0; fi
sleep 5
done
echo "Health check timed out"
docker compose -f docker-compose.yml -f docker-compose.ci.yml logs app --tail=50
exit 1
- name: Verify health response contains status ok
run: |
BODY=$(curl -sf http://app:3100/api/health)
echo "$BODY"
echo "$BODY" | grep '"status":"ok"'
- name: Seed admin user
# setup-admin.mjs imports @prisma/client and @node-rs/argon2, both of
# which live only in packages/db/node_modules under pnpm workspaces.
# Node's ESM bare-specifier resolver walks up from the *script's*
# directory (/app/scripts), not cwd, and NODE_PATH is a CJS-only
# escape hatch (ignored by ESM). Create a scripts/node_modules with
# symlinks to the real package directories so the resolver finds
# them on the first step up.
run: |
docker compose -f docker-compose.yml -f docker-compose.ci.yml exec -T app \
sh -c '
set -e
mkdir -p /app/scripts/node_modules
ln -sfn /app/packages/db/node_modules/@prisma /app/scripts/node_modules/@prisma
ln -sfn /app/packages/db/node_modules/@node-rs /app/scripts/node_modules/@node-rs
ln -sfn /app/packages/db/node_modules/.prisma /app/scripts/node_modules/.prisma
node /app/scripts/setup-admin.mjs --email admin@capakraken.dev --name Admin --password admin123
'
- name: Set up Node.js 20
uses: actions/setup-node@v4.0.4
with:
node-version: "20"
- name: Install Playwright and Chromium
# The repo root package.json uses pnpm `workspace:*` deps which npm
# cannot resolve, so install into an isolated temp dir and symlink
# @playwright/test into apps/web/node_modules so playwright.ci.config.ts
# (CJS) can resolve it by walking up from apps/web/.
run: |
set -e
mkdir -p /tmp/pw-install
cd /tmp/pw-install
[ -f package.json ] || npm init -y >/dev/null
npm install --no-save --no-package-lock @playwright/test@1.49
cd "$GITHUB_WORKSPACE"
mkdir -p apps/web/node_modules
ln -sfn /tmp/pw-install/node_modules/@playwright apps/web/node_modules/@playwright
ln -sfn /tmp/pw-install/node_modules/playwright apps/web/node_modules/playwright
ln -sfn /tmp/pw-install/node_modules/playwright-core apps/web/node_modules/playwright-core
/tmp/pw-install/node_modules/.bin/playwright install chromium --with-deps
- name: Run smoke tests
env:
# App runs on the compose network; act_runner job is on gitea_gitea
# (docker-compose.ci.yml attaches services to both). Override baseURL.
PLAYWRIGHT_BASE_URL: http://app:3100
run: /tmp/pw-install/node_modules/.bin/playwright test --config apps/web/playwright.ci.config.ts
- name: Upload Playwright report
if: failure()
continue-on-error: true # upload-artifact@v4 unsupported on Gitea (GHES) runner
uses: actions/upload-artifact@v4
with:
name: playwright-smoke-report
path: apps/web/playwright-report/
retention-days: 7
- name: Show logs on failure
if: failure()
run: docker compose -f docker-compose.yml -f docker-compose.ci.yml logs --tail=100
# ──────────────────────────────────────────────
# Release images — only on push to main, after
# every check has passed. Calls the reusable
# release-image.yml workflow.
# ──────────────────────────────────────────────
release-images:
name: Release Images
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
needs: [lint, test, e2e, assistant-split, docker-deploy-test]
uses: ./.github/workflows/release-image.yml
secrets: inherit
Reference in New Issue View Git Blame Copy Permalink