ci: add flaky-test management (#489) #28
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: ci | |
| # Lint, test, supply-chain audit, and terraform validate. No AWS credentials needed — everything | |
| # here is offline (terraform validate runs with `-backend=false`). Apply runs only on merge to main, | |
| # in deploy.yml, under the OIDC deploy role. | |
| # | |
| # Third-party actions are pinned to a full commit SHA (a mutable tag could be re-pointed at | |
| # malicious code). | |
| on: | |
| pull_request: | |
| push: | |
| branches: [main] | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: ci-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| rust: | |
| name: rust lint + test | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable | |
| with: | |
| toolchain: stable | |
| components: rustfmt, clippy | |
| - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8 | |
| # Install cargo-nextest straight from crates.io (no third-party GitHub-release-manifest | |
| # installer action — avoids the release-manifest fetch flakiness those actions can hit | |
| # against GitHub's API). rust-cache above caches the build. | |
| - run: cargo install cargo-nextest --locked | |
| - run: cargo fmt --all --check | |
| # Lint the pure lib (+ its tests) and the AWS Lambda binaries (both bins are feature-gated | |
| # behind `aws`, so they are skipped without the feature — lint each explicitly). | |
| - run: cargo clippy --all-targets -- -D warnings | |
| - run: cargo clippy --bin bootstrap --features aws -- -D warnings | |
| - run: cargo clippy --bin watcher --features aws -- -D warnings | |
| # cargo-nextest for flaky-test management (#489): --retries retries a failing test up to N | |
| # times before failing the run, surfacing genuine flakes without masking real regressions | |
| # (a test that fails every retry still fails the job). Config lives in .config/nextest.toml. | |
| - run: cargo nextest run --all-targets | |
| # nextest does not run doctests — keep them covered separately (this repo's lib has none | |
| # today, but this stays correct if any are added). | |
| - run: cargo test --doc | |
| js: | |
| name: js test | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 | |
| with: | |
| node-version: "22" | |
| # No package.json / dependencies: the sw.js orchestration logic (range planner, parallel | |
| # fan-out, cache-key builders, decrypt-stream assembly, §205d/§205e) is tested with Node's | |
| # built-in test runner + a small in-repo crypto stub (test/stub-dig-client.mjs) — no browser, | |
| # no wasm build needed. See test/load-sw.mjs for how assets/sw.js is loaded under Node. | |
| - run: node --test test/sw.test.mjs | |
| a11y: | |
| name: accessibility (axe WCAG 2.2 AA on the served documents) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 | |
| with: | |
| node-version: "22" | |
| - name: install a11y test deps | |
| working-directory: tests/a11y | |
| run: npm ci | |
| - name: install chromium (with system deps) | |
| working-directory: tests/a11y | |
| run: npx playwright install --with-deps chromium | |
| # loader.html / error.html are the ONLY two documents src/bin/bootstrap.rs serves to a | |
| # browser (see tests/a11y/axe.test.mjs) — the four legacy per-status pages are dead code. | |
| - name: axe — assert 0 WCAG 2.2 AA violations on the served documents | |
| working-directory: tests/a11y | |
| run: npm test | |
| audit: | |
| name: cargo-deny | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: EmbarkStudios/cargo-deny-action@bb137d7af7e4fb67e5f82a49c4fce4fad40782fe # v2.0.20 | |
| with: | |
| command: check advisories licenses sources bans | |
| terraform: | |
| name: terraform fmt + validate | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2 | |
| - run: terraform -chdir=infra fmt -check -recursive | |
| # Validate WITHOUT a backend (offline, no AWS creds): checks the config is well-formed. | |
| - run: terraform -chdir=infra init -backend=false | |
| - run: terraform -chdir=infra validate |