diff --git a/.gitea/workflows/nightly.yml b/.gitea/workflows/nightly.yml
index fa343eb4..3353e6f7 100644
--- a/.gitea/workflows/nightly.yml
+++ b/.gitea/workflows/nightly.yml
@@ -107,7 +107,11 @@ jobs:
 RESOLVE="--resolve $HOST:443:127.0.0.1"
 echo "Smoke test: $URL (pinned to 127.0.0.1)"
 curl -fsS $RESOLVE --max-time 10 "$URL/login" -o /dev/null
- curl -fsS $RESOLVE --max-time 10 -I "$URL/" | grep -qi 'strict-transport-security'
+ # Pin the preload-list-eligible HSTS value, not just header presence:
+ # a degraded `max-age=1` or a dropped `includeSubDomains; preload` must
+ # fail this check rather than pass it silently.
+ curl -fsS $RESOLVE --max-time 10 -I "$URL/" \
+ | grep -Eqi 'strict-transport-security:[[:space:]]*max-age=31536000.*includeSubDomains.*preload'
 status=$(curl -s $RESOLVE -o /dev/null -w "%{http_code}" --max-time 10 "$URL/actuator/health")
 [ "$status" = "404" ] || { echo "expected 404 from /actuator/health, got $status"; exit 1; }
 echo "All smoke checks passed"
diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index e1eeca2c..69e59dd6 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -101,7 +101,11 @@ jobs:
 RESOLVE="--resolve $HOST:443:127.0.0.1"
 echo "Smoke test: $URL (pinned to 127.0.0.1)"
 curl -fsS $RESOLVE --max-time 10 "$URL/login" -o /dev/null
- curl -fsS $RESOLVE --max-time 10 -I "$URL/" | grep -qi 'strict-transport-security'
+ # Pin the preload-list-eligible HSTS value, not just header presence:
+ # a degraded `max-age=1` or a dropped `includeSubDomains; preload` must
+ # fail this check rather than pass it silently.
+ curl -fsS $RESOLVE --max-time 10 -I "$URL/" \
+ | grep -Eqi 'strict-transport-security:[[:space:]]*max-age=31536000.*includeSubDomains.*preload'
 status=$(curl -s $RESOLVE -o /dev/null -w "%{http_code}" --max-time 10 "$URL/actuator/health")
 [ "$status" = "404" ] || { echo "expected 404 from /actuator/health, got $status"; exit 1; }
 echo "All smoke checks passed"
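Review bot: When the new `grep -Eqi` on the last added line of the nightly.yml hunk fails, the step exits with no diagnostic at all, unlike the `/actuator/health` check three lines below that echoes the observed status, so a curl failure, a missing header and a weakened header are indistinguishable in the job log. The pattern is also stricter than the stated goal of preload eligibility: it accepts only the literal `max-age=31536000` and only `includeSubDomains` ordered before `preload`, so raising max-age to a longer value or reordering the directives would fail the smoke test although the policy is still fail-closed and eligible. Capturing the header once and checking max-age numerically keeps the fail-closed behaviour while reporting what was actually seen, and the same change applies to the identical hunk in release.yml (`@@ -101,7 +101,11 @@`). The `run:` block containing these lines continues outside both hunks.
```shell
# … unchanged: /login smoke request …
hsts=$(curl -fsS $RESOLVE --max-time 10 -I "$URL/" | tr -d '\r' | grep -i '^strict-transport-security:') \
  || { echo "no Strict-Transport-Security header on $URL/"; exit 1; }
max_age=$(printf '%s\n' "$hsts" | grep -Eoi 'max-age=[0-9]+' | head -n 1 | cut -d= -f2)
[ -n "$max_age" ] && [ "$max_age" -ge 31536000 ] || { echo "HSTS max-age below 1 year: $hsts"; exit 1; }
printf '%s\n' "$hsts" | grep -qi 'includesubdomains' || { echo "HSTS missing includeSubDomains: $hsts"; exit 1; }
printf '%s\n' "$hsts" | grep -qi 'preload' || { echo "HSTS missing preload: $hsts"; exit 1; }
# … unchanged: /actuator/health check …
```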