From a91a3e1f6105cdbb26735a8350933d88817a084d Mon Sep 17 00:00:00 2001
From: Marcel <marcel@familienarchiv>
Date: Mon, 11 May 2026 12:05:41 +0200
Subject: [PATCH] feat(ci): smoke test production deploy after up --wait

Mirrors the nightly.yml smoke step against archiv.raddatz.cloud. Catches
the same three failure modes (Caddy not reloaded, DNS missing, HSTS
dropped, /actuator block bypassed) on the prod path.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 .gitea/workflows/release.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index dbf7a9a8..ba5fb168 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -74,6 +74,18 @@ jobs:
             --env-file .env.production \
             up -d --wait --remove-orphans
 
+      - name: Smoke test deployed environment
+        # See nightly.yml — same three checks, against the prod vhost.
+        run: |
+          set -e
+          URL="https://archiv.raddatz.cloud"
+          echo "Smoke test: $URL"
+          curl -fsS --max-time 10 "$URL/login" -o /dev/null
+          curl -fsS --max-time 10 -I "$URL/" | grep -qi 'strict-transport-security'
+          status=$(curl -s -o /dev/null -w "%{http_code}" --max-time 10 "$URL/actuator/health")
+          [ "$status" = "404" ] || { echo "expected 404 from /actuator/health, got $status"; exit 1; }
+          echo "All smoke checks passed"
+
       - name: Cleanup env file
         if: always()
         run: rm -f .env.production