From c523721ce8f78948f18efd34f69838298ecc7dac Mon Sep 17 00:00:00 2001 From: Marcel Date: Mon, 11 May 2026 12:05:00 +0200 Subject: [PATCH] feat(ci): smoke test staging deploy after up --wait Healthchecks prove containers are healthy on the docker network; they do not prove the public URL is reachable, HSTS still fires, or /actuator is still blocked at the edge. Add a post-deploy smoke step to nightly.yml that: 1. GETs https://staging.raddatz.cloud/login (frontend reachable) 2. asserts the response includes the Strict-Transport-Security header 3. asserts /actuator/health returns 404 (defense-in-depth verified) Failure aborts the workflow before the env-file cleanup step. The cleanup step still runs because it is `if: always()`. Co-Authored-By: Claude Opus 4.7 --- .gitea/workflows/nightly.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/.gitea/workflows/nightly.yml b/.gitea/workflows/nightly.yml index 82fc0c5c..bdfa399f 100644 --- a/.gitea/workflows/nightly.yml +++ b/.gitea/workflows/nightly.yml @@ -75,6 +75,20 @@ jobs: --profile staging \ up -d --wait --remove-orphans + - name: Smoke test deployed environment + # Healthchecks confirm containers are healthy; they do NOT confirm the + # public surface works. This step catches: Caddy not reloaded, DNS + # missing, HSTS header dropped, /actuator block bypassed. + run: | + set -e + URL="https://staging.raddatz.cloud" + echo "Smoke test: $URL" + curl -fsS --max-time 10 "$URL/login" -o /dev/null + curl -fsS --max-time 10 -I "$URL/" | grep -qi 'strict-transport-security' + status=$(curl -s -o /dev/null -w "%{http_code}" --max-time 10 "$URL/actuator/health") + [ "$status" = "404" ] || { echo "expected 404 from /actuator/health, got $status"; exit 1; } + echo "All smoke checks passed" + - name: Cleanup env file if: always() run: rm -f .env.staging