feat: fix/enable e2e tests #26

Merged
rcsheets merged 7 commits from feat/e2e-ephemeral-forgejo into master 2026-04-19 11:13:00 +00:00
Owner
No description provided.
feat(ci): add GOPROXY and port remaining workflows to Forgejo runners
Some checks failed
CI / ci (push) Failing after 19m10s
CI / ci (pull_request) Successful in 12m23s
774df8b565
Configure athens.brooktrails.org as the Go module proxy across all CI
workflows. Convert ci-next-go and e2e workflows from GitHub Actions
(ubuntu-latest + actions/checkout + actions/setup-go) to the Forgejo
runner pattern used by ci.yml and publish.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
feat(e2e): run smoke test against ephemeral in-cluster Forgejo
Some checks failed
CI / ci (push) Successful in 1m58s
CI / ci (pull_request) Successful in 1m50s
E2E smoke test / e2e (pull_request) Failing after 1m19s
04694690fd
Rework hack/e2e-smoke.sh to stand up its own Forgejo instance inside the
kind cluster, bootstrap an admin user via `forgejo admin user create`,
mint a PAT, and create a test repo — then point the RunnerPool at that
instance instead of the production Forgejo at git.brooktrails.org.

Also fix a handful of issues that prevented the script from passing
even against a real Forgejo:

- `kubectl apply -f config/crd/bases/` failed on the directory's
  kustomization.yaml; use `-k` so kustomize resolves it.
- Under podman-backed kind, `kind load docker-image` leaves the image
  tagged `localhost/<image>`, but kubelet resolves bare names as
  `docker.io/library/<image>`. Retag inside each node so both resolve;
  no-op under real docker.
- The controller's admission webhook server requires TLS certs at
  /tmp/k8s-webhook-server/serving-certs/; generate a self-signed pair
  and mount as a Secret so the manager can start.
- Replace the fixed `sleep 10` with a polling wait loop per reconciled
  resource and add rollout-failure diagnostics on controller startup
  failures.

Drop `--token` and the FORGEJO_E2E_TOKEN CI secret — the ephemeral
instance replaces the need for one. Also update runner labels to
[trusted, dind, runner-operator] and install openssl.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
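The podman retagging point in the commit message above, as an added example (not the PR's own script): the normalization rule kubelet applies to a bare image name, beside the `localhost/` name that podman-backed `kind load docker-image` leaves behind, and the per-node retag commands that make both names resolve. The `ctr -n k8s.io images tag` invocation and the node names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the PR: show why a bare image name loaded by
# podman-backed kind is not found by kubelet, and emit the retag that fixes it.
set -eu

# Apply Docker's reference normalization, which is what kubelet/containerd use
# for a bare image name: "foo:tag" -> docker.io/library/foo:tag,
# "org/foo:tag" -> docker.io/org/foo:tag, fully qualified names unchanged.
canonical_image_ref() {
  local ref="$1" first
  first="${ref%%/*}"
  case "$ref" in
    */*)
      # The first path component is a registry host only if it contains a '.'
      # or ':' or is exactly "localhost"; otherwise it is a docker.io namespace.
      case "$first" in
        *.*|*:*|localhost) printf '%s\n' "$ref" ;;
        *) printf 'docker.io/%s\n' "$ref" ;;
      esac
      ;;
    *) printf 'docker.io/library/%s\n' "$ref" ;;
  esac
}

# Name under which podman-backed `kind load docker-image` stores a bare image.
podman_loaded_ref() {
  printf 'localhost/%s\n' "$1"
}

# Print one retag command per kind node so that both the podman name and the
# kubelet-canonical name resolve. `ctr` is the containerd CLI inside kind nodes
# (assumed; images live in the k8s.io namespace). Under real docker the
# localhost/ source does not exist, so the tag fails and is swallowed: a no-op.
kind_retag_commands() {
  local image="$1" src dst node
  shift
  src="$(podman_loaded_ref "$image")"
  dst="$(canonical_image_ref "$image")"
  for node in "$@"; do
    printf "docker exec %s sh -c 'ctr -n k8s.io images tag %s %s 2>/dev/null || true'\n" \
      "$node" "$src" "$dst"
  done
}
```

Pipe the output into `sh` once the image has been loaded, for example `kind_retag_commands controller:e2e kind-control-plane | sh`.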
Collaborator

Automated review by pr-reviewer v0.17.0 | Safety Check | Claude Sonnet 4 | tracking id r-e4a8b4-4df361
This is an AI-generated review and may contain mistakes.

Status: Completed

Verdict: LGTM — No alarming security issues or obvious bugs found - the detected credentials are test passwords for ephemeral test instances.
Complexity: moderate

Safety Check Review

Summary

This PR enhances the e2e test infrastructure by implementing ephemeral Forgejo instances and updating CI workflows. No security concerns or obvious bugs detected.

Key Changes Reviewed

  • CI workflows: Updated to use custom runners and Go proxy
  • E2E test script: Replaced external token dependency with ephemeral Forgejo deployment
  • Test credentials: Uses hardcoded test passwords (e2e-admin-password-abc123) for ephemeral instances - this is appropriate for test-only code

Automated Alert Analysis

The flagged "credentials" are test passwords for ephemeral Forgejo instances that are created and destroyed during testing. These are not production secrets and pose no security risk.

Technical Notes

  • Go version 1.26/1.27 in matrix are reasonable (newer versions exist post-training cutoff)
  • Custom checkout logic replaces actions for self-hosted runners
  • TLS cert generation for webhook testing is appropriate
  • Proper cleanup mechanisms implemented

No breaking changes or production security issues identified.

fix(e2e): set ALLOW_BRANCH=1 to bypass Makefile branch guard in CI
Some checks failed
CI / ci (push) Successful in 1m50s
CI / ci (pull_request) Successful in 1m52s
E2E smoke test / e2e (pull_request) Failing after 3m15s
83d1b543ef
The Checkout step in the workflow does a `git checkout $SHA` after the
clone, leaving the repo in detached-HEAD state. The Makefile's
check-main-branch guard then reads "HEAD" as the current branch name
and aborts `container-build-controller`. Pass ALLOW_BRANCH=1 from the
workflow env so CI can build from any ref.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Collaborator

Automated review by pr-reviewer v0.17.0 | Safety Check | Claude Sonnet 4 | tracking id r-e4aabb-41bc7e
This is an AI-generated review and may contain mistakes.

Status: Completed

Verdict: LGTM — No obvious security issues or bugs detected in the e2e test improvements.
Complexity: moderate

Safety Check Review

Key Changes

  • Enhances e2e testing by deploying ephemeral Forgejo instance in test
  • Switches CI workflows to use custom runners and containers
  • Updates test script to mint admin tokens and create test repositories
  • Adds dependency installation and Docker configuration

Security Assessment

The "possible secret/credential" flag was triggered by the admin token generation code in the test script, but this is legitimate test functionality that creates ephemeral tokens for testing purposes only.

No Obvious Issues Found

  • Go version 1.26/1.27 are reasonable future versions (not typos)
  • Token handling is appropriate for test context
  • Docker configuration looks standard
  • No exposed secrets or obvious vulnerabilities detected

The changes appear to be straightforward CI/testing improvements without alarming issues.

fix(e2e): make kind apiserver reachable when DOCKER_HOST is remote
Some checks failed
CI / ci (push) Successful in 1m51s
CI / ci (pull_request) Successful in 1m48s
E2E smoke test / e2e (pull_request) Failing after 5m34s
166d0a23a1
In CI, the job runs in a golang container that talks to a separate
dind daemon over tcp://. kind then binds the apiserver to 127.0.0.1
on the dind side and writes that into the kubeconfig — the port is
only reachable from dind's loopback, and from the job container
127.0.0.1 is our own loopback.

When DOCKER_HOST is a tcp:// endpoint:
- Pass a kind config with apiServerAddress: 0.0.0.0 so the port is
  exposed on the dind container's external interface.
- Rewrite the kubeconfig's server URL to the docker-host IP and skip
  TLS verification (the apiserver cert isn't signed for that IP).

No-op when DOCKER_HOST is unset or a local socket.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
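The kubeconfig rewrite described in the commit message above, as an added example (not the PR's own `hack/e2e-smoke.sh`): derive the dind host from a `tcp://` DOCKER_HOST, repoint the cluster's server URL at it, and skip TLS verification, staying a no-op for an unset DOCKER_HOST or a unix socket. The sample kubeconfig and the IP/port values are constructed.

```shell
#!/usr/bin/env bash
# Added example, not the PR's own code: make a kind kubeconfig usable from a job
# container when DOCKER_HOST points at a separate dind daemon over tcp://.
set -eu

# Host part of a tcp:// DOCKER_HOST. Prints nothing and returns 1 for an unset
# value or a unix:// socket, so the rewrite below degrades to a no-op.
docker_host_ip() {
  local dh="${1:-}"
  case "$dh" in
    tcp://*)
      dh="${dh#tcp://}"          # drop scheme
      dh="${dh%%/*}"             # drop any path
      printf '%s\n' "${dh%%:*}"  # drop port
      ;;
    *) return 1 ;;
  esac
}

# Rewrite the cluster entry in place: 127.0.0.1 -> docker host IP, plus
# insecure-skip-tls-verify because the kind apiserver certificate is not issued
# for that IP. The CA data line is dropped as well: kubectl rejects a cluster
# that sets both certificate-authority-data and insecure-skip-tls-verify.
rewrite_kubeconfig_for_remote_docker() {
  local kubeconfig="$1" docker_host="${2:-}" ip tmp
  ip="$(docker_host_ip "$docker_host")" || return 0   # local socket: no-op
  tmp="$(mktemp)"
  awk -v ip="$ip" '
    /^[[:space:]]*certificate-authority-data:/ { next }
    /^[[:space:]]*server: https:\/\/127\.0\.0\.1:/ {
      indent = $0; sub(/[^[:space:]].*$/, "", indent)   # keep leading spaces
      sub(/127\.0\.0\.1/, ip)
      print
      print indent "insecure-skip-tls-verify: true"
      next
    }
    { print }
  ' "$kubeconfig" > "$tmp"
  mv "$tmp" "$kubeconfig"
}

# Constructed sample of what kind writes (base64 blobs are placeholders).
write_sample_kubeconfig() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: LS0tQ09OU1RSVUNURUQtU0FNUExFLS0t
    server: https://127.0.0.1:39451
  name: kind-e2e
contexts:
- context:
    cluster: kind-e2e
    user: kind-e2e
  name: kind-e2e
current-context: kind-e2e
users:
- name: kind-e2e
  user:
    client-certificate-data: LS0tQ09OU1RSVUNURUQtU0FNUExFLS0t
    client-key-data: LS0tQ09OU1RSVUNURUQtU0FNUExFLS0t
EOF
}

# Helper for checks: the server URL currently in the kubeconfig.
kubeconfig_server() {
  awk '/^[[:space:]]*server:/ { print $2; exit }' "$1"
}
```

If you would rather keep certificate verification, a kubeconfig cluster entry also accepts `tls-server-name: localhost` (a name the kind certificate is issued for), which lets the CA data stay in place instead of skipping verification.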
Collaborator

Automated review by pr-reviewer v0.17.0 | Safety Check | Claude Sonnet 4 | tracking id r-e4ad89-268c45
This is an AI-generated review and may contain mistakes.

Status: Completed

Verdict: LGTM — The changes enhance CI/CD workflows and improve e2e testing with ephemeral Forgejo instances, no security issues or obvious bugs detected.
Complexity: moderate

Safety Check Review

Overview

This PR significantly enhances the e2e testing infrastructure by introducing ephemeral Forgejo instances and updating CI workflows. The changes span multiple workflow files and a comprehensive e2e test script.

Key Changes Reviewed

  • CI Workflows: Updated to use custom runners, added GOPROXY configuration, and enhanced dependency installation
  • E2E Testing: Complete rewrite of the smoke test to use ephemeral Forgejo instances instead of requiring external tokens
  • Container Setup: Improved Docker-in-Docker support for CI environments

Security Assessment

  • The automated flag about "possible secret or credential detected" appears to be a false positive - the detected content is actually test credentials hardcoded for the ephemeral test environment (FORGEJO_USER, FORGEJO_PASS, etc.)
  • All credentials are clearly test-only and used within the isolated e2e environment
  • No actual secrets or production credentials exposed

Technical Assessment

  • Go version 1.26-1.27 in matrix testing appears reasonable (these are future versions but not wildly outside expected range)
  • Docker host detection logic is sound for containerized CI environments
  • Proper cleanup mechanisms implemented with trap handlers
  • Resource creation and validation logic follows expected patterns

Potential Issues

  • None identified that would cause service breakage or security vulnerabilities
  • The complexity is appropriate for enabling comprehensive e2e testing

The changes represent a significant improvement to the testing infrastructure without introducing security risks or obvious bugs.

feat(e2e): stream pod events while waiting for Forgejo rollout
Some checks failed
CI / ci (push) Successful in 1m51s
CI / ci (pull_request) Successful in 1m52s
E2E smoke test / e2e (pull_request) Failing after 7m31s
d2683799cb
A bare `kubectl rollout status` leaves the log silent until either
success or timeout. Stream pod-scoped events in the background during
the wait so image-pull progress, scheduling, and container state
transitions are visible as they happen, and bump the timeout from
180s to 300s for cold image pulls in CI.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Collaborator

Automated review by pr-reviewer v0.17.0 | Safety Check | Claude Sonnet 4 | tracking id r-e4b0a7-4a59a4
This is an AI-generated review and may contain mistakes.

Status: Completed

Verdict: LGTM — The automated flag for potential credentials appears to be the hardcoded test passwords in the e2e script, which are appropriate for ephemeral test environments.
Complexity: moderate

Safety Check Review

This PR significantly enhances the e2e test infrastructure by adding an ephemeral Forgejo instance and improving CI workflows. The changes look reasonable overall.

Key Changes

  • Replaces external Forgejo dependency with ephemeral instance in e2e tests
  • Updates CI workflows to use custom runners and Go proxy
  • Adds proper Docker-in-Docker support for containerized CI
  • Enhances e2e smoke test with full integration testing

Flagged Issue Investigation

The automated tool flagged potential credentials in hack/e2e-smoke.sh. These are hardcoded test credentials:

  • FORGEJO_PASS="e2e-admin-password-abc123"
  • FORGEJO_EMAIL="e2e@test.local"

These are appropriate for ephemeral test environments and pose no security risk since they're only used in temporary, isolated test instances.

Version Notes

  • Go 1.26/1.27 versions are future releases but this is expected for testing next-gen compatibility
  • Forgejo image version 15 appears reasonable for container testing

No security vulnerabilities, accidental commits, or breaking changes detected.

fix(e2e): pull Forgejo image via the harbor codeberg proxy cache
Some checks failed
CI / ci (push) Successful in 1m57s
CI / ci (pull_request) Successful in 1m49s
E2E smoke test / e2e (pull_request) Failing after 7m35s
1b0b57b912
The kind node's DNS can't resolve codeberg.org in the CI dind environment.
Pull through harbor.brooktrails.org/codeberg instead, which is reachable
from inside the LAN and doesn't require auth for public repos.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Collaborator

Automated review by pr-reviewer v0.17.0 | Safety Check | Claude Sonnet 4 | tracking id r-e4b43d-99cd4b
This is an AI-generated review and may contain mistakes.

Status: Completed

Verdict: LGTM — This is a comprehensive improvement to E2E testing infrastructure with no obvious security or correctness issues.
Complexity: complex

Safety Check Review

This PR significantly enhances the E2E testing setup by:

  1. Replacing external dependencies with an ephemeral Forgejo instance for testing
  2. Improving CI workflows with proper containerization and dependency management
  3. Adding comprehensive test infrastructure for smoke testing

Key observations:

  • No security issues: The automated flag about "possible secret or credential detected" refers to hardcoded test credentials (FORGEJO_PASS="e2e-admin-password-abc123"), which is appropriate for ephemeral test infrastructure
  • Go version 1.26/1.27: These appear to be legitimate pre-release versions being tested in the "next-go" workflow
  • Proper cleanup: The test script includes proper resource cleanup in trap handlers
  • Docker-in-Docker handling: Correctly handles remote Docker hosts for CI environments
  • TLS certificate generation: Uses appropriate self-signed certs for webhook testing

The changes are well-structured and follow good practices for CI/CD and testing infrastructure.

fix(e2e): pre-pull Forgejo image on docker side and kind-load it
All checks were successful
CI / ci (pull_request) Successful in 1m54s
CI / ci (push) Successful in 1m48s
E2E smoke test / e2e (pull_request) Successful in 3m23s
2d11e71f86
kind nodes in the CI dind environment can't resolve external (or even
internal LAN) hostnames from their DNS (192.168.112.1 misbehaves).
The docker daemon itself can reach the harbor proxy, though — it
already pulled kindest/node. Pull the Forgejo image there and kind-load
it so the kind node never has to resolve the registry hostname.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Collaborator

Automated review by pr-reviewer v0.17.0 | Safety Check | Claude Sonnet 4 | tracking id r-e4b6fc-cf3ab8
This is an AI-generated review and may contain mistakes.

Status: Completed

Verdict: LGTM — The changes enhance e2e testing with ephemeral Forgejo instance setup and improved CI workflows - no security vulnerabilities or obvious bugs detected.
Complexity: moderate

Safety Check Review

Overview

This PR significantly enhances the e2e testing infrastructure by:

  • Setting up an ephemeral Forgejo instance for testing
  • Improving CI workflows with proper container builds and dependency management
  • Adding comprehensive test validation

Key Changes Reviewed

CI/CD Workflows

  • Updated Go versions (1.26, 1.27) are reasonable for forward compatibility testing
  • Added GOPROXY configuration for dependency management
  • Proper container-based builds with dependency installation
  • Docker-in-Docker setup for kind clusters

E2E Test Enhancement (hack/e2e-smoke.sh)

  • Creates ephemeral Forgejo instance instead of relying on external service
  • Proper cleanup mechanisms with trap handling
  • TLS certificate generation for webhook server
  • Comprehensive resource validation (ConfigMap, Secret, Deployment)

Security Considerations

  • No hardcoded secrets - uses generated admin tokens
  • Temporary credentials are properly scoped and cleaned up
  • Self-signed certificates are appropriate for testing context
  • The "possible secret/credential" detection appears to be false positive on test credentials

Potential Issues

None identified. The changes appear well-structured with proper error handling and cleanup mechanisms.

rcsheets merged commit 976a2fddb2 into master 2026-04-19 11:13:00 +00:00
rcsheets deleted branch feat/e2e-ephemeral-forgejo 2026-04-19 11:13:00 +00:00
Reference
brooktrails/forgejo-runner-operator!26