test: add smoke test script, integration tests, and post-deploy verification (#810)

* test: add smoke test script, integration tests, and post-deploy verification

- Add integration tests for app-runner.js with real Probot instance (tests/app-runner.test.js)
- Add smoke test script for live Lambda verification (scripts/smoke-test.js)
- Add reusable smoke-test workflow, callable from release or manually from UI
- Add shared webhook payload fixtures in tests/fixtures/
- Remove app-runner.js from c8 coverage exclusion (now 100% covered)
- Call smoke-test workflow from release workflow after deploy

Signed-off-by: Tomer Figenblat <tomer@figenblat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>

* fix: add secrets: inherit so smoke-test workflow receives secrets

Without secrets: inherit, the reusable smoke-test workflow gets empty
FUNCTION_URL and WEBHOOK_SECRET when called from the release workflow.

Signed-off-by: Tomer Figenblat <tomer@figenblat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>

* chore: retrigger PR checks

Signed-off-by: Tomer Figenblat <tomer@figenblat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>

---------

Signed-off-by: Tomer Figenblat <tomer@figenblat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>

Author: TomerFi

.github/workflows/release.yml

@@ -148,3 +148,8 @@ jobs:
           git add mkdocs.yml
           git commit -m "docs: updated docs with ${{ steps.bumper.outputs.next }} [skip ci]"
           git push
+
+  smoke-test:
+    needs: release
+    uses: ./.github/workflows/smoke-test.yml
+    secrets: inherit

.github/workflows/smoke-test.yml

@@ -0,0 +1,30 @@
+---
+name: Smoke Test
+
+on:
+  workflow_dispatch:
+  workflow_call:
+
+jobs:
+  smoke-test:
+    runs-on: ubuntu-latest
+    environment: smoke-test
+    name: Smoke test deployed function
+    steps:
+      - name: Checkout sources
+        uses: actions/checkout@v6
+
+      - name: Install node 22
+        uses: actions/setup-node@v6
+        with:
+          node-version: '22'
+
+      - name: Wait for propagation
+        if: github.event_name != 'workflow_dispatch'
+        run: sleep 10
+
+      - name: Run smoke tests
+        env:
+          FUNCTION_URL: ${{ secrets.FUNCTION_URL }}
+          WEBHOOK_SECRET: ${{ secrets.WEBHOOK_SECRET }}
+        run: node scripts/smoke-test.js all

.gitignore

@@ -10,3 +10,4 @@ lambda.zip
 auto-me-bot.zip
 unit-tests-result.json
 release.sh
+plans/

package.json

@@ -62,9 +62,7 @@
     "include": [
       "src/**/*.js"
     ],
-    "exclude": [
-      "src/app-runner.js"
-    ],
+    "exclude": [],
     "reporter": [
       "html",
       "lcov",

scripts/smoke-test.js

@@ -0,0 +1,132 @@
+import { createHmac, randomUUID } from 'node:crypto';
+import { readFileSync, readdirSync } from 'node:fs';
+import { resolve, dirname, basename } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+// load .env if present (no external dependencies, optional for CI)
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const envPath = resolve(__dirname, '..', '.env');
+try {
+    for (const line of readFileSync(envPath, 'utf-8').split('\n')) {
+        const match = line.match(/^([^#=]+)=(.*)$/);
+        if (match) {
+            const key = match[1].trim();
+            const val = match[2].trim().replace(/^["']|["']$/g, '');
+            if (!process.env[key]) process.env[key] = val;
+        }
+    }
+} catch {
+    // no .env file -- rely on environment variables (e.g. in CI)
+}
+
+const FUNCTION_URL = process.env.FUNCTION_URL;
+const WEBHOOK_SECRET = process.env.WEBHOOK_SECRET;
+
+if (!FUNCTION_URL) {
+    console.error('FUNCTION_URL is not set in .env');
+    process.exit(1);
+}
+if (!WEBHOOK_SECRET) {
+    console.error('WEBHOOK_SECRET is not set in .env');
+    process.exit(1);
+}
+
+// discover available events from payloads directory
+// filename format: <event-name>.json where dots in event name map to dots in filename
+// e.g. pull_request.opened.json -> event "pull_request", action "opened"
+//      ping.json -> event "ping", no action
+const payloadsDir = resolve(__dirname, '..', 'tests', 'fixtures');
+const EVENTS = {};
+for (const file of readdirSync(payloadsDir).filter(f => f.endsWith('.json'))) {
+    const label = basename(file, '.json');
+    const parts = label.split('.');
+    // first part before the dot is the github event name (e.g. "pull_request", "pull_request_review")
+    // but event names can contain underscores, so we use the payload's action field to determine the split
+    const payload = JSON.parse(readFileSync(resolve(payloadsDir, file), 'utf-8'));
+    const eventName = payload.action ? label.slice(0, label.lastIndexOf('.')) : label;
+    EVENTS[label] = { name: eventName, payload };
+}
+
+// sign a payload the same way GitHub does
+function sign(payload) {
+    return 'sha256=' + createHmac('sha256', WEBHOOK_SECRET).update(payload).digest('hex');
+}
+
+// send a webhook event to the function
+async function sendEvent(eventName, payload) {
+    const body = JSON.stringify(payload);
+    const deliveryId = randomUUID();
+    const signature = sign(body);
+
+    console.log(`Sending '${eventName}' event (delivery: ${deliveryId})...`);
+
+    const response = await fetch(FUNCTION_URL, {
+        method: 'POST',
+        headers: {
+            'content-type': 'application/json',
+            'x-github-delivery': deliveryId,
+            'x-github-event': eventName,
+            'x-hub-signature-256': signature,
+        },
+        body,
+    });
+
+    const responseBody = await response.text();
+    return { status: response.status, body: responseBody };
+}
+
+const MAX_RETRIES = Number(process.env.SMOKE_RETRIES) || 3;
+const RETRY_DELAY_MS = Number(process.env.SMOKE_RETRY_DELAY_MS) || 5000;
+
+function sleep(ms) {
+    return new Promise(resolve => setTimeout(resolve, ms));
+}
+
+async function runOne(label, eventName, payload) {
+    for (let attempt = 1; attempt <= MAX_RETRIES; attempt++) {
+        try {
+            const { status, body } = await sendEvent(eventName, payload);
+            if (status >= 200 && status < 300) {
+                console.log(`  ${label}: OK (${status})`);
+                return true;
+            }
+            console.error(`  ${label}: FAILED (${status})${attempt < MAX_RETRIES ? ' - retrying...' : ''}`);
+            if (body) console.error(`  Response: ${body}`);
+        } catch (error) {
+            console.error(`  ${label}: ERROR - ${error.message}${attempt < MAX_RETRIES ? ' - retrying...' : ''}`);
+        }
+        if (attempt < MAX_RETRIES) await sleep(RETRY_DELAY_MS);
+    }
+    return false;
+}
+
+async function main() {
+    const arg = process.argv[2] || 'ping';
+    const labels = Object.keys(EVENTS).sort();
+
+    if (arg !== 'all' && !(arg in EVENTS)) {
+        console.error(`Unknown event type: ${arg}`);
+        console.error(`Supported events: ${labels.join(', ')}, all`);
+        process.exit(1);
+    }
+
+    let failed = false;
+
+    if (arg === 'all') {
+        console.log('Running all smoke tests...\n');
+        for (const label of labels) {
+            const event = EVENTS[label];
+            const ok = await runOne(label, event.name, event.payload);
+            if (!ok) failed = true;
+        }
+        console.log(failed ? '\nSome tests failed.' : '\nAll tests passed.');
+    } else {
+        const event = EVENTS[arg];
+        const ok = await runOne(arg, event.name, event.payload);
+        if (!ok) failed = true;
+    }
+
+    process.exit(failed ? 1 : 0);
+}
+
+main();

tests/app-runner.test.js

@@ -0,0 +1,96 @@
+import { expect } from 'chai'
+import { createHmac, generateKeyPairSync, randomUUID } from 'node:crypto'
+import { readFileSync } from 'node:fs'
+import { resolve, dirname } from 'node:path'
+import { fileURLToPath } from 'node:url'
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const fixturesDir = resolve(__dirname, 'fixtures');
+
+// generate a test RSA key pair (probot requires a valid private key)
+const { privateKey: testPrivateKey } = generateKeyPairSync('rsa', {
+    modulusLength: 2048,
+    privateKeyEncoding: { type: 'pkcs1', format: 'pem' },
+    publicKeyEncoding: { type: 'pkcs1', format: 'pem' },
+});
+
+const TEST_APP_ID = '12345';
+const TEST_WEBHOOK_SECRET = 'test-webhook-secret';
+const TEST_PRIVATE_KEY_B64 = Buffer.from(testPrivateKey).toString('base64');
+
+// build a lambda event object from a fixture file
+function buildEvent(fixtureFile, eventName) {
+    const payload = readFileSync(resolve(fixturesDir, fixtureFile), 'utf-8');
+    const parsed = JSON.parse(payload);
+    // derive event name from filename if not provided
+    if (!eventName) {
+        const base = fixtureFile.replace('.json', '');
+        eventName = parsed.action ? base.slice(0, base.lastIndexOf('.')) : base;
+    }
+    const body = JSON.stringify(parsed);
+    const signature = 'sha256=' + createHmac('sha256', TEST_WEBHOOK_SECRET)
+        .update(body).digest('hex');
+
+    return {
+        headers: {
+            'x-github-delivery': randomUUID(),
+            'x-github-event': eventName,
+            'x-hub-signature-256': signature,
+        },
+        body,
+    };
+}
+
+suite('Testing the app-runner handler', () => {
+    let originalEnv;
+
+    suiteSetup(() => {
+        // save and override env vars needed by the handler
+        originalEnv = { ...process.env };
+        process.env.APP_ID = TEST_APP_ID;
+        process.env.WEBHOOK_SECRET = TEST_WEBHOOK_SECRET;
+        process.env.PRIVATE_KEY = TEST_PRIVATE_KEY_B64;
+        process.env.LOG_LEVEL = 'fatal'; // suppress logs during tests
+    });
+
+    suiteTeardown(() => {
+        // restore original env
+        process.env = originalEnv;
+    });
+
+    test('Handler initializes probot and processes a ping event without throwing', async () => {
+        const { handler } = await import('../src/app-runner.js');
+        const event = buildEvent('ping.json', 'ping');
+        // ping events have no matching handler, so this should resolve cleanly
+        await handler(event);
+    });
+
+    test('Handler initializes probot and accepts a pull_request event', async () => {
+        const { handler } = await import('../src/app-runner.js');
+        const event = buildEvent('pull_request.opened.json');
+        // handlers will attempt GitHub API calls which will fail, but
+        // verifyAndReceive should not reject -- errors are handled by onError
+        try {
+            await handler(event);
+        } catch (error) {
+            // even if handlers fail on API calls, the function should not crash
+            // on initialization -- that's the critical path we're testing
+            expect(error.message).to.not.match(/cannot read properties of null/i,
+                'Probot initialization failed -- probot.log or probot.webhooks is null');
+        }
+    });
+
+    test('Handler rejects with an invalid webhook signature', async () => {
+        const { handler } = await import('../src/app-runner.js');
+        const event = buildEvent('ping.json', 'ping');
+        // tamper with the signature
+        event.headers['x-hub-signature-256'] = 'sha256=invalid';
+        try {
+            await handler(event);
+            expect.fail('Expected handler to reject with invalid signature');
+        } catch (error) {
+            // signature verification should fail
+            expect(error).to.exist;
+        }
+    });
+});

tests/fixtures/ping.json

@@ -0,0 +1,11 @@
+{
+    "zen": "Speak like a human.",
+    "hook_id": 1,
+    "hook": {
+        "type": "App",
+        "id": 1,
+        "active": true,
+        "events": ["pull_request"],
+        "app_id": 1
+    }
+}

tests/fixtures/pull_request.closed.json

@@ -0,0 +1,37 @@
+{
+    "action": "closed",
+    "number": 1,
+    "pull_request": {
+        "number": 1,
+        "title": "smoke test PR",
+        "body": "- [x] smoke test task",
+        "state": "closed",
+        "draft": false,
+        "merged": true,
+        "head": {
+            "sha": "0000000000000000000000000000000000000000",
+            "ref": "smoke-test"
+        },
+        "base": {
+            "ref": "main"
+        },
+        "user": {
+            "login": "smoke-test",
+            "type": "User"
+        }
+    },
+    "repository": {
+        "name": "auto-me-bot",
+        "full_name": "TomerFi/auto-me-bot",
+        "owner": {
+            "login": "TomerFi"
+        }
+    },
+    "sender": {
+        "login": "smoke-test",
+        "type": "User"
+    },
+    "installation": {
+        "id": 1
+    }
+}

tests/fixtures/pull_request.opened.json

@@ -0,0 +1,37 @@
+{
+    "action": "opened",
+    "number": 1,
+    "pull_request": {
+        "number": 1,
+        "title": "smoke test PR",
+        "body": "- [ ] smoke test task",
+        "state": "open",
+        "draft": false,
+        "merged": false,
+        "head": {
+            "sha": "0000000000000000000000000000000000000000",
+            "ref": "smoke-test"
+        },
+        "base": {
+            "ref": "main"
+        },
+        "user": {
+            "login": "smoke-test",
+            "type": "User"
+        }
+    },
+    "repository": {
+        "name": "auto-me-bot",
+        "full_name": "TomerFi/auto-me-bot",
+        "owner": {
+            "login": "TomerFi"
+        }
+    },
+    "sender": {
+        "login": "smoke-test",
+        "type": "User"
+    },
+    "installation": {
+        "id": 1
+    }
+}