test: add smoke test script, integration tests, and post-deploy verification #810

Merged: TomerFi merged 3 commits into main from test/smoke-and-integration-tests on Feb 14, 2026
TomerFi (Owner) commented Feb 14, 2026

Summary

  • Add integration tests for app-runner.js that instantiate a real Probot with a test RSA key, sign webhook payloads with HMAC-SHA256, and verify the Lambda handler processes events without crashing. This covers the initialization path that broke in 3.0.9-3.0.12 (probot v14 async init). Removes app-runner.js from the c8 coverage exclusion list -- now at 100% statement coverage.
  • Add a smoke test script (scripts/smoke-test.js) that sends signed webhook events to the live Lambda Function URL and verifies the HTTP response. Supports ping, pr, closed, review, and all modes with automatic retries.
  • Add a reusable smoke-test.yml workflow that can be triggered manually from the GitHub UI (workflow_dispatch) or called automatically from the release workflow (workflow_call). Uses a separate smoke-test environment for secrets.
  • Add shared webhook payload fixtures in tests/fixtures/ used by both the integration tests and the smoke test script.

Setup required

Create a smoke-test GitHub environment with two secrets:

  • FUNCTION_URL -- the Lambda Function URL
  • WEBHOOK_SECRET -- the webhook secret

Test plan

  • All 105 tests pass locally (3 new + 102 existing)
  • Coverage passes with app-runner.js included
  • Smoke test verified against live Lambda (ping + all event types)
  • CI passes on this PR

Summary by CodeRabbit

  • Chores

    • Added automated smoke tests to the release pipeline to run after releases.
    • Updated coverage configuration and ignored a new plans directory.
  • New Features

    • Added a reusable smoke-test workflow and a CLI smoke-test tool that validates webhook behavior, signs payloads, retries on failure, and reports outcomes.
  • Tests

    • Added a test suite and multiple event fixtures to validate webhook handling and signature verification.

…ication

- Add integration tests for app-runner.js with real Probot instance (tests/app-runner.test.js)
- Add smoke test script for live Lambda verification (scripts/smoke-test.js)
- Add reusable smoke-test workflow, callable from release or manually from UI
- Add shared webhook payload fixtures in tests/fixtures/
- Remove app-runner.js from c8 coverage exclusion (now 100% covered)
- Call smoke-test workflow from release workflow after deploy

Signed-off-by: Tomer Figenblat <tomer@figenblat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
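
The payload signing that the PR description refers to, as an added example (not code from this PR or from scripts/smoke-test.js). The secret and payload are constructed sample values, and the function names are hypothetical; the header format is the `x-hub-signature-256` value the smoke test sends.

```javascript
// Added example: sign and verify a webhook body with HMAC-SHA256.
const { createHmac, timingSafeEqual } = require('node:crypto');

// Sign the exact bytes that go on the wire as the request body.
function signPayload(secret, rawBody) {
    const digest = createHmac('sha256', secret).update(rawBody).digest('hex');
    return `sha256=${digest}`;
}

// Receiver side: recompute over the raw body and compare in constant time.
function verifySignature(secret, rawBody, header) {
    if (typeof header !== 'string' || !header.startsWith('sha256=')) {
        return false; // missing header or unexpected algorithm prefix
    }
    const expected = Buffer.from(signPayload(secret, rawBody), 'utf8');
    const received = Buffer.from(header, 'utf8');
    // timingSafeEqual throws on unequal lengths, so reject those first
    if (received.length !== expected.length) {
        return false;
    }
    return timingSafeEqual(received, expected);
}

// Constructed sample values, not taken from the repository fixtures
const SECRET = 'constructed-test-secret';
const body = JSON.stringify({ zen: 'Keep it logically awesome.', hook_id: 1 });
const header = signPayload(SECRET, body);

function demo() {
    // Same JSON document, different bytes: parsing and re-serializing the
    // body before verification breaks the signature.
    const reserialized = JSON.stringify(JSON.parse(body), null, 2);
    return {
        valid: verifySignature(SECRET, body, header),
        wrongSecret: verifySignature('some-other-secret', body, header),
        reserialized: verifySignature(SECRET, reserialized, header),
        truncated: verifySignature(SECRET, body, header.slice(0, -2)),
        missing: verifySignature(SECRET, body, undefined),
    };
}

console.log(demo());
```
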
coderabbitai bot commented Feb 14, 2026

Walkthrough

Adds a smoke-test system: a new GitHub Actions workflow and a release job that calls it, a Node.js smoke-test script that signs and posts webhook fixtures with retry logic, new webhook fixtures, and a test suite validating app-runner signature handling.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Workflows: .github/workflows/release.yml, .github/workflows/smoke-test.yml | Added a smoke-test job to the release workflow that reuses ./.github/workflows/smoke-test.yml; introduced a new smoke-test workflow (triggers: workflow_dispatch, workflow_call) that runs on ubuntu-latest with Node.js 22 and uses repository secrets. |
| Smoke test script: scripts/smoke-test.js | New Node.js script: loads env/.env, discovers fixtures, HMAC-SHA256 signs payloads, sends webhook requests to FUNCTION_URL with WEBHOOK_SECRET, implements configurable retry/backoff, supports single/all event runs, and exits non-zero on failures. |
| Tests & fixtures: tests/app-runner.test.js, tests/fixtures/ping.json, tests/fixtures/pull_request.opened.json, tests/fixtures/pull_request.closed.json, tests/fixtures/pull_request_review.submitted.json | New test suite for app-runner that generates RSA keys, builds and signs mock webhook requests, verifies signature handling and basic handler initialization; added multiple webhook JSON fixtures for ping, pull_request (opened/closed), and pull_request_review events. |
| Config / ignore: .gitignore, package.json | Added plans/ to .gitignore; removed src/app-runner.js from c8.exclude in package.json (coverage exclusion now empty). |

Sequence Diagram

sequenceDiagram
    participant GH as GitHub Actions
    participant ReleaseWF as Release Workflow
    participant SmokeWF as Smoke-test Workflow
    participant Script as smoke-test.js
    participant Fixtures as Test Fixtures
    participant Endpoint as Function Endpoint

    GH->>ReleaseWF: trigger release
    ReleaseWF->>ReleaseWF: run release job
    ReleaseWF->>SmokeWF: call smoke-test (needs: release)
    SmokeWF->>Script: run smoke-test job
    Script->>Fixtures: discover event payloads
    Script->>Script: load env (FUNCTION_URL, WEBHOOK_SECRET)
    loop for each fixture
        Script->>Script: sign payload (HMAC-SHA256)
        Script->>Endpoint: POST signed webhook
        Endpoint-->>Script: respond (status, body)
        alt failure
            Script->>Script: wait & retry (configured retries/delay)
            Script->>Endpoint: resend webhook
        end
    end
    Script-->>SmokeWF: emit results (success/failure)
    SmokeWF-->>ReleaseWF: job completion

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Poem

🐰 I nibbled fixtures late at night,

Signed each hop with secret light,
Workflows hum, retries take flight,
Endpoints blink — tests pass in sight,
A joyful hop for code tonight!

🚥 Pre-merge checks | ✅ 3 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main changes: adding a smoke test script, integration tests, and post-deploy verification workflow. It is specific, clear, and directly reflects the primary objectives of the changeset. |
| Merge Conflict Detection | ✅ Passed | ✅ No merge conflicts detected when merging into main |

No actionable comments were generated in the recent review. 🎉

🧹 Recent nitpick comments
.github/workflows/release.yml (1)

22-22: Pre-existing actions use floating major-version tags instead of pinned SHAs.

Not introduced by this PR, but worth noting: actions like actions/checkout@v6, actions/setup-node@v6, actions/github-script@v8, etc. use major-version tags rather than pinned commit SHAs. Consider pinning to full SHAs (e.g., actions/checkout@<sha>) in a follow-up for supply-chain safety. As per coding guidelines, "Pin action versions in GitHub workflow files."


codecov bot commented Feb 14, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 99.20%. Comparing base (9dcfb85) to head (bb8cb34).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #810      +/-   ##
==========================================
+ Coverage   98.77%   99.20%   +0.42%     
==========================================
  Files           7        8       +1     
  Lines         981     1006      +25     
==========================================
+ Hits          969      998      +29     
+ Misses         12        8       -4     
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In @.github/workflows/smoke-test.yml:
- Around line 26-30: The workflow step that runs "node scripts/smoke-test.js
all" exports FUNCTION_URL and WEBHOOK_SECRET from the called workflow but those
secrets will be empty when this workflow is invoked via workflow_call unless the
caller forwards secrets; update the calling workflow (the release.yml invocation
of this workflow_call) to include secrets: inherit (or explicitly pass
FUNCTION_URL and WEBHOOK_SECRET) so that the environment variables set in the
smoke-test step (env: FUNCTION_URL, WEBHOOK_SECRET) are populated when run;
ensure the caller forwards the secrets to the called workflow rather than
relying on implicit availability.
- Around line 14-18: Replace the mutable action tags with full-length commit
SHAs: change uses: actions/checkout@v6 to uses:
actions/checkout@<full-commit-sha> and uses: actions/setup-node@v6 to uses:
actions/setup-node@<full-commit-sha>; keep a short version comment after each
SHA (e.g., "# v6") to indicate the tag you replaced. Locate the two occurrences
of actions/checkout@v6 and actions/setup-node@v6 in the workflow and update them
accordingly so both are pinned to their respective commit SHAs with version
comments.
🧹 Nitpick comments (3)
scripts/smoke-test.js (2)

63-72: Consider adding a request timeout to fetch.

If the Lambda function URL is unresponsive or slow, fetch will hang indefinitely, potentially causing the CI job to time out after a long delay with no useful diagnostics. Node 22 supports the signal option with AbortSignal.timeout().

Suggested improvement
     const response = await fetch(FUNCTION_URL, {
         method: 'POST',
         headers: {
             'content-type': 'application/json',
             'x-github-delivery': deliveryId,
             'x-github-event': eventName,
             'x-hub-signature-256': signature,
         },
         body,
+        signal: AbortSignal.timeout(30_000),
     });
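
Review bot: the 30-second limit in `signal: AbortSignal.timeout(30_000)` is hard-coded, and when it fires `fetch` rejects with a `TimeoutError` instead of returning a response. Make the value configurable, and confirm the code around this call catches that rejection and treats it as a failed attempt that can be retried, so a slow endpoint produces a clear diagnostic rather than an unhandled rejection.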

6-20: Custom .env parser is pragmatic but has a minor quoting quirk.

The quote-stripping regex on line 14 independently removes a leading and trailing quote character, so a mismatched pair like "value' would strip both. This is fine for a smoke-test utility script but worth a brief inline note if anyone reuses this parser.

tests/app-runner.test.js (1)

83-95: Consider a more specific assertion on the signature rejection error.

expect(error).to.exist passes for any thrown error. A slightly tighter check (e.g., matching "signature" in the message) would confirm the rejection is actually from signature verification and not from some unrelated failure.

🔧 Suggested tightening
         } catch (error) {
             // signature verification should fail
-            expect(error).to.exist;
+            expect(error.message).to.match(/signature/i,
+                'Expected a signature verification error');
         }
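
Review bot: the assertion lives only inside `catch (error)`, so if the call in the `try` body resolves without throwing, nothing is asserted and the test passes even though the bad signature was accepted. If the `try` body does not already fail explicitly after the call (for example with `expect.fail(...)`), add that; also note that `error.message` is undefined when something other than an `Error` is thrown, so the match would then fail for an unrelated reason.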

Without secrets: inherit, the reusable smoke-test workflow gets empty
FUNCTION_URL and WEBHOOK_SECRET when called from the release workflow.

Signed-off-by: Tomer Figenblat <tomer@figenblat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
TomerFi (Owner, Author) commented Feb 14, 2026

@coderabbitai resolve

Re: Pin actions to commit SHAs -- All other workflows in this repo use @v6 tag references. Pinning only this workflow would be inconsistent. If we adopt SHA pinning, it should be done across all workflows in a separate PR.

Re: secrets: inherit -- Fixed in 693afae. Added secrets: inherit to the release.yml caller.

@coderabbitai coderabbitai bot left a comment

Resolving this thread as the issue has been addressed.

coderabbitai bot commented Feb 14, 2026

@TomerFi, thank you for the updates and explanation!

secrets: inherit - Confirmed fixed in commit 693afae. The reusable workflow will now properly receive the required secrets from the caller.

SHA pinning consistency - Your point is well taken. Applying SHA pinning to just this workflow while others use @v6 tags would create inconsistency. If SHA pinning is adopted as a practice, a separate PR that updates all workflows uniformly would be the right approach.

I'll resolve these comments now.


🧠 Learnings used
Learnt from: CR
Repo: TomerFi/auto-me-bot PR: 0
File: .cursor/rules/project-rules.mdc:0-0
Timestamp: 2026-01-30T23:29:28.398Z
Learning: Applies to .github/workflows/*.{yml,yaml} : Pin action versions in GitHub workflow files
✅ Actions performed

Comments resolved. Auto-approval is disabled; enable reviews.request_changes_workflow to approve automatically.
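
A repository-wide check of the kind the pinning discussion in this thread points to, as an added example (not part of this PR or of the project). The function name and the sample workflow text, including its 40-character SHA, are constructed for illustration.

```javascript
// Added example: list `uses:` references that are not pinned to a full
// 40-character commit SHA. Line-based scan, no YAML parser required.
const FULL_SHA = /^[0-9a-f]{40}$/;

function findUnpinnedActions(workflowText) {
    const findings = [];
    workflowText.split('\n').forEach((line, index) => {
        // Drop trailing comments such as "# v6" that follow a pinned SHA
        const code = line.replace(/\s+#.*$/, '');
        const match = code.match(/^\s*(?:-\s*)?uses:\s*["']?([^"'\s]+)["']?\s*$/);
        if (!match) {
            return;
        }
        const ref = match[1];
        // Local workflows/actions and docker images carry no git ref to pin
        if (ref.startsWith('./') || ref.startsWith('docker://')) {
            return;
        }
        const at = ref.lastIndexOf('@');
        const version = at === -1 ? '' : ref.slice(at + 1);
        if (!FULL_SHA.test(version)) {
            findings.push({ line: index + 1, action: ref });
        }
    });
    return findings;
}

// Constructed workflow text; the SHA below is a placeholder, not a real commit
const SAMPLE_WORKFLOW = [
    'jobs:',
    '  smoke-test:',
    '    steps:',
    '      - uses: actions/checkout@v6',
    '      - uses: actions/setup-node@v6',
    '      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6',
    '  call-smoke-test:',
    '    uses: ./.github/workflows/smoke-test.yml',
].join('\n');

console.log(findUnpinnedActions(SAMPLE_WORKFLOW));
```

Run over every file under .github/workflows, this gives the full list to address in a single follow-up change rather than one workflow at a time.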

Signed-off-by: Tomer Figenblat <tomer@figenblat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
@auto-me-bot auto-me-bot bot added the status: review started Pull review in progress label Feb 14, 2026
@TomerFi TomerFi merged commit 2cee3df into main Feb 14, 2026
9 checks passed
@TomerFi TomerFi deleted the test/smoke-and-integration-tests branch February 14, 2026 19:26
@auto-me-bot auto-me-bot bot added status: merged Pull request merged and removed status: review started Pull review in progress labels Feb 14, 2026