ci: add PR validation, smoke tests, and workflow security hardening#30
gustavovalverde merged 10 commits into dev on Apr 7, 2026
- Add CI workflow: compose config validation + service startup smoke tests on every PR
- Add integration test workflow: regtest stack end-to-end validation on dev push
- Add zizmor workflow: GitHub Actions security scanning (SARIF → Security tab)
- Add Dependabot for GitHub Actions (monthly, with cooldown)
- Pin all actions to commit SHAs and update to latest versions
- Harden all workflows: persist-credentials: false, permissions: {}
- Add CI improvement plan tracking document
The smoke tests would have directly caught #28 (missing zaino start subcommand).
The previous SHA was an annotated tag object, not a reachable commit. Zizmor flagged this as impostor-commit and ref-mismatch.
- Start Zebra in regtest, verify RPC serves getblockchaininfo
- Mine block 1 (required for Zaino initial sync)
- Start Zaino, verify gRPC port binds and JSON-RPC proxy works
- Add failure log collection and cleanup steps
- Fix platform for cross-arch image pulls

- chmod 644 on generated TLS certs (Zaino's setpriv drops to uid 1000)
- Detect Zaino container crash before checking ports
- Wait for JSON-RPC port (8237) instead of gRPC (8137) to avoid race between port bind and TLS initialization

…lication
- Remove validate-compose job (redundant — smoke-test catches same errors)
- Remove integration-test.yaml (duplicated smoke-test with less robustness)
- Remove ci-improvement-plan.md (all items implemented, stale)
- Inline compose validation as first step of smoke-test
- Fix container name: use compose-aware ps instead of hardcoded z3_zaino
- Remove unnecessary comments
Summary
- CI workflow (ci.yaml): validates compose configs and runs service startup smoke tests on every PR
- Integration test workflow (integration-test.yaml): spins up the full regtest stack on dev push
- zizmor workflow (zizmor.yaml): GitHub Actions security scanning with SARIF upload
- Workflow hardening: persist-credentials: false, permissions: {}

Context

Issue #28 revealed that a missing start subcommand in the zaino compose command caused the service to crash on startup — with no CI to catch it. The smoke test added here (zainod start --help) would have caught that directly.
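An added example, not the workflow merged in this PR: a PR-triggered smoke-test job laid out the way the commits above describe (compose validation, stack startup, waiting on JSON-RPC port 8237 with a crash check first, log collection, cleanup) with the hardening settings applied. Service names zebra and zaino, a compose file at the repo root, and the all-zero placeholder SHA are assumptions.

```yaml
# Added example, not this PR's own workflow: a PR-triggered smoke-test job with
# the hardening the PR describes (permissions: {}, persist-credentials: false,
# SHA-pinned actions) and the wait-for-port / crash-detection pattern.
# Assumptions: compose services zebra and zaino, compose file at repo root,
# and a placeholder SHA that must be replaced with a real, reachable commit.
name: ci

on:
  pull_request:

permissions: {}              # no default token scopes; each job opts in

jobs:
  smoke-test:
    runs-on: ubuntu-latest
    timeout-minutes: 20
    permissions:
      contents: read           # the only scope checkout needs
    steps:
      # Pin to a commit SHA (a tag object is not a reachable commit); keep the tag as a comment.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # PLACEHOLDER SHA, vX.Y.Z
        with:
          persist-credentials: false   # do not leave GITHUB_TOKEN in .git/config

      - name: Validate compose config
        run: docker compose config --quiet

      - name: Start stack
        run: docker compose up -d zebra zaino

      - name: Wait for Zaino JSON-RPC (8237), failing fast if the container died
        run: |
          for _ in $(seq 1 60); do
            # compose-aware lookup instead of a hardcoded container name
            if [ -z "$(docker compose ps -q --status running zaino)" ]; then
              echo "zaino container is not running" >&2
              exit 1
            fi
            # bash /dev/tcp probe: succeeds only once the port accepts connections
            if (exec 3<>/dev/tcp/127.0.0.1/8237) 2>/dev/null; then exit 0; fi
            sleep 2
          done
          echo "timed out waiting for port 8237" >&2; exit 1

      - name: Collect logs on failure
        if: failure()
        run: docker compose logs --no-color --tail=200

      - name: Clean up
        if: always()
        run: docker compose down -v
```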