feat: move smoke test into build-and-publish workflow

- Add KIND smoke test job to build-and-publish.yml
- Runs on every PR (including Renovate Dockerfile bumps)
- Publish now requires both test + smoke-test to pass
- Remove separate helm-smoke-test.yml to avoid duplication

Author: apham0001

.github/workflows/build-and-publish.yml

@@ -117,10 +117,130 @@ jobs:
             test -d /keys \
             && echo "/keys OK"
 
+  smoke-test:
+    name: KIND Smoke Test
+    runs-on: ubuntu-latest
+    needs: test
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build image
+        uses: docker/build-push-action@v6
+        with:
+          context: ./docker/
+          load: true
+          tags: ${{ env.TEST_TAG }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+
+      - name: Create KIND cluster
+        uses: helm/kind-action@v1
+
+      - name: Load image into KIND
+        run: kind load docker-image ${{ env.TEST_TAG }} --name chart-testing
+
+      - name: Add subchart repos & build deps
+        run: |
+          helm repo add kubelauncher https://kubelauncher.github.io/charts
+          helm dependency build charts/
+
+      - name: Lint chart
+        run: helm lint charts/
+
+      - name: Generate signing key
+        run: |
+          SIGNING_KEY="ed25519 a_test $(openssl rand -base64 32)"
+          echo "SIGNING_KEY=${SIGNING_KEY}" >> "$GITHUB_ENV"
+
+      - name: Install chart
+        run: |
+          helm install beacon-node charts/ \
+            --set image.repository=beacon-node \
+            --set image.tag=test \
+            --set image.digest="" \
+            --set image.pullPolicy=Never \
+            --set serverName=beacon-node-test.local \
+            --set "signingKey=${SIGNING_KEY}" \
+            --set postgresql.enabled=true \
+            --set postgresql.auth.password=testpass \
+            --set postgresql.auth.postgresPassword=testpass \
+            --set redis.enabled=true \
+            --set ingress.enabled=false \
+            --set workers.enabled=true \
+            --wait \
+            --timeout 300s
+
+      - name: Verify pods are running
+        run: |
+          kubectl get pods -o wide
+          kubectl wait --for=condition=ready pod -l app.kubernetes.io/name=beacon-node --timeout=120s
+
+      - name: Check beacon-node logs for errors
+        run: |
+          POD=$(kubectl get pod -l app.kubernetes.io/name=beacon-node -o jsonpath='{.items[0].metadata.name}')
+          kubectl logs "$POD" --tail=50
+          if kubectl logs "$POD" | grep -i "FATAL" | grep -v "reserved for"; then
+            echo "FATAL errors found in logs"
+            exit 1
+          fi
+          echo "No FATAL errors in logs"
+
+      - name: Smoke test Synapse endpoints
+        run: |
+          POD=$(kubectl get pod -l app.kubernetes.io/name=beacon-node -o jsonpath='{.items[0].metadata.name}')
+
+          echo "--- /.well-known/matrix/server ---"
+          RESPONSE=$(kubectl exec "$POD" -- curl -sf http://localhost:8008/.well-known/matrix/server)
+          echo "$RESPONSE"
+          echo "$RESPONSE" | grep -q "m.server" || (echo "FAIL: missing m.server" && exit 1)
+
+          echo "--- /.well-known/matrix/client ---"
+          RESPONSE=$(kubectl exec "$POD" -- curl -sf http://localhost:8008/.well-known/matrix/client)
+          echo "$RESPONSE"
+          echo "$RESPONSE" | grep -q "m.homeserver" || (echo "FAIL: missing m.homeserver" && exit 1)
+
+          echo "--- /_matrix/client/versions ---"
+          RESPONSE=$(kubectl exec "$POD" -- curl -sf http://localhost:8008/_matrix/client/versions)
+          echo "$RESPONSE"
+          echo "$RESPONSE" | grep -q "versions" || (echo "FAIL: missing versions" && exit 1)
+
+          echo "--- /_matrix/federation/v1/version ---"
+          RESPONSE=$(kubectl exec "$POD" -- curl -sf http://localhost:8008/_matrix/federation/v1/version)
+          echo "$RESPONSE"
+          echo "$RESPONSE" | grep -q "Synapse" || (echo "FAIL: unexpected version response" && exit 1)
+
+          echo "--- /_matrix/client/v3/login ---"
+          RESPONSE=$(kubectl exec "$POD" -- curl -sf http://localhost:8008/_matrix/client/v3/login)
+          echo "$RESPONSE"
+          echo "$RESPONSE" | grep -q "m.login.password" || (echo "FAIL: login flow missing" && exit 1)
+
+          echo "All smoke tests passed"
+
+      - name: Debug on failure
+        if: failure()
+        run: |
+          echo "=== Pod status ==="
+          kubectl get pods -o wide
+          echo "=== Events ==="
+          kubectl get events --sort-by='.lastTimestamp'
+          echo "=== Beacon node logs ==="
+          POD=$(kubectl get pod -l app.kubernetes.io/name=beacon-node -o jsonpath='{.items[0].metadata.name}' 2>/dev/null)
+          [ -n "$POD" ] && kubectl logs "$POD" --tail=100
+          echo "=== PostgreSQL logs ==="
+          PG_POD=$(kubectl get pod -l app.kubernetes.io/name=postgresql -o jsonpath='{.items[0].metadata.name}' 2>/dev/null)
+          [ -n "$PG_POD" ] && kubectl logs "$PG_POD" --tail=50
+
   publish:
     name: Publish to GHCR
     runs-on: ubuntu-latest
-    needs: test
+    needs: [test, smoke-test]
     if: github.event_name != 'pull_request'
     permissions:
       contents: read