ci: add acceptance tests and reduce duplication

rjaegers · rjaegers · commit 5351af7d50c3 · 2025-10-15T09:13:04.000Z
diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml
@@ -37,6 +37,8 @@ jobs:
       dockerfile: .devcontainer/${{ matrix.flavor }}/Dockerfile
       image-name: ${{ github.repository }}-${{ matrix.flavor }}
       integration-test-file: test/${{ matrix.flavor }}/integration-tests.bats
+      acceptance-test-path: ${{ matrix.flavor == 'cpp' && 'test/cpp/features' || '' }}
+      test-devcontainer-file: ${{ matrix.flavor == 'cpp' && '.devcontainer/cpp-test/devcontainer.json' || '' }}
 
   dependency-review:
     needs: build-push-test-flavors
diff --git a/.github/workflows/wc-acceptance-test.yml b/.github/workflows/wc-acceptance-test.yml
@@ -4,7 +4,13 @@ name: Acceptance Test
 on:
   workflow_call:
     inputs:
-      flavor:
+      image-basename:
+        required: true
+        type: string
+      devcontainer-file:
+        required: true
+        type: string
+      acceptance-test-path:
         required: true
         type: string
     secrets:
@@ -49,9 +55,9 @@ jobs:
             gh secret set -a codespaces IMAGE_VERSION --body "edge"
           fi
 
-          echo CODESPACE_NAME="$(gh codespace create -R "${{ github.repository }}" -b "$HEAD_REF" -m basicLinux32gb --devcontainer-path ".devcontainer/${CONTAINER_FLAVOR}-test/devcontainer.json" --idle-timeout 10m --retention-period 1h)" >> "$GITHUB_ENV"
+          echo CODESPACE_NAME="$(gh codespace create -R "${{ github.repository }}" -b "$HEAD_REF" -m basicLinux32gb --devcontainer-path "${DEVCONTAINER_FILE}" --idle-timeout 10m --retention-period 1h)" >> "$GITHUB_ENV"
         env:
-          CONTAINER_FLAVOR: ${{ inputs.flavor }}
+          DEVCONTAINER_FILE: ${{ inputs.devcontainer-file }}
           GH_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }}
           HEAD_REF: ${{ github.head_ref }}
       - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
@@ -82,17 +88,17 @@ jobs:
           done
         env:
           GH_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }}
-      - run: cd "test/${CONTAINER_FLAVOR}/features" && npm test
+      - run: cd "${ACCEPTANCE_TEST_PATH}" && npm test
         env:
-          CONTAINER_FLAVOR: ${{ inputs.flavor }}
+          ACCEPTANCE_TEST_PATH: ${{ inputs.acceptance-test-path }}
           GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }}
           GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }}
           GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }}
-          PLAYWRIGHT_JUNIT_OUTPUT_NAME: ${{ github.workspace }}/test-report-acceptance-${{ inputs.flavor }}.xml
+          PLAYWRIGHT_JUNIT_OUTPUT_NAME: ${{ github.workspace }}/test-report-acceptance-${{ inputs.image-basename }}.xml
       - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: ${{ !cancelled() }}
         with:
-          name: test-results-acceptance-${{ inputs.flavor }}
+          name: test-results-acceptance-${{ inputs.image-basename }}
           path: |
             test-report-*.xml
             test-results/
diff --git a/.github/workflows/wc-build-push-test-flavor.yml b/.github/workflows/wc-build-push-test-flavor.yml
diff --git a/.github/workflows/wc-build-push-test.yml b/.github/workflows/wc-build-push-test.yml
@@ -43,6 +43,14 @@ on:
         description: "Path to the BATS test file to run for integration tests"
         required: false
         type: string
+      test-devcontainer-file:
+        description: "Path to the devcontainer.json file to use for acceptance tests"
+        required: false
+        type: string
+      acceptance-test-path:
+        description: "Path to the Playwright acceptance tests (directory that contains playwright.config.ts)"
+        required: false
+        type: string
     secrets:
       TEST_GITHUB_TOKEN:
         required: false
@@ -92,6 +100,24 @@ jobs:
     permissions:
       contents: read
     with:
-      image-name: ${{ inputs.image-name }}
+      fully-qualified-image-name: ${{ needs.build-push.outputs.fully-qualified-image-name }}
+      image-basename: ${{ needs.build-push.outputs.image-basename }}
+      image-digest: ${{ needs.build-push.outputs.digest }}
       test-file: ${{ inputs.integration-test-file }}
       runner-labels: ${{ matrix.runner }}
+
+  acceptance-test:
+    if: ${{ inputs.test-devcontainer-file && inputs.acceptance-test-path }}
+    needs: build-push
+    uses: ./.github/workflows/wc-acceptance-test.yml
+    permissions:
+      contents: read
+    secrets:
+      TEST_GITHUB_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }}
+      TEST_GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }}
+      TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }}
+      TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }}
+    with:
+      image-basename: ${{ needs.build-push.outputs.image-basename }}
+      devcontainer-file: ${{ inputs.test-devcontainer-file }}
+      acceptance-test-path: ${{ inputs.acceptance-test-path }}
diff --git a/.github/workflows/wc-build-push.yml b/.github/workflows/wc-build-push.yml
@@ -32,6 +32,13 @@ on:
       runner-labels:
         required: true
         type: string
+    outputs:
+      fully-qualified-image-name:
+        value: ${{ jobs.sanitize-image-name.outputs.fully-qualified-image-name }}
+      image-basename:
+        value: ${{ jobs.sanitize-image-name.outputs.image-basename }}
+      digest:
+        value: ${{ jobs.merge-image.outputs.digest }}
     secrets:
       DOCKER_REGISTRY_USERNAME:
         required: true
@@ -142,6 +149,8 @@ jobs:
       id-token: write
       packages: write
       pull-requests: write
+    outputs:
+      digest: ${{ steps.inspect-manifest.outputs.digest }}
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
diff --git a/.github/workflows/wc-integration-test.yml b/.github/workflows/wc-integration-test.yml
@@ -4,7 +4,13 @@ name: Integration Test
 on:
   workflow_call:
     inputs:
-      image-name:
+      fully-qualified-image-name:
+        required: true
+        type: string
+      image-basename:
+        required: true
+        type: string
+      image-digest:
         required: true
         type: string
       test-file:
@@ -28,44 +34,10 @@ on:
 permissions: {}
 
 jobs:
-  sanitize-image-name:
-    uses: ./.github/workflows/wc-sanitize-image-name.yml
-    with:
-      image-name: ${{ inputs.image-name }}
-      registry: ${{ inputs.registry }}
-      runner-labels: ${{ inputs.runner-labels }}
-
-  determine-container:
-    runs-on: ${{ (startsWith(inputs.runner-labels, '[') && endsWith(inputs.runner-labels, ']')) && fromJson(inputs.runner-labels) || inputs.runner-labels }}
-    needs: sanitize-image-name
-    outputs:
-      container: ${{ steps.set-container.outputs.container }}
-      runner-arch: ${{ steps.runner-arch.outputs.arch }}
-    steps:
-      - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
-        with:
-          disable-sudo: true
-          egress-policy: audit
-      - run: echo "arch=${RUNNER_ARCH@L}" >> "$GITHUB_OUTPUT"
-        id: runner-arch
-      - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
-        with:
-          path: ${{ runner.temp }}/digests-${{ needs.sanitize-image-name.outputs.image-basename }}-${{ steps.runner-arch.outputs.arch }}
-          pattern: digests-${{ needs.sanitize-image-name.outputs.image-basename }}-${{ steps.runner-arch.outputs.arch }}
-      - run: echo "container=$(printf "${FULLY_QUALIFIED_IMAGE_NAME}@sha256:%s " *)" >> "$GITHUB_OUTPUT"
-        working-directory: ${{ runner.temp }}/digests-${{ needs.sanitize-image-name.outputs.image-basename }}-${{ steps.runner-arch.outputs.arch }}
-        env:
-          FULLY_QUALIFIED_IMAGE_NAME: ${{ needs.sanitize-image-name.outputs.fully-qualified-image-name }}
-          GH_REPO: ${{ github.repository }}
-        id: set-container
-
   run-test:
-    needs:
-      - determine-container
-      - sanitize-image-name
     runs-on: ${{ (startsWith(inputs.runner-labels, '[') && endsWith(inputs.runner-labels, ']')) && fromJson(inputs.runner-labels) || inputs.runner-labels }}
     container:
-      image: ${{ needs.determine-container.outputs.container }} # zizmor: ignore[unpinned-images] This image is actually pinned by sha256 digest
+      image: ${{ inputs.fully-qualified-image-name }}@${{ inputs.image-digest }}
       credentials:
         username: ${{ secrets.DOCKER_REGISTRY_USERNAME || github.actor }}
         password: ${{ secrets.DOCKER_REGISTRY_PASSWORD || github.token }}
@@ -82,16 +54,16 @@ jobs:
       - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           path: test/cpp/.xwin-cache
-          key: xwin-cache-${{ needs.determine-container.outputs.runner-arch }}
+          key: xwin-cache-${{ runner.arch }}
           restore-keys: |
-            xwin-cache-${{ needs.determine-container.outputs.runner-arch }}
+            xwin-cache-${{ runner.arch }}
       - run: bats --formatter junit "${TEST_FILE}" | tee "test-report-${IMAGE_BASENAME}-${RUNNER_ARCH}.xml"
         env:
-          IMAGE_BASENAME: ${{ needs.sanitize-image-name.outputs.image-basename }}
+          IMAGE_BASENAME: ${{ inputs.image-basename }}
           TEST_FILE: ${{ inputs.test-file }}
-          RUNNER_ARCH: ${{ needs.determine-container.outputs.runner-arch }}
+          RUNNER_ARCH: ${{ runner.arch }}
       - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: ${{ !cancelled() }}
         with:
-          name: test-results-integration-${{ needs.sanitize-image-name.outputs.image-basename }}-${{ needs.determine-container.outputs.runner-arch }}
+          name: test-results-integration-${{ inputs.image-basename }}-${{ runner.arch }}
           path: test-report-*.xml
