caddy/.github/workflows/ci.yml

# Used as inspiration: https://github.com/mvdan/github-actions-golang

name: Tests

on:
  push:
    branches:
      - master
      - 2.*
  pull_request:
    branches:
      - master
      - 2.*

env:
  # https://github.com/actions/setup-go/issues/491
  GOTOOLCHAIN: local

permissions:
  contents: read

jobs:
  test:
    strategy:
      # Default is true, cancels jobs for other platforms in the matrix if one fails
      fail-fast: false
      matrix:
        os:
          - linux
          - mac
          - windows
        go:
          - '1.24'

        include:
        # Set the minimum Go patch version for the given Go minor
        # Usable via ${{ matrix.GO_SEMVER }}
        - go: '1.24'
          GO_SEMVER: '~1.24.1'

        # Set some variables per OS, usable via ${{ matrix.VAR }}
        # OS_LABEL: the VM label from GitHub Actions (see https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners#standard-github-hosted-runners-for-public-repositories)
        # CADDY_BIN_PATH: the path to the compiled Caddy binary, for artifact publishing
        # SUCCESS: the typical value for $? per OS (Windows/pwsh returns 'True')
        - os: linux
          OS_LABEL: ubuntu-latest
          CADDY_BIN_PATH: ./cmd/caddy/caddy
          SUCCESS: 0

        - os: mac
          OS_LABEL: macos-14
          CADDY_BIN_PATH: ./cmd/caddy/caddy
          SUCCESS: 0

        - os: windows
          OS_LABEL: windows-latest
          CADDY_BIN_PATH: ./cmd/caddy/caddy.exe
          SUCCESS: 'True'

    runs-on: ${{ matrix.OS_LABEL }}
    permissions:
      contents: read
      pull-requests: read
      actions: write # to allow uploading artifacts and cache
    steps:
    - name: Harden the runner (Audit all outbound calls)
      uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
      with:
        egress-policy: audit

    - name: Checkout code
      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

    - name: Install Go
      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
      with:
        go-version: ${{ matrix.GO_SEMVER }}
        check-latest: true

    # These tools would be useful if we later decide to reinvestigate
    # publishing test/coverage reports to some tool for easier consumption
    # - name: Install test and coverage analysis tools
    #   run: |
    #     go get github.com/axw/gocov/gocov
    #     go get github.com/AlekSi/gocov-xml
    #     go get -u github.com/jstemmer/go-junit-report
    #     echo "$(go env GOPATH)/bin" >> $GITHUB_PATH

    - name: Print Go version and environment
      id: vars
      shell: bash
      run: |
        printf "Using go at: $(which go)\n"
        printf "Go version: $(go version)\n"
        printf "\n\nGo environment:\n\n"
        go env
        printf "\n\nSystem environment:\n\n"
        env
        printf "Git version: $(git version)\n\n"
        # Calculate the short SHA1 hash of the git commit
        echo "short_sha=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT

    - name: Get dependencies
      run: |
        go get -v -t -d ./...
        # mkdir test-results

    - name: Build Caddy
      working-directory: ./cmd/caddy
      env:
        CGO_ENABLED: 0
      run: |
        go build -tags nobadger,nomysql,nopgx -trimpath -ldflags="-w -s" -v

    - name: Smoke test Caddy
      working-directory: ./cmd/caddy
      run: |
        ./caddy start
        ./caddy stop

    - name: Publish Build Artifact
      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
      with:
        name: caddy_${{ runner.os }}_go${{ matrix.go }}_${{ steps.vars.outputs.short_sha }}
        path: ${{ matrix.CADDY_BIN_PATH }}
        compression-level: 0

    # Commented bits below were useful to allow the job to continue
    # even if the tests fail, so we can publish the report separately
    # For info about set-output, see https://stackoverflow.com/questions/57850553/github-actions-check-steps-status
    - name: Run tests
      # id: step_test
      # continue-on-error: true
      run: |
        # (go test -v -coverprofile=cover-profile.out -race ./... 2>&1) > test-results/test-result.out
        go test -tags nobadger,nomysql,nopgx -v -coverprofile="cover-profile.out" -short -race ./...
        # echo "status=$?" >> $GITHUB_OUTPUT

    # Relevant step if we reinvestigate publishing test/coverage reports
    # - name: Prepare coverage reports
    #   run: |
    #     mkdir coverage
    #     gocov convert cover-profile.out > coverage/coverage.json
    #     # Because Windows doesn't work with input redirection like *nix, but output redirection works.
    #     (cat ./coverage/coverage.json | gocov-xml) > coverage/coverage.xml

    # To return the correct result even though we set 'continue-on-error: true'
    # - name: Coerce correct build result
    #   if: matrix.os != 'windows' && steps.step_test.outputs.status != ${{ matrix.SUCCESS }}
    #   run: |
    #     echo "step_test ${{ steps.step_test.outputs.status }}\n"
    #     exit 1

  s390x-test:
    name: test (s390x on IBM Z)
    permissions:
      contents: read
      pull-requests: read
    runs-on: ubuntu-latest
    if: github.event.pull_request.head.repo.full_name == 'caddyserver/caddy' && github.actor != 'dependabot[bot]'
    continue-on-error: true  # August 2020: s390x VM is down due to weather and power issues
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
        with:
          egress-policy: audit
          allowed-endpoints: ci-s390x.caddyserver.com:22

      - name: Checkout code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Run Tests
        run: |
          set +e
          mkdir -p ~/.ssh && echo -e "${SSH_KEY//_/\\n}" > ~/.ssh/id_ecdsa && chmod og-rwx ~/.ssh/id_ecdsa

          # short sha is enough?
          short_sha=$(git rev-parse --short HEAD)

          # To shorten the following lines
          ssh_opts="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
          ssh_host="$CI_USER@ci-s390x.caddyserver.com"

          # The environment is fresh, so there's no point in keeping accepting and adding the key.
          rsync -arz -e "ssh $ssh_opts" --progress --delete --exclude '.git' . "$ssh_host":/var/tmp/"$short_sha"
          ssh $ssh_opts -t "$ssh_host" bash <<EOF
          cd /var/tmp/$short_sha
          go version
          go env
          printf "\n\n"
          retries=3
          exit_code=0
          while ((retries > 0)); do
            CGO_ENABLED=0 go test -p 1 -tags nobadger,nomysql,nopgx -v ./...
            exit_code=$?
            if ((exit_code == 0)); then
              break
            fi
            echo "\n\nTest failed: \$exit_code, retrying..."
            ((retries--))
          done
          echo "Remote exit code: \$exit_code"
          exit \$exit_code
          EOF
          test_result=$?

          # There's no need leaving the files around
          ssh $ssh_opts "$ssh_host" "rm -rf /var/tmp/'$short_sha'"

          echo "Test exit code: $test_result"
          exit $test_result
        env:
          SSH_KEY: ${{ secrets.S390X_SSH_KEY }}
          CI_USER: ${{ secrets.CI_USER }}

  goreleaser-check:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
    if: github.event.pull_request.head.repo.full_name == 'caddyserver/caddy' && github.actor != 'dependabot[bot]'
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
        with:
          egress-policy: audit

      - name: Checkout code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      
      - uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
        with:
          version: latest
          args: check
      - name: Install Go
        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
        with:
          go-version: "~1.24"
          check-latest: true
      - name: Install xcaddy
        run: |
          go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
          xcaddy version
      - uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
        with:
          version: latest
          args: build --single-target --snapshot
        env:
          TAG: ${{ github.head_ref || github.ref_name }}