
Add strict-mode smoke test lane (HTTPS + signature verification) #650

Merged
dahlia merged 5 commits into fedify-dev:main from sij411:feat/smoke-strict
Mar 30, 2026

Conversation

@sij411 (Contributor) commented Mar 28, 2026

Summary

What this adds

Architecture

A standalone Docker Compose file (docker-compose.strict.yml) with:

  • Caddy TLS proxies (caddy-harness, caddy-mastodon) that terminate
    TLS using per-run self-signed certificates
  • Renamed backend services (fedify-harness-backend,
    mastodon-web-backend) to avoid DNS collisions with Caddy aliases
  • CA trusted via SSL_CERT_FILE (Ruby/Mastodon) and DENO_CERT (Deno)

Key differences from non-strict lane

| Aspect | Non-strict | Strict |
|---|---|---|
| Protocol | HTTP | HTTPS (Caddy TLS termination) |
| Signature verification | skipSignatureVerification: true | skipSignatureVerification: false |
| Account discovery | DB pre-registration | WebFinger via ResolveAccountService |
| Trigger | Push to main/next/maintenance | Nightly schedule + workflow_dispatch |

Shared harness changes

  • STRICT_MODE env var toggles http:// vs https:// for inbox URLs
    (backdoor.ts) and scheme rewriting in Follow Accept handler
    (federation.ts)

CI reliability improvements

  • Caddy images pinned to caddy:2.11.2-alpine
  • Healthchecks added to both Caddy proxy services
  • mastodon-sidekiq depends on caddy-harness (not backend directly)
    to ensure TLS proxy is ready before HTTPS deliveries
  • Connectivity check fails the step on error (aligned with non-strict)

Test plan

  • All 6 scenarios pass locally (Follow, Create Note, Reply, Unfollow
    in both directions)
  • CI workflow smoke-mastodon-strict passes via workflow_dispatch

Related to #615 and #481

🤖 Generated with Claude Code

@issues-auto-labeler bot added labels Mar 28, 2026: component/ci (CI/CD workflows and GitHub Actions), component/federation (Federation object related), component/signatures (OIP or HTTP/LD Signatures related), component/testing (Testing utilities (@fedify/testing))
@gemini-code-assist bot (Contributor) left a comment

Code Review

This pull request introduces a "strict mode" for smoke tests to support HTTPS and mandatory signature verification. Key changes include a new standalone Docker Compose configuration using Caddy as a TLS proxy, scripts for certificate generation and provisioning, and updates to the test harness for environment-based protocol switching. Feedback identifies an invalid Deno Docker image tag in the new compose file and suggests removing stderr redirection in the certificate generation script to facilitate debugging.

@codecov bot commented Mar 28, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.
see 1 file with indirect coverage changes

@sij411 (Contributor, Author) commented Mar 28, 2026

/gemini review

@gemini-code-assist bot (Contributor) left a comment

Code Review

This pull request introduces a 'strict mode' for Mastodon smoke tests, enabling HTTPS and signature verification. It adds a new Docker Compose configuration (docker-compose.strict.yml), Caddy proxy configurations, a certificate generation script, and a specialized provisioning script. The fedify-harness and federation logic were also updated to toggle between HTTP and HTTPS based on the STRICT_MODE environment variable. However, the Docker images specified for Deno and Caddy in the new Compose file use invalid version tags, which will prevent the services from starting.

@sij411 sij411 marked this pull request as ready for review March 28, 2026 12:13
sij411 and others added 5 commits March 29, 2026 14:33
Add an end-to-end smoke test suite that spins up a Mastodon instance via
Docker Compose and verifies that Fedify can correctly exchange ActivityPub
messages with it.

The suite includes a lightweight Fedify test harness that runs inside the
Docker network alongside Mastodon, and an orchestrator that drives six
scenarios through the Mastodon API and harness backdoor endpoints:

 -  Mastodon → Fedify (Follow)
 -  Fedify → Mastodon (Follow)
 -  Fedify → Mastodon (Create Note)
 -  Mastodon → Fedify (Reply)
 -  Mastodon → Fedify (Unfollow)
 -  Fedify → Mastodon (Unfollow)

Each follow scenario includes precondition checks (ensureNotFollowing /
assertNotFollowing) to verify the relationship starts clean.

Mastodon-specific files live in test/smoke/mastodon/ to support adding
other server targets (e.g. Misskey) in sibling directories later.

See: fedify-dev#481

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add a second smoke test lane that validates Fedify's interoperability
with Mastodon over HTTPS with HTTP signature verification enabled.
The non-strict lane tests basic ActivityPub over HTTP; this lane adds
TLS termination via Caddy proxies and a self-signed CA to verify the
full signature chain works end-to-end.

Architecture:

- Standalone Docker Compose file with renamed backend services to avoid
  DNS collisions with Caddy TLS proxy aliases
- Self-signed CA generated per CI run, trusted via SSL_CERT_FILE (Ruby)
  and DENO_CERT (Deno)
- WebFinger-based account discovery in provisioning instead of DB
  pre-registration
- STRICT_MODE env var toggles signature verification and URL scheme in
  the shared harness code

Runs on nightly schedule and workflow_dispatch, not on every push.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add mastodon-web-backend health check alongside the existing
mastodon-sidekiq check, and make curl failures fail the step
immediately instead of silently continuing.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Pin Caddy images to 2.11.2-alpine for reproducible CI builds
- Add healthchecks to caddy-harness and caddy-mastodon so
  docker compose --wait blocks until proxies are ready
- Make mastodon-sidekiq depend on caddy-harness (instead of
  fedify-harness-backend directly) to ensure TLS proxy is ready
  before Sidekiq attempts HTTPS deliveries

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
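The per-run CA and Caddy certificate flow described in the PR description above (and again in the second commit message), as an added example that is not the PR's own certificate-generation script: it mints an ephemeral CA, issues one leaf certificate whose SANs cover both Caddy aliases, and runs the chain and hostname check that a peer trusting the CA through SSL_CERT_FILE or DENO_CERT performs, followed by the untrusted-CA case that would break HTTPS actor-key fetches in the strict lane. The proxy names are the ones the PR uses; the single shared leaf, the directory layout, the RSA-2048 key size and the one-day validity are assumptions of this example, and it needs the openssl CLI (1.1.0 or newer for -verify_hostname).

```shell
#!/bin/sh
# Added example, not the PR's own certificate-generation script: mint an
# ephemeral CA and one leaf certificate for the Caddy TLS proxies, then run
# the chain + hostname check a TLS client makes when it trusts the CA through
# SSL_CERT_FILE (Ruby/Mastodon) or DENO_CERT (Deno harness).
set -eu

# The proxy aliases are the ones the PR names; a single shared leaf, the file
# layout, RSA-2048 keys and one-day validity are assumptions of this example.
PROXY_HOSTS="caddy-harness caddy-mastodon"

# gen_ca DIR NAME: self-signed CA at DIR/NAME.key and DIR/NAME.crt.
# A fresh key is minted on every run, so nothing here is worth committing;
# `req -x509` marks the certificate as a CA (basicConstraints CA:TRUE).
gen_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt"
}

# gen_leaf DIR CA: DIR/leaf.key and DIR/leaf.crt signed by DIR/CA.crt, with one
# DNS SAN per proxy alias (hostname matching uses SANs, not the CN).
gen_leaf() {
  dir="$1"; ca="$2"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=caddy-harness" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr"

  san=""
  for h in $PROXY_HOSTS; do
    san="${san:+$san,}DNS:$h"
  done
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=%s\nextendedKeyUsage=serverAuth\n' \
    "$san" > "$dir/leaf.ext"

  openssl x509 -req -in "$dir/leaf.csr" -days 1 \
    -CA "$dir/$ca.crt" -CAkey "$dir/$ca.key" -CAcreateserial \
    -extfile "$dir/leaf.ext" -out "$dir/leaf.crt"
}

# verify_chain DIR CA_BUNDLE HOST: succeeds only if DIR/leaf.crt chains to
# CA_BUNDLE and its SANs cover HOST. A peer whose bundle lacks the per-run CA
# fails here, before it can fetch the actor key that HTTP-signature
# verification needs.
verify_chain() {
  openssl verify -CAfile "$2" -verify_hostname "$3" "$1/leaf.crt" >/dev/null 2>&1
}

# Stand-alone run: mint everything into a temp dir and exercise both outcomes.
out="$(mktemp -d)"
gen_ca "$out" ca
gen_leaf "$out" ca
for h in $PROXY_HOSTS; do
  verify_chain "$out" "$out/ca.crt" "$h"
  echo "ok: $h chains to $out/ca.crt (point SSL_CERT_FILE / DENO_CERT here)"
done

# Failure mode: a bundle holding a different CA must reject the same leaf.
gen_ca "$out" other-ca
if verify_chain "$out" "$out/other-ca.crt" caddy-harness; then
  echo "BUG: leaf accepted under an untrusted CA" >&2; exit 1
fi
echo "ok: leaf rejected when the CA is not in the trusted bundle"
```

The stderr of the openssl calls is left visible on purpose, in line with the review comment above that asks for no stderr redirection in certificate generation. The negative check at the end is the condition the strict lane exists to surface: with the CA missing from a peer's bundle the TLS handshake fails before any HTTP-signature verification can run, so a delivery that passes in the non-strict HTTP lane fails here.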
@sij411 sij411 force-pushed the feat/smoke-strict branch from a10197b to c6db09a Compare March 29, 2026 05:34
@sij411 (Contributor, Author) commented Mar 30, 2026

/gemini review

@gemini-code-assist bot (Contributor) left a comment

Code Review

This pull request implements a strict mode for Mastodon smoke tests, enabling HTTPS and signature verification. It introduces a standalone Docker Compose setup with Caddy proxies for TLS termination, certificate generation scripts, and updated test harness logic for protocol switching. A critical issue was identified regarding an invalid Deno Docker image tag in the new configuration, which would prevent the services from starting.


# Fedify test harness — renamed to avoid colliding with the Caddy alias.
fedify-harness-backend:
  image: denoland/deno:2.7.1
@gemini-code-assist bot (Contributor) left a review comment on the snippet above

critical

The Docker image denoland/deno:2.7.1 specified here does not appear to be a valid tag on Docker Hub for the official Deno image. This will likely cause the docker compose up command to fail with an image not found error.

Please verify the intended Deno version and update the tag to a valid one from the denoland/deno repository on Docker Hub.

@dahlia (Member) commented Mar 30, 2026

@codex review

@chatgpt-codex-connector

Codex Review: Didn't find any major issues. Already looking forward to the next diff.


@dahlia dahlia self-assigned this Mar 30, 2026
@dahlia dahlia linked an issue Mar 30, 2026 that may be closed by this pull request
@dahlia (Member) left a comment

Great job!

@dahlia dahlia merged commit 7f7a1e9 into fedify-dev:main Mar 30, 2026
30 of 31 checks passed


Development

Successfully merging this pull request may close these issues.

Mastodon interoperability smoke tests (non-strict)

2 participants