feat: add smoke-services workflow for --allow-host-service-ports e2e testing #1534
…testing

Add a new smoke test workflow that validates the full path: services: port mappings → --allow-host-service-ports → iptables rules → agent reaches Redis and PostgreSQL on localhost

The workflow:
- Declares Redis (6379) and PostgreSQL (5432) as GitHub Actions services
- Passes compiler-generated port expressions to --allow-host-service-ports
- Agent installs redis-tools/postgresql-client and verifies connectivity
- Validates PING/PONG for Redis, pg_isready + SELECT 1 for PostgreSQL

Also registers the new lock file in postprocess-smoke-workflows.ts.

Closes #1525

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
✅ Coverage Check Passed
Pull request overview
Adds a new GitHub Actions smoke workflow intended to exercise the end-to-end `--allow-host-service-ports` path by bringing up Redis/PostgreSQL `services:` and verifying the AWF sandbox can reach them.
Changes:
- Added new smoke workflow source (`smoke-services.md`) and compiled lock workflow (`smoke-services.lock.yml`) to validate service connectivity.
- Registered the new lock workflow in the smoke-workflow postprocess pipeline.
- Updated the actions lockfile to include the `github/gh-aw-actions/setup@v0.64.5` entry used by the new lock workflow.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| scripts/ci/postprocess-smoke-workflows.ts | Adds smoke-services.lock.yml to the postprocess list so it gets the same normalization as other smoke workflows. |
| .github/workflows/smoke-services.md | New agentic smoke workflow definition and instructions for Redis/PostgreSQL connectivity checks. |
| .github/workflows/smoke-services.lock.yml | Compiled workflow with services: containers and AWF invocation including --allow-host-service-ports. |
| .github/aw/actions-lock.json | Adds the pinned github/gh-aw-actions/setup@v0.64.5 action entry referenced by the new lock workflow. |
.github/workflows/smoke-services.md
Outdated
| 1. **Redis Connectivity**: Run `redis-cli -h localhost -p 6379 ping` and verify the response is `PONG` | ||
| 2. **PostgreSQL Connectivity**: Run `pg_isready -h localhost -p 5432` and verify it reports the server is accepting connections | ||
| 3. **PostgreSQL Query**: Run `PGPASSWORD=testpass psql -h localhost -p 5432 -U postgres -d smoketest -c "SELECT 1 AS smoke_test;"` and verify it returns a row |
The connectivity commands use `-h localhost`, but inside the AWF sandbox `localhost` resolves to the sandbox container itself, not the GitHub Actions runner where the `services:` ports are published. This will likely cause the smoke test to fail even when `--allow-host-service-ports` is working. Use `host.docker.internal` (host gateway) for Redis/PostgreSQL connections so the test exercises the intended host-service-port path.
| 1. **Redis Connectivity**: Run `redis-cli -h localhost -p 6379 ping` and verify the response is `PONG` | |
| 2. **PostgreSQL Connectivity**: Run `pg_isready -h localhost -p 5432` and verify it reports the server is accepting connections | |
| 3. **PostgreSQL Query**: Run `PGPASSWORD=testpass psql -h localhost -p 5432 -U postgres -d smoketest -c "SELECT 1 AS smoke_test;"` and verify it returns a row | |
| 1. **Redis Connectivity**: Run `redis-cli -h host.docker.internal -p 6379 ping` and verify the response is `PONG` | |
| 2. **PostgreSQL Connectivity**: Run `pg_isready -h host.docker.internal -p 5432` and verify it reports the server is accepting connections | |
| 3. **PostgreSQL Query**: Run `PGPASSWORD=testpass psql -h host.docker.internal -p 5432 -U postgres -d smoketest -c "SELECT 1 AS smoke_test;"` and verify it returns a row |
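Review bot: All three steps in this suggestion are positive connectivity checks (`redis-cli ... ping`, `pg_isready`, `psql ... -c "SELECT 1 AS smoke_test;"`), so the smoke test would still pass if the sandbox let every host port through rather than only the ones given to `--allow-host-service-ports`. Consider adding a fourth step that connects to `host.docker.internal` on a port that is not in the allowed list and verifies that the connection is refused or times out, so the workflow also confirms the rules stay restrictive.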
Smoke Test Results — Claude Engine
Overall: PASS
Smoke Test Results — Copilot Engine ✅ PASS
Overall: PASS —
Two CI fixes:
1. Agent connects to host.docker.internal instead of localhost (localhost inside the AWF container is the container itself, not the host where GitHub Actions services run)
2. Add GH_AW_SAFE_OUTPUTS env var to the validate step so it reads the outputs file from the correct v0.64.5 path

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Smoke Test Results — PASS
Overall: PASS
Smoke Test Results — Run 23825478676
✅ GitHub MCP — Last 2 merged PRs: #1528 "fix: api-proxy auth chain…" · #1508 "fix: copy get-claude-key.sh…" (author:
Overall: PASS
Rewrite the test instructions to be less prescriptive about output format. The previous prompt explicitly described PASS/FAIL format and tool actions (add comment, add label), which the threat detection model misinterpreted as a pre-fabricated injection payload.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Smoke test results (run 23825943785)
✅ GitHub MCP — #1528 fix: api-proxy auth chain; #1508 fix: copy get-claude-key.sh to chroot-accessible path
Overall: PASS
Smoke Test Results
Last 2 merged PRs: #1528 "fix: api-proxy auth chain — trim keys, align placeholder format, add diagnostics" · #1508 "fix: copy get-claude-key.sh to chroot-accessible path" (both by
Overall: PASS
Smoke Test: GitHub Actions Services Connectivity ✅
All checks passed.
🏗️ Build Test Suite Results
Overall: 8/8 ecosystems passed — ✅ PASS
PRs reviewed: "fix: api-proxy auth chain — trim keys, align placeholder format, add diagnostics" | "fix: copy get-claude-key.sh to chroot-accessible path"
Summary
Add a new smoke test workflow that validates the full `--allow-host-service-ports` path end-to-end:

What's included

`.github/workflows/smoke-services.md`
New agentic workflow source:
- `redis-tools` and `postgresql-client`, then verifies connectivity
- `PING`/`PONG` for Redis, `pg_isready` + `SELECT 1` for PostgreSQL

`.github/workflows/smoke-services.lock.yml`
Compiled + postprocessed lock file with:
- `services:` block (redis:7 on 6379, postgres:15 on 5432)
- `--allow-host-service-ports` flag with `${{ job.services.*.ports[] }}` expressions

`scripts/ci/postprocess-smoke-workflows.ts`
Registered the new lock file in the postprocess pipeline.

Testing strategy
This is a workflow-level test — it will be validated when manually triggered via `workflow_dispatch`. The workflow itself IS the test: if the agent can reach Redis and PostgreSQL through the firewall, the feature works.

Closes #1525