Преглед изворни кода

fix(ci): pin the tag smoke test to the release under test

The v3.4.2 tag push triggered the smoke workflow immediately, but
install.sh with no arguments resolves releases/latest, which still pointed
at v3.4.1 while release.yml was uploading the new assets. The green smoke
run therefore validated the previous release (#5756). A paths filter alone
cannot exclude tag pushes because a brand-new tag ref has no diff base.

Restrict the push trigger to branches so tag pushes no longer start the
unpinned job, and add a workflow_run job that fires after the release
workflow completes for a v* tag: it checks out the tagged commit, passes
the tag through smoke-noninteractive.sh into install.sh's explicit-version
path, and asserts the installed binary reports exactly that version.

Closes #5756
MHSanaei пре 5 часа
родитељ
комит
5c725df702
2 измењених фајлова са 55 додато и 5 уклоњено
  1. 35 1
      .github/workflows/smoke.yml
  2. 20 4
      deploy/test/smoke-noninteractive.sh

+ 35 - 1
.github/workflows/smoke.yml

@@ -1,10 +1,18 @@
 name: Deploy Smoke Tests
 
 # Container smoke test for the unattended (cloud-init) install path.
-# Runs only when the install/deploy assets change.
+# Runs when the install/deploy assets change on a branch push or PR, and
+# again after a release-tag build finishes uploading its assets — pinned to
+# that tag, so the green result verifies the release actually being shipped.
+# Tag pushes must NOT trigger the unpinned job directly: at that moment
+# releases/latest still points at the previous release (#5756), and a `paths`
+# filter alone cannot exclude them because a brand-new tag ref has no diff
+# base, so it runs on every tag push.
 
 on:
   push:
+    branches:
+      - "**"
     paths:
       - "install.sh"
       - "deploy/**"
@@ -14,12 +22,16 @@ on:
       - "install.sh"
       - "deploy/**"
       - ".github/workflows/smoke.yml"
+  workflow_run:
+    workflows: ["Release 3X-UI"]
+    types: [completed]
 
 permissions:
   contents: read
 
 jobs:
   noninteractive-install:
+    if: github.event_name != 'workflow_run'
     strategy:
       fail-fast: false
       matrix:
@@ -30,3 +42,25 @@ jobs:
       - uses: actions/checkout@v7
       - name: Non-interactive install smoke test
         run: bash deploy/test/smoke-noninteractive.sh
+
+  release-tag-install:
+    if: >-
+      github.event_name == 'workflow_run' &&
+      github.event.workflow_run.conclusion == 'success' &&
+      github.event.workflow_run.event == 'push' &&
+      startsWith(github.event.workflow_run.head_branch, 'v') &&
+      contains(github.event.workflow_run.head_branch, '.')
+    strategy:
+      fail-fast: false
+      matrix:
+        runner: [ubuntu-latest, ubuntu-24.04-arm]
+    runs-on: ${{ matrix.runner }}
+    timeout-minutes: 15
+    steps:
+      - uses: actions/checkout@v7
+        with:
+          ref: ${{ github.event.workflow_run.head_sha }}
+      - name: Pinned release install smoke test
+        env:
+          XUI_SMOKE_VERSION: ${{ github.event.workflow_run.head_branch }}
+        run: bash deploy/test/smoke-noninteractive.sh "$XUI_SMOKE_VERSION"

+ 20 - 4
deploy/test/smoke-noninteractive.sh

@@ -7,35 +7,51 @@
 #   * /etc/x-ui/install-result.env exists (mode 600) with random, non-default creds
 #   * the panel reports hasDefaultCredential: false (no admin/admin remains)
 #   * the panel HTTP server actually serves on the generated port/base path
+#   * with a [version] argument: the installed binary reports exactly that version
 #
 # Requires Docker and network access (install.sh downloads the released binary).
-# Usage: bash deploy/test/smoke-noninteractive.sh
+# Usage: bash deploy/test/smoke-noninteractive.sh [version]
+#   With no argument install.sh resolves releases/latest. Pass an explicit tag
+#   (e.g. v3.4.2) to verify that exact release — the tag-triggered CI run does
+#   this so it cannot silently validate the previous release (#5756).
 set -euo pipefail
 
 REPO_ROOT="$(cd "$(dirname "$0")/../.." && pwd)"
 IMAGE="${SMOKE_IMAGE:-ubuntu:24.04}"
+XUI_SMOKE_VERSION="${1:-}"
 
 if ! command -v docker > /dev/null 2>&1; then
     echo "ERROR: docker is required for this smoke test." >&2
     exit 1
 fi
 
-echo "== non-interactive install smoke test (image: $IMAGE) =="
+echo "== non-interactive install smoke test (image: $IMAGE, version: ${XUI_SMOKE_VERSION:-latest}) =="
 
 docker run --rm \
     -v "${REPO_ROOT}/install.sh:/root/install.sh:ro" \
     -e XUI_NONINTERACTIVE=1 \
     -e XUI_SSL_MODE=none \
+    -e XUI_SMOKE_VERSION="$XUI_SMOKE_VERSION" \
     -e DEBIAN_FRONTEND=noninteractive \
     "$IMAGE" bash -euo pipefail -c '
         apt-get update -qq
         apt-get install -y -qq curl tar openssl ca-certificates > /dev/null
 
-        echo "--- running install.sh piped (no TTY) ---"
+        echo "--- running install.sh piped (no TTY), version: ${XUI_SMOKE_VERSION:-latest} ---"
         # Piping guarantees stdin is not a TTY, exercising the auto non-interactive path.
-        cat /root/install.sh | bash
+        if [ -n "${XUI_SMOKE_VERSION:-}" ]; then
+            cat /root/install.sh | bash -s -- "$XUI_SMOKE_VERSION"
+        else
+            cat /root/install.sh | bash
+        fi
 
         echo "--- assertions ---"
+        if [ -n "${XUI_SMOKE_VERSION:-}" ]; then
+            installed=$(/usr/local/x-ui/x-ui -v)
+            [ "$installed" = "${XUI_SMOKE_VERSION#v}" ] \
+                || { echo "FAIL: installed version $installed, want ${XUI_SMOKE_VERSION#v}"; exit 1; }
+        fi
+
         RESULT=/etc/x-ui/install-result.env
         test -f "$RESULT" || { echo "FAIL: $RESULT missing"; exit 1; }