Skip to content

feat(ci): add integration tests for AutoTLS in Beekeeper workflow #5350

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
akrem-chabchoub wants to merge 34 commits into
base: master
Choose a base branch
from
+114 −19
Open

feat(ci): add integration tests for AutoTLS in Beekeeper workflow #5350

Changes from all commits
Commits
Show all changes
34 commits
Select commit Hold shift + click to select a range
4420011
feat(ci): add integration tests for AutoTLS in Beekeeper workflow
akrem-chabchoub Feb 5, 2026
00c4ec7
feat(ci): enable P2P WebSocket support in Beekeeper workflow
akrem-chabchoub Feb 5, 2026
23279ad
fix(ci): update dependencies for ArgoCD trigger in Beekeeper workflow
akrem-chabchoub Feb 5, 2026
2b2b653
refactor(ci): add setup action for Beekeeper cluster deployment
akrem-chabchoub Feb 5, 2026
9ccf744
chore(ci): add checkout step to Beekeeper workflow for improved ref h…
akrem-chabchoub Feb 5, 2026
8ca3b1e
refactor(ci): remove setup action for Beekeeper cluster and inline st…
akrem-chabchoub Feb 5, 2026
282665c
refactor(ci): merge beekeeper and beekeeper-autotls
akrem-chabchoub Feb 9, 2026
31a1d0d
chore(ci): update Beekeeper workflow to use new branch and image tags
akrem-chabchoub Feb 16, 2026
a81b30f
chore(ci): update Beekeeper workflow to reference new autotls-check b…
akrem-chabchoub Feb 16, 2026
b25030a
chore(ci): update PEBBLE_IMAGE_TAG in Beekeeper workflow to v2.9.0 (t…
akrem-chabchoub Feb 16, 2026
3f59296
chore: update beekeeper branch
akrem-chabchoub Feb 17, 2026
1102828
chore: update beelocal and beekeeper branch
akrem-chabchoub Feb 17, 2026
00c7a11
chore: update beekeeper branch to fix/pebble-timout
akrem-chabchoub Feb 17, 2026
13c104e
fix: update pebble img tag to v2.9.0
akrem-chabchoub Feb 17, 2026
32c3a15
chore: update pebble and p2p-forge img tags
akrem-chabchoub Feb 17, 2026
19df6a0
chore: update beekeeper branch
akrem-chabchoub Feb 17, 2026
7fdabb3
Merge branch 'master' of https://github.com/ethersphere/bee into feat…
akrem-chabchoub Feb 20, 2026
d09d15c
chore: add pebble cert validity period
akrem-chabchoub Feb 20, 2026
a8da204
fix: simplify failure conditions in beekeeper workflow for artifact c…
akrem-chabchoub Feb 20, 2026
1323006
chore: update beelocal and beekeeper branch
akrem-chabchoub Mar 2, 2026
7249ec7
chore: increase pebble cert period to 300
akrem-chabchoub Mar 5, 2026
daa489e
chore: temp remove redundant test steps from beekeeper
akrem-chabchoub Mar 5, 2026
e31b93b
chore: update pebble cert validity period
akrem-chabchoub Mar 9, 2026
839e969
chore: update beekeeper and beelocal branches
akrem-chabchoub Apr 7, 2026
e27b650
chore: update beelocal branch
akrem-chabchoub Apr 7, 2026
37aa870
chore: update beelocal branch
akrem-chabchoub Apr 7, 2026
62962dc
chore: revert old chekcs
akrem-chabchoub Apr 17, 2026
621b571
chore: update beekeeper branch to refactor/autotls
akrem-chabchoub Apr 17, 2026
19d9846
chore: update beekeeper branch
akrem-chabchoub Apr 17, 2026
d1d7ec7
chore: enhance tests for autotls and update pebble validity period
akrem-chabchoub Apr 30, 2026
c8bcdb0
chore: update cert validity to 500
akrem-chabchoub Apr 30, 2026
e30e29e
chore: enhance beekeeper workflow with push event and P2P change dete…
akrem-chabchoub May 1, 2026
05ef834
chore: update beekeeper workflow to include itself in change detection
akrem-chabchoub May 1, 2026
63f2ffc
chore: fix error handling in beekeeper workflow
akrem-chabchoub May 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
133 changes: 114 additions & 19 deletions .github/workflows/beekeeper.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,9 @@
pull_request:
branches:
- "**"
push:
branches:
- master

env:
K3S_VERSION: "v1.31.10+k3s1"
Expand All @@ -25,24 +28,23 @@
AWS_EC2_METADATA_DISABLED: true
AWS_ENDPOINT: fra1.digitaloceanspaces.com
VERTAG: ${GITHUB_RUN_ID}
P2P_WSS_ENABLE: true
PEBBLE_IMAGE_TAG: "2.9.0"
P2P_FORGE_IMAGE_TAG: "v0.7.0"
PEBBLE_CERTIFICATE_VALIDITY_PERIOD: "500"
jobs:
init:
name: Init
runs-on: ubuntu-latest
outputs:
msg: ${{ steps.commit.outputs.msg }}
p2p_changed: ${{ steps.p2p.outputs.changed }}
steps:
- name: Checkout
uses: actions/checkout@v5
if: github.event.action != 'beekeeper'
with:
fetch-depth: 0
- name: Checkout
uses: actions/checkout@v5
if: github.event.action == 'beekeeper'
with:
fetch-depth: 0
ref: ${{ github.event.client_payload.ref }}
ref: ${{ github.event.action == 'beekeeper' && github.event.client_payload.ref || github.sha }}
- name: Setup Go
uses: actions/setup-go@v6
with:
Expand All @@ -60,8 +62,27 @@
- name: Get Commit Message
id: commit
run: |
MSG=$(git log --format=%s -n 1 ${{github.event.after}})
MSG=$(git log --format=%s -n 1 ${{ github.event.after || github.sha }})
echo "msg=${MSG}" >> $GITHUB_OUTPUT
- name: Detect P2P connectivity-related changes (pull_request only)
id: p2p
run: |
if [ "${{ github.event_name }}" != "pull_request" ]; then
echo "changed=skip" >> $GITHUB_OUTPUT
exit 0
fi
git fetch origin "${{ github.base_ref }}" --depth=1
# Paths that can affect ci-autotls behavior:
# - /addresses, /connect, /peers API surface
# - p2p/libp2p WSS/AutoTLS transport and handshake
# - node wiring + topology/hive/addressbook integration
# - swarm address identity types and p2p deps
if git diff --name-only "origin/${{ github.base_ref }}...HEAD" | grep -qE \
'^(pkg/(p2p|topology|hive|addressbook|bzz|node|swarm)/|pkg/api/(api|router|p2p|peer)\.go|cmd/bee/cmd/(cmd|start)\.go|\.github/workflows/beekeeper\.yml|go\.mod|go\.sum)'; then
echo "changed=true" >> $GITHUB_OUTPUT
else
echo "changed=false" >> $GITHUB_OUTPUT
fi
- name: Build - 0
run: |
make binary
Expand Down Expand Up @@ -99,6 +120,11 @@
runs-on: ubuntu-latest
needs: [init]
steps:
- name: Checkout
uses: actions/checkout@v5
with:
fetch-depth: 0
ref: ${{ github.event.action == 'beekeeper' && github.event.client_payload.ref || github.sha }}
- name: Cache
uses: actions/cache@v4
with:
Expand All @@ -113,19 +139,17 @@
run: |
chmod +x bee-1 beekeeper .github/bin/beekeeper_artifacts.sh
mv .beekeeper.yaml ~/.beekeeper.yaml
mkdir ~/.beekeeper && mv local.yaml ~/.beekeeper/local.yaml
mkdir -p ~/.beekeeper && mv local.yaml ~/.beekeeper/local.yaml
mv bee-1 bee
sudo mv beekeeper /usr/local/bin/beekeeper
- name: Prepare local cluster
run: |
timeout ${TIMEOUT} make beelocal OPTS='ci skip-vet' ACTION=prepare
run: timeout ${TIMEOUT} make beelocal OPTS='ci skip-vet' ACTION=prepare
- name: Set kube config
run: |
mkdir -p ~/.kube
cp /etc/rancher/k3s/k3s.yaml ~/.kube/config
- name: Set local cluster
run: |
timeout ${TIMEOUT} make deploylocal BEEKEEPER_CLUSTER=local-dns
run: timeout ${TIMEOUT} make deploylocal BEEKEEPER_CLUSTER=local-dns
- name: Test pingpong
id: pingpong
run: timeout ${TIMEOUT} bash -c 'until beekeeper check --cluster-name local-dns --checks ci-pingpong; do echo "waiting for pingpong..."; sleep .3; done'
Expand Down Expand Up @@ -182,7 +206,7 @@
- name: Test feeds
id: feeds
run: timeout ${TIMEOUT} beekeeper check --cluster-name local-dns --checks=ci-feed
- name: Collect debug artifacts
- name: Collect debug artifacts (local-dns)
if: failure()
run: |
bash .github/bin/beekeeper_artifacts.sh local-dns
Expand All @@ -193,18 +217,18 @@
if ${{ steps.pss.outcome=='failure' }}; then FAILED=pss; fi
if ${{ steps.soc.outcome=='failure' }}; then FAILED=soc; fi
if ${{ steps.gsoc.outcome=='failure' }}; then FAILED=gsoc; fi
if ${{ steps.pushsync-chunks-1.outcome=='failure' }}; then FAILED=pushsync-chunks-1; fi
if ${{ steps.pushsync-chunks-2.outcome=='failure' }}; then FAILED=pushsync-chunks-2; fi
if ${{ steps.pushsync-chunks-1.outcome=='failure' }}; then FAILED=pushsync-chunks; fi
if ${{ steps.pushsync-chunks-2.outcome=='failure' }}; then FAILED=pushsync-light-chunks; fi
if ${{ steps.retrieval.outcome=='failure' }}; then FAILED=retrieval; fi
if ${{ steps.manifest.outcome=='failure' }}; then FAILED=manifest; fi
if ${{ steps.manifest-v1.outcome=='failure' }}; then FAILED=manifest-v1; fi
if ${{ steps.postage-stamps.outcome=='failure' }}; then FAILED=postage-stamps; fi
if ${{ steps.stake.outcome=='failure' }}; then FAILED=stake; fi
if ${{ steps.withdraw.outcome=='failure' }}; then FAILED=withdraw; fi
if ${{ steps.redundancy.outcome=='failure' }}; then FAILED=redundancy; fi
if ${{ steps.feeds.outcome=='failure' }}; then FAILED=feeds; fi
if ${{ steps.feeds-v1.outcome=='failure' }}; then FAILED=feeds-v1; fi
if ${{ steps.act.outcome=='failure' }}; then FAILED=act; fi
if ${{ steps.feeds-v1.outcome=='failure' }}; then FAILED=feeds-v1; fi
if ${{ steps.feeds.outcome=='failure' }}; then FAILED=feeds; fi
curl -sSf -X POST -H "Content-Type: application/json" -d "{\"text\": \"**${RUN_TYPE}** Beekeeper Error\nBranch: \`${{ github.head_ref }}\`\nUser: @${{ github.event.pull_request.user.login }}\nDebugging artifacts: [click](https://$BUCKET_NAME.$AWS_ENDPOINT/artifacts_$VERTAG.tar.gz)\nStep failed: \`${FAILED}\`\"}" https://beehive.ethswarm.org/hooks/${{ secrets.TUNSHELL_KEY }}
echo "Failed test: ${FAILED}"
- name: Create tunshell session for debug
Expand All @@ -220,11 +244,82 @@
with:
name: debug-dump
path: dump/
beekeeper-autotls:
name: Integration tests (autotls)
if: |
github.event_name == 'repository_dispatch' ||
(github.event_name == 'push' && github.ref == 'refs/heads/master') ||
(github.event_name == 'pull_request' && needs.init.outputs.p2p_changed == 'true')
runs-on: ubuntu-latest
needs: [init]
steps:
- name: Checkout
uses: actions/checkout@v5
with:
fetch-depth: 0
ref: ${{ github.event.action == 'beekeeper' && github.event.client_payload.ref || github.sha }}
- name: Cache
uses: actions/cache@v4
with:
path: |
/tmp/k3s-${{ env.K3S_VERSION }}
key: k3s-${{ env.K3S_VERSION }}
- name: "Download Artifact"
uses: actions/download-artifact@v4
with:
name: temp-artifacts
- name: Unpack artifacts
run: |
chmod +x bee-1 beekeeper .github/bin/beekeeper_artifacts.sh
mv .beekeeper.yaml ~/.beekeeper.yaml
mkdir -p ~/.beekeeper && mv local.yaml ~/.beekeeper/local.yaml
mv bee-1 bee
sudo mv beekeeper /usr/local/bin/beekeeper
- name: Prepare local cluster
run: timeout ${TIMEOUT} make beelocal OPTS='ci skip-vet' ACTION=prepare
- name: Set kube config
run: |
mkdir -p ~/.kube
cp /etc/rancher/k3s/k3s.yaml ~/.kube/config
- name: Set local cluster (local-dns-autotls)
run: timeout ${TIMEOUT} make deploylocal BEEKEEPER_CLUSTER=local-dns-autotls
- name: Test pingpong (autotls)
id: pingpong-autotls
run: timeout ${TIMEOUT} bash -c 'until beekeeper check --cluster-name local-dns-autotls --checks ci-pingpong; do echo "waiting for pingpong..."; sleep .3; done'
- name: Test fullconnectivity (autotls)
id: fullconnectivity-autotls
run: timeout ${TIMEOUT} bash -c 'until beekeeper check --cluster-name local-dns-autotls --checks=ci-full-connectivity; do echo "waiting for full connectivity..."; sleep .3; done'
- name: Test retrieval (autotls)
id: retrieval-autotls
run: timeout ${TIMEOUT} beekeeper check --cluster-name local-dns-autotls --checks=ci-retrieval
- name: Test autotls
id: autotls
run: timeout ${TIMEOUT} beekeeper check --cluster-name local-dns-autotls --checks=ci-autotls
- name: Collect debug artifacts (autotls)
if: failure()
run: |
bash .github/bin/beekeeper_artifacts.sh local-dns-autotls
export FAILED='no-test'
if ${{ steps.pingpong-autotls.outcome=='failure' }}; then FAILED=pingpong; fi
if ${{ steps.fullconnectivity-autotls.outcome=='failure' }}; then FAILED=fullconnectivity; fi
if ${{ steps.retrieval-autotls.outcome=='failure' }}; then FAILED=retrieval; fi
if ${{ steps.autotls.outcome=='failure' }}; then FAILED=autotls; fi
curl -sSf -X POST -H "Content-Type: application/json" -d "{\"text\": \"**${RUN_TYPE}** Beekeeper Autotls Error\nBranch: \`${{ github.head_ref }}\`\nUser: @${{ github.event.pull_request.user.login }}\nDebugging artifacts: [click](https://$BUCKET_NAME.$AWS_ENDPOINT/artifacts_$VERTAG.tar.gz)\nStep failed: \`${FAILED}\`\"}" https://beehive.ethswarm.org/hooks/${{ secrets.TUNSHELL_KEY }}

Check failure

Code scanning / SonarCloud

GitHub Actions should not be vulnerable to script injections High

The expression github.head\_ref can be set by an external actor to a specially crafted value, enabling script injection. Change this workflow to not use user-controlled data directly in a run block, for example by assigning this expression to an environment variable. See more on SonarQube Cloud

Check failure on line 307 in .github/workflows/beekeeper.yml

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

The expression github.head_ref can be set by an external actor to a specially crafted value, enabling script injection. Change this workflow to not use user-controlled data directly in a run block, for example by assigning this expression to an environment variable. 


See more on https://sonarcloud.io/project/issues?id=ethersphere_bee&issues=AZ4bBOTThbjIBW_fU2s0&open=AZ4bBOTThbjIBW_fU2s0&pullRequest=5350
Comment thread Fixed
echo "Failed test: ${FAILED}"
- uses: actions/upload-artifact@v4
if: failure()
with:
name: debug-dump-autotls
path: dump/
retag:
name: Retag and Trigger ArgoCD
env:
TIMEOUT: 10m
needs: [beekeeper]
needs: [beekeeper, beekeeper-autotls]
if: |
always() &&
needs.beekeeper.result == 'success' &&
(needs.beekeeper-autotls.result == 'success' || needs.beekeeper-autotls.result == 'skipped')
runs-on: ubuntu-latest
steps:
- name: "Download Artifact"
Expand Down
Loading