wiregui/.forgejo/workflows/dev.yml

name: Dev

on:
  push:
    branches:
      - dev

jobs:
  test:
    runs-on: docker
    container:
      image: python:3.13-slim
    services:
      postgres:
        image: postgres:17
        env:
          POSTGRES_USER: wiregui
          POSTGRES_PASSWORD: wiregui
          POSTGRES_DB: wiregui
        options: >-
          --health-cmd "pg_isready -U wiregui"
          --health-interval 5s
          --health-timeout 5s
          --health-retries 5
      valkey:
        image: valkey/valkey:8
        options: >-
          --health-cmd "valkey-cli ping"
          --health-interval 5s
          --health-timeout 5s
          --health-retries 5
      mock-oidc:
        image: ghcr.io/navikt/mock-oauth2-server:2.1.10
        env:
          SERVER_PORT: "9000"
          JSON_CONFIG: '{"interactiveLogin":true,"httpServer":"NettyWrapper","tokenCallbacks":[{"issuerId":"test-idp","tokenExpiry":3600,"requestMappings":[{"requestParam":"scope","match":"*","claims":{"sub":"$${claim:sub}","email":"$${claim:sub}@test.local","name":"Test User"}}]}]}'
      mock-saml:
        image: kenchan0130/simplesamlphp
        env:
          SIMPLESAMLPHP_SP_ENTITY_ID: http://localhost:13003/auth/saml/test-saml/metadata
          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://localhost:13003/auth/saml/test-saml/callback
          SIMPLESAMLPHP_IDP_BASE_URL: http://mock-saml:8080/simplesaml/
    env:
      CI: "true"
      WG_DATABASE_URL: postgresql+asyncpg://wiregui:wiregui@postgres/wiregui
      WG_REDIS_URL: redis://valkey:6379/0
      MOCK_OIDC_HOST: mock-oidc
      MOCK_SAML_HOST: mock-saml
    steps:
      - name: Install system dependencies and checkout
        run: |
          apt-get update && apt-get install -y --no-install-recommends \
            git wireguard-tools pkg-config libxml2-dev libxmlsec1-dev libxmlsec1-openssl
          git clone --depth=1 -b "${GITHUB_REF_NAME}" ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .

      - name: Install uv
        run: pip install uv

      - name: Install dependencies
        run: uv sync

      - name: Install Playwright browsers
        run: uv run playwright install --with-deps chromium

      - name: Run migrations
        run: uv run alembic upgrade head

      - name: Run unit tests
        run: uv run pytest tests/ --ignore=tests/e2e --ignore=tests/integration -v --tb=short

      - name: Run E2E tests
        run: uv run pytest tests/e2e/ -v --tb=short

  docker:
    needs: test
    runs-on: docker
    container:
      image: catthehacker/ubuntu:act-latest
      options: --privileged
    steps:
      - name: Checkout repository
        run: |
          git clone ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git -b dev .
          git fetch origin main --tags

      - name: Build and push pre-release image
        shell: bash
        env:
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
        run: |
          # Derive version from latest tag on main: v1.2.3 -> 1.2.3.dev0, .dev1, etc.
          LATEST_TAG=$(git describe --tags --abbrev=0 origin/main 2>/dev/null || echo "v0.0.0")
          BASE_VERSION="${LATEST_TAG#v}"
          # Count commits on dev since that tag
          DEV_N=$(git rev-list --count "${LATEST_TAG}..HEAD" 2>/dev/null || echo "0")
          VERSION="${BASE_VERSION}.dev${DEV_N}"

          REGISTRY=$(echo "${{ github.server_url }}" | sed 's|https://||; s|http://||')
          IMAGE="${REGISTRY}/${{ github.repository_owner }}/wiregui"

          echo "Building ${IMAGE}:v${VERSION}"

          echo "${REGISTRY_TOKEN}" | docker login "${REGISTRY}" \
            -u "${{ github.repository_owner }}" --password-stdin

          docker build --no-cache \
            --build-arg "VERSION=${VERSION}" \
            -t "${IMAGE}:v${VERSION}" \
            -t "${IMAGE}:dev" \
            .

          docker push "${IMAGE}:v${VERSION}"
          docker push "${IMAGE}:dev"

          echo "Pushed ${IMAGE}:v${VERSION}, ${IMAGE}:dev"
chore: add dev branch pipeline for pre-release images Builds and pushes docker images on every push to dev branch. Tags based on latest main release: e.g. v1.2.3.dev0, v1.2.3.dev5. No tests — fast feedback loop for testing. 2026-03-30 23:32:01 -05:00			`name: Dev`

			`on:`
			`push:`
			`branches:`
			`- dev`

			`jobs:`
fix: add Playwright, Valkey, and mock-OIDC to CI pipelines - Add valkey and mock-oidc services to both release and dev workflows - Install Playwright with Chromium deps for headless e2e tests - Set WG_REDIS_URL and MOCK_OIDC_HOST env vars for CI - Make mock OIDC discovery URL configurable via MOCK_OIDC_HOST env var - Add full test job (unit + e2e) to dev pipeline before Docker build 2026-03-31 14:48:27 -05:00			`test:`
			`runs-on: docker`
			`container:`
			`image: python:3.13-slim`
			`services:`
			`postgres:`
			`image: postgres:17`
			`env:`
			`POSTGRES_USER: wiregui`
			`POSTGRES_PASSWORD: wiregui`
			`POSTGRES_DB: wiregui`
			`options: >-`
			`--health-cmd "pg_isready -U wiregui"`
			`--health-interval 5s`
			`--health-timeout 5s`
			`--health-retries 5`
			`valkey:`
			`image: valkey/valkey:8`
			`options: >-`
			`--health-cmd "valkey-cli ping"`
			`--health-interval 5s`
			`--health-timeout 5s`
			`--health-retries 5`
			`mock-oidc:`
			`image: ghcr.io/navikt/mock-oauth2-server:2.1.10`
			`env:`
			`SERVER_PORT: "9000"`
			`JSON_CONFIG: '{"interactiveLogin":true,"httpServer":"NettyWrapper","tokenCallbacks":[{"issuerId":"test-idp","tokenExpiry":3600,"requestMappings":[{"requestParam":"scope","match":"*","claims":{"sub":"$${claim:sub}","email":"$${claim:sub}@test.local","name":"Test User"}}]}]}'`
feat: comprehensive test suite + SAML auth fixes + mock SAML IdP Tests (198 unit + 70 e2e = 268 total): - Add test_api_deps.py: Bearer token auth, get_current_api_user, require_admin - Add test_wireguard_extended.py: ensure_interface, set_private_key, set_listen_port - Add test_firewall_extended.py: _nft/_nft_batch errors, jump rules, policies - Add test_mfa_login.py: MFA redirect, TOTP verify, invalid code, cancel - Add test_magic_link_page.py: page render, submit, empty email, back to login - Add test_admin_devices.py: list, filter, create, edit, delete, config dialog - Add test_admin_rules.py: list, create, edit, delete (all DB-verified) - Add test_admin_settings.py: defaults, security, OIDC/SAML providers - Add test_saml_login.py: button visible, redirect, metadata, full login flow Bug fixes: - Fix SAML callback to use /auth/complete bridge (same fix as OIDC) - Fix missing get_settings import in admin settings page - Add SAML provider buttons to login page - Make SAML strict mode configurable per-provider Infrastructure: - Add mock SimpleSAMLphp IdP to compose.yml with SP config - Add mock-saml service to CI workflows (release + dev) 2026-03-31 16:52:29 -05:00			`mock-saml:`
			`image: kenchan0130/simplesamlphp`
			`env:`
			`SIMPLESAMLPHP_SP_ENTITY_ID: http://localhost:13003/auth/saml/test-saml/metadata`
			`SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://localhost:13003/auth/saml/test-saml/callback`
			`SIMPLESAMLPHP_IDP_BASE_URL: http://mock-saml:8080/simplesaml/`
fix: add Playwright, Valkey, and mock-OIDC to CI pipelines - Add valkey and mock-oidc services to both release and dev workflows - Install Playwright with Chromium deps for headless e2e tests - Set WG_REDIS_URL and MOCK_OIDC_HOST env vars for CI - Make mock OIDC discovery URL configurable via MOCK_OIDC_HOST env var - Add full test job (unit + e2e) to dev pipeline before Docker build 2026-03-31 14:48:27 -05:00			`env:`
			`CI: "true"`
			`WG_DATABASE_URL: postgresql+asyncpg://wiregui:wiregui@postgres/wiregui`
			`WG_REDIS_URL: redis://valkey:6379/0`
			`MOCK_OIDC_HOST: mock-oidc`
feat: comprehensive test suite + SAML auth fixes + mock SAML IdP Tests (198 unit + 70 e2e = 268 total): - Add test_api_deps.py: Bearer token auth, get_current_api_user, require_admin - Add test_wireguard_extended.py: ensure_interface, set_private_key, set_listen_port - Add test_firewall_extended.py: _nft/_nft_batch errors, jump rules, policies - Add test_mfa_login.py: MFA redirect, TOTP verify, invalid code, cancel - Add test_magic_link_page.py: page render, submit, empty email, back to login - Add test_admin_devices.py: list, filter, create, edit, delete, config dialog - Add test_admin_rules.py: list, create, edit, delete (all DB-verified) - Add test_admin_settings.py: defaults, security, OIDC/SAML providers - Add test_saml_login.py: button visible, redirect, metadata, full login flow Bug fixes: - Fix SAML callback to use /auth/complete bridge (same fix as OIDC) - Fix missing get_settings import in admin settings page - Add SAML provider buttons to login page - Make SAML strict mode configurable per-provider Infrastructure: - Add mock SimpleSAMLphp IdP to compose.yml with SP config - Add mock-saml service to CI workflows (release + dev) 2026-03-31 16:52:29 -05:00			`MOCK_SAML_HOST: mock-saml`
fix: add Playwright, Valkey, and mock-OIDC to CI pipelines - Add valkey and mock-oidc services to both release and dev workflows - Install Playwright with Chromium deps for headless e2e tests - Set WG_REDIS_URL and MOCK_OIDC_HOST env vars for CI - Make mock OIDC discovery URL configurable via MOCK_OIDC_HOST env var - Add full test job (unit + e2e) to dev pipeline before Docker build 2026-03-31 14:48:27 -05:00			`steps:`
			`- name: Install system dependencies and checkout`
			`run: \|`
			`apt-get update && apt-get install -y --no-install-recommends \`
			`git wireguard-tools pkg-config libxml2-dev libxmlsec1-dev libxmlsec1-openssl`
fix: use branch-based shallow clone in CI to avoid missing SHA Clone with -b GITHUB_REF_NAME instead of depth=1 + checkout SHA, which fails when the shallow clone doesn't include the target commit. 2026-03-31 15:21:44 -05:00			`git clone --depth=1 -b "${GITHUB_REF_NAME}" ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .`
fix: add Playwright, Valkey, and mock-OIDC to CI pipelines - Add valkey and mock-oidc services to both release and dev workflows - Install Playwright with Chromium deps for headless e2e tests - Set WG_REDIS_URL and MOCK_OIDC_HOST env vars for CI - Make mock OIDC discovery URL configurable via MOCK_OIDC_HOST env var - Add full test job (unit + e2e) to dev pipeline before Docker build 2026-03-31 14:48:27 -05:00
			`- name: Install uv`
			`run: pip install uv`

			`- name: Install dependencies`
			`run: uv sync`

			`- name: Install Playwright browsers`
			`run: uv run playwright install --with-deps chromium`

fix: run migrations before unit tests in CI Some unit tests (test_api_deps, test_server_key) are integration tests that need DB tables. Move alembic upgrade head before unit tests. 2026-03-31 17:02:49 -05:00			`- name: Run migrations`
			`run: uv run alembic upgrade head`

fix: add Playwright, Valkey, and mock-OIDC to CI pipelines - Add valkey and mock-oidc services to both release and dev workflows - Install Playwright with Chromium deps for headless e2e tests - Set WG_REDIS_URL and MOCK_OIDC_HOST env vars for CI - Make mock OIDC discovery URL configurable via MOCK_OIDC_HOST env var - Add full test job (unit + e2e) to dev pipeline before Docker build 2026-03-31 14:48:27 -05:00			`- name: Run unit tests`
feat: WireGuard metrics collector + integration test stack Metrics collector (wiregui/collector.py): - Standalone process spawned by web app when WG_METRICS_ENABLED=true - Polls wg show dump every WG_METRICS_POLL_INTERVAL seconds (default 5) - Updates device stats in PostgreSQL - Pushes Prometheus-format metrics to VictoriaMetrics (if configured) - Graceful shutdown on SIGTERM Integration test stack (compose.yml): - Unified compose file for dev, test, and integration modes - VictoriaMetrics single-node TSDB for metrics storage - 3 mock WireGuard client containers generating ping traffic - Automated setup script seeds server keypair, admin user, client devices - make test-stack-up: one command to start everything - make test-stack-verify: validates metrics flowing end-to-end Infrastructure: - Makefile with targets for dev, test, integration, and production - Integration tests verify VictoriaMetrics has data for all 3 clients - Fix Dockerfile to include img/ directory - Separate TESTS.md for test tracking, clean TODO.md for features only 2026-03-31 18:30:15 -05:00			`run: uv run pytest tests/ --ignore=tests/e2e --ignore=tests/integration -v --tb=short`
fix: add Playwright, Valkey, and mock-OIDC to CI pipelines - Add valkey and mock-oidc services to both release and dev workflows - Install Playwright with Chromium deps for headless e2e tests - Set WG_REDIS_URL and MOCK_OIDC_HOST env vars for CI - Make mock OIDC discovery URL configurable via MOCK_OIDC_HOST env var - Add full test job (unit + e2e) to dev pipeline before Docker build 2026-03-31 14:48:27 -05:00
			`- name: Run E2E tests`
fix: run migrations before unit tests in CI Some unit tests (test_api_deps, test_server_key) are integration tests that need DB tables. Move alembic upgrade head before unit tests. 2026-03-31 17:02:49 -05:00			`run: uv run pytest tests/e2e/ -v --tb=short`
fix: add Playwright, Valkey, and mock-OIDC to CI pipelines - Add valkey and mock-oidc services to both release and dev workflows - Install Playwright with Chromium deps for headless e2e tests - Set WG_REDIS_URL and MOCK_OIDC_HOST env vars for CI - Make mock OIDC discovery URL configurable via MOCK_OIDC_HOST env var - Add full test job (unit + e2e) to dev pipeline before Docker build 2026-03-31 14:48:27 -05:00
chore: add dev branch pipeline for pre-release images Builds and pushes docker images on every push to dev branch. Tags based on latest main release: e.g. v1.2.3.dev0, v1.2.3.dev5. No tests — fast feedback loop for testing. 2026-03-30 23:32:01 -05:00			`docker:`
fix: add Playwright, Valkey, and mock-OIDC to CI pipelines - Add valkey and mock-oidc services to both release and dev workflows - Install Playwright with Chromium deps for headless e2e tests - Set WG_REDIS_URL and MOCK_OIDC_HOST env vars for CI - Make mock OIDC discovery URL configurable via MOCK_OIDC_HOST env var - Add full test job (unit + e2e) to dev pipeline before Docker build 2026-03-31 14:48:27 -05:00			`needs: test`
chore: add dev branch pipeline for pre-release images Builds and pushes docker images on every push to dev branch. Tags based on latest main release: e.g. v1.2.3.dev0, v1.2.3.dev5. No tests — fast feedback loop for testing. 2026-03-30 23:32:01 -05:00			`runs-on: docker`
			`container:`
			`image: catthehacker/ubuntu:act-latest`
			`options: --privileged`
			`steps:`
			`- name: Checkout repository`
			`run: \|`
			`git clone ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git -b dev .`
			`git fetch origin main --tags`

			`- name: Build and push pre-release image`
			`shell: bash`
			`env:`
			`REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}`
			`run: \|`
			`# Derive version from latest tag on main: v1.2.3 -> 1.2.3.dev0, .dev1, etc.`
			`LATEST_TAG=$(git describe --tags --abbrev=0 origin/main 2>/dev/null \|\| echo "v0.0.0")`
			`BASE_VERSION="${LATEST_TAG#v}"`
			`# Count commits on dev since that tag`
			`DEV_N=$(git rev-list --count "${LATEST_TAG}..HEAD" 2>/dev/null \|\| echo "0")`
			`VERSION="${BASE_VERSION}.dev${DEV_N}"`

			`REGISTRY=$(echo "${{ github.server_url }}" \| sed 's\|https://\|\|; s\|http://\|\|')`
			`IMAGE="${REGISTRY}/${{ github.repository_owner }}/wiregui"`

			`echo "Building ${IMAGE}:v${VERSION}"`

			`echo "${REGISTRY_TOKEN}" \| docker login "${REGISTRY}" \`
			`-u "${{ github.repository_owner }}" --password-stdin`

fix: add --no-cache to docker builds to prevent stale images Docker layer caching on the runner was reusing old layers even when source code changed, resulting in images with outdated code. 2026-03-30 23:35:44 -05:00			`docker build --no-cache \`
chore: add dev branch pipeline for pre-release images Builds and pushes docker images on every push to dev branch. Tags based on latest main release: e.g. v1.2.3.dev0, v1.2.3.dev5. No tests — fast feedback loop for testing. 2026-03-30 23:32:01 -05:00			`--build-arg "VERSION=${VERSION}" \`
			`-t "${IMAGE}:v${VERSION}" \`
			`-t "${IMAGE}:dev" \`
			`.`

			`docker push "${IMAGE}:v${VERSION}"`
			`docker push "${IMAGE}:dev"`

fix: add Playwright, Valkey, and mock-OIDC to CI pipelines - Add valkey and mock-oidc services to both release and dev workflows - Install Playwright with Chromium deps for headless e2e tests - Set WG_REDIS_URL and MOCK_OIDC_HOST env vars for CI - Make mock OIDC discovery URL configurable via MOCK_OIDC_HOST env var - Add full test job (unit + e2e) to dev pipeline before Docker build 2026-03-31 14:48:27 -05:00			`echo "Pushed ${IMAGE}:v${VERSION}, ${IMAGE}:dev"`