
Commit 7d2669a

author
latdx-mirror-bot
committed
ci: overlay fork CI for upstream PR jongpie#959
Upstream-SHA: b635e20 Fork-CI-Tree: 1e0c226
1 parent b635e20 commit 7d2669a

4 files changed

Lines changed: 753 additions & 132 deletions


Lines changed: 211 additions & 0 deletions
@@ -0,0 +1,211 @@
1+
name: 'LATdx Apex Tests'
2+
description: >-
3+
Install the LATdx CLI, resolve a license (explicit key via the
4+
LATDX_LICENSE_KEY env var, or a short-lived OSS license minted from the
5+
GitHub Actions OIDC token on public repos), and run the full local Apex
6+
test suite against the job's default Salesforce org.
7+
8+
inputs:
9+
cli-version:
10+
# Must be >= 0.43.0: the OSS-license-uncaps-in-CI logic (#2190) landed
11+
# 2026-06-10, one day after the last STABLE release (0.41.4), so 'latest'
12+
# (= latest stable) still resolves to a binary that hard-blocks CI runs
13+
# without a TEAM/CI token regardless of the OSS license. Pin a release
14+
# that carries #2190 until a stable >= 0.43.0 ships; bump deliberately.
15+
description: "LATdx CLI version to install (semver like '0.46.0') or 'latest'."
16+
required: false
17+
default: '0.46.0'
18+
license:
19+
# Pass an optional TEAM/CI license here as an INPUT, not via an
20+
# `env: LATDX_LICENSE_KEY`. An unset secret passed as env sets an EMPTY
21+
# LATDX_LICENSE_KEY at the action level, which overrides the OSS license
22+
# this action resolves into $GITHUB_ENV and silently free-tier-caps the
23+
# run. An empty input is inert.
24+
description: 'Optional TEAM/CI LATdx license key. Leave empty to use the OSS auto-license on public repos.'
25+
required: false
26+
default: ''
27+
28+
runs:
29+
using: composite
30+
steps:
31+
# LATdx's cache Phase 4 runs an apex-ls bridge on the JVM. Hosted images
32+
# vary (ubuntu-latest ships a recent Temurin, ubuntu-22.04 a default JDK
33+
# too old for the bridge jar -> "JVM exited (code=1)"), so pin a known-good
34+
# JDK on PATH rather than relying on the image default.
35+
- name: 'Set up Java for LATdx apex-ls'
36+
uses: actions/setup-java@v4
37+
with:
38+
distribution: temurin
39+
java-version: '17'
40+
41+
- name: 'Install LATdx CLI'
42+
shell: bash
43+
env:
44+
CLI_VERSION: ${{ inputs.cli-version }}
45+
run: |
46+
set -euo pipefail
47+
if [[ ! "$CLI_VERSION" =~ ^(latest|[0-9]+\.[0-9]+\.[0-9]+)$ ]]; then
48+
echo "::error::Invalid 'cli-version' input. Must be 'latest' or a semver like '0.31.1'."
49+
exit 1
50+
fi
51+
# latdx.com serves the maintained install script, but Cloudflare
52+
# returns 403 to some hosted-runner egress IP ranges; fall back to
53+
# the GitHub raw mirror so the install succeeds from any runner.
54+
script=""
55+
for url in "https://latdx.com/install.sh" "https://raw.githubusercontent.com/nebulity/latdx-cli/main/install.sh"; do
56+
if script="$(curl -fsSL "$url")"; then
57+
break
58+
fi
59+
script=""
60+
done
61+
if [ -z "$script" ]; then
62+
echo "::error::Could not download the LATdx install script from any source."
63+
exit 1
64+
fi
65+
if [ "$CLI_VERSION" = "latest" ]; then
66+
printf '%s' "$script" | bash
67+
else
68+
printf '%s' "$script" | bash -s -- "$CLI_VERSION"
69+
fi
70+
echo "$HOME/.local/bin" >> "$GITHUB_PATH"
71+
72+
- name: 'Verify LATdx CLI'
73+
shell: bash
74+
run: latdx --version
75+
76+
- name: 'Resolve LATdx license'
77+
shell: bash
78+
env:
79+
INPUT_LICENSE: ${{ inputs.license }}
80+
run: |
81+
# The runner injects -e -o pipefail; this step must never fail the
82+
# job: every problem degrades to the free-tier cap with a warning.
83+
set +e +o pipefail
84+
85+
# Precedence:
86+
# 1. `license` input (TEAM/CI token) -> use it.
87+
# 2. GH OIDC token available + repo public -> exchange for an OSS
88+
# auto-license via https://latdx.com/api/oss/license.
89+
# 3. Nothing -> daemon runs free-tier (capped at 100 tests, exit 2).
90+
91+
if [ -n "${INPUT_LICENSE:-}" ]; then
92+
echo "::add-mask::$INPUT_LICENSE"
93+
echo "LATDX_LICENSE_KEY=$INPUT_LICENSE" >> "$GITHUB_ENV"
94+
# A non-OSS token is live-resolved by the daemon against
95+
# /api/license/resolve; route it around the latdx.com edge too.
96+
echo "LATDX_LICENSE_BASE_URL=https://latdx-site.asolokh.workers.dev" >> "$GITHUB_ENV"
97+
echo "Using provided LATdx license."
98+
exit 0
99+
fi
100+
101+
if [ -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ] || [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ]; then
102+
echo "::warning title=LATdx OSS license::OIDC token unavailable (missing 'permissions: id-token: write' on the job). Free-tier cap (100 tests/run) applies."
103+
exit 0
104+
fi
105+
106+
OIDC_RESPONSE="$(curl -sS -f -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
107+
"${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=https%3A%2F%2Flatdx.com" 2>/dev/null)"
108+
CURL_RC=$?
109+
if [ "$CURL_RC" -ne 0 ]; then
110+
echo "::warning title=LATdx OSS license::OIDC token mint failed (curl rc=${CURL_RC}); falling back to free-tier cap."
111+
exit 0
112+
fi
113+
OIDC_TOKEN="$(printf '%s' "$OIDC_RESPONSE" | jq -r '.value // empty' 2>/dev/null)"
114+
if [ -z "$OIDC_TOKEN" ]; then
115+
echo "::warning title=LATdx OSS license::OIDC response not parseable (length ${#OIDC_RESPONSE}); falling back to free-tier cap."
116+
exit 0
117+
fi
118+
echo "Minted GitHub OIDC token (length ${#OIDC_TOKEN})."
119+
120+
EXCHANGE_BODY="$(mktemp)"
121+
EXCHANGE_HEADERS="$(mktemp)"
122+
trap 'rm -f "$EXCHANGE_BODY" "$EXCHANGE_HEADERS"' EXIT
123+
124+
# Try the branded origin first (it self-heals once its edge allows
125+
# GitHub Actions egress), then the Worker's *.workers.dev origin,
126+
# which is not behind the latdx.com zone's WAF/security rules that
127+
# currently 403 hosted-runner IPs. The OSS route authenticates on the
128+
# OIDC token's audience claim, not the request Host, so the same token
129+
# validates on either origin; the route's own OIDC + monthly-cap +
130+
# kill-switch protections apply regardless of which origin serves it.
131+
LATDX_JWT=""
132+
for OSS_URL in \
133+
"https://latdx.com/api/oss/license" \
134+
"https://latdx-site.asolokh.workers.dev/api/oss/license"; do
135+
HTTP_CODE="$(curl -sS -o "$EXCHANGE_BODY" -D "$EXCHANGE_HEADERS" -w "%{http_code}" \
136+
-X POST "$OSS_URL" \
137+
-H "Authorization: Bearer $OIDC_TOKEN" \
138+
-H "Content-Type: application/json" \
139+
--max-time 15)"
140+
[ $? -ne 0 ] && HTTP_CODE="000"
141+
echo "OSS license exchange via ${OSS_URL} -> HTTP ${HTTP_CODE}."
142+
143+
if [ "$HTTP_CODE" = "200" ]; then
144+
LATDX_JWT="$(jq -r '.license // empty' < "$EXCHANGE_BODY" 2>/dev/null)"
145+
if [ -n "$LATDX_JWT" ]; then
146+
echo "::add-mask::$LATDX_JWT"
147+
echo "LATDX_LICENSE_KEY=$LATDX_JWT" >> "$GITHUB_ENV"
148+
# The daemon live-resolves the license per run against
149+
# LATDX_LICENSE_BASE_URL + /api/license/resolve (default
150+
# latdx.com). Point it at the same origin that minted the
151+
# license so the resolve isn't blocked by the latdx.com edge
152+
# either; it self-heals to latdx.com once that edge is fixed.
153+
LICENSE_ORIGIN="${OSS_URL%/api/oss/license}"
154+
echo "LATDX_LICENSE_BASE_URL=$LICENSE_ORIGIN" >> "$GITHUB_ENV"
155+
USED="$(jq -r '.monthly_used // "?"' < "$EXCHANGE_BODY" 2>/dev/null)"
156+
CAP="$(jq -r '.monthly_cap // "?"' < "$EXCHANGE_BODY" 2>/dev/null)"
157+
echo "OSS auto-license active (monthly_used=$USED, monthly_cap=$CAP) via ${LICENSE_ORIGIN}; full suite enabled."
158+
break
159+
fi
160+
echo "::warning title=LATdx OSS license::200 without a license from ${OSS_URL}; trying next origin."
161+
elif [ "$HTTP_CODE" = "429" ]; then
162+
USED="$(jq -r '.monthly_used // "?"' < "$EXCHANGE_BODY" 2>/dev/null)"
163+
CAP="$(jq -r '.monthly_cap // "?"' < "$EXCHANGE_BODY" 2>/dev/null)"
164+
RESET="$(jq -r '.reset_at // "next UTC month"' < "$EXCHANGE_BODY" 2>/dev/null)"
165+
echo "::warning title=LATdx OSS license::Monthly cap reached (${USED}/${CAP}); resets ${RESET}."
166+
break
167+
else
168+
# 403/503/000/etc: log edge diagnostics (no secrets) and fall
169+
# through to the next origin.
170+
echo "--- server: $(grep -i '^server:' "$EXCHANGE_HEADERS" | tr -d '\r')"
171+
echo "--- cf-ray: $(grep -i '^cf-ray:' "$EXCHANGE_HEADERS" | tr -d '\r')"
172+
echo "--- body (first 200 chars): $(head -c 200 "$EXCHANGE_BODY" | tr '\n' ' ')"
173+
fi
174+
done
175+
176+
if [ -z "$LATDX_JWT" ]; then
177+
echo "::warning title=LATdx OSS license::No OSS license obtained from any origin; the run will halt on the CI license gate."
178+
fi
179+
180+
- name: 'Run Apex tests with LATdx'
181+
shell: bash
182+
run: |
183+
# Retry ONLY the transient "Daemon failed to start" spawn timeout
184+
# (cold-runner timing: the bun daemon + apex-ls JVM can miss the
185+
# client's 5s connect budget). Real test failures (exit 1) and the
186+
# license-gate halt (exit 2) are never retried.
187+
rc=1
188+
for attempt in 1 2 3; do
189+
set +e
190+
latdx test run 2>&1 | tee /tmp/latdx-out.txt
191+
rc=${PIPESTATUS[0]}
192+
set -e
193+
if [ "$rc" -ne 0 ] && grep -q "Daemon failed to start" /tmp/latdx-out.txt && [ "$attempt" -lt 3 ]; then
194+
echo "Daemon spawn failed (transient, attempt ${attempt}/3); stopping daemon and retrying in 5s..."
195+
latdx daemon stop >/dev/null 2>&1 || true
196+
sleep 5
197+
continue
198+
fi
199+
break
200+
done
201+
# Exit 2 is EXIT_LICENSE_REQUIRED: the CI license gate halted the run.
202+
# With no resolved license the gate blocks before any test executes
203+
# (it does not fall back to a 100-test free tier); a resolved free/pro
204+
# license would instead cap at 100. Either way no full suite ran. Keep
205+
# the pipeline green but say so honestly: lift it with the OSS
206+
# auto-license (OIDC, public repos) or LATDX_LICENSE_KEY.
207+
if [ "$rc" -eq 2 ]; then
208+
echo "::warning title=LATdx license::Run halted by the CI license gate (exit 2); no full suite ran. Provide an OSS auto-license or LATDX_LICENSE_KEY to run NebulaLogger's tests."
209+
exit 0
210+
fi
211+
exit "$rc"
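Review bot: The 'Install LATdx CLI' step pipes whatever `https://latdx.com/install.sh` or the `main` branch of the raw GitHub mirror returns straight into `bash`, so the `cli-version` regex and pin constrain the binary version but not the installer itself, which runs in a job that can mint OIDC tokens and targets the default Salesforce org. Fetch the mirror at a fixed commit (`.../nebulity/latdx-cli/<COMMIT_SHA>/install.sh`, placeholder) and check the download against a recorded digest with `sha256sum -c` before executing it. In 'Resolve LATdx license', `LATDX_JWT` is server-supplied and is appended to `$GITHUB_ENV` unchecked; a value containing a newline would define extra variables for later steps, so gate the write on a shape check such as `[[ "$LATDX_JWT" =~ ^[A-Za-z0-9._-]+$ ]]` (assuming the license is a compact JWT, as the variable name suggests). That step also sends the OIDC bearer token to, and routes license resolution through, `latdx-site.asolokh.workers.dev`; a comment stating who controls that host and why it is trusted with an `https://latdx.com`-audience token would help reviewers.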
