chore: Add Caddy compatibility gate workflow and related scripts; enhance SMTP settings tests

2026-02-23 13:37:34 +00:00
parent 427babd3c1
commit 45458df1bf
11 changed files with 928 additions and 185 deletions
--- a/.github/workflows/caddy-pr1-compat.yml
+++ b/.github/workflows/caddy-pr1-compat.yml
@@ -0,0 +1,57 @@
+name: Caddy PR-1 Compatibility Gate
+
+on:
+  pull_request:
+    paths:
+      - Dockerfile
+      - scripts/caddy-compat-matrix.sh
+      - docs/plans/current_spec.md
+      - .github/workflows/caddy-pr1-compat.yml
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  compatibility-matrix:
+    name: PR-1 Compatibility Matrix (Candidate)
+    runs-on: ubuntu-latest
+    timeout-minutes: 90
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Set up Go
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
+        with:
+          go-version: '1.26.0'
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+
+      - name: Run deterministic compatibility matrix gate
+        run: |
+          bash scripts/caddy-compat-matrix.sh \
+            --candidate-version 2.11.1 \
+            --patch-scenarios A,B,C \
+            --platforms linux/amd64,linux/arm64 \
+            --smoke-set boot_caddy,plugin_modules,config_validate,admin_api_health \
+            --output-dir test-results/caddy-compat \
+            --docs-report docs/reports/caddy-pr1-compatibility-matrix.md
+
+      - name: Upload compatibility artifacts
+        if: always()
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: caddy-pr1-compatibility-artifacts
+          path: |
+            test-results/caddy-compat/**
+            docs/reports/caddy-pr1-compatibility-matrix.md
+          retention-days: 14
--- a/.github/workflows/release-goreleaser.yml
+++ b/.github/workflows/release-goreleaser.yml
@@ -20,6 +20,7 @@ permissions:

 jobs:
  goreleaser:
+    if: ${{ !contains(github.ref_name, '-candidate') && !contains(github.ref_name, '-rc') }}
    runs-on: ubuntu-latest
    env:
      # Use the built-in GITHUB_TOKEN by default for GitHub API operations.
@@ -32,6 +33,17 @@ jobs:
        with:
          fetch-depth: 0

+      - name: Enforce PR-2 release promotion guard
+        env:
+          REPO_VARS_JSON: ${{ toJSON(vars) }}
+        run: |
+          PR2_GATE_STATUS="$(printf '%s' "$REPO_VARS_JSON" | jq -r '.CHARON_PR2_GATES_PASSED // "false"')"
+          if [[ "$PR2_GATE_STATUS" != "true" ]]; then
+            echo "::error::Releasable tag promotion is blocked until PR-2 security/retirement gates pass."
+            echo "::error::Set repository variable CHARON_PR2_GATES_PASSED=true only after PR-2 approval."
+            exit 1
+          fi
+
      - name: Set up Go
        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
        with: