Resource Constraint Management:
Problem:
- Tests hanging indefinitely during execution in CI
- 2-core runners resource-constrained vs local dev machines
- No timeout enforcement allows tests to run forever
Changes:
1. playwright.config.js:
- Reduced per-test timeout: 90s → 60s (CI only)
- Comment clarifies CI resource constraints
- Local dev keeps 90s for debugging
2. .github/workflows/e2e-tests-split.yml:
- Added timeout-minutes: 15 to all test steps
- Ensures CI fails explicitly after 15 minutes
- Prevents workflow hanging until 6-hour GitHub limit
Expected Outcome:
- Tests fail fast with timeout error instead of hanging
- Clearer debugging: timeout vs hang vs test failure
- CI resources freed up faster for other jobs
Phase: 2 of 3 (Resource Constraints)
See: docs/plans/ci_hang_remediation.md
- Add curl retry mechanism (3 attempts) for GeoIP database download
- Add 30-second timeout to prevent hanging on network issues
- Create placeholder file if download fails or checksum mismatches
- Allows Docker build to complete even when external database unavailable
- GeoIP feature remains optional - users can provide own database at runtime
Fixes security-weekly-rebuild workflow failures
- Changed workflow name to reflect sequential execution for stability.
- Reduced test sharding from 4 to 1 per browser, resulting in 3 total jobs.
- Updated job summaries and documentation to clarify execution model.
- Added new documentation file for E2E CI failure diagnosis.
- Adjusted job summary tables to reflect changes in shard counts and execution type.
Restructure 7 modal components to use 3-layer architecture preventing
native select dropdown menus from being blocked by modal overlays.
Components fixed:
- ProxyHostForm: ACL selector and Security Headers dropdowns
- User management: Role and permission mode selection
- Uptime monitors: Monitor type selection (HTTP/TCP)
- Remote servers: Provider selection dropdown
- CrowdSec: IP ban duration selection
The fix separates modal background overlay (z-40) from form container
(z-50) and enables pointer events only on form content, allowing
native dropdown menus to render above all modal layers.
Resolves user inability to select security policies, user roles,
monitor types, and other critical configuration options through
the UI interface.
CrowdSec LAPI authentication and UI translations now work correctly:
Backend:
- Implemented automatic bouncer registration on LAPI startup
- Added health check polling with 30s timeout before registration
- Priority order: env var → file → auto-generated key
- Logs banner warning when environment key is rejected by LAPI
- Saves bouncer key to /app/data/crowdsec/bouncer_key with secure permissions
- Fixed 6 golangci-lint issues (errcheck, gosec G301/G304/G306)
Frontend:
- Fixed translation keys displaying as literal strings
- Added ready checks to prevent rendering before i18n loads
- Implemented password-style masking for API keys with eye toggle
- Added 8 missing translation keys for CrowdSec console enrollment and audit logs
- Enhanced type safety with null guards for key status
The Cerberus security dashboard now activates successfully with proper
bouncer authentication and fully localized UI text.
Resolves: #609
- Implemented `getCrowdsecKeyStatus` API call to retrieve the current status of the CrowdSec API key.
- Created `CrowdSecKeyWarning` component to display warnings when the API key is rejected.
- Integrated `CrowdSecKeyWarning` into the Security page, ensuring it only shows when relevant.
- Updated i18n initialization in main.tsx to prevent race conditions during rendering.
- Enhanced authentication setup in tests to handle various response statuses more robustly.
- Adjusted security tests to accept broader error responses for import validation.
workflow_run triggers only fire for push events, not pull_request events,
causing PRs to skip integration and E2E tests entirely. Add dual triggers
to all test workflows so they run for both push (via workflow_run) and
pull_request events, while maintaining single-build architecture.
All workflows still pull pre-built images from docker-build.yml - no
redundant builds introduced. This fixes PR test coverage while preserving
the "Build Once, Test Many" optimization for push events.
Fixes: Build Once architecture (commit 928033ec)
