gnezim
23f8c82540
ci-deploy / build-deploy-test (push) Failing after 9m54s
Run 544's real cause was deeper than just "WAF rate-limit": the upstream WAF (flights.test.aeroflot.ru) blocks the default curl UA unconditionally, returning its HTML "Доступ временно ограничен" page with HTTP 200. A genuine browser-like User-Agent (tested: Chrome/120 on Linux) passes through and gets the real JSON. Confirmed by direct upstream probe via the corp-VPN tunnel: curl -A '<default>' → 3392b text/html (block page) curl -A 'Mozilla/5.0 ...' → 28KB+ application/json (real data) So every prior pre-warm "warmed" the WAF block page into the nginx cache, and the runner was effectively never reaching the API. The previous commit's body validation would now catch this — but only to fail-fast, not to fix it. Real fix: send a browser UA. Three places updated: * scripts/ci/wait-for-url.sh — passes -A on every retry. * ci-deploy.yml diagnose + pre-warm — UA shared via local var. * release-verify.yml diagnose — same UA on customer-URL probes. Note: the matching nginx config (proxy_no_cache $no_cache_html + proxy_cache_bypass $http_cache_control on /api/dictionary/) was deployed manually to pve-201 and verified — second hits now show x-cache-status: HIT serving 28KB application/json. HTML responses no longer get cached.
64 lines
2.8 KiB
YAML
64 lines
2.8 KiB
YAML
name: release-verify
|
|
|
|
# Workflow C: run after Jenkins has finished building (operator triggers manually).
|
|
# Smoke-checks that http://flights-ui.devwebzavod.ru is alive and that its /api
|
|
# wiring responds — the e2e suite is intentionally NOT run here (parity gaps
|
|
# against the customer build are tracked separately).
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
|
|
jobs:
|
|
verify:
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 30
|
|
env:
|
|
TELEGRAM_BOT_TOKEN: ${{ secrets.TELEGRAM_BOT_TOKEN }}
|
|
TELEGRAM_CHAT_ID: ${{ secrets.TELEGRAM_CHAT_ID }}
|
|
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Notify start
|
|
if: ${{ env.TELEGRAM_BOT_TOKEN != '' }}
|
|
run: scripts/ci/notify-telegram.sh start release-verify
|
|
|
|
- name: Add hosts entry for customer URL
|
|
# `flights-ui.devwebzavod.ru` has no public DNS — operator hosts
|
|
# resolve it via local /etc/hosts to 46.235.186.67 (the customer's
|
|
# web ingress IP). Mirror that override on the runner so curl can
|
|
# reach the host. Without this, every probe fails with
|
|
# `Could not resolve host`.
|
|
run: echo "46.235.186.67 flights-ui.devwebzavod.ru" | sudo tee -a /etc/hosts
|
|
|
|
- name: Wait for customer URL
|
|
id: wait_customer
|
|
run: scripts/ci/wait-for-url.sh http://flights-ui.devwebzavod.ru/ru-ru/onlineboard 60 5
|
|
|
|
- name: Diagnose customer URL reachability
|
|
id: customer_diag
|
|
# Mirrors ci-deploy's tunnel-reachability probe but against the
|
|
# customer URL — proves /api wiring is intact post-Jenkins. The
|
|
# upstream WAF blocks the default curl UA, so every probe needs a
|
|
# browser-like User-Agent.
|
|
run: |
|
|
UA='Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120 Safari/537.36'
|
|
echo "--- /api/health ---"
|
|
curl -sSI -A "$UA" --max-time 10 http://flights-ui.devwebzavod.ru/api/health | head -10 || true
|
|
echo "--- /api/dictionary/1/world_regions (expect JSON, ~5KB) ---"
|
|
curl -sS -A "$UA" --max-time 10 \
|
|
-w "\n[size=%{size_download} time=%{time_total}s code=%{http_code}]\n" \
|
|
http://flights-ui.devwebzavod.ru/api/dictionary/1/world_regions | head -c 400; echo
|
|
echo "--- second hit on the same dict (expect HIT if nginx caches) ---"
|
|
curl -sSI -A "$UA" --max-time 10 \
|
|
http://flights-ui.devwebzavod.ru/api/dictionary/1/world_regions | grep -iE "^HTTP|x-cache|x-envoy" || true
|
|
|
|
- name: Notify (success)
|
|
if: success() && env.TELEGRAM_BOT_TOKEN != ''
|
|
run: scripts/ci/notify-telegram.sh ok release-verify "customer URL reachable + /api responsive"
|
|
|
|
- name: Notify (failure)
|
|
if: failure() && env.TELEGRAM_BOT_TOKEN != ''
|
|
run: scripts/ci/notify-telegram.sh fail release-verify "customer URL probe failed — see Gitea run"
|