ci: make Caddyfile validation download robust

The validate-caddyfile workflow fetched the Caddy binary by first hitting
api.github.com/releases/latest to resolve the version tag, then building a
release-asset URL from it. That API call is unauthenticated, so it shares
the 60-requests/hour-per-IP limit across all GitHub-hosted runners and
returns 403 under load. On failure jq emits "null", the URL becomes
caddy_null_linux_amd64.tar.gz, and `curl -sL` silently pipes a 404 page
into tar — a confusing, flaky failure on every PR that touches the Caddyfile.

Switch to Caddy's official download API, which serves the latest linux/amd64
binary directly: one request, no GitHub API, no jq/tar parsing. Add `-f` so
curl fails loudly on an HTTP error instead of writing an error page to disk.
This commit is contained in:
Rasmus Wejlgaard 2026-06-15 20:34:44 +01:00
parent ac8dabe9a4
commit 6096d938d3

@ -23,6 +23,10 @@ jobs:
- name: Validate Caddyfile
if: steps.check.outputs.has_file == 'true'
run: |
curl -sL "https://github.com/caddyserver/caddy/releases/latest/download/caddy_$(curl -sL https://api.github.com/repos/caddyserver/caddy/releases/latest | jq -r .tag_name | tr -d v)_linux_amd64.tar.gz" | tar xz caddy
# Official download API serves the latest binary directly — no
# unauthenticated api.github.com call (which is rate-limited to
# 60/hr per IP across shared runners and would 403). -f makes curl
# fail loudly on an HTTP error instead of saving an error page.
curl -fsSL "https://caddyserver.com/api/download?os=linux&arch=amd64" -o caddy
chmod +x caddy
./caddy validate --config ansible/services/caddy/Caddyfile --adapter caddyfile
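Review bot: the replacement line `curl -fsSL "https://caddyserver.com/api/download?os=linux&arch=amd64" -o caddy` fixes the rate-limit flakiness but still downloads an unpinned "latest" build and executes it with no integrity check, so the job's outcome depends on whatever caddyserver.com serves at run time and a Caddyfile that validates today can start failing (or be validated against different adapter semantics) after a new Caddy release, with nothing in this repo's history to explain it. Consider pinning the version explicitly, for example with the GitHub release asset URL `https://github.com/caddyserver/caddy/releases/download/v<VERSION>/caddy_<VERSION>_linux_amd64.tar.gz` (the same asset the old line resolved via `releases/latest`, but with a fixed tag, so no api.github.com call is needed), and verifying the archive against the `caddy_<VERSION>_checksums.txt` file published alongside it (`sha256sum -c --ignore-missing`) before `chmod +x caddy`; `<VERSION>` here is a placeholder for the tag the repo chooses to pin. That keeps the single-request, no-jq property this change is after while making the binary that validates the config reproducible.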