From e9d5f9bc7632ef23e13cab23a700ec4c46ee9c8a Mon Sep 17 00:00:00 2001
From: "Rasmus \"Pez\" Wejlgaard"
Date: Mon, 15 Jun 2026 20:38:21 +0100
Subject: [PATCH] ci: make Caddyfile validation download robust (#134)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The validate-caddyfile workflow fetched the Caddy binary by first hitting api.github.com/releases/latest to resolve the version tag, then building a release-asset URL from it. That API call is unauthenticated, so it shares the 60-requests/hour-per-IP limit across all GitHub-hosted runners and returns 403 under load. On failure jq emits "null", the URL becomes caddy_null_linux_amd64.tar.gz, and `curl -sL` silently pipes a 404 page into tar — a confusing, flaky failure on every PR that touches the Caddyfile. Switch to Caddy's official download API, which serves the latest linux/amd64 binary directly: one request, no GitHub API, no jq/tar parsing. Add `-f` so curl fails loudly on an HTTP error instead of writing an error page to disk.
---
 .github/workflows/validate-caddyfile.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/validate-caddyfile.yml b/.github/workflows/validate-caddyfile.yml
index f849b9d..650de91 100644
--- a/.github/workflows/validate-caddyfile.yml
+++ b/.github/workflows/validate-caddyfile.yml
@@ -23,6 +23,10 @@ jobs:
 - name: Validate Caddyfile
 if: steps.check.outputs.has_file == 'true'
 run: |
- curl -sL "https://github.com/caddyserver/caddy/releases/latest/download/caddy_$(curl -sL https://api.github.com/repos/caddyserver/caddy/releases/latest | jq -r .tag_name | tr -d v)_linux_amd64.tar.gz" | tar xz caddy
+ # Official download API serves the latest binary directly — no
+ # unauthenticated api.github.com call (which is rate-limited to
+ # 60/hr per IP across shared runners and would 403). -f makes curl
+ # fail loudly on an HTTP error instead of saving an error page.
+ curl -fsSL "https://caddyserver.com/api/download?os=linux&arch=amd64" -o caddy
 chmod +x caddy
 ./caddy validate --config ansible/services/caddy/Caddyfile --adapter caddyfile
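Review bot: The added `curl -fsSL "https://caddyserver.com/api/download?os=linux&arch=amd64" -o caddy` still fetches whatever build the endpoint serves at run time, and the following `chmod +x caddy` / `./caddy validate` lines execute it with no version pin and no integrity check. A replaced or corrupted download would therefore run with this job's token and checkout, and the validation result can change between runs without any change to the repository. Consider downloading a pinned release asset instead and verifying it before the chmod, for example `echo "<PINNED_SHA256>  caddy" | sha256sum -c -` (placeholder digest, to be updated together with the version). Pinning to the version the Ansible role deploys would presumably also keep CI validation in line with production, which "latest" does not guarantee. The job's `permissions` and the earlier `check` step are outside this hunk, so how much the downloaded binary could reach cannot be judged from here.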