mirror of
https://github.com/RWejlgaard/pez-infra.git
synced 2026-07-04 15:46:16 +00:00
ci: make Caddyfile validation download robust (#134)
The validate-caddyfile workflow fetched the Caddy binary by first hitting api.github.com/releases/latest to resolve the version tag, then building a release-asset URL from it. That API call is unauthenticated, so it shares the 60-requests/hour-per-IP limit across all GitHub-hosted runners and returns 403 under load. On failure jq emits "null", the URL becomes caddy_null_linux_amd64.tar.gz, and `curl -sL` silently pipes a 404 page into tar — a confusing, flaky failure on every PR that touches the Caddyfile.

Switch to Caddy's official download API, which serves the latest linux/amd64 binary directly: one request, no GitHub API, no jq/tar parsing. Add `-f` so curl fails loudly on an HTTP error instead of writing an error page to disk.
parent ac8dabe9a4
commit e9d5f9bc76
1 changed files with 5 additions and 1 deletions
6
.github/workflows/validate-caddyfile.yml
vendored
|
|
@ -23,6 +23,10 @@ jobs:
|
|||
- name: Validate Caddyfile
|
||||
if: steps.check.outputs.has_file == 'true'
|
||||
run: |
|
||||
curl -sL "https://github.com/caddyserver/caddy/releases/latest/download/caddy_$(curl -sL https://api.github.com/repos/caddyserver/caddy/releases/latest | jq -r .tag_name | tr -d v)_linux_amd64.tar.gz" | tar xz caddy
|
||||
# Official download API serves the latest binary directly — no
|
||||
# unauthenticated api.github.com call (which is rate-limited to
|
||||
# 60/hr per IP across shared runners and would 403). -f makes curl
|
||||
# fail loudly on an HTTP error instead of saving an error page.
|
||||
curl -fsSL "https://caddyserver.com/api/download?os=linux&arch=amd64" -o caddy
|
||||
chmod +x caddy
|
||||
./caddy validate --config ansible/services/caddy/Caddyfile --adapter caddyfile
|
||||
|
|
|
|||
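Review bot: The added `curl -fsSL "https://caddyserver.com/api/download?os=linux&arch=amd64" -o caddy` line fetches whatever build is current, and the next two lines mark it executable and run it, with no version pin and no integrity check in between. Consider pinning a specific Caddy release and comparing the file's SHA-256 against a value recorded in the workflow before `chmod +x caddy`, so a changed or tampered download fails the job instead of executing on the runner; pinning also keeps `caddy validate` results reproducible from one PR to the next. Separately, `-f` surfaces HTTP errors but a single transient failure will still fail the check, so curl's `--retry` may be worth adding to the same line.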