pez-infra/.github/workflows/validate-caddyfile.yml
Rasmus "Pez" Wejlgaard e9d5f9bc76
ci: make Caddyfile validation download robust (#134)
The validate-caddyfile workflow fetched the Caddy binary by first hitting
api.github.com/releases/latest to resolve the version tag, then building a
release-asset URL from it. That API call is unauthenticated, so it shares
the 60-requests/hour-per-IP limit across all GitHub-hosted runners and
returns 403 under load. On failure jq emits "null", the URL becomes
caddy_null_linux_amd64.tar.gz, and `curl -sL` silently pipes a 404 page
into tar — a confusing, flaky failure on every PR that touches the Caddyfile.

Switch to Caddy's official download API, which serves the latest linux/amd64
binary directly: one request, no GitHub API, no jq/tar parsing. Add `-f` so
curl fails loudly on an HTTP error instead of writing an error page to disk.
2026-06-15 20:38:21 +01:00


name: Validate Caddyfile
on:
  pull_request:
jobs:
  caddy-validate:
    name: caddy validate
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Check for Caddyfile
        id: check
        run: |
          if [ -f ansible/services/caddy/Caddyfile ]; then
            echo "has_file=true" >> "$GITHUB_OUTPUT"
          else
            echo "has_file=false" >> "$GITHUB_OUTPUT"
            echo "No Caddyfile found — skipping."
          fi
      - name: Validate Caddyfile
        if: steps.check.outputs.has_file == 'true'
        run: |
          # Official download API serves the latest binary directly — no
          # unauthenticated api.github.com call (which is rate-limited to
          # 60/hr per IP across shared runners and would 403). -f makes curl
          # fail loudly on an HTTP error instead of saving an error page.
          curl -fsSL "https://caddyserver.com/api/download?os=linux&arch=amd64" -o caddy
          chmod +x caddy
          ./caddy validate --config ansible/services/caddy/Caddyfile --adapter caddyfile
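As an added example (not code from the pez-infra repository), the same download written as a shell helper that keeps the `-f` fix, retries transient failures, and checks the ELF magic bytes before anything is marked executable, so an error page served with a 200 status is still rejected rather than run. The URL is the one the workflow already uses; the retry flags and the temp-file-then-move pattern are assumptions about what a hardened step would want.

```shell
#!/usr/bin/env bash
# Added example, not part of the pez-infra workflow: download Caddy so that
# an HTTP error (-f), a transient network failure (--retry) or a non-binary
# response body (ELF check) all stop the job before anything is executed.
set -eu

# Same download API the workflow uses (assumed unchanged).
CADDY_URL="https://caddyserver.com/api/download?os=linux&arch=amd64"

# Return 0 if the file is non-empty and starts with the ELF magic 7f 45 4c 46
# ("\x7fELF"), else 1. An HTML error page starts with "<" and fails this.
is_elf_binary() {
  f="$1"
  [ -s "$f" ] || return 1
  magic="$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')"
  [ "$magic" = "7f454c46" ]
}

# Download into a temp file and only move it into place once it passes the
# ELF check, so a bad body never ends up at the path later chmod +x'ed.
fetch_caddy() {
  dest="$1"
  tmp="$(mktemp)"
  # -f: non-2xx is an error and nothing is written; --retry covers flakiness.
  if ! curl -fsSL --retry 3 --retry-delay 2 "$CADDY_URL" -o "$tmp"; then
    echo "caddy download failed (HTTP error or network)" >&2
    rm -f "$tmp"
    return 1
  fi
  if ! is_elf_binary "$tmp"; then
    echo "downloaded file is not an ELF binary; refusing to run it" >&2
    head -c 200 "$tmp" >&2; echo >&2
    rm -f "$tmp"
    return 1
  fi
  chmod +x "$tmp"
  mv "$tmp" "$dest"
}

# Intended use in the workflow step (needs network access):
#   fetch_caddy ./caddy && ./caddy validate --config ansible/services/caddy/Caddyfile --adapter caddyfile
```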