mirror of
https://github.com/RWejlgaard/pez-infra.git
synced 2026-07-04 15:46:16 +00:00
The validate-caddyfile workflow fetched the Caddy binary by first hitting api.github.com/releases/latest to resolve the version tag, then building a release-asset URL from it. That API call is unauthenticated, so it shares the 60-requests/hour-per-IP limit across all GitHub-hosted runners and returns 403 under load. On failure jq emits "null", the URL becomes caddy_null_linux_amd64.tar.gz, and `curl -sL` silently pipes a 404 page into tar — a confusing, flaky failure on every PR that touches the Caddyfile. Switch to Caddy's official download API, which serves the latest linux/amd64 binary directly: one request, no GitHub API, no jq/tar parsing. Add `-f` so curl fails loudly on an HTTP error instead of writing an error page to disk.
32 lines
1.1 KiB
YAML
```yaml
name: Validate Caddyfile

on:
  pull_request:

jobs:
  caddy-validate:
    name: caddy validate
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6

      - name: Check for Caddyfile
        id: check
        run: |
          if [ -f ansible/services/caddy/Caddyfile ]; then
            echo "has_file=true" >> "$GITHUB_OUTPUT"
          else
            echo "has_file=false" >> "$GITHUB_OUTPUT"
            echo "No Caddyfile found — skipping."
          fi

      - name: Validate Caddyfile
        if: steps.check.outputs.has_file == 'true'
        run: |
          # Official download API serves the latest binary directly — no
          # unauthenticated api.github.com call (which is rate-limited to
          # 60/hr per IP across shared runners and would 403). -f makes curl
          # fail loudly on an HTTP error instead of saving an error page.
          curl -fsSL "https://caddyserver.com/api/download?os=linux&arch=amd64" -o caddy
          chmod +x caddy
          ./caddy validate --config ansible/services/caddy/Caddyfile --adapter caddyfile
```
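Review bot: the `curl -fsSL ... -o caddy` line in the Validate Caddyfile step fetches whatever caddyserver.com serves as latest at run time, so the binary is neither version-pinned nor integrity-checked before `chmod +x caddy` executes it on the runner; the change removes the GitHub rate-limit flakiness but leaves a supply-chain gap and makes validation results depend on the Caddy release of the day. Pin a specific Caddy release and verify a sha256 checksum of the download before running it (failing the job on mismatch), and for the same reason consider pinning `actions/checkout@v6` to a full commit SHA rather than a mutable tag.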