From f353121c4378c1d335180b41928c5a49aac2dedd Mon Sep 17 00:00:00 2001 From: "replicas-connector[bot]" Date: Sat, 30 May 2026 16:43:29 +0000 Subject: [PATCH] ci(matrix-bridge): typecheck/test + auth-gate smoke test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit PRs touching replicas-matrix-bridge/ now run npm typecheck + npm test (previously these were only run locally before each deploy). On merges to main, also probe the deployed worker to assert: - /admin/listener/reset returns 401 without ADMIN_TOKEN - /debug/listener returns 401 without ADMIN_TOKEN - /health stays 200 (must remain public for uptime checks) Prevents regression of the security gate added in PR #18 — if a future change accidentally drops the ADMIN_TOKEN check on any of the protected paths, this job fails and the deploy is flagged. Co-Authored-By: itsablabla Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/matrix-bridge-ci.yml | 70 ++++++++++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 .github/workflows/matrix-bridge-ci.yml diff --git a/.github/workflows/matrix-bridge-ci.yml b/.github/workflows/matrix-bridge-ci.yml new file mode 100644 index 00000000..9bc3094c --- /dev/null +++ b/.github/workflows/matrix-bridge-ci.yml @@ -0,0 +1,70 @@ +name: Matrix Bridge CI + +on: + push: + branches: [main] + paths: + - 'replicas-matrix-bridge/**' + - '.github/workflows/matrix-bridge-ci.yml' + pull_request: + paths: + - 'replicas-matrix-bridge/**' + - '.github/workflows/matrix-bridge-ci.yml' + +jobs: + test: + runs-on: ubuntu-latest + defaults: + run: + working-directory: replicas-matrix-bridge + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 + with: + node-version: '20' + - name: Install dependencies + run: npm ci + - name: Typecheck + run: npm run typecheck + - name: Test + run: npm test + + auth-gate-smoke-test: + name: Auth gate smoke test + runs-on: ubuntu-latest + needs: test + if: github.event_name == 'push' && github.ref == 'refs/heads/main' + steps: + - name: Assert /admin/listener/reset returns 401 without ADMIN_TOKEN + run: | + STATUS=$(curl -s -o /dev/null -w "%{http_code}" \ + -X POST https://replicas-matrix-bridge.jadengarza.workers.dev/admin/listener/reset) + echo "no-auth status: $STATUS" + if [ "$STATUS" != "401" ]; then + echo "❌ /admin/listener/reset returned $STATUS without auth (expected 401)" + echo "The ADMIN_TOKEN gate has regressed — every admin/debug endpoint is exposed." + exit 1 + fi + echo "✅ Auth gate is enforced on /admin/* endpoints" + + - name: Assert /debug/listener returns 401 without ADMIN_TOKEN + run: | + STATUS=$(curl -s -o /dev/null -w "%{http_code}" \ + -X GET https://replicas-matrix-bridge.jadengarza.workers.dev/debug/listener) + echo "no-auth status: $STATUS" + if [ "$STATUS" != "401" ]; then + echo "❌ /debug/listener returned $STATUS without auth (expected 401)" + exit 1 + fi + echo "✅ Auth gate is enforced on /debug/* endpoints" + + - name: Assert /health stays public (no auth required) + run: | + STATUS=$(curl -s -o /dev/null -w "%{http_code}" \ + -X GET https://replicas-matrix-bridge.jadengarza.workers.dev/health) + echo "/health status: $STATUS" + if [ "$STATUS" != "200" ]; then + echo "❌ /health returned $STATUS (expected 200 — must stay public for uptime checks)" + exit 1 + fi + echo "✅ /health is public"