From 4fb65e12d3ca36945cfcdc614ed6860b26b8c734 Mon Sep 17 00:00:00 2001 From: Mark Wylde Date: Tue, 24 Mar 2026 22:52:15 +0000 Subject: [PATCH] fix: repair main test and release validation --- .github/workflows/release.yml | 8 ++++++-- packaging_regression_test.go | 28 ++++++++++++++++++++++++++++ runtime_helpers_test.go | 5 ++++- 3 files changed, 38 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 374a0a0..f0cc8d6 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -62,8 +62,12 @@ jobs: test -f "$verify_dir/libwrapguard.so" test -f "$verify_dir/README.md" test -f "$verify_dir/example-wg0.conf" - "$verify_dir/wrapguard" --version - "$verify_dir/wrapguard" --help + if [ "${{ matrix.arch }}" = "amd64" ]; then + "$verify_dir/wrapguard" --version + "$verify_dir/wrapguard" --help + else + file "$verify_dir/wrapguard" | grep -qi "aarch64\\|arm64" + fi - name: Generate checksum run: | diff --git a/packaging_regression_test.go b/packaging_regression_test.go index 7e81caf..a0c6bc0 100644 --- a/packaging_regression_test.go +++ b/packaging_regression_test.go @@ -31,6 +31,34 @@ func TestReleaseWorkflowPackagesExpectedMacOSArtifacts(t *testing.T) { } } +func TestReleaseWorkflowValidatesLinuxArm64ArchivesWithoutExecutingBinary(t *testing.T) { + data, err := os.ReadFile(filepath.Join(".github", "workflows", "release.yml")) + if err != nil { + t.Fatalf("failed to read release workflow: %v", err) + } + + content := string(data) + requiredSnippets := []string{ + `archive="wrapguard-${{ github.event.release.tag_name }}-linux-${{ matrix.arch }}.tar.gz"`, + `if [ "${{ matrix.arch }}" = "amd64" ]; then`, + `"$verify_dir/wrapguard" --version`, + `"$verify_dir/wrapguard" --help`, + `file "$verify_dir/wrapguard" | grep -qi "aarch64\\|arm64"`, + } + + for _, snippet := range requiredSnippets { + if !strings.Contains(content, snippet) { + t.Fatalf("release workflow missing required Linux validation snippet: %q", snippet) + } + } + + forbiddenSnippet := `if [ "${{ matrix.arch }}" = "arm64" ]; then + "$verify_dir/wrapguard" --version` + if strings.Contains(content, forbiddenSnippet) { + t.Fatalf("release workflow should not execute the Linux arm64 binary during archive validation") + } +} + func TestSmokeMacOSTargetValidatesExpectedRuntimeArtifacts(t *testing.T) { data, err := os.ReadFile("Makefile") if err != nil { diff --git a/runtime_helpers_test.go b/runtime_helpers_test.go index c04e367..682cfd7 100644 --- a/runtime_helpers_test.go +++ b/runtime_helpers_test.go @@ -1134,13 +1134,16 @@ func TestRunSelfTestSucceedsWithInjectedProbe(t *testing.T) { "Self-test check passed: IPC socket is reachable", "Self-test check passed: SOCKS listener is reachable", "Self-test check passed: interceptor READY", - "Self-test check passed: intercepted outbound connect", "Self-test completed successfully", } { if !strings.Contains(got, want) { t.Fatalf("runSelfTest output missing %q: %q", want, got) } } + if !strings.Contains(got, "Self-test check passed: intercepted outbound connect") && + !strings.Contains(got, "Self-test check passed: SOCKS server observed intercepted outbound connect") { + t.Fatalf("runSelfTest output missing outbound connect confirmation: %q", got) + } } func writeDoctorRuntimeFixture(t *testing.T, includeLibrary bool) string {