
# Tier 2 integration suite - runs only when a PR is added to the merge queue.
#
# Design (microsoft/apm#770):
# - Tier 1 (ci.yml) runs unit tests + binary build on every PR push and on
# every merge_group event. No secrets needed there.
# - Tier 2 (this workflow) runs smoke + integration + release-validation
# against the tentative merge commit that the merge queue creates.
#
# Required-check satisfaction at PR time:
# - Branch protection requires only `gate` (from `merge-gate.yml`), which
# aggregates all PR-time signals. The four check names produced by THIS
# workflow (Build/Smoke/Integration/Release Validation - all Linux) are
# not required at PR time; they only run on the `gh-readonly-queue/main/*`
# SHA the merge queue creates, against the tentative merge commit.
# - This workflow intentionally does NOT trigger on pull_request events.
# Doing so would let a fork PR check out and run code with the secrets
# declared below, which is a supply-chain attack vector. Keep this file
# `merge_group`-only forever.
#
# Trust model:
# - merge_group only fires when a user with write access enqueues a PR.
# - The gh-readonly-queue/main/* ref contains the PR's code merged into
# main and is created by GitHub, not by the contributor.
# - Trust boundary = write-access grant, managed in repo settings.
# Write access is granted only to vetted contributors.
# - Fork PRs without write access never reach this workflow and never see
# CI secrets.
#
# Binary is built inline rather than downloaded from ci.yml so this workflow
# tests exactly the merge-queue tentative merge SHA without cross-workflow
# artifact plumbing.
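name: Integration Tests

env:
  PYTHON_VERSION: '3.12'

# Merge-queue only. Do not add pull_request or pull_request_target here: the
# integration-tests and release-validation jobs hand repository secrets to
# scripts taken from the checked-out ref.
on:
  merge_group:
    branches: [main]
    types: [checks_requested]

# The workflow token is limited to reading repository contents; no job below
# requests anything broader.
permissions:
  contents: read

# NOTE(review): every `uses:` below references a mutable tag (v4/v5/v6).
# A retagged action would run on the same runner as the steps that receive
# GH_CLI_PAT / ADO_APM_PAT, so consider pinning each action (the third-party
# astral-sh/setup-uv in particular) to a full commit SHA and letting a
# dependency bot propose the bumps.
jobs:
  # Builds the Linux binary once and publishes it as an artifact that the
  # three downstream jobs consume.
  build:
    name: Build (Linux)
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4
        with:
          # Keep the workflow token out of .git/config. The build script is
          # not visible here - confirm it does not rely on the persisted
          # token.
          persist-credentials: false
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VERSION }}
      - name: Install uv
        uses: astral-sh/setup-uv@v6
        with:
          enable-cache: true
      - name: Install dependencies
        run: uv sync --extra dev --extra build
      - name: Install UPX
        run: |
          sudo apt-get update
          sudo apt-get install -y upx-ucl
      - name: Build binary
        run: |
          chmod +x scripts/build-binary.sh
          uv run ./scripts/build-binary.sh
      - name: Upload binary
        uses: actions/upload-artifact@v4
        with:
          name: apm-mq-linux-x86_64
          # Only the two dist/ entries are uploaded; with hidden files
          # included, keep this list narrow so nothing outside dist/
          # (for example .git/) ever ends up in the artifact.
          path: |
            ./dist/apm-linux-x86_64
            ./dist/apm-linux-x86_64.sha256
          include-hidden-files: true
          retention-days: 7
          if-no-files-found: error

  # Fast pre-flight against the built binary; receives no secrets.
  smoke-test:
    name: Smoke Test (Linux)
    needs: [build]
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      # Artifact root is ./dist/ (least common ancestor of the uploaded paths
      # in the build job), so download to ./dist/ to preserve the
      # dist/apm-linux-x86_64/apm layout the conftest expects.
      - name: Download binary
        uses: actions/download-artifact@v4
        with:
          name: apm-mq-linux-x86_64
          path: ./dist/
      - name: Make binary executable
        run: chmod +x ./dist/apm-linux-x86_64/apm
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VERSION }}
      - name: Install uv
        uses: astral-sh/setup-uv@v6
        with:
          enable-cache: true
      - name: Install dependencies
        run: uv sync --extra dev
      # Smoke target is test_core_smoke.py: a hermetic, network-free pre-flight
      # over the README's three promises (portable / secure / governed). It
      # runs against the built binary in ~10s and fails the merge queue early
      # if the bundle is broken before the 30-min integration suite even
      # starts. The legacy test_runtime_smoke.py covers the experimental
      # `apm run` execution layer and stays in the heavy integration job
      # under requires_runtime_* markers.
      - name: Run core smoke tests
        env:
          APM_E2E_TESTS: "1"
          APM_BINARY_PATH: ${{ github.workspace }}/dist/apm-linux-x86_64/apm
        run: uv run pytest tests/integration/test_core_smoke.py -v

  # Full integration suite; the only step that receives the PATs is the
  # final test-runner step.
  integration-tests:
    name: Integration Tests (Linux)
    needs: [build, smoke-test]
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4
        with:
          # The test script authenticates with the PATs passed explicitly
          # below; the checkout token is not left on disk. Confirm no test
          # depends on the persisted token.
          persist-credentials: false
      # Artifact root is ./dist/ (least common ancestor of the uploaded paths in
      # the build job), so download to ./dist/ to preserve dist/apm-linux-x86_64/apm.
      - name: Download binary
        uses: actions/download-artifact@v4
        with:
          name: apm-mq-linux-x86_64
          path: ./dist/
      - name: Make binary executable
        run: chmod +x ./dist/apm-linux-x86_64/apm
      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '24'
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VERSION }}
      - name: Install uv
        uses: astral-sh/setup-uv@v6
        with:
          enable-cache: true
      - name: Install test dependencies
        run: uv sync --extra dev
      - name: Run integration tests
        # Secrets are scoped to this step's environment rather than the job,
        # so the setup steps above are not handed them through env.
        env:
          APM_E2E_TESTS: "1"
          APM_RUN_INTEGRATION_TESTS: "1"
          GITHUB_APM_PAT: ${{ secrets.GH_CLI_PAT }}
          ADO_APM_PAT: ${{ secrets.ADO_APM_PAT }}
        run: |
          chmod +x scripts/test-integration.sh
          uv run ./scripts/test-integration.sh
        # Bumped from 20 to 30 minutes when test discovery widened from
        # the 28 enumerated files to the full tests/integration/ suite
        # (PR2 of #1166).
        timeout-minutes: 30

  # Exercises the built binary from an isolated directory outside the
  # checkout; only scripts/ is taken from the repository.
  release-validation:
    name: Release Validation (Linux)
    needs: [build, integration-tests]
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout test scripts
        uses: actions/checkout@v4
        with:
          sparse-checkout: scripts
          path: repo
          persist-credentials: false
      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '24'
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VERSION }}
      # See note in integration-tests: download to dist/ to preserve layout.
      - name: Download binary
        uses: actions/download-artifact@v4
        with:
          name: apm-mq-linux-x86_64
          path: /tmp/apm-isolated-test/dist/
      - name: Make binary executable
        run: chmod +x /tmp/apm-isolated-test/dist/apm-linux-x86_64/apm
      - name: Create APM symlink for testing
        # Quote $GITHUB_PATH so the redirect target is never word-split.
        run: |
          cd /tmp/apm-isolated-test
          ln -s "$(pwd)/dist/apm-linux-x86_64/apm" "$(pwd)/apm"
          echo "/tmp/apm-isolated-test" >> "$GITHUB_PATH"
      - name: Prepare test scripts
        run: |
          cp -r repo/scripts /tmp/apm-isolated-test/scripts
      - name: Run release validation tests
        # Secrets are scoped to this step only.
        env:
          APM_E2E_TESTS: "1"
          GITHUB_APM_PAT: ${{ secrets.GH_CLI_PAT }}
          ADO_APM_PAT: ${{ secrets.ADO_APM_PAT }}
        run: |
          cd /tmp/apm-isolated-test
          chmod +x scripts/test-release-validation.sh
          ./scripts/test-release-validation.sh
        timeout-minutes: 20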