ci: add integration tests

alukach · alukach · commit befe0ca268ff · 2026-03-13T11:37:31.000-07:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -72,3 +72,74 @@ jobs:
       - uses: Swatinem/rust-cache@v2
       - run: cargo install cargo-audit
       - run: cargo audit
+
+  integration:
+    name: Integration Tests
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "lts/*"
+
+      - uses: dtolnay/rust-toolchain@v1
+        with:
+          toolchain: stable
+          targets: wasm32-unknown-unknown
+      - uses: Swatinem/rust-cache@v2
+
+      - name: Start MinIO
+        run: |
+          docker run -d --name minio \
+            -p 9000:9000 \
+            -e MINIO_ROOT_USER=minioadmin \
+            -e MINIO_ROOT_PASSWORD=minioadmin \
+            minio/minio:latest server /data
+
+          # Wait for MinIO to be ready
+          for i in $(seq 1 30); do
+            if curl -sf http://localhost:9000/minio/health/live > /dev/null 2>&1; then
+              echo "MinIO is ready"
+              break
+            fi
+            sleep 1
+          done
+
+      - name: Seed MinIO buckets
+        run: |
+          curl -sSL https://dl.min.io/client/mc/release/linux-amd64/mc -o /usr/local/bin/mc
+          chmod +x /usr/local/bin/mc
+
+          mc alias set local http://localhost:9000 minioadmin minioadmin
+          mc mb --ignore-existing local/public-data
+          mc mb --ignore-existing local/private-uploads
+          mc anonymous set download local/public-data
+          echo "Hello from s3-proxy!" | mc pipe local/public-data/hello.txt
+          echo '{"status":"ok"}' | mc pipe local/public-data/health.json
+          echo "Secret payload" | mc pipe local/private-uploads/docs/secret.txt
+
+      - name: Write .dev.vars
+        run: |
+          echo "SESSION_TOKEN_KEY=$(openssl rand -base64 32)" > examples/cf-workers/.dev.vars
+
+      - name: Start wrangler dev
+        working-directory: examples/cf-workers
+        run: |
+          npx wrangler dev --config wrangler.integration.toml --port 8787 &
+
+          # Wait for wrangler to be ready
+          for i in $(seq 1 60); do
+            if curl -so /dev/null http://localhost:8787/ 2>/dev/null; then
+              echo "Wrangler dev is ready"
+              break
+            fi
+            sleep 2
+          done
+
+      - uses: astral-sh/setup-uv@v5
+
+      - name: Run integration tests
+        run: uvx --with pytest,boto3,requests pytest tests/integration/ -v
diff --git a/examples/cf-workers/wrangler.integration.toml b/examples/cf-workers/wrangler.integration.toml
@@ -0,0 +1,120 @@
+# CI integration-test config — CF Workers + local MinIO
+# Based on wrangler.toml but trimmed to MinIO-only buckets.
+
+compatibility_date = "2024-11-11"
+main = "build/worker/shim.mjs"
+name = "multistore"
+
+[build]
+command = "cargo install worker-build && worker-build --release"
+
+[vars]
+VIRTUAL_HOST_DOMAIN = "s3.local"
+
+[vars.PROXY_CONFIG]
+
+# --- Buckets (MinIO only) ---
+
+[[vars.PROXY_CONFIG.buckets]]
+allowed_roles = ["github-actions"]
+anonymous_access = true
+backend_type = "s3"
+name = "public-data"
+
+[vars.PROXY_CONFIG.buckets.backend_options]
+access_key_id = "minioadmin"
+bucket_name = "public-data"
+endpoint = "http://localhost:9000"
+region = "us-east-1"
+secret_access_key = "minioadmin"
+
+[[vars.PROXY_CONFIG.buckets]]
+allowed_roles = ["github-actions"]
+anonymous_access = false
+backend_type = "s3"
+name = "private-uploads"
+
+[vars.PROXY_CONFIG.buckets.backend_options]
+access_key_id = "minioadmin"
+bucket_name = "private-uploads"
+endpoint = "http://localhost:9000"
+region = "us-east-1"
+secret_access_key = "minioadmin"
+
+# --- Static credentials ---
+
+[[vars.PROXY_CONFIG.credentials]]
+access_key_id = "AKTEST000000000001"
+created_at = "2024-01-01T00:00:00Z"
+enabled = true
+principal_name = "integration-test-user"
+secret_access_key = "testSecretKey00000000000000000001"
+
+[[vars.PROXY_CONFIG.credentials.allowed_scopes]]
+actions = ["get_object", "head_object", "put_object", "delete_object", "list_bucket"]
+bucket = "public-data"
+prefixes = []
+
+[[vars.PROXY_CONFIG.credentials.allowed_scopes]]
+actions = ["get_object", "head_object", "put_object", "delete_object", "list_bucket"]
+bucket = "private-uploads"
+prefixes = []
+
+# --- Roles ---
+
+[[vars.PROXY_CONFIG.roles]]
+max_session_duration_secs = 3600
+name = "GitHub Actions"
+role_id = "github-actions"
+subject_conditions = ["*"]
+trusted_oidc_issuers = [
+  "https://token.actions.githubusercontent.com",
+]
+
+[[vars.PROXY_CONFIG.roles.allowed_scopes]]
+actions = ["get_object", "head_object", "put_object", "delete_object", "list_bucket"]
+bucket = "public-data"
+prefixes = []
+
+[[vars.PROXY_CONFIG.roles.allowed_scopes]]
+actions = ["get_object", "head_object", "put_object", "delete_object", "list_bucket"]
+bucket = "private-uploads"
+prefixes = []
+
+[[vars.PROXY_CONFIG.roles]]
+max_session_duration_secs = 3600
+name = "GitHub Actions (No Access)"
+role_id = "github-actions-no-access"
+subject_conditions = ["*"]
+trusted_oidc_issuers = [
+  "https://token.actions.githubusercontent.com",
+]
+
+# --- Rate limiting bindings (required by wrangler dev) ---
+
+[[ratelimits]]
+name = "ANON_RATE_LIMITER"
+namespace_id = "1001"
+  [ratelimits.simple]
+  limit = 200
+  period = 10
+
+[[ratelimits]]
+name = "AUTH_RATE_LIMITER"
+namespace_id = "1002"
+  [ratelimits.simple]
+  limit = 1_000
+  period = 10
+
+# --- Bandwidth metering ---
+
+[vars.BANDWIDTH_QUOTAS]
+public-data = { limit_bytes = 2_147_483_648, window_secs = 300 }
+
+[[durable_objects.bindings]]
+name = "BANDWIDTH_METER"
+class_name = "BandwidthMeter"
+
+[[migrations]]
+tag = "v1"
+new_sqlite_classes = ["BandwidthMeter"]
diff --git a/tests/integration/test_integration.py b/tests/integration/test_integration.py
