Test hook failures and cert trust end-to-end#7
Merged
Conversation
Two gaps surfaced while debugging the install hooks: 1. DDEV runs post-start hooks non-fatally, so a broken hook is logged but the start still exits 0 — the tests only caught it via downstream symptoms. Add a `refute_hook_failure` guard (asserts the restart output has no "Task failed") after each restart, so any silently-failing hook is caught at the source. 2. The cert hook (mkcert CA -> browser NSS store) had no coverage: the suite only opened https://example.com, which uses a public CA. Switch the browsing checks to the project's own mkcert-signed URL (serving an index.html from the docroot), which exercises the cert hook end-to-end — an untrusted CA fails the navigation with ERR_CERT_AUTHORITY_INVALID. Also assert the CA is present via certutil -L. Dropping example.com removes the external-network dependency from CI. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Two coverage gaps surfaced while debugging the install hooks.
1. Detect silently-failing hooks
DDEV runs post-start hooks non-fatally — a failing hook is logged (
Task failed: …) butddev restartstill exits0. Every regression this repo hit recently (the/usr/local/binsymlink, the invalidinstall chromium) was a hook failing silently, caught only via a downstream symptom.Adds
refute_hook_failure(asserts the restart output contains noTask failed) after each restart in both pipelines, so any broken hook is caught at the source.2. Actually test cert trust
The cert hook adds the mkcert CA to chromium's NSS store, but nothing exercised it — the suite only opened
https://example.com/(a public CA). Now:certutil … -Lcontainsmkcert-ca), andhttps://${PROJNAME}.ddev.site/, serving anindex.htmlfrom the docroot). An untrusted CA fails the navigation withERR_CERT_AUTHORITY_INVALID, so a greenopenproves chromium trusts the mkcert cert end-to-end.Switching off
example.comalso drops the external-network dependency from CI.🤖 Generated with Claude Code