Skip to content

Test hook failures and cert trust end-to-end#7

Merged
andrewbelcher merged 1 commit into
mainfrom
test-hook-and-cert-coverage
Jun 22, 2026
Merged

Test hook failures and cert trust end-to-end#7
andrewbelcher merged 1 commit into
mainfrom
test-hook-and-cert-coverage

Conversation

@andrewbelcher

Copy link
Copy Markdown
Contributor

Two coverage gaps surfaced while debugging the install hooks.

1. Detect silently-failing hooks

DDEV runs post-start hooks non-fatally — a failing hook is logged (Task failed: …) but ddev restart still exits 0. Every regression this repo hit recently (the /usr/local/bin symlink, the invalid install chromium) was a hook failing silently, caught only via a downstream symptom.

Adds refute_hook_failure (asserts the restart output contains no Task failed) after each restart in both pipelines, so any broken hook is caught at the source.

2. Actually test cert trust

The cert hook adds the mkcert CA to chromium's NSS store, but nothing exercised it — the suite only opened https://example.com/ (a public CA). Now:

  • assert the CA is in the store (certutil … -L contains mkcert-ca), and
  • switch the browsing checks to the project's own mkcert-signed URL (https://${PROJNAME}.ddev.site/, serving an index.html from the docroot). An untrusted CA fails the navigation with ERR_CERT_AUTHORITY_INVALID, so a green open proves chromium trusts the mkcert cert end-to-end.

Switching off example.com also drops the external-network dependency from CI.

🤖 Generated with Claude Code

Two gaps surfaced while debugging the install hooks:

1. DDEV runs post-start hooks non-fatally, so a broken hook is logged but the start
   still exits 0 — the tests only caught it via downstream symptoms. Add a
   `refute_hook_failure` guard (asserts the restart output has no "Task failed")
   after each restart, so any silently-failing hook is caught at the source.

2. The cert hook (mkcert CA -> browser NSS store) had no coverage: the suite only
   opened https://example.com, which uses a public CA. Switch the browsing checks
   to the project's own mkcert-signed URL (serving an index.html from the docroot),
   which exercises the cert hook end-to-end — an untrusted CA fails the navigation
   with ERR_CERT_AUTHORITY_INVALID. Also assert the CA is present via certutil -L.

Dropping example.com removes the external-network dependency from CI.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@andrewbelcher andrewbelcher enabled auto-merge (squash) June 22, 2026 14:57
@andrewbelcher andrewbelcher merged commit 1a28aca into main Jun 22, 2026
2 checks passed
@andrewbelcher andrewbelcher deleted the test-hook-and-cert-coverage branch June 22, 2026 14:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant