test(api7): deploy test components by docker compose

[jarvis9443]

Summary

Replace the tarball-based API7 E2E test infrastructure with Docker Compose, deploying only Dashboard + PostgreSQL (the components ADC actually tests against). Also adds dev version testing for the api7 backend.

Changes

Docker Compose for API7 E2E

• New: libs/backend-api7/e2e/assets/docker-compose.yaml — Dashboard + PostgreSQL services
• New: libs/backend-api7/e2e/assets/dashboard-conf.yaml — Minimal dashboard config (TLS, log, DSN only)
• Rewritten: global-setup.ts — Uses docker compose up/down, named setup/teardown exports
• Deleted: global-teardown.ts — Teardown handled by named export in global-setup.ts

Dev version testing (api7 only)

• Added dev to api7 CI matrix
• API7 dev: uses GHCR images (ghcr.io/api7/api7-ee-3-integrated:dev) with BACKEND_API7_DEV_LICENSE
• fail-fast: false on api7 matrix to prevent healthy jobs from being canceled
• packages: read permission at api7 job level for GHCR access

Version updates

• Updated 3.8.22 → 3.8.23, 3.9.2 → 3.9.9

Test fix

• Removed https_verify_certificate from sync-and-dump-2 test expectation (dev CP no longer returns this default field)

Why only Dashboard + PostgreSQL?

ADC E2E tests only interact with the Dashboard Admin API (/apisix/admin/* proxied through Dashboard on port 7443). No data plane traffic is ever sent to the gateway. The previous tarball approach deployed DPM, Gateway, and etcd unnecessarily.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Added dev matrix entries and moved job-level backend envs into per-matrix GITHUB_ENV writes (with conditional GHCR login); added Docker Compose assets for API7 dashboard + Postgres; migrated e2e setup to Docker Compose with HTTP readiness polling and made teardown returned from setup.

Changes

Cohort / File(s)	Summary
Workflow Configuration .github/workflows/e2e.yaml	Added top-level packages: read; extended matrices with dev; replaced job-level envs by writing backend variables into GITHUB_ENV per-matrix value; conditional docker/login-action@v3 for dev; adjusted API7 variable export and license sourcing from secrets.
Docker Compose Assets libs/backend-api7/e2e/assets/dashboard-conf.yaml, libs/backend-api7/e2e/assets/docker-compose.yaml	New dashboard config (TLS, logging, Postgres DSN, session, cron) and compose file defining postgresql (healthcheck) and dashboard services, mount of dashboard-conf.yaml, exposed port, and api7 bridge network.
Test Setup/Teardown libs/backend-api7/e2e/support/global-setup.ts, libs/backend-api7/e2e/support/global-teardown.ts	Replaced local bootstrap with docker compose up -d from assets dir; added runCompose helper and conditional docker compose pull for dev; introduced waitForDashboard HTTP polling (GET /api/status, fallback POST /api/login); global-setup now returns an async teardown that runs docker compose down -v; global-teardown marked explicit no-op.

Sequence Diagram(s)

sequenceDiagram
  participant CI as CI Runner
  participant Env as GITHUB_ENV
  participant DC as Docker Compose
  participant PG as PostgreSQL
  participant DB as Dashboard
  participant TS as Test Suite

  CI->>Env: write matrix-backed BACKEND_* variables
  CI->>DC: (optionally docker/login for dev) run `docker compose up -d`
  DC->>PG: start postgres container
  PG-->>DC: healthcheck passes (pg_isready)
  DC->>DB: start dashboard (mount config, use env tags)
  DB->>PG: connect & initialize
  CI->>DB: poll GET /api/status (waitForDashboard)
  alt status ok
    DB-->>CI: 200 OK
  else fallback
    CI->>DB: POST /api/login (accept any status)
    DB-->>CI: login response
  end
  CI->>TS: run e2e tests against dashboard
  TS-->>CI: tests complete
  CI->>DC: invoke teardown (async returned) -> `docker compose down -v`

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

Check name	Status	Explanation	Resolution
Security Check	❌ Error	PR introduces critical security risks: hardcoded PostgreSQL credentials in docker-compose.yaml, API7 license secrets exposed via Docker environment variables without log redaction, and unverified TLS configuration requiring 1.2+ enforcement.	Replace hardcoded PostgreSQL credentials with GitHub Actions secrets; mount license secrets as files instead of environment variables; verify TLS 1.2+ enforcement and certificate verification in dashboard-conf.yaml; implement secret log filtering in docker compose operations.
E2e Test Quality Review	⚠️ Warning	E2E tests lack adequate error handling: waitForDashboard() uses validateStatus() to suppress errors instead of validating Dashboard readiness, and tests have insufficient error scenario coverage (<10% of test suite targets error conditions).	Fix error handling in waitForDashboard() to properly validate status codes and throw on max retries; add 15-20% error scenario and boundary case tests; add explicit error checking for docker compose pull operations.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'test(api7): deploy test components by docker compose' is accurate and concise. It clearly captures the main change: replacing the tarball deployment with Docker Compose for E2E test components, and correctly scopes it to api7.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/api7-e2e-docker-compose

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

libs/backend-api7/e2e/support/global-setup.ts (1)

174-202: ⚠️ Potential issue | 🟠 Major

Clean up the compose stack on setup/bootstrap failure too.

The teardown function is only returned after setupAPI7(), initUser(), and generateToken() all succeed. If docker compose up -d works but waitForDashboard() or the user bootstrap fails, Vitest never receives the teardown callback and the stack stays up for the next run.

Suggested shape

 export default async () => {
-  if (process.env['SKIP_API7_SETUP'] !== 'true') await setupAPI7();
+  const shouldManageStack = process.env['SKIP_API7_SETUP'] !== 'true';
+  const teardown = async () => {
+    if (!shouldManageStack) return;
+    console.log('Tearing down API7 via Docker Compose');
+    runCompose('down', '-v');
+  };
+
   try {
+    if (shouldManageStack) await setupAPI7();
     await initUser();
     await generateToken();
   } catch (err) {
-    console.log(err);
+    await teardown();
     throw err;
   }
...
-  return async () => {
-    if (process.env['SKIP_API7_SETUP'] === 'true') return;
-    console.log('Tearing down API7 via Docker Compose');
-    spawnSync('sh', ['-c', 'docker compose down -v'], {
-      cwd: assetsDir,
-      stdio: 'inherit',
-    });
-  };
+  return teardown;
 };

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@libs/backend-api7/e2e/support/global-setup.ts` around lines 174 - 202, The
teardown callback must be returned/registered even if setupAPI7(), initUser(),
or generateToken() fail so the compose stack is always cleaned; create the
teardown function (the async function that runs spawnSync('sh', ['-c', 'docker
compose down -v'], ...)) before calling setupAPI7()/initUser()/generateToken()
and ensure it is returned in all code paths (e.g., define teardown early and use
try { await setupAPI7(); await initUser(); await generateToken(); } catch (err)
{ console.log(err); throw err; } finally { if (process.env['SKIP_API7_SETUP']
!== 'true') return teardown; } or simply wrap the bootstrap in try/finally and
always return the teardown), referencing the existing setupAPI7, initUser,
generateToken functions and the spawnSync teardown logic so the compose stack is
cleaned on any failure.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/e2e.yaml:
- Around line 146-152: The workflow is missing the explicit permissions needed
for GHCR pulls; add "packages: read" to the workflow permissions so the
GITHUB_TOKEN can authenticate to ghcr.io for the "Login to GHCR" step that uses
docker/login-action@v3 (and subsequent pulls of
ghcr.io/api7/api7-ee-3-integrated:dev). Update the workflow-level permissions
block to include packages: read alongside contents: read, ensure the job using
GITHUB_TOKEN inherits those permissions, and keep the existing
docker/login-action@v3 step and secret usage unchanged.
- Around line 130-142: The step "Determine API7 image and license" currently
writes BACKEND_API7_LICENSE to $GITHUB_ENV via a single-line echo which breaks
on multiline secrets; replace those echo lines with GitHub Actions heredoc
syntax to append the license safely (e.g., use a <<EOF block redirected to
$GITHUB_ENV) for both the dev and non-dev branches so multiline license values
are preserved; keep the other env writes the same but ensure
BACKEND_API7_LICENSE uses the heredoc approach in both branches.

In `@libs/backend-api7/e2e/assets/docker-compose.yaml`:
- Around line 22-23: The compose file currently pins the Dashboard to host port
"7443:7443"; change the docker-compose.yaml ports entry to use an ephemeral host
port (e.g., replace "7443:7443" with "0:7443" or remove ports and use "expose: -
7443") so multiple concurrent runs can start, and update global-setup.ts (which
currently hardcodes https://localhost:7443) to discover the actual mapped host
port at runtime and set the SERVER value / axios baseURL accordingly (read the
container's mapped port via your docker/test harness and inject the resolved
https://localhost:<mappedPort> into SERVER or the axios client before tests
run).

In `@libs/backend-api7/e2e/support/global-setup.ts`:
- Around line 72-82: The spawnSync invocation that runs `docker compose
${pullPolicy} up -d` currently only checks result.status; update the setup block
around the spawnSync call (symbols: spawnSync, result, assetsDir, pullPolicy) to
explicitly handle launch errors (check result.error) and signal termination
(check result.signal) and include those details in the thrown Error or logged
message; likewise, in the teardown path that invokes docker compose down,
capture its spawnSync result, check result.error/result.signal/result.status,
and fail or log with detailed context instead of ignoring it so teardown
failures don't silently leave resources running.

---

Outside diff comments:
In `@libs/backend-api7/e2e/support/global-setup.ts`:
- Around line 174-202: The teardown callback must be returned/registered even if
setupAPI7(), initUser(), or generateToken() fail so the compose stack is always
cleaned; create the teardown function (the async function that runs
spawnSync('sh', ['-c', 'docker compose down -v'], ...)) before calling
setupAPI7()/initUser()/generateToken() and ensure it is returned in all code
paths (e.g., define teardown early and use try { await setupAPI7(); await
initUser(); await generateToken(); } catch (err) { console.log(err); throw err;
} finally { if (process.env['SKIP_API7_SETUP'] !== 'true') return teardown; } or
simply wrap the bootstrap in try/finally and always return the teardown),
referencing the existing setupAPI7, initUser, generateToken functions and the
spawnSync teardown logic so the compose stack is cleaned on any failure.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1795c012-fbd1-4020-8ed1-3d9ab187adec

📥 Commits

Reviewing files that changed from the base of the PR and between b3ef55f and 62724df.

📒 Files selected for processing (5)

• .github/workflows/e2e.yaml
• libs/backend-api7/e2e/assets/dashboard-conf.yaml
• libs/backend-api7/e2e/assets/docker-compose.yaml
• libs/backend-api7/e2e/support/global-setup.ts
• libs/backend-api7/e2e/support/global-teardown.ts

[coderabbitai]

♻️ Duplicate comments (1)

.github/workflows/e2e.yaml (1)

154-160: ⚠️ Potential issue | 🟠 Major

Missing packages: read permission for GHCR image pull.

The GHCR login step uses GITHUB_TOKEN to authenticate, but the workflow-level permissions (lines 2-3) only declare contents: read. Pulling the private image ghcr.io/api7/api7-ee-3-integrated:dev requires explicit packages: read permission.

 permissions:
   contents: read
+  packages: read

,

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/e2e.yaml around lines 154 - 160, The workflow is missing
the required workflow-level permission to pull GHCR images; update the workflow
permissions to include packages: read so the "Login to GHCR" step (uses:
docker/login-action@v3) can authenticate with GITHUB_TOKEN and pull ghcr.io
images. Add or extend the permissions block to include packages: read alongside
any existing permissions (e.g., contents: read).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In @.github/workflows/e2e.yaml:
- Around line 154-160: The workflow is missing the required workflow-level
permission to pull GHCR images; update the workflow permissions to include
packages: read so the "Login to GHCR" step (uses: docker/login-action@v3) can
authenticate with GITHUB_TOKEN and pull ghcr.io images. Add or extend the
permissions block to include packages: read alongside any existing permissions
(e.g., contents: read).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: aec15adf-3da7-4e64-8ff0-d96855664db5

📥 Commits

Reviewing files that changed from the base of the PR and between 62724df and 5bc84ef.

📒 Files selected for processing (1)

• .github/workflows/e2e.yaml

[coderabbitai]

🧹 Nitpick comments (1)

.github/workflows/e2e.yaml (1)

131-151: Fail fast when license secrets are missing to avoid opaque downstream failures.

Right now, if a secret is unset/empty, the workflow still writes BACKEND_API7_LICENSE and fails much later. Add an explicit guard in each branch for clearer diagnostics.

💡 Suggested hardening

       - name: Determine API7 image and license
         run: |
           if [ "${{ matrix.version }}" = "dev" ]; then
+            if [ -z "${{ secrets.BACKEND_API7_DEV_LICENSE }}" ]; then
+              echo "::error::Missing required secret BACKEND_API7_DEV_LICENSE"
+              exit 1
+            fi
             echo "BACKEND_API7_VERSION=999.999.999" >> $GITHUB_ENV
             echo "API7_DASHBOARD_IMAGE=ghcr.io/api7/api7-ee-3-integrated" >> $GITHUB_ENV
             echo "API7_IMAGE_TAG=dev" >> $GITHUB_ENV
             {
               echo "BACKEND_API7_LICENSE<<EOLICENSE"
               echo "${{ secrets.BACKEND_API7_DEV_LICENSE }}"
               echo "EOLICENSE"
             } >> $GITHUB_ENV
           else
+            if [ -z "${{ secrets.BACKEND_API7_LICENSE }}" ]; then
+              echo "::error::Missing required secret BACKEND_API7_LICENSE"
+              exit 1
+            fi
             echo "BACKEND_API7_VERSION=${{ matrix.version }}" >> $GITHUB_ENV
             echo "API7_DASHBOARD_IMAGE=api7/api7-ee-3-integrated" >> $GITHUB_ENV
             echo "API7_IMAGE_TAG=v${{ matrix.version }}" >> $GITHUB_ENV
             {
               echo "BACKEND_API7_LICENSE<<EOLICENSE"
               echo "${{ secrets.BACKEND_API7_LICENSE }}"
               echo "EOLICENSE"
             } >> $GITHUB_ENV
           fi

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/e2e.yaml around lines 131 - 151, The workflow currently
writes BACKEND_API7_LICENSE even when secrets.BACKEND_API7_DEV_LICENSE or
secrets.BACKEND_API7_LICENSE are empty, causing opaque failures later; add an
explicit guard in both branches (the dev branch where matrix.version == "dev"
and the else branch) to check the corresponding secret is non-empty (inspect
matrix.version and the secret variables secrets.BACKEND_API7_DEV_LICENSE and
secrets.BACKEND_API7_LICENSE) and if empty emit a clear error (e.g., echo
"::error::... missing secret" or >&2) and exit 1 immediately to fail fast before
writing BACKEND_API7_LICENSE to GITHUB_ENV.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/e2e.yaml:
- Around line 131-151: The workflow currently writes BACKEND_API7_LICENSE even
when secrets.BACKEND_API7_DEV_LICENSE or secrets.BACKEND_API7_LICENSE are empty,
causing opaque failures later; add an explicit guard in both branches (the dev
branch where matrix.version == "dev" and the else branch) to check the
corresponding secret is non-empty (inspect matrix.version and the secret
variables secrets.BACKEND_API7_DEV_LICENSE and secrets.BACKEND_API7_LICENSE) and
if empty emit a clear error (e.g., echo "::error::... missing secret" or >&2)
and exit 1 immediately to fail fast before writing BACKEND_API7_LICENSE to
GITHUB_ENV.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7cf69d29-506b-4330-b036-0390093a16ba

📥 Commits

Reviewing files that changed from the base of the PR and between 5bc84ef and 3efc568.

📒 Files selected for processing (3)

• .github/workflows/e2e.yaml
• libs/backend-api7/e2e/assets/docker-compose.yaml
• libs/backend-api7/e2e/support/global-setup.ts

✅ Files skipped from review due to trivial changes (1)

• libs/backend-api7/e2e/assets/docker-compose.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

• libs/backend-api7/e2e/support/global-setup.ts

[nic-6443]

Test case failures caused by https_verify_certificate need to be fixed

[coderabbitai]

🧹 Nitpick comments (1)

.github/workflows/e2e.yaml (1)

132-152: Fail early when required API7 license secret is missing.

At Line 140 and Line 149, an unset secret becomes an empty BACKEND_API7_LICENSE, and the job fails later with less actionable errors. Add an explicit guard in this step to fail fast with a clear message.

Proposed hardening

       - name: Determine API7 image and license
         run: |
           if [ "${{ matrix.version }}" = "dev" ]; then
+            if [ -z "${{ secrets.BACKEND_API7_DEV_LICENSE }}" ]; then
+              echo "::error::Missing required secret BACKEND_API7_DEV_LICENSE"
+              exit 1
+            fi
             echo "BACKEND_API7_VERSION=999.999.999" >> $GITHUB_ENV
             echo "API7_DASHBOARD_IMAGE=ghcr.io/api7/api7-ee-3-integrated" >> $GITHUB_ENV
             echo "API7_IMAGE_TAG=dev" >> $GITHUB_ENV
             {
               echo "BACKEND_API7_LICENSE<<EOLICENSE"
               echo "${{ secrets.BACKEND_API7_DEV_LICENSE }}"
               echo "EOLICENSE"
             } >> $GITHUB_ENV
           else
+            if [ -z "${{ secrets.BACKEND_API7_LICENSE }}" ]; then
+              echo "::error::Missing required secret BACKEND_API7_LICENSE"
+              exit 1
+            fi
             echo "BACKEND_API7_VERSION=${{ matrix.version }}" >> $GITHUB_ENV
             echo "API7_DASHBOARD_IMAGE=api7/api7-ee-3-integrated" >> $GITHUB_ENV
             echo "API7_IMAGE_TAG=v${{ matrix.version }}" >> $GITHUB_ENV
             {
               echo "BACKEND_API7_LICENSE<<EOLICENSE"
               echo "${{ secrets.BACKEND_API7_LICENSE }}"
               echo "EOLICENSE"
             } >> $GITHUB_ENV
           fi

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/e2e.yaml around lines 132 - 152, Add a guard after reading
the license secret into BACKEND_API7_LICENSE to fail fast if the secret is
empty: after echoing the HERE-doc for BACKEND_API7_LICENSE (when using
secrets.BACKEND_API7_DEV_LICENSE or secrets.BACKEND_API7_LICENSE) check that the
resulting variable is non-empty and, if empty, emit a clear error message and
exit 1 so the job stops immediately instead of failing later with obscure
errors; update the "Determine API7 image and license" step to validate
BACKEND_API7_LICENSE and exit on missing secret.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/e2e.yaml:
- Around line 132-152: Add a guard after reading the license secret into
BACKEND_API7_LICENSE to fail fast if the secret is empty: after echoing the
HERE-doc for BACKEND_API7_LICENSE (when using secrets.BACKEND_API7_DEV_LICENSE
or secrets.BACKEND_API7_LICENSE) check that the resulting variable is non-empty
and, if empty, emit a clear error message and exit 1 so the job stops
immediately instead of failing later with obscure errors; update the "Determine
API7 image and license" step to validate BACKEND_API7_LICENSE and exit on
missing secret.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1f8a9202-fa92-491c-abcd-714949fbf291

📥 Commits

Reviewing files that changed from the base of the PR and between 73adbed and cb274cc.

📒 Files selected for processing (1)

• .github/workflows/e2e.yaml

[jarvis9443]

Fixed — removed https_verify_certificate from the sync-and-dump-2 test expectation. The dev CP no longer returns this default field in health check config, and toMatchObject without it works for both old and new versions.